tomcat-users mailing list archives

From "Brian Cochran" <li...@bricom.com>
Subject RE: Hackers shutting down your Tomcat 4.x server?
Date Fri, 09 Nov 2001 21:10:16 GMT
As I understand it, given the way the ServerSocket is constructed using the
InetAddress, the server will only accept connections that are sent TO the
loopback port.

Here's a snippet from the javadoc.

public ServerSocket(int port,
                    int backlog,
                    InetAddress bindAddr)
             throws IOException

Create a server with the specified port, listen backlog, and local IP
address to bind to. The bindAddr argument can be used on a multi-homed host
for a ServerSocket that will only accept connect requests to one of its
addresses. If bindAddr is null, it will default accepting connections on
any/all local addresses. The port must be between 0 and 65535, inclusive.

So tomcat is probably setting up this server with something like
  ServerSocket shutdownListener =
      new ServerSocket(port,backlog,InetAddress.getLocalHost());

One could probably spoof a return address of 127.0.0.1, but if the "to"
address is 127.0.0.1 there really isn't a way to route it to any box but
yourself (at least on a switched network). The only thing I could think of is
that on a non-switched network you are somewhat vulnerable to an internal
attack by faking a MAC address (although I may be wrong). However, I would
guess that nearly all production environments in which Tomcat is used are on
fully switched networks.

Hope this helps,
Brian




-----Original Message-----
From: pero [mailto:pero@antaramusic.de]
Sent: Friday, November 09, 2001 2:03 PM
To: Tomcat Users List
Subject: RE: Hackers shutting down your Tomcat 4.x server?


As far as I know the SHUTDOWN command can only be sent from localhost -> so
the hacker has to break into your system first. And if that happens you'll
experience other problems :-)
But I don't know if it is possible to do a "fake-localhost" connect as I am
not that familiar with the hacking stuff...

pero
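The bind-address behaviour Brian describes above, shown as an added socket-level example (not code from the original thread or from Tomcat): a listener bound to 127.0.0.1 refuses a connection addressed to a different loopback address, while a listener bound to all addresses (the equivalent of a null bindAddr) accepts it. It assumes a Linux-style loopback, where the whole 127.0.0.0/8 range is routed over lo, so 127.0.0.2 is a second local address; the port numbers are ephemeral.

```python
import socket
from contextlib import closing

LOOPBACK = "127.0.0.1"
# Second loopback address. Assumption: Linux-style lo interface, where all of
# 127.0.0.0/8 is local; macOS does not configure 127.0.0.2 by default.
OTHER_LOOPBACK = "127.0.0.2"


def start_listener(bind_addr: str) -> socket.socket:
    """Listen on an ephemeral port bound to bind_addr.

    '' binds to all local addresses, which is what a null bindAddr does in
    the Java ServerSocket(port, backlog, bindAddr) constructor."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))  # port 0: let the kernel pick a free port
    srv.listen(5)
    return srv


def can_connect(dest_addr: str, port: int) -> bool:
    """Return True if a TCP connect to (dest_addr, port) is accepted."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as client:
        client.settimeout(2)
        try:
            client.connect((dest_addr, port))
            return True
        except OSError:  # ECONNREFUSED when no socket is bound to that address
            return False


def reachability(bind_addr: str) -> dict:
    """For a listener bound to bind_addr, report which destination addresses
    reach it. Only the destination ('to') address matters here, which is the
    point of the loopback-only shutdown listener."""
    with closing(start_listener(bind_addr)) as srv:
        port = srv.getsockname()[1]
        return {dest: can_connect(dest, port) for dest in (LOOPBACK, OTHER_LOOPBACK)}


if __name__ == "__main__":
    for bind_addr in (LOOPBACK, ""):
        label = bind_addr or "0.0.0.0 (any address)"
        print(f"listener bound to {label}: {reachability(bind_addr)}")
```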


