tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: java deserialization vulnerability for Tomcat 7/8
Date Wed, 11 Nov 2015 13:59:34 GMT
Johan,

On 11/11/15 8:53 AM, Johan Compagner wrote:
> On 11 November 2015 at 14:44, Christopher Schultz <
> chris@christopherschultz.net> wrote:
> 
>> Tomcat could potentially be
>> used as an attack vector against a system by someone with write-access
>> to the part of the filesystem where Tomcat stores its serialized session
>> objects during a restart
>>
> 
> if you already can do that... then i think there are other problems first ;)

Of course, but it's a way to attack the server using Tomcat's runtime
privileges that does not necessarily require the attacker to already
have Tomcat's runtime privileges.

If the SESSIONS.ser file is stored somewhere like /tmp or has lazy file
permissions, it may be possible to overwrite it. A default Tomcat
installation is trivially "stoppable" by anyone with localhost access...
just send "SHUTDOWN" to port 8005 and the server stops.

So while I think it's not very likely that Tomcat's SESSIONS.ser file is
writable by a non-tomcat user AND of course that already having
localhost access is pretty much game-over, there is the possibility of a
privilege escalation, here.

... and someone could potentially blame Tomcat, because Tomcat is the
one calling ObjectInputStream.readObject, not the application.

I don't see any great mitigations against this kind of thing other than
signing/encrypting the serialized sessions file, but then you have the
problem is protecting the key used for that purpose: you've added no
security, only moved the problem.

Besides, simply not allowing anyone to overwrite SESSIONS.ser is the
proper mitigation, here.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message