Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies. In this post, we will dive into the analysis of a vulnerability in Apache Tomcat 9.0.27.
The vulnerability allows a remote attacker to execute arbitrary code on the target system. It exists because of insecure input validation when processing serialized data referenced through uploaded file names: a remote attacker can pass a specially crafted file name to the application and execute arbitrary code on the target system.
Prerequisites
The attacker is able to upload a file with arbitrary content.
We have to know the location where the file is uploaded.
The PersistentManager is enabled and it is using a FileStore.
Exploit
Tomcat provides two implementations for session management:
StandardManager
PersistentManager
When PersistentManager is in use, Tomcat first checks whether the session exists in memory; if it does not, it looks for the session on disk. When Tomcat receives an HTTP request carrying a JSESSIONID cookie, it asks the Manager whether that session already exists. Because the attacker controls the value of JSESSIONID sent in the request, what happens if he sends something like “JSESSIONID=../../../../../../tmp/12345”?
Tomcat asks the Manager to check whether a session with session ID “../../../../../../tmp/12345” exists.
It first checks whether it has that session in memory.
It does not. But the running Manager is a PersistentManager, so it also checks whether it has the session on disk.
It looks at the location directory + sessionId + “.session”, which evaluates to “./session/../../../../../../tmp/12345.session”.
If the file exists, it deserializes it and parses the session information from it.
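The following Python is an added illustration (not Tomcat's code) of the lookup just described: the unvalidated concatenation directory + sessionId + ".session" beside a hardened version that rejects IDs which are not plain hex or which resolve outside the store directory, the kind of containment check later Tomcat releases added to FileStore. The store directory and session IDs are constructed sample values.

```python
import os
import re

FILE_EXT = ".session"
# Tomcat session IDs are hex strings; anything else has no business reaching the file store.
SESSION_ID_RE = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample values for the demonstration below.
STORE_DIR = "/srv/tomcat/work/sessions"      # assumed FileStore directory
GOOD_ID = "5B3A2F1E9C"                       # well-formed session ID
TRAVERSAL_ID = "../../../../../../tmp/12345" # the JSESSIONID value discussed above


def vulnerable_session_path(directory: str, session_id: str) -> str:
    """Mirror the unvalidated lookup: directory + sessionId + ".session".
    Returns the resolved path that would be opened and deserialized."""
    return os.path.realpath(os.path.join(directory, session_id + FILE_EXT))


def escapes_store(directory: str, session_id: str) -> bool:
    """True when the unvalidated lookup would read a file outside the store directory."""
    base = os.path.realpath(directory)
    return os.path.commonpath([base, vulnerable_session_path(directory, session_id)]) != base


def hardened_session_path(directory: str, session_id: str) -> str:
    """Same lookup, but refuse IDs that are not plain session IDs or that would
    resolve outside the store directory; raise instead of opening the file."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError(f"rejecting malformed session id: {session_id!r}")
    base = os.path.realpath(directory)
    candidate = os.path.realpath(os.path.join(base, session_id + FILE_EXT))
    # commonpath avoids the prefix pitfall where "/srv/sessions2" starts with "/srv/sessions".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"session id escapes store directory: {session_id!r}")
    return candidate


if __name__ == "__main__":
    for sid in (GOOD_ID, TRAVERSAL_ID):
        print(f"{sid!r}: unvalidated -> {vulnerable_session_path(STORE_DIR, sid)}"
              f" (escapes store: {escapes_store(STORE_DIR, sid)})")
        try:
            print(f"{sid!r}: hardened -> {hardened_session_path(STORE_DIR, sid)}")
        except ValueError as exc:
            print(f"{sid!r}: hardened -> rejected ({exc})")
```

The charset check alone already stops the traversal, but the containment check is the backstop that holds even if the ID format is relaxed later.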
Step 1:
We first need to determine the server's file upload path. In my application it is /opt/sample/uploads; I found it through a server exception in my application.
Step 2:
We need a payload to get a reverse shell. I used a simple bash shell for our payload.
Next, we need to create a serialized session file that downloads our payload with curl. To do this, I used the ysoserial jar file. You can download it from here.
Create a session file to download our payload to the victim machine: