‘Apache Tomcat Directory Traversal (..)’

Summary

‘The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Apache Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.

A directory traversal vulnerability was fixed in Apache Tomcat.’

Credit:

‘The information has been provided by D. Matscheko / SEC-CONSULT.
The original article can be found at:
http://www.sec-consult.com/286.html


Details

Vulnerable Systems:
 * Apache Tomcat 5 versions prior to 5.5.22
 * Apache Tomcat 6 versions prior to 6.0.10

If the Apache HTTP Server and Tomcat are configured to inter-operate with the common proxy modules (mod_proxy, mod_rewrite, mod_jk), an attacker might be able to break out of the intended destination path up to the webroot in Tomcat.

 * The only character found to be accepted as directory separator from Apache is ‘/’ (slash).
 * On the other hand Tomcat allows characters including URI encoded characters like ‘/’ (slash), ” (backslash) or ‘%5C’ (backslash URI encoded).

This allowing an attacker to utilize directory traversing attack methods.

Depending on the configuration HTTP requests, including strings like ‘/../’ allow attackers to break out of the given context- and directory structures.

Proof of concept:
As an example an URL like
‘http://www.example.com/foo/../manager/html’
would point to the Tomcat Manager Application. If the password for the Tomcat Manager can be guessed, it is possible to deploy new applications like e.g. a remote command shell.

Note: Using this method, the Tomcat Manager and also other web applications can be accessed over port 80, even if they are not proxied by the Apache HTTP Server. Port 8080 (the Tomcat HTTP port) and 8009 (the Tomcat AJP port) can be and are assumed to be blocked by a firewall.

Disclosure Timeline:
 * 2007-02-08 – Vendor notified.
 * 2007-02-08 – Vendor response.
 * 2007-02-28 – Patch available.
 * 2007-03-14 – Disclosure.’

Categories: UNIX