GhostCat: Vulnerability In Apache Tomcat Servers

CVE-2020-1938: 0-Day Vulnerability Discovered In Apache Tomcat. Upgrade Your Servers ASAP, Before It's Too Late.

What Is GhostCat / CVE-2020-1938?

Ghostcat is a vulnerability in Apache Tomcat servers recently disclosed by the Chinese company Chaitin Tech. It is tracked as CVE-2020-1938. An attacker can read or include any file in the webapp directories of Tomcat, for example the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through the Ghostcat vulnerability.

This vulnerability does not reside in the server itself; it resides in a protocol the server uses. Tomcat is configured with two connectors, HTTP and AJP. The vulnerability is in the AJP protocol, which the Apache Tomcat server treats with a higher degree of trust than an HTTP connection.

  • HTTP Connector: used to process HTTP protocol requests (HTTP/1.1), and the default listening address is 0.0.0.0:8080
  • AJP Connector: used to process AJP protocol requests (AJP/1.3), and the default listening address is 0.0.0.0:8009

How Can This Be Exploited?

AJP Protocol: The Apache JServ Protocol (AJP) is an optimized version of the HTTP protocol in binary format. It reduces the processing cost of HTTP requests, so it is widely used in scenarios that need clustering or a reverse proxy.

The vulnerability is exploitable when a file read/inclusion is performed through the AJP connector in Apache Tomcat. The AJP protocol is enabled by default, with the AJP connector listening on TCP port 8009 and bound to IP address 0.0.0.0. A remote, unauthenticated/untrusted attacker could exploit this AJP configuration to read web application files from a server that exposes the AJP port to untrusted clients. In instances where a poorly configured server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types to gain remote code execution (RCE).

Active Exploitation Of The Ghostcat Vulnerability

Other proof-of-concept exploits associated with this vulnerability can be found at the following GitHub links: Exploit 1, Exploit 2 and Exploit 3.

Impact Of The Successful Exploit

  • An attacker can read or include any files in the web app directories of Tomcat
  • If the target web application has a file upload function, the attacker may also be able to execute malicious code on the target host by exploiting file inclusion through the Ghostcat vulnerability.

Affected Products

  • Apache Tomcat 9.x < 9.0.31
  • Apache Tomcat 8.x < 8.5.51
  • Apache Tomcat 7.x < 7.0.100
  • Apache Tomcat 6.x

Solution and Mitigation

  • Upgrade Tomcat to the latest versions (9.0.31, 8.5.51 or 7.0.100) and configure the “secret” attribute for the AJP Connector to set AJP protocol authentication credentials.
  • If upgrading is not an option and the AJP connector is not in use, disable the AJP connector or change its listening address to localhost.
  • Prevent untrusted sources from accessing the Tomcat AJP connector service port.
  • If upgrading is not an option and the AJP connector is in use, the risk can still be mitigated by configuring the “requiredSecret” attribute for the AJP Connector to set AJP protocol authentication credentials.
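
The mitigation checks above, as an added example (not code from the original article or from the Apache Tomcat project): a Python audit of server.xml that flags AJP connectors reachable beyond localhost without a secret. The sample configuration is constructed, the function names and risk labels are hypothetical, and a connector with no address attribute is assumed to use the 0.0.0.0 default described earlier.

```python
# Added example: audit a Tomcat server.xml for exposed AJP connectors.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config (not taken from any real server).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8011" protocol="AJP/1.3" address="10.0.0.5"
               requiredSecret="constructed-placeholder" />
    <!-- <Connector port="8012" protocol="AJP/1.3" /> -->
  </Service>
</Server>
"""

def is_loopback(address):
    """True when the bind address only accepts local connections."""
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as reachable

def audit_ajp(server_xml):
    """Return one finding per active (non-commented) AJP connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Matches "AJP/1.3" as well as AJP protocol handler class names.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        # Assumption: no address attribute means the 0.0.0.0 default above.
        address = conn.get("address", "0.0.0.0")
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        if is_loopback(address):
            risk = "ok"        # only local processes can reach the port
        elif has_secret:
            risk = "review"    # reachable, but protected by a shared secret
        else:
            risk = "exposed"   # reachable and unauthenticated
        findings.append({"port": conn.get("port"), "address": address,
                         "has_secret": has_secret, "risk": risk})
    return findings

if __name__ == "__main__":
    for finding in audit_ajp(SAMPLE_SERVER_XML):
        print(finding)
```

A "review" result still calls for the firewall restriction listed above, since the secret only authenticates AJP clients and does not limit who can reach the port.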

Stay tuned with us for more cyber stuff!
If you have any suggestions or ideas for us to improve, please feel free to reach out to us.
