Re: Apache Tomcat penetration test

["R. DuFresne" <dufresne () sysinfo com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




Actually the issue here is running apache and tomcat within a windows env 
when those applications were tuned to be run on real multi-user systems 
rather then an env that had multi-user shoehorned in.

If any real sense of security is required do not run such applications on 
an architecture that has so much single user legacy built in from the 
ground up remaining.

Thanks,

Ron DuFresne


On Fri, 17 Nov 2006, Danux wrote:

> Well,
>
> In my Experience, the main vulnerabilities will be found on the code
> (JSP, Servlets, so on) instead of architecture (Tomcat itself).
>
> Although Tomcat did provide a good deal of security, it still fails
> due to the following method:
> 1.      After installation, Tomcat Runs As a System Service.
> 2.      If it is not run as a system service, by default all Web server
> administrators run Tomcat As Administrator.
> These two things allow Java Run Time to access any files in any
> directory of any Windows machine. By default, Java Run Time takes the
> security privileges according to the user that is running the Java Run
> Time. When Tomcat is run by an administrator or as a System Service,
> Java Run Time gets all the rights that the System User has or
> Administrator has. In that manner, Java Run Time gets the complete
> rights to all files in all directories. And, Servlets (JSP converted
> to Servlets) gets the same previlleges. So, the Java code can call
> File API in Java SDK to list all files in the directory, delete any
> file, and also the greatest risk is to RUN a program with system
> privileges. When any Servlet has code like this:
>
> Runtime rt = Runtime.getRuntime();
> rt.exec("c:\\SomeDirectory\\SomeUnsafeProgram.exe")
> this is the greatest risk, and it's unknown to many people.
>
> Hope this helps
>
>
> On 11/17/06, a007 <a007 () ixi ru> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi
> >
> > I am looking for the way to penetrate Apache Tomcat server. Does anybody
> > know useful link on this? There is not much information on Web.
> >
> > I need to analyze Apache Tomcat Apache Tomcat/5.5.17 server. After URI
> > manipulation I've found some server debug messages like this:
> >
> > HTTP Status 500 - java.lang.NoSuchMethodException:
> > partners.service.PartnersService.getLink(javax.servlet.http.HttpServletRequest)
> > at java.lang.Class.getMethod(Class.java:1581) at
> > web.AjaxService.doGet(AjaxService.java:80) at
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:689) at
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at
> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
> > at
> > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> > at
> > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> > at
> > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
> > at
> > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
> > at
> > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> > at
> > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
> > at
> > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
> > at
> > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> > at
> > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
> > at
> > org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
> > at
> > org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> > at
> > org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
> > at
> > org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
> > at java.lang.Thread.run(Thread.java:595)
> >
> > Thanks in advance,
> >
> > a007
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.5 (MingW32)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQFFXVxXMoMPiPgGoAcRAqv4AJ9OyDznLWS4lNLkinyVo2pmpQDkvQCfX88z
> > +hDZNLvvi9qDA8k5el4Xwns=
> > =C/+x
> > -----END PGP SIGNATURE-----
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> > ------------------------------------------------------------------------

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFYgcGst+vzJSwZikRAvmAAJ46WmR9d2bawpw9nJY/XbfIvUKZJACfVUwj
7WYTFLlWdhJA4p1yK5P+rbo=
=OYhh
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------