Re: [OT] Symantic has a first tomcat worm ;-)
On Tue, Nov 26, 2013 at 5:53 AM, André Warnier wrote:
> So yes, by any means, have the Manager disabled by default, even when
> subsequently enabled restrict it by default to localhost, ...

+1
Re: [OT] Symantic has a first tomcat worm ;-)
On 25 November 2013 23:27, Ognjen Blagojevic wrote:
> What most users do is to copy the XML example, and paste it into
> tomcat-users.xml.
>
> I propose that 401 page for Manager be dynamically generated, so that
> instead of occurrences of example password "s3cret", it generates random
> password, different for every request which results in 401 error page. In
> that way, every security-unaware user will have unique password, and not
> "s3cret".

I second this proposal. It's much less of a burden on a user to write down a
long random password (cut/paste) than to dig out an appropriate tool and
generate one.

cheers,
David.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Symantic has a first tomcat worm ;-)
Ognjen Blagojevic wrote:
> Chris,
>
> On 25.11.2013 20:56, Christopher Schultz wrote:
>>> What most users do is to copy the XML example, and paste it into
>>> tomcat-users.xml.
>>
>> If that were the case, I would have expected to see "tomcat:s2cret"
>> listed in the worm's "obvious creds" list. Since it's not there, I
>> suppose that either it's not used very often in the wild or the authors
>> are not very smart.
>
> This worm maybe does not, but I found references to that username/password
> in wordlists[1], blogs[2,3] and books[4]. For me, that is a sign that
> Tomcat should avoid using that particular example password.
>
> -Ognjen
>
> [1] https://github.com/lattera/metasploit/blob/master/data/wordlists/tomcat_mgr_default_userpass.txt
> [2] http://www.socialseer.com/2013/07/14/watching-the-hackers-try-to-break-into-tomcat/
> [3] http://x9090.blogspot.com/2012/09/a-case-study-of-tomcat-web-server.html
> [4] http://www.amazon.com/Hacking-Exposed-Network-Security-Solutions/dp/0071780289

My company has been distributing an (external) software package for 30 years.
In the standard distribution, there are 3 users defined with 3 standard
passwords, to use for the initial demo and user training. The documentation
has a prominent section in capitals and red color that says that the
passwords of these users should be changed, or these users deleted, as soon
as the initial testing phase is over. When I go visit customers however,
about 50% of them still have these users enabled with the original
passwords, even at some very security-conscious places. Users are like that.

So yes, by any means, have the Manager disabled by default, even when
subsequently enabled restrict it by default to localhost, and in the
documentation and examples, use some password that is guaranteed NOT to work
and MUST be changed. "**" may be a good way to suggest that it has to be
changed, though I am sure that there will be users trying it literally.
Re: [OT] Symantic has a first tomcat worm ;-)
Chris,

On 25.11.2013 20:56, Christopher Schultz wrote:
>> What most users do is to copy the XML example, and paste it into
>> tomcat-users.xml.
>
> If that were the case, I would have expected to see "tomcat:s2cret" listed
> in the worm's "obvious creds" list. Since it's not there, I suppose that
> either it's not used very often in the wild or the authors are not very
> smart.

This worm maybe does not, but I found references to that username/password in
wordlists[1], blogs[2,3] and books[4]. For me, that is a sign that Tomcat
should avoid using that particular example password.

-Ognjen

[1] https://github.com/lattera/metasploit/blob/master/data/wordlists/tomcat_mgr_default_userpass.txt
[2] http://www.socialseer.com/2013/07/14/watching-the-hackers-try-to-break-into-tomcat/
[3] http://x9090.blogspot.com/2012/09/a-case-study-of-tomcat-web-server.html
[4] http://www.amazon.com/Hacking-Exposed-Network-Security-Solutions/dp/0071780289
Re: [OT] Symantic has a first tomcat worm ;-)
Ognjen,

On 11/25/13, 7:27 AM, Ognjen Blagojevic wrote:
> Current 401 page for Manager application says something like:
>
>   You are not authorized to view this page. If you have not
>   changed any configuration files, please examine the file
>   conf/tomcat-users.xml in your installation. That file must contain
>   the credentials to let you use this webapp.
>
>   For example, to add the manager-gui role to a user named tomcat
>   with a password of s3cret, add the following to the config file
>   listed above.
>
>   <user username="tomcat" password="s3cret" roles="manager-gui"/>
>
> What most users do is to copy the XML example, and paste it into
> tomcat-users.xml.

If that were the case, I would have expected to see "tomcat:s2cret" listed
in the worm's "obvious creds" list. Since it's not there, I suppose that
either it's not used very often in the wild or the authors are not very
smart.

-chris
Re: [OT] Symantic has a first tomcat worm ;-)
Mark,

On 11/25/13, 5:08 AM, Mark Thomas wrote:
> Folks that disabled the LockOutRealm in server.xml that protects
> against brute-force password attacks (against any app - not just
> the Manager) should probably be worried.

I had configured my Manager using a custom manager.xml file and had
overlooked that particular protection. Thanks for the reminder. I am using
localhost-only and a password, so I should be all set, but it hurts nothing
to add LockOutRealm and gives a modicum of additional protection.

> The one thing that is new is that this exploit appears to be
> self-replicating.

+1 ... which isn't really that creative.

> Unrelated to this issue, I have recently expanded the section of
> the docs that covers securing the default applications. The updates
> will be in the next release. Until then you can read it via the
> copy of the docs built by the CI system:
> http://ci.apache.org/projects/tomcat/tomcat8/docs/security-howto.html#Default_web_applications
>
> The one question this raises for me is should the Manager
> application be limited to localhost by default? I'd be interested
> in the community's views on that.

I would support such a change. Anyone who wants to run a remotely-accessible
Manager should be [forced to be] competent enough to modify that restriction.

> Personally, I can't stand the taste of caffe but I did enjoy my
> beverage of choice.

Aw. Note that Coffee and Espresso are quite different experiences. I highly
recommend trying the latter if you haven't recently.

-chris
Re: [OT] Symantic has a first tomcat worm ;-)
Mikolaj,

On 25.11.2013 12:46, Mikolaj Rydzewski wrote:
> On 25.11.2013 12:42, Ognjen Blagojevic wrote:
>> I also think it would be very useful if the 401 error page for the
>> Manager application did not show the example password "s3cret", but a
>> randomly generated long password unique for every request. I guess there
>> are a number of Tomcat instances out there with username "tomcat" and
>> password "s3cret", and that needs to be prevented.
>
> Can you elaborate on that? What do you mean by random passwords for 401
> pages?

Current 401 page for Manager application says something like:

  You are not authorized to view this page. If you have not changed any
  configuration files, please examine the file conf/tomcat-users.xml in
  your installation. That file must contain the credentials to let you use
  this webapp.

  For example, to add the manager-gui role to a user named tomcat with a
  password of s3cret, add the following to the config file listed above.

  <user username="tomcat" password="s3cret" roles="manager-gui"/>

What most users do is to copy the XML example, and paste it into
tomcat-users.xml.

I propose that the 401 page for Manager be dynamically generated, so that
instead of occurrences of the example password "s3cret", it generates a
random password, different for every request which results in a 401 error
page. In that way, every security-unaware user will have a unique password,
and not "s3cret".

-Ognjen
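The proposal above, worked through as an added example (this is not Tomcat code and not from anyone in the thread): the 401 help text is rendered per request with a password drawn from a CSPRNG, and a second function parses back the `<user .../>` line exactly as a copy-and-paste admin would end up with it in tomcat-users.xml. The help wording is paraphrased from the thread; `HELP`, `DEFAULT_LEN` and the function names are this example's own choices. Two caveats the thread implies but does not spell out: this only helps installs where the admin has not already pasted "s3cret", and the password still lands in tomcat-users.xml in the clear unless a digest is configured separately.

```python
"""Ognjen's proposal: a 401 help page whose example password is fresh per request.

Added example, not Tomcat code. The help text is paraphrased from the thread;
HELP, DEFAULT_LEN and the function names are this example's own.
"""
import math
import re
import secrets
import string
import xml.etree.ElementTree as ET

ALPHABET = string.ascii_letters + string.digits  # nothing XML-significant, safe to paste
DEFAULT_LEN = 20                                  # assumption: ~119 bits from 62 symbols

HELP = (
    "You are not authorized to view this page. If you have not changed any\n"
    "configuration files, please examine conf/tomcat-users.xml in your\n"
    "installation. For example, to add the manager-gui role to a user named\n"
    "{user} with a password of {pw}, add the following to that file:\n\n"
    '  <user username="{user}" password="{pw}" roles="manager-gui"/>\n'
)
USER_LINE = re.compile(r"<user\s[^>]*/>")


def random_password(length=DEFAULT_LEN):
    """CSPRNG-backed password; `secrets` rather than `random` on purpose."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_bits(length=DEFAULT_LEN):
    """Entropy of a password drawn uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def render_401_help(user="tomcat", length=DEFAULT_LEN):
    """Render the help text for one request. Each call embeds a new password,
    so two admins who both paste 'what the page said' end up with different
    credentials, which is the whole point of the proposal."""
    return HELP.format(user=user, pw=random_password(length))


def pasted_user_element(help_text):
    """What a copy-and-paste admin ends up with: the <user .../> line, parsed
    the way Tomcat's digester will parse tomcat-users.xml.
    Returns (username, password)."""
    el = ET.fromstring(USER_LINE.search(help_text).group(0))
    return el.get("username"), el.get("password")


if __name__ == "__main__":
    page = render_401_help()
    print(page)
    print("pasted credential:", pasted_user_element(page), f"({password_bits():.0f} bits)")
```

Restricting the alphabet to letters and digits is deliberate: a generated password containing `"`, `&` or `<` would break the pasted XML, and an admin who cannot start Tomcat afterwards is likely to "fix" it by typing something short.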
Re: [OT] Symantic has a first tomcat worm ;-)
On 25.11.2013 12:42, Ognjen Blagojevic wrote:
> I also think it would be very useful if the 401 error page for the
> Manager application did not show the example password "s3cret", but a
> randomly generated long password unique for every request. I guess there
> are a number of Tomcat instances out there with username "tomcat" and
> password "s3cret", and that needs to be prevented.

Can you elaborate on that? What do you mean by random passwords for 401
pages?

--
Mikolaj Rydzewski
Re: [OT] Symantic has a first tomcat worm ;-)
Mark,

On 25.11.2013 11:08, Mark Thomas wrote:
> Unrelated to this issue, I have recently expanded the section of the docs
> that covers securing the default applications. The updates will be in the
> next release. Until then you can read it via the copy of the docs built by
> the CI system:
> http://ci.apache.org/projects/tomcat/tomcat8/docs/security-howto.html#Default_web_applications

On a related matter, if one configures file permissions as recommended here:

  http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Non-Tomcat_settings

the Manager application will be unusable for deployment by uploading .war
files. Automatic war unpacking also won't work. What is the best practice for
remote deployment of .war files in such an environment?

I usually copy the .war file to a temporary dir on the server using an scp
client. Then, using an ssh client, I extract the .war file, chown the .war
file and extracted folder, and mv the .war file and extracted folder to
webapps/. I then wait for the auto deployer to pick them up. Is there a
better alternative to that?

> The one question this raises for me is should the Manager application be
> limited to localhost by default? I'd be interested in the community's
> views on that.

Yes. A lot of Tomcat instances I've seen run under user root. Unfortunately,
a lot of users need Tomcat running on port 80, and they don't have time or
knowledge to configure jsvc or httpd. They unfortunately resort to running
Tomcat as root, forgetting that the Manager application (and all other
deployed webapps) will also have root privileges. So, adding one more level
of security by enabling RemoteAddrValve will help security-ignorant users,
and will take only a little additional effort for admins.

I also think it would be very useful if the 401 error page for the Manager
application did not show the example password "s3cret", but a randomly
generated long password unique for every request. I guess there are a number
of Tomcat instances out there with username "tomcat" and password "s3cret",
and that needs to be prevented.

-Ognjen
Re: [OT] Symantic has a first tomcat worm ;-)
> The one question this raises for me is should the Manager application be
> limited to localhost by default? I'd be interested in the community's
> views on that.

My view: yes, if it is easily configurable (like removing localhost to have
all access, but also adding a host). Because then people know that they can
do it; they have seen it, so they think more about it. Especially with stuff
that just works out of the box.
Re: [OT] Symantic has a first tomcat worm ;-)
On 25/11/2013 08:22, Leon Rosenberg wrote:
> Morning everyone,
>
> what can be a greater start in the morning than reading about the first
> tomcat worm found by symantec ;-)
>
> http://www.symantec.com/connect/blogs/all-your-tomcat-are-belong-bad-guys

How good your morning will be after reading that article will depend rather
a lot on how careful you were configuring your Tomcat instance(s).

Folks that simply used the default installation have nothing to worry about.
The Manager application has been disabled (in the sense that no user was
granted access to it) by default in every release from 4.0.0 onwards. I
didn't go back any further because a) 3.x was a very, very long time ago and
b) I never worked on 3.x and didn't fancy trying to find my way around the
very different code structure.

Folks that added a user to the Manager application and configured it with a
strong password have nothing to worry about.

Folks that enabled the commented out RemoteAddrValve for the Manager app that
limits access to localhost have nothing to worry about.

Folks that disabled the LockOutRealm in server.xml that protects against
brute-force password attacks (against any app - not just the Manager) should
probably be worried.

Folks that added a user to the Manager application and configured it with a
weak password might be about to have a bad day.

Attacks against Tomcat that exploit a publicly accessible Manager application
configured with a user with a weak password are nothing new. The security@
list has been sent a number of examples of the malicious apps that get
installed via this route over the years. These examples go all the way back
to at least the 4.1.x days (when I first got involved with Tomcat) and
probably earlier. The one thing that is new is that this exploit appears to
be self-replicating.

Unrelated to this issue, I have recently expanded the section of the docs
that covers securing the default applications. The updates will be in the
next release. Until then you can read it via the copy of the docs built by
the CI system:
http://ci.apache.org/projects/tomcat/tomcat8/docs/security-howto.html#Default_web_applications

The one question this raises for me is should the Manager application be
limited to localhost by default? I'd be interested in the community's views
on that.

> Enjoy your caffe.

Personally, I can't stand the taste of caffe but I did enjoy my beverage of
choice.

Mark
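Mark's "folks that ..." list is effectively an audit checklist: a user granted a manager-* role, the password that user has, whether the RemoteAddrValve in the Manager's context.xml is active or still commented out, and whether the LockOutRealm is still wrapping the realm in server.xml. As an added example (not Tomcat code and not from anyone in the thread), the script below checks each of those points against the three files. The class names and the loopback `allow` pattern are the ones Tomcat ships; the XML strings are constructed samples, the "first guess" credential list is illustrative apart from tomcat/s3cret (which is the 401-page example discussed in this thread), and `MIN_PASSWORD_LEN` is this example's own policy threshold.

```python
"""Audit a Tomcat instance for the Manager-app weaknesses Mark lists above.

Added example, not Tomcat project code. The XML strings below are constructed
samples standing in for conf/tomcat-users.xml, the Manager app's
META-INF/context.xml and conf/server.xml.
"""
import re
import xml.etree.ElementTree as ET

LOCKOUT_REALM = "org.apache.catalina.realm.LockOutRealm"
REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"
MIN_PASSWORD_LEN = 12  # assumption: local policy threshold, not a Tomcat default

# Constructed first-guess list: "tomcat"/"s3cret" is the Manager 401-page
# example from this thread; the other two are illustrative, not from the worm.
KNOWN_EXAMPLE_CREDS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}


def _local(tag):
    """Strip a namespace prefix (Tomcat 8 declares one on tomcat-users.xml)."""
    return tag.rsplit("}", 1)[-1]


def manager_users(tomcat_users_xml):
    """(username, password, roles) for each user holding a manager-* role.
    An empty list is the shipped state: app deployed, nobody can log in."""
    found = []
    for el in ET.fromstring(tomcat_users_xml).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if any(r.startswith("manager-") for r in roles):
            found.append((el.get("username") or el.get("name"), el.get("password"), roles))
    return found


def manager_localhost_only(context_xml):
    """True if an *active* RemoteAddrValve admits loopback and nothing else.
    ElementTree discards comments, so the valve that ships commented out is
    (correctly) reported as inactive. Tomcat applies `allow` as a full-match
    regex against the client address, hence fullmatch here."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        if valve.get("className") != REMOTE_ADDR_VALVE or not valve.get("allow"):
            continue
        try:
            allow = re.compile(valve.get("allow"))
        except re.error:
            continue
        if (allow.fullmatch("127.0.0.1") and allow.fullmatch("::1")
                and not allow.fullmatch("203.0.113.5")):
            return True
    return False


def lockout_realm_active(server_xml):
    """True if a LockOutRealm wraps the authenticating realm in server.xml."""
    return any(r.get("className") == LOCKOUT_REALM
               for r in ET.fromstring(server_xml).iter("Realm"))


def audit(tomcat_users_xml, context_xml, server_xml):
    """Findings as strings; empty means none of the thread's failure modes applies."""
    findings = []
    users = manager_users(tomcat_users_xml)
    for name, password, roles in users:
        if (name, password) in KNOWN_EXAMPLE_CREDS:
            findings.append(f"CRITICAL: {name} uses a well-known example password; roles {sorted(roles)}")
        elif password is None or len(password) < MIN_PASSWORD_LEN:
            findings.append(f"WARN: {name} has a short Manager password")
    if users and not manager_localhost_only(context_xml):
        findings.append("WARN: Manager accepts logins from non-loopback addresses")
    if not lockout_realm_active(server_xml):
        findings.append("WARN: no LockOutRealm; brute-force attempts are not throttled")
    return findings


# --- constructed samples: the state the worm feeds on, then a hardened one ---
WEAK_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
</tomcat-users>"""
WEAK_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  -->
</Context>"""
WEAK_SERVER = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  </Engine></Service></Server>"""
HARDENED_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <user username="deployer" password="Vq7pL2mX9sR4tBw1Kd" roles="manager-script"/>
</tomcat-users>"""
HARDENED_CONTEXT = WEAK_CONTEXT.replace("<!--", "").replace("-->", "")  # valve uncommented
HARDENED_SERVER = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
    </Realm>
  </Engine></Service></Server>"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_USERS, WEAK_CONTEXT, WEAK_SERVER))
    print("hardened:", audit(HARDENED_USERS, HARDENED_CONTEXT, HARDENED_SERVER))
```

Two things this check cannot see, which Chris's follow-up in this thread illustrates: a Manager configured through a per-application context file outside the stock location, and the length heuristic is meaningless for digested passwords (it would then be measuring the digest, not the secret). Treat an empty result as "none of the listed mistakes", not as "safe".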
[OT] Symantic has a first tomcat worm ;-)
Morning everyone,

what can be a greater start in the morning than reading about the first
tomcat worm found by symantec ;-)

http://www.symantec.com/connect/blogs/all-your-tomcat-are-belong-bad-guys

Enjoy your caffe.

Leon