Vulnerability or a valid behavior of tomcat ?
Hi all,

I wanted to exploit the Tomcat vulnerability CVE-2009-2693 named *Arbitrary file deletion and/or alteration on deploy*. You can have a look at it here (http://tomcat.apache.org/security-6.html). Here they say the affected versions are: Affects: 6.0.0-6.0.20.

I wanted to give it a try. So I downloaded a web application, insecure (insecure web application from OWASP). This application has some JSP files and some Java files. So in one of the Java files (DatasourceConnectionprovider.java), I added the following code, which deletes a file named file1.txt from the home directory. Please note that I use Ubuntu and I created file1.txt in the home directory. The code looks like below:

    // requires: import java.io.File;
    public void deletefile() {
        try {
            File file = new File("../../file1.txt"); // this deletes file1.txt from home dir
            if (file.delete()) {
                System.out.println(file.getName() + " is deleted!");
            } else {
                System.out.println("Delete operation is failed.");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

I compiled the file (DatasourceConnectionprovider.java) and I replaced the default DatasourceConnectionprovider.class with the changed DatasourceConnectionprovider.class. So in short, I deploy a war file in Tomcat which deletes file1.txt from the home directory.

I tried this with both Tomcat 6.0.35 and Tomcat 7.0.28 and it actually deleted file1.txt from the home directory. So I guess I have succeeded in exploiting the said CVE-2009-2693 named *Arbitrary file deletion and/or alteration on deploy* vulnerability.

So my question is:

1) They say that the affected versions are Tomcat 6.0.0-6.0.20. But I could do this with Tomcat 7.0.28 also. I checked for Tomcat 7 vulnerabilities and I could not find this (*Arbitrary file deletion and/or alteration on deploy*) in the list on the org.apache site.

a) Is the way I have tried to exploit that vulnerability correct? Or is it something which can be considered normal behaviour? (attempting to try to delete a file from the home dir or from the web root dir while deploying a war file)

b) Does this vulnerability still exist in Tomcat 7.0.28? I think so because I could delete a file from the home dir with Tomcat version 7.0.28 also, but I am not sure.

Should this be reported to the security team of Tomcat?

Ultimately I want to make sure that I have succeeded in exploiting a vulnerability of Tomcat. This is part of my research and there is no intention to harm others. :-)

Thanks
Richa
Re: Vulnerability or a valid behavior of tomcat ?
On 21/09/2012 11:23, Ragini wrote:

> I tried this with both Tomcat 6.0.35 and Tomcat 7.0.28 and it actually deleted file1.txt from the home directory. So I guess I have succeeded in exploiting the said CVE-2009-2693 named *Arbitrary file deletion and/or alteration on deploy* vulnerability.

You guess wrong.

> So my question is:
> 1) They say that the affected versions are Tomcat 6.0.0-6.0.20. But I could do this with Tomcat 7.0.28 also. I checked for Tomcat 7 vulnerabilities and I could not find this (*Arbitrary file deletion and/or alteration on deploy*) in the list on the org.apache site.

That is because Tomcat 7 is not vulnerable to that vulnerability.

> a) Is the way I have tried to exploit that vulnerability correct?

No, it is not correct.

> Or is it something which can be considered normal behaviour?

Yes, the behaviour you observe is normal, expected behaviour.

> (attempting to try to delete a file from the home dir or from the web root dir while deploying a war file)

That isn't what you are doing.

> b) Does this vulnerability still exist in Tomcat 7.0.28?

No.

> I think so because I could delete a file from the home dir with Tomcat version 7.0.28 also,

Your thinking is incorrect.

> but I am not sure. Should this be reported to the security team of Tomcat?

No. Please don't waste our time.

Further, potential security vulnerabilities should not be discussed on a public mailing list. They should be reported privately to the security team. Fortunately no harm was done in this case since your supposed vulnerability was nothing of the sort. As someone claiming to be a security researcher you should be aware of that. That makes one question your claim to be a security researcher.

> Ultimately I want to make sure that I have succeeded in exploiting a vulnerability of Tomcat. This is part of my research and there is no intention to harm others. :-)

You need to re-read the description of CVE-2009-2693 on the Tomcat web site [1] and then try and exploit that rather than simply deleting a file.

Unless you run under a security manager, a JSP is able to delete any file the user Tomcat is running under is able to delete.

The fact that you do not understand the above adds further doubt to your claim to be a security researcher. Your previous message to this list (a security researcher who has not heard of Metasploit?) also casts serious doubt on your claims to be a security researcher.

Mark

[1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
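Added example (not part of the original thread, and not Tomcat's code): a small Java program showing the behaviour described in the reply above, where File.delete() succeeds when no security manager is installed and is refused once one is. DeleteGuard and the temp files are constructed for illustration; Tomcat itself relies on the standard Java SecurityManager driven by a policy file, and the program needs a JDK that still supports the Security Manager (deprecated for removal since Java 17).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;

public class DeleteUnderSecurityManager {
    // Hypothetical stand-in for a policy: deletes are allowed only below allowedDir.
    static class DeleteGuard extends SecurityManager {
        private final Path allowedDir;

        DeleteGuard(File dir) {
            allowedDir = dir.toPath().toAbsolutePath().normalize();
        }

        @Override
        public void checkPermission(Permission perm) {
            // Everything else stays permitted so the demo can run and clean up.
        }

        @Override
        public void checkDelete(String file) {
            // normalize() collapses "../.." segments before the comparison
            Path target = new File(file).toPath().toAbsolutePath().normalize();
            if (!target.startsWith(allowedDir)) {
                throw new SecurityException("delete denied: " + target);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample files in the temp directory; nothing else is touched.
        File webappDir = Files.createTempDirectory("webapp").toFile();
        File inside = File.createTempFile("work", ".tmp", webappDir);
        File outsideA = File.createTempFile("file1", ".txt"); // stands in for ~/file1.txt
        File outsideB = File.createTempFile("file1", ".txt");
        System.out.println("no manager, outside file deleted: " + outsideA.delete());

        System.setSecurityManager(new DeleteGuard(webappDir));
        System.out.println("manager, file in webapp dir deleted: " + inside.delete());
        try {
            outsideB.delete();
        } catch (SecurityException e) {
            System.out.println("manager, outside file: " + e.getMessage());
        }
        System.setSecurityManager(null); // remove the guard, then clean up
        outsideB.delete();
        webappDir.delete();
    }
}
```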
Re: Vulnerability or a valid behavior of tomcat ?
On 09/21/2012 12:46 PM, Mark Thomas wrote:

> On 21/09/2012 11:23, Ragini wrote:
>
> > I tried this with both Tomcat 6.0.35 and Tomcat 7.0.28 and it actually deleted file1.txt from the home directory. So I guess I have succeeded in exploiting the said CVE-2009-2693 named *Arbitrary file deletion and/or alteration on deploy* vulnerability.
>
> You guess wrong.
>
> > So my question is:
> > 1) They say that the affected versions are Tomcat 6.0.0-6.0.20. But I could do this with Tomcat 7.0.28 also. I checked for Tomcat 7 vulnerabilities and I could not find this (*Arbitrary file deletion and/or alteration on deploy*) in the list on the org.apache site.
>
> That is because Tomcat 7 is not vulnerable to that vulnerability.
>
> > a) Is the way I have tried to exploit that vulnerability correct?
>
> No, it is not correct.
>
> > Or is it something which can be considered normal behaviour?
>
> Yes, the behaviour you observe is normal, expected behaviour.
>
> > (attempting to try to delete a file from the home dir or from the web root dir while deploying a war file)
>
> That isn't what you are doing.
>
> > b) Does this vulnerability still exist in Tomcat 7.0.28?
>
> No.
>
> > I think so because I could delete a file from the home dir with Tomcat version 7.0.28 also,
>
> Your thinking is incorrect.
>
> > but I am not sure. Should this be reported to the security team of Tomcat?
>
> No. Please don't waste our time.
>
> Further, potential security vulnerabilities should not be discussed on a public mailing list. They should be reported privately to the security team. Fortunately no harm was done in this case since your supposed vulnerability was nothing of the sort. As someone claiming to be a security researcher you should be aware of that. That makes one question your claim to be a security researcher.
>
> > Ultimately I want to make sure that I have succeeded in exploiting a vulnerability of Tomcat. This is part of my research and there is no intention to harm others. :-)
>
> You need to re-read the description of CVE-2009-2693 on the Tomcat web site [1] and then try and exploit that rather than simply deleting a file.
>
> Unless you run under a security manager, a JSP is able to delete any file the user Tomcat is running under is able to delete.
>
> The fact that you do not understand the above adds further doubt to your claim to be a security researcher. Your previous message to this list (a security researcher who has not heard of Metasploit?) also casts serious doubt on your claims to be a security researcher.
>
> Mark
>
> [1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24

Thanks for pointing out about running Tomcat under a security manager.

And as you have mentioned research multiple times, let me be clear :-). I am not an expert in security research. I am doing my master's thesis and this is a part of it, so I said it was part of my research work. Before this I have not worked with Tomcat or any security-related things. So as a beginner it is obvious not to know about Metasploit or the security manager of Tomcat. ;-)

One does not need to be an expert at the thing before doing research about it. Knowing and learning about it is also a part of research.

Regards,
Richa