Going to WAR on Tomcat with Laundanum

Weds 11th May 11

During a recent security test [1] I found a Tomcat server with default username and password, great I thought, easy shell. I fired up Metasploit, chose multi/http/tomcat_mgr_deploy, pointed it at the server and let it go. Bang, fail. I've never had this fail before so I checked my options and fired it off again, fail again. I checked the options again and the server and found it was a Linux x86_64 box but the 64 bit payload appeared to be broken. So I tried the generic payload, still nothing.

A shout on the Metasploit mailing list resulted in a quick answer of "It's broken and can't be fixed, I'm going to remove it", well a quick answer but not the one I was looking for, at least it stopped me wasting my time and continuing to bang my head against something that would never work.

So, I've got full access to the management console and can't get an easy shell, there was no way I was going to give up being so close. As part of the Metasploit list discussions someone suggested Laudanum by Secure Ideas (previously InGuardians). This is a selection of files that can be uploaded to web servers to give shells and other fun stuff.

To use Laudanum with Tomcat is fairly simple, take the cmd.war file from the jsp directory and upload it in the web console. If you are lucky the application is automatically deployed and appears in the list of applications, just look for the name cmd. The natural next step is to click on the cmd link but if you do you get a page titled "HTTP Status 404 - /cmd/". I cursed at this for a while, even closer and still no shell! Looking at the source that comes with the war file there is no index.jsp but there is a cmd.jsp so I added that to the end of the URL and bang, there on screen was a nice text box asking me to enter a command. A quick ls and directory listing on screen and I was doing the happy root dance.

Not happy to leave it at that I decided to have a play with Tomcat in my lab when I got home and came across a few issues that need mentioning as they are potential show stoppers on a test. The first is getting an Apache 404 page, this is noticeably different to the Tomcat 404 page. If you get this then I believe it is because Tomcat isn't set to automatically deploy new applications, there is an XML file behind the scenes that needs modifying to enable this. If you get this error then tough, this path of attack won't work.

Another error is a 500 error which in the "root cause" section mentions:

java.security.AccessControlException: access denied (java.io.FilePermission <<ALL FILES>> execute)

This means that the server has been set to disallow system commands, this is another shell fail. This setting became standard from Tomcat version 5.5.25.

A last one is that on Windows machines you need to prefix your commands with:

cmd.exe /c

Otherwise you get errors about command not found or something similar, I don't have the Windows setup in my lab so can't give the exact message.

This is the first time I've had to go beyond simply exploiting Tomcat with the standard Metasploit module and I'm glad I did because I now understand a lot more about Tomcat and it gave me the idea for a new tool that may or may not be appearing soon depending on workload.

Lab It Up

If you want to have a go with Laudanum in your lab then Turnkey do a pair of pre-built Tomcat servers, one just Tomcat and the other Tomcat on Apache. The versions available when I downloaded them are both configured to prevent shells from working. The Apache based one doesn't auto-deploy and the Tomcat one has command execution protection enabled. I suggest getting both just to see the different errors but if you want to get things working and see the shell then grab the Tomcat one and create the file /etc/tomcat5.5/policy.d/99hack.policy with the following content:

grant {
    permission java.security.AllPermission;
};

Then restart Tomcat.

If you want to manually deploy the shell on the Apache based server then you need to edit /etc/tomcat5.5/mod_jk.conf and add the following lines:

JkMount /cmd	ajp13_worker
JkMount /cmd/*	ajp13_worker

Then restart Tomcat and Apache.

Conclusion

So, whats the point of all this? First, if Metasploit fails then don't assume complete failure and move on, I'm sure there are plenty of shells that get missed because of this. If you've got time do some research and ask some questions and you may still get that shell. Second, give Laudanum a go. Granted its shell isn't as good as a Meterpreter shell but sometimes simplicity is all you need and if you are a coder then it gives you a good base to create your own super shell from.

If anyone wants to pick me up on any mistakes in here then please get in touch. All that is here has come from Google and experimentation, if there are better ways to do things or ways around either of the errors then I'd be more than happy to know.

[1] Actually it was probably six months ago but I wrote most of this article then got distracted with other things and it has been sat waiting to be finsihed since then.