Prefix_code (byte) 0x02 = JK_AJP13_FORWARD_REQUEST The body format of such a message is as follows: AJP13_FORWARD_REQUEST := It is used to send, for instance, GET/POST messages. Too bad, such packets are processed only if they have been sent from the host where Tomcat is running.
Apache tomcat 9.0 31 code#
Types of packets that can be sent to Tomcat containerĪ packet with the code 0x7 (Shutdown) immediately attracts attention because it shuts the server down. Accordingly, any popular web server (Nginx, Apache, IIS, etc.) should be used as the front-end. Because this is a binary protocol, the browser cannot send requests to AJP13 directly. Modern Tomcat versions use AJP 1.3 (AJP13). The sessions are passed to the right servers by a special routing mechanism where each application server gets its own name. In other words, AJP is an optimized, more powerful, and highly scalable version of HTTP.ĪJP is normally used to balance the load when one or several external web servers (front-end) send requests to the application server(s). Reading arbitrary files on the serverĪpache JServ Protocol (AJP) is a binary protocol designed as a more efficient alternative to HTTP.
Apache tomcat 9.0 31 archive#
All versions are available in the archive section. By the way, if you don’t like Docker, you may download a version with ready-to-use binaries from the developer’s website. In addition to the web server, I need a sniffer, for instance, Wireshark. Proxying traffic to Tomcat via Apache over AJP If the attacker manages to upload a file to the server, the vulnerability can be used to remotely execute arbitrary code. A specially crafted request to the server allows to read the content of files that are inaccessible under normal circumstances. The Apache JServ Protocol (AJP) implementation allows to control attributes that form paths to the requested files.
The bug enables the attacker to read arbitrary files on the target system inside the appBase directory. The vulnerability was recognized critical even and received a name, Ghostcat, and a logo. The bug was discovered by a researcher at Chaitin Tech earlier this year. It is installed, either as an independent solution or a servlet container, in various application servers (e.g. Tomcat is a popular web server that is frequently used in the corporate environment. It is written in Java and implements such specifications as JavaServer Pages (JSP) and JavaServer Faces (JSF). Tomcat is an open-source servlet container. Most importantly, the attacker does not need any rights in the target system to exploit this vulnerability. The problem lies in the implementation of the AJP protocol used to communicate with a Tomcat server.
This article addresses a vulnerability in Apache Tomcat that enables the attacker to read files on the server and, under certain conditions, execute arbitrary code.
0 kommentar(er)
