Welcome to our Pentest Files blog series.
Each blog post will present an interesting or dangerous finding one of our testers has identified in an actual recent pen-test, so you can see the kinds of cool things our pen-testers get up to, and also to help you take steps to prevent similar vulnerabilities in your own assets.
These findings are taken from real reports, anonymised, and published with kind permission from our clients.
Tester: Adam
Vertical: Regulatory Technology
Impact: Critical
What Happened?
Adam found the Tomcat Host Manager on a remote server running with its default credentials. A management interface left on default credentials commonly lets an attacker deploy content of their choosing, and therefore run code, on the server.
Some Background
Remote Code Execution (RCE) vulnerabilities are often caused by handling user input unsafely, so that attacker-supplied data ends up executed as commands on the affected endpoint. Typical routes are SQL injection, passing user input into dangerous functions such as system() in PHP, or memory-corruption exploits.
The finding discussed here was not an RCE caused by unsafe input. It was a common misconfiguration: a management interface reachable with default credentials, which gives the attacker the deployment feature as a legitimate user. Once an attacker has RCE by either route, they can establish Command & Control (C2) over the endpoint and then act on their objectives.
Tomcat ships with two management web applications. The Manager App deploys, starts, stops and undeploys web applications within a virtual host, and also shows the server's status and configuration along with that of its applications. The Host Manager is the companion application for creating and removing the virtual hosts themselves. Both are protected only by the users and roles defined in tomcat-users.xml, so whoever holds those credentials holds the deployment capability.
The Finding
During web application testing, Adam found that the Tomcat Host Manager accepted the default credentials “admin” / “admin” as username and password. This is a serious risk for the client, because it allows an attacker to log in and manage the virtual hosts within Tomcat, and by deploying a new application an attacker can execute arbitrary code on the server.
The Tomcat Manager application itself could not be reached with these credentials, because the Manager App is restricted to localhost by default and the client had left that restriction in place. That was a positive find: the most common attack path had been closed off. The Host Manager, however, was still reachable, and Adam achieved RCE by deploying a malicious virtual host (VHOST) through it, a less obvious route to the same outcome.
With this level of RCE, an attacker would have almost full control over the server.
With RCE, an attacker may aim to:
- Exfiltrate data from the host, including files, keystrokes and more.
- Cause a Denial of Service (DoS) by disrupting the operation of running services or the OS itself.
- Attempt privilege escalation if necessary.
- Attempt to pivot to other network resources.
- Conduct a crypto mining operation using your resources.
- Install ransomware to deny you access to your data.
The Fix
The fix for this one is straightforward for the client. Change the Tomcat management credentials to something strong and unique, and make sure the Host Manager (and the Manager App) are not reachable externally; an externally exposed portal also risks the credentials being recovered by brute force. If virtual hosts are never managed at runtime, remove the host-manager application altogether rather than protecting it. More generally, never leave default credentials on any part of an application: attackers actively hunt for these services, and a compromise can cause serious reputational and financial loss.
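As an added example (not code from the original post or from the tester), the script below audits the two configuration points behind this finding: tomcat-users.xml for default or short passwords on accounts holding Manager/Host Manager roles, and the application's META-INF/context.xml for a RemoteAddrValve that only admits loopback clients. The XML samples are constructed for the example; the deploy-ci user, its password, the 16-character threshold and the credential list beyond admin/admin are assumptions, and the loopback allow pattern in the hardened sample is the one Tomcat ships for its manager applications. It runs offline with the standard library.

```python
"""Audit Tomcat management config for default credentials and remote exposure."""
import re
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager and Host Manager apps.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}

# Credential pairs that must never be live. admin/admin is the pair from this
# finding; the rest are commonly seen example pairs (assumption: extend to taste).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("tomcat", "tomcat"),
                       ("tomcat", "s3cret"), ("both", "tomcat"), ("role1", "tomcat")}

MIN_PASSWORD_LENGTH = 16  # assumption: a local policy threshold, not a Tomcat setting

# Constructed sample: the weak configuration from the finding.
WEAK_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="admin-gui,manager-gui"/>
</tomcat-users>
"""

# Constructed sample: one dedicated deployment account, script role only, long password.
HARDENED_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="deploy-ci" password="Vq7!pR2#nL9$wK4@zX8%" roles="manager-script"/>
</tomcat-users>
"""

# Constructed sample: a valve that has been opened to the world.
EXPOSED_CONTEXT = """<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow=".*"/>
</Context>
"""

# Tomcat's shipped loopback-only valve for manager and host-manager.
LOOPBACK_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""


def _local(tag):
    """Strip the XML namespace that tomcat-users.xml puts on its elements."""
    return tag.rsplit("}", 1)[-1]


def audit_users(tomcat_users_xml):
    """Return one finding per user whose weak credentials carry a management role."""
    findings = []
    for el in ET.fromstring(tomcat_users_xml).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")  # digested passwords are long and pass the length check
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if not privileged:
            continue  # without a manager/admin role the account cannot reach these apps
        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials {name}:{password or '<empty>'} hold {sorted(privileged)}")
        elif len(password) < MIN_PASSWORD_LENGTH:
            findings.append(f"user {name} has a {len(password)}-char password and holds {sorted(privileged)}")
    return findings


def _allows_remote(allow_patterns, probe="203.0.113.10"):
    """True if any allow regex full-matches a non-loopback address (TEST-NET-3 probe).
    Tomcat uses Java regex with matches(); Python's fullmatch is equivalent for these patterns."""
    return any(re.fullmatch(p, probe) for p in allow_patterns)


def audit_context(context_xml):
    """Check a manager app's META-INF/context.xml for a loopback-only RemoteAddrValve."""
    root = ET.fromstring(context_xml)
    valves = [v for v in root.iter("Valve") if v.get("className", "").endswith(".RemoteAddrValve")]
    if not valves:
        return ["no RemoteAddrValve: the app answers to any source address"]
    findings = []
    for v in valves:
        if v.get("allow") is None:
            findings.append("RemoteAddrValve has no allow list; behaviour depends on deny, review manually")
            continue
        allow = [p.strip() for p in v.get("allow").split(",") if p.strip()]
        if _allows_remote(allow):
            findings.append(f"RemoteAddrValve allow list {allow} admits non-loopback clients")
    return findings


if __name__ == "__main__":
    for label, users, ctx in (("weak", WEAK_USERS, EXPOSED_CONTEXT),
                              ("hardened", HARDENED_USERS, LOOPBACK_CONTEXT)):
        print(label, audit_users(users) + audit_context(ctx) or "no findings")
```

Point the two audit functions at $CATALINA_BASE/conf/tomcat-users.xml and at webapps/host-manager/META-INF/context.xml (and the manager equivalent) to check a real install; a deployment that fronts Tomcat with a reverse proxy should additionally be checked at the proxy, since the valve only sees the address the connector presents to it.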
Bedtime Reading
https://attack.mitre.org/techniques/T0812/
https://tomcat.apache.org/tomcat-9.0-doc/html-host-manager-howto.html
Want to check for yourself if your application is free from this kind of vulnerability? Why not get a quote or contact us to set up a pentest.