Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Apache Tomcat penetration test

from [Danux] Network Security [Permanent Link]
Subject: Re: Apache Tomcat penetration test
Date: Fri, 17 Nov 2006 17:17:23 -0600 
Well,

In my Experience, the main vulnerabilities will be found on the code
(JSP, Servlets, so on) instead of architecture (Tomcat itself).

Although Tomcat did provide a good deal of security, it still fails
due to the following method:
1.      After installation, Tomcat Runs As a System Service.
2.      If it is not run as a system service, by default all Web server
administrators run Tomcat As Administrator.
These two things allow Java Run Time to access any files in any
directory of any Windows machine. By default, Java Run Time takes the
security privileges according to the user that is running the Java Run
Time. When Tomcat is run by an administrator or as a System Service,
Java Run Time gets all the rights that the System User has or
Administrator has. In that manner, Java Run Time gets the complete
rights to all files in all directories. And, Servlets (JSP converted
to Servlets) gets the same previlleges. So, the Java code can call
File API in Java SDK to list all files in the directory, delete any
file, and also the greatest risk is to RUN a program with system
privileges. When any Servlet has code like this:

Runtime rt = Runtime.getRuntime();
rt.exec("c:\\SomeDirectory\\SomeUnsafeProgram.exe")
this is the greatest risk, and it's unknown to many people.

Hope this helps


On 11/17/06, a007 <a007@ixi.ru> wrote: 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

I am looking for the way to penetrate Apache Tomcat server. Does anybody
know useful link on this? There is not much information on Web.

I need to analyze Apache Tomcat Apache Tomcat/5.5.17 server. After URI
manipulation I've found some server debug messages like this:

HTTP Status 500 - java.lang.NoSuchMethodException:
partners.service.PartnersService.getLink(javax.servlet.http.HttpServletRequest)
at java.lang.Class.getMethod(Class.java:1581) at
web.AjaxService.doGet(AjaxService.java:80) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:689) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)

Thanks in advance,

a007
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFXVxXMoMPiPgGoAcRAqv4AJ9OyDznLWS4lNLkinyVo2pmpQDkvQCfX88z
+hDZNLvvi9qDA8k5el4Xwns=
=C/+x
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------




--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IDS Assessments....and the I{D|P}S evasion research project, Eric Hacker
Next by Date:  Apache Tomcat 5.5.9 pen-test questions., rlvi_2001
Previous by Thread:  Apache Tomcat penetration test, a007
Next by Thread:  Re: Apache Tomcat penetration test, R. DuFresne
Indexes:  [Date] [Thread] [Top] [All Lists]