Security specialists are warning about ongoing scans for Apache Tomcat servers affected by the recently disclosed Ghostcat vulnerability, CVE-2020-1938.
The flaw affects all versions of Apache Tomcat; it can be exploited to read configuration files or to install backdoors on vulnerable servers.
The vulnerability lies in Tomcat's AJP protocol and was discovered by the Chinese security company Chaitin Tech; it can allow remote access to and control of the vulnerable machine.
Over the weekend, researchers at Bad Packets noticed a massive wave of attacks exploiting this flaw.
Mass scanning activity targeting this vulnerability has already begun. PATCH NOW! https://t.co/pmEiYd2Rbl
— Bad Packets Report (@bad_packets) February 29, 2020
“Ghostcat is a serious vulnerability in Tomcat discovered by security researcher of Chaitin Tech. Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any files in the webapp directories of Tomcat.” states the website set up to describe the issue. “For example, An attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through Ghostcat vulnerability.”
The Tomcat Connector lets Tomcat talk to the outside world: it allows the Catalina component to receive requests from external clients, hand them to the corresponding web application for processing, and return the result of the request.
By default, Tomcat uses two connectors, the HTTP Connector and the AJP Connector, the latter listening on port 8009 of the server.
The Ghostcat vulnerability in AJP can be exploited to read or write files on a Tomcat server.
The Tomcat versions affected by the Ghostcat vulnerability are:
- Apache Tomcat 9.x < 9.0.31
- Apache Tomcat 8.x < 8.5.51
- Apache Tomcat 7.x < 7.0.100
- Apache Tomcat 6.x
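As an added example (not code from the article, from Chaitin Tech, or from the Tomcat project), the following Python script lets an administrator triage their own inventory against the two facts stated above: it compares a Tomcat version string with the affected ranges listed, and it inspects a `server.xml` to see whether an AJP connector is actually enabled. The `server.xml` fragments are constructed for the example, and the function names (`is_vulnerable_version`, `ajp_connectors`, `assess`) are my own. Branches not in the list (for instance 10.x) are reported as not covered rather than guessed at.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, as listed in the article: a version below the
# fixed release of its branch is affected. Tomcat 6.x has no fixed release at all.
FIXED_RELEASE = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}


def parse_version(version):
    """Turn '9.0.30' into (9, 0, 30); reject anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(version):
    """True if the version is in the affected list, False if it is at or above
    the fixed release of its branch, None if the branch is not in the list."""
    parsed = parse_version(version)
    major = parsed[0]
    if major == 6:
        return True                      # every 6.x release is affected
    fixed = FIXED_RELEASE.get(major)
    if fixed is None:
        return None                      # branch not covered by the list above
    return parsed < fixed                # tuple comparison: (8, 0, 53) < (8, 5, 51)


def ajp_connectors(server_xml):
    """Return the AJP connectors that are enabled in a server.xml document.
    ElementTree discards XML comments, so a connector that was commented out
    (the usual way of disabling it) is correctly left out of the result."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        # A Connector without a protocol attribute is an HTTP connector.
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP/"):
            continue
        found.append({
            "port": int(conn.get("port", "0")),
            "address": conn.get("address", "<not set>"),
            "secretRequired": conn.get("secretRequired", "<not set>"),
        })
    return found


def assess(version, server_xml):
    """Combine both checks into a single triage verdict for one server."""
    affected = is_vulnerable_version(version)
    ajp = ajp_connectors(server_xml)
    if affected is None:
        action = "UNKNOWN_BRANCH"        # not in the list; consult the vendor advisory
    elif affected and ajp:
        action = "UPGRADE_NOW"           # affected version with AJP reachable
    elif affected:
        action = "UPGRADE"               # affected version, AJP currently disabled
    else:
        action = "OK_PATCHED"
    return {"version": version, "affected": affected, "ajp": ajp, "action": action}


# Constructed sample: a default-style configuration with the AJP connector enabled.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

# Constructed sample: the same file with the AJP connector commented out.
HARDENED_SERVER_XML = SAMPLE_SERVER_XML.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->',
)

if __name__ == "__main__":
    for ver, xml in [("9.0.30", SAMPLE_SERVER_XML), ("9.0.30", HARDENED_SERVER_XML),
                     ("8.5.51", SAMPLE_SERVER_XML), ("6.0.53", SAMPLE_SERVER_XML)]:
        print(assess(ver, xml))
```

Because the check parses the real configuration rather than grepping for the string `8009`, a connector that was disabled by commenting it out is not reported, while one moved to a different port still is.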
Security patches have already been released for Tomcat 7.x, Tomcat 8.x and Tomcat 9.x. Chaitin experts have also released an update to their XRAY scanner to find vulnerable Tomcat servers.
Immediately after the public disclosure of the Ghostcat issue, several experts shared proof-of-concept exploit scripts [1, 2, 3, 4, 5] on GitHub.
Researchers at Chaitin Tech also released a tool that can be used to find Tomcat servers vulnerable to the Ghostcat flaw.
Querying Shodan for Tomcat servers exposed online, we can find over 900,000 installs, but only the versions listed above are vulnerable.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.