

GhostCat Vulnerability Scanner (CVE-2020-1938)

Detect Apache Tomcat servers vulnerable to GhostCat due to unsecure AJP Connector


Sample Report

Here is a GhostCat Vulnerability Scanner (CVE-2020-1938) sample report:

  • Shows the full contents of the file read from the server
  • Includes detailed risk description and vulnerability information
  • Provides recommendations for fixing the issue


GhostCat Vulnerability Scanner (CVE-2020-1938) - Use Cases

This is a specialized scanner which detects vulnerable Apache Tomcat servers, affected by the GhostCat vulnerability (CVE-2020-1938). The tool attempts to read a common file (WEB-INF/web.xml) from the web root of the server via the AJP Connector. The AJP port (usually 8009) needs to be open for this test to work properly.

Technical Details


About

Apache Tomcat is a very popular Java servlet container. Versions 6.x, <= 7.0.99, <= 8.5.50 and <= 9.0.30 of this software are affected by an Arbitrary File Read / Inclusion vulnerability which allows an attacker to read any file from the web root folder (webapps) or to include it so that it is executed.

The Ghostcat vulnerability is present in the Apache JServ Protocol (AJP), which is used by the AJP Connector of Tomcat to talk to external entities (e.g. the web server). The AJP Connector is enabled by default in Tomcat and usually listens on TCP port 8009. However, this port should not be publicly accessible because it is meant to be used only by the web server (e.g. Apache HTTPD) when it needs to communicate with Apache Tomcat.
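As an added defender-side example (not part of this page or of the scanner itself), the following Python audits a Tomcat server.xml for AJP connectors that are reachable beyond loopback or have no shared secret, and checks a version string against the affected ranges listed above. The server.xml content is constructed; `address`, `secret` and `secretRequired` are Tomcat's own connector attributes (the latter two were introduced with the fixed releases).

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one exposed AJP connector (8009) and one
# hardened connector (8010) bound to loopback with a shared secret.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"/>
  </Service>
</Server>"""

# Affected ranges exactly as stated in the text: 6.x, <= 7.0.99, <= 8.5.50, <= 9.0.30.
LAST_AFFECTED = {7: (7, 0, 99), 8: (8, 5, 50), 9: (9, 0, 30)}


def is_affected_version(version: str) -> bool:
    """True if a Tomcat version string such as '9.0.30' falls in an affected range."""
    major, minor, patch = (int(p) for p in version.strip().split(".")[:3])
    if major == 6:
        return True
    last = LAST_AFFECTED.get(major)
    return last is not None and (major, minor, patch) <= last


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector listing why it is exposed (empty list = hardened)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue
        # Tomcat <= 9.0.30 binds the AJP connector to all interfaces when no address is set.
        address = conn.get("address", "0.0.0.0")
        loopback = address in ("127.0.0.1", "::1", "localhost")
        has_secret = bool(conn.get("secret")) and conn.get("secretRequired", "true").lower() != "false"
        issues = []
        if not loopback:
            issues.append(f"listens on {address}:{conn.get('port')} (not loopback)")
        if not has_secret:
            issues.append("no AJP shared secret configured")
        findings.append({"port": int(conn.get("port")), "issues": issues})
    return findings


if __name__ == "__main__":
    print("9.0.30 affected:", is_affected_version("9.0.30"))
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Connectors reported with an empty issue list are the ones that match the hardened defaults shipped with the fixed Tomcat releases; anything else is a candidate for exposure regardless of version.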

There are several public exploits which prove the vulnerability by reading the common WEB-INF/web.xml file, but other interesting files can be read as well, depending on the application. When choosing which file to read, one should know the typical directory structure of a Tomcat installation, where multiple servlets (web applications) can be run by the same server and all of their files can be accessed with Ghostcat.

Figure: Tomcat deployment files


Parameters

  • Target host: The hostname or IP address of the target server
  • Target port: The AJP port to connect to (default: 8009)
  • File to read: The relative path of the file to read from the server (default: WEB-INF/web.xml)


How it works

The Ghostcat scanner first opens a TCP connection to the specified AJP port (default 8009) and then speaks the AJP protocol with the server.

AJP is a binary protocol used for communication between the web server (e.g. Apache HTTPD) and the application server (Apache Tomcat). Our scanner creates and sends an AJP Forward Request to the server, setting the custom attribute javax.servlet.include.path_info to the path of the file that we want to read from the server.

Vulnerable servers respond with the contents of the requested file if it exists on the file system. If the file does not exist on the server, a message similar to the one below is returned instead (the server is still vulnerable in this case):
<html>
    <head>
        <title>Apache Tomcat/5.5.23 - Error report</title>
        <style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}-->
        </style>
    </head>
    <body>
        <h1>HTTP Status 404 - /</h1>
        <HR size="1" noshade="noshade">
        <p><b>type</b> Status report</p>
        <p><b>message</b> <u>/</u></p>
        <p><b>description</b> <u>The requested resource (/) is not available.</u></p>
        <HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.23</h3>
    </body>
</html>