Experts warn of mass scans for Apache Tomcat Ghostcat flaw

Pierluigi Paganini March 03, 2020

Experts warn of ongoing scans for Apache Tomcat servers affected by the Ghostcat flaw that could allow attackers to take over servers.

Security experts are warning of ongoing scans for Apache Tomcat servers affected by the recently disclosed Ghostcat vulnerability CVE-2020-1938.

The flaw affects all versions of Apache Tomcat, it could be exploited by attackers to read configuration files or install backdoors on vulnerable servers.

The vulnerability affects the Tomcat AJP protocol and was discovered by the Chinese cybersecurity firm Chaitin Tech, it could potentially allow attackers to take over vulnerable servers.

During the weekend, Bad Packets researchers reported an ongoing mass scanning for this flaw.

The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server.

“Ghostcat is a serious vulnerability in Tomcat discovered by security researcher of Chaitin Tech. Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any files in the webapp directories of Tomcat.” states the website set up to describe the issue. “For example, An attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through Ghostcat vulnerability.”

Tomcat Connector allows Tomcat to connect to the outside, it enables Catalina to receive requests from the outside, pass them to the corresponding web application for processing, and return the response result of the request.

By default, Tomcat used two Connectors, the HTTP Connector and the AJP Connector, the latter listens on the server’s port 8009.

The Ghostcat vulnerability in the AJP that can be exploited to either read or write files to a Tomcat server, an attacker could trigger the flaw to access configuration files and steal passwords or API tokens. It can also allow attackers to write files to a server, including malware or web shells.

Tomcat versions affected by the Ghostcat vulnerability are:

  • Apache Tomcat 9.x < 9.0.31
  • Apache Tomcat 8.x < 8.5.51
  • Apache Tomcat 7.x < 7.0.100
  • Apache Tomcat 6.x

Security patches were already released for Tomcat 7.xTomcat 8.x, and Tomcat 9.x, Chaitin experts also released an update to their XRAY scanner to find vulnerable Tomcat servers.

Immediately after the public disclosure of the Ghostcat issue, several experts have shared proof-of-concept exploit scripts [12345] to GitHub.

Researchers at Chaitin Tech also released a tool that could be exploited to find Tomcat servers vulnerable to the Ghostcat flaw.

Querying Shodan for Tomcat servers exposed online, we can find over 900,000 installs, but only above versions are vulnerable.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ghostcat)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment