
Timeout error when using "read_file" functionality

Status: Open. ggrpmnn opened this issue 4 years ago, 4 comments.

Hey there!

I ran across this lib while looking for ways to check for the recent "Ghostcat" CVE. When trying to use the code (both as a lib and using the standalone tomcat.py script) to check for the vuln on a testing host, I encounter timeouts when waiting on a socket. Here's the stack trace I get when running tomcat.py.

sh-3.2# python tomcat.py version <VULNERABLE HOSTNAME>
Apache Tomcat/8.5.32
sh-3.2# python tomcat.py read_file --webapp=manager /WEB-INF/web.xml <VULNERABLE HOSTNAME>
Traceback (most recent call last):
  File "tomcat.py", line 377, in <module>
    hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
  File "tomcat.py", line 153, in perform_request
    responses = self.forward_request.send_and_receive(self.socket, self.stream)
  File "/.../AJPy/ajpy/ajp.py", line 274, in send_and_receive
    r = AjpResponse.receive(stream)
  File "/.../AJPy/ajpy/ajp.py", line 380, in receive
    r.parse(stream)
  File "/.../AJPy/ajpy/ajp.py", line 337, in parse
    self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
  File "/.../AJPy/ajpy/ajp.py", line 44, in unpack
    buf = stream.read(size)
  File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
TimeoutError: [Errno 60] Operation timed out

As you can see, I can get the server version correctly from the first call, so there's no issue with connectivity to the host. I'm on macOS using Python version 3.7.6 (installed via Homebrew). Any insight into what's up would be helpful.

ggrpmnn, Mar 03 '20 17:03

Hi there, thank you for reporting this issue.

If you look at the network traffic using Wireshark for instance, do you see a response from the server on this request?

Maybe the server is slow to respond and the default timeout is not enough but you will see in Wireshark if that's the case.

hypn0s, Mar 03 '20 17:03
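One way to do what hypn0s suggests (send a request, wait longer than the default, and see whether any AJP packet comes back at all) without relying on the library's own timeout handling is a small stand-alone AJP13 client. The following is an added example for this thread, not AJPy's code and not the tomcat.py script; the host name, port 8009, the 30-second timeout and the `attributes` parameter are assumptions, the `SAMPLE_RESPONSE` bytes are constructed rather than captured, and no Ghostcat-specific request attribute names are hard-coded. It frames a FORWARD_REQUEST the way the stack trace's `unpack(stream, ">HHb")` expects the reply to be framed (magic, length, prefix code) and reports one of three outcomes, `ok`, `closed` or `timeout`, instead of a bare traceback.

```python
import io
import socket
import struct

# AJP13 prefix codes: FORWARD_REQUEST goes client -> container (magic 0x1234),
# the others come back container -> client (magic "AB").
FORWARD_REQUEST = 2
SEND_BODY_CHUNK = 3
SEND_HEADERS = 4
END_RESPONSE = 5
METHOD_GET = 2


def ajp_string(s):
    """AJP13 string: 2-byte big-endian length, the bytes, a NUL. None encodes as 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def packet(magic, payload):
    """Frame a payload: magic, 2-byte payload length, payload (the length excludes this 4-byte header)."""
    return magic + struct.pack(">H", len(payload)) + payload


def build_forward_request(host, port, uri, attributes=()):
    """GET FORWARD_REQUEST for `uri`. `attributes` are (name, value) pairs sent as
    req_attribute (code 0x0A); which names to send is up to the caller (assumption: none by default)."""
    body = bytes([FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("127.0.0.1") + ajp_string(None)             # remote_addr, remote_host
    body += ajp_string(host) + struct.pack(">H", port) + b"\x00"   # server_name, server_port, is_ssl
    body += struct.pack(">H", 1) + b"\xa0\x0b" + ajp_string(host)  # num_headers=1: Host (coded 0xA00B)
    for name, value in attributes:
        body += b"\x0a" + ajp_string(name) + ajp_string(value)
    body += b"\xff"                                                # request terminator
    return packet(b"\x12\x34", body)


def read_exact(stream, n):
    """Read exactly n bytes. Raises EOFError if the peer closes early; a socket timeout propagates."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError
        buf += chunk
    return buf


def read_packet(stream):
    """Parse one container packet: magic 'AB', length, prefix code, then the prefix-specific payload."""
    magic, length, prefix = struct.unpack(">2sHB", read_exact(stream, 5))
    if magic != b"AB":
        raise ValueError("bad AJP magic %r" % magic)
    payload = read_exact(stream, length - 1)
    if prefix == SEND_HEADERS:
        return "headers", struct.unpack(">H", payload[:2])[0]     # HTTP status code
    if prefix == SEND_BODY_CHUNK:
        size = struct.unpack(">H", payload[:2])[0]
        return "body", payload[2:2 + size]
    if prefix == END_RESPONSE:
        return "end", bool(payload[0])                            # reuse flag
    return "other", prefix


def read_response(stream):
    """Collect packets until END_RESPONSE. Returns (outcome, status, body); outcome is 'ok' or
    'closed' (peer hung up before END_RESPONSE). A timeout is left for the caller to handle."""
    status, body = None, b""
    try:
        while True:
            kind, value = read_packet(stream)
            if kind == "headers":
                status = value
            elif kind == "body":
                body += value
            elif kind == "end":
                return "ok", status, body
    except EOFError:
        return "closed", status, body


def read_response_bytes(data):
    """Same as read_response, over an in-memory byte string (used for offline checks)."""
    return read_response(io.BytesIO(data))


def ajp_get(host, port, uri, attributes=(), timeout=30.0):
    """One request over a fresh connection; returns ('timeout', None, b'') when no complete
    response arrives within `timeout` seconds instead of raising from deep inside the reader."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_forward_request(host, port, uri, attributes))
        try:
            return read_response(sock.makefile("rb"))
        except socket.timeout:
            return "timeout", None, b""


# Constructed sample of a container reply (not a real capture): 200 OK with one header,
# a 5-byte body chunk (Tomcat appends a trailing NUL to chunks), then END_RESPONSE.
SAMPLE_RESPONSE = (
    packet(b"AB", bytes([SEND_HEADERS]) + struct.pack(">H", 200) + ajp_string("OK")
           + struct.pack(">H", 1) + b"\xa0\x01" + ajp_string("text/plain"))
    + packet(b"AB", bytes([SEND_BODY_CHUNK]) + struct.pack(">H", 5) + b"hello" + b"\x00")
    + packet(b"AB", bytes([END_RESPONSE, 1]))
)

if __name__ == "__main__":
    import sys
    # usage: python ajp_probe.py <host> [timeout-seconds]   (port 8009 assumed)
    wait = float(sys.argv[2]) if len(sys.argv) > 2 else 30.0
    print(ajp_get(sys.argv[1], 8009, "/", timeout=wait))
```

Run it against the same host with a generous timeout and compare the outcome with the capture: a `closed` result means the container answered at the TCP level and then dropped the connection, while `timeout` means nothing came back; if the capture shows the client retransmitting the request segment, the request payload is never being acknowledged, so raising the timeout only delays the same error.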

Hi, I just checked the sequence via Wireshark as requested. It looks like the TCP handshake completes, but then it looks like it tries to redeliver the initial AJP request until it hits the timeout:

[Wireshark capture screenshot]

ggrpmnn, Mar 04 '20 00:03

Hmmm I cannot reproduce with this version of Tomcat.

Can you try to read the web.xml of the root (without the webapp parameter)?

$ python tomcat.py read_file /WEB-INF/web.xml <VULNERABLE HOSTNAME>

hypn0s, Mar 04 '20 15:03

Same stack trace:

python tomcat.py read_file /WEB-INF/web.xml <VULNERABLE HOSTNAME>
Traceback (most recent call last):
  File "tomcat.py", line 377, in <module>
    hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
  File "tomcat.py", line 153, in perform_request
    responses = self.forward_request.send_and_receive(self.socket, self.stream)
  File "/.../AJPy/ajpy/ajp.py", line 274, in send_and_receive
    r = AjpResponse.receive(stream)
  File "/.../AJPy/ajpy/ajp.py", line 380, in receive
    r.parse(stream)
  File "/.../AJPy/ajpy/ajp.py", line 337, in parse
    self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
  File "/.../AJPy/ajpy/ajp.py", line 44, in unpack
    buf = stream.read(size)
  File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
TimeoutError: [Errno 60] Operation timed out

ggrpmnn, Mar 04 '20 17:03