    Example: Apache Tomcat Denial-of-Service Attacks

    In this example, we assume you have a Web Server running Apache Tomcat. Your security administrator notifies you that a vulnerability has just been announced for Apache Tomcat, and you decide to create a custom attack object to protect your network until you can schedule downtime to patch the server.

    The CVE advisory for the vulnerability (http://nvd.nist.gov/nvd.cfm?cvename=CAN-2002-0682) contains the following quotation:

    A cross-site scripting vulnerability in Apache Tomcat 4.0.3 allows 
    remote attackers to execute script as other web users via script in a URL with 
    the /servlet/ mapping, which does not filter the script when an exception is 
    thrown by the servlet.

    From this information, you know that the attack uses HTTP. Now you must locate the attack code. The advisory also includes references that link to more information about the attack. Unfortunately, none of the referenced Web pages contain exploit code. After searching the Web using the information you learned from the CVE advisory, you locate some exploit code at http://packetstormsecurity.nl/0210-exploits/neuter.c. Copy the script and move it to the attacker computer in your test lab.

    To develop this attack object:

    1. Reproduce the attack to determine the attack context, direction, and pattern. Ideally, use scio ccap and Wireshark concurrently so you have to run the attack only once. Figure 1 shows the packet capture in Wireshark.

      Figure 1: CAN2002 Packet Capture

    2. Discover the following elements of the attack signature:

      • Service. You know from the CVE advisory that the attack uses the HTTP protocol. Review the packet capture to confirm the protocol.
      • Context. Use scio ccap to determine whether you can match a particular service context. In this example, the signature pattern occurs in the service context HTTP URL Parsed.
      • Pattern. You know from the advisory that the attack is carried in an HTTP GET request. Select the frame that contains the GET method to view details for that section of the packet. You can quickly identify the signature pattern as examples/servlet/AUX.
      • Direction. Locate the source IP that initiated the session. Because this attack uses TCP, you can use the Follow TCP Stream option in Wireshark to quickly discover the source IP that initiated the session. The attack direction is client-to-server.
    3. Create an attack object to match the attack signature. This example uses the following regular expression to match the signature (the alternation is enclosed in parentheses so that every device name is required to follow /examples/servlet/):
       .*/examples/servlet/(AUX|LPT1|CON|PRN).*

      Figure 2 shows the Custom Attack – Attack Pattern page for this example.

      Figure 2: CAN-2002-0682 Attack Pattern


      In this expression:

      • The dot star combination (.*) matches any run of characters, that is, it acts as a wildcard.
      • The /examples/servlet/ section is taken directly from the packet capture.
      • The parentheses ( ) indicate a group of items, and the pipe character (|) indicates OR. These characters are often used together to indicate that an attack must include one item from the group. In this example, the attack must contain AUX, LPT1, CON, or PRN after the string /examples/servlet/.

        Notice that this example uses a group. The packet capture displays the signature pattern as /examples/servlet/AUX. AUX is a reserved Windows device name, and LPT1, CON, and PRN are reserved device names as well, so you have good reason to be on guard for attempts to request those devices through the same servlet path.

    4. Test the attack object.
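    As an added illustration of testing the pattern (this code is not from the Juniper documentation), the following Python script runs the signature over a few constructed request lines using Python's re module, taking the URL from the request line as a stand-in for the HTTP URL Parsed context. It shows why the parentheses matter and, going a step beyond the page, what a case-insensitive variant of the same pattern would additionally flag.

```python
import re

# Signature from the page, with the alternation grouped so that every
# device name must follow the /examples/servlet/ prefix.
GROUPED = re.compile(r".*/examples/servlet/(AUX|LPT1|CON|PRN).*")

# Same alternation without parentheses: "|" binds looser than
# concatenation, so LPT1, CON and PRN match anywhere in the URL.
UNGROUPED = re.compile(r".*/examples/servlet/AUX|LPT1|CON|PRN.*")

# Hardening variant (my addition, not on the page): Windows device names
# are case-insensitive, so match them regardless of case.
GROUPED_NOCASE = re.compile(GROUPED.pattern, re.IGNORECASE)


def parsed_url(request_line: str) -> str:
    """Return the URL of an HTTP request line; approximates the IDP
    'HTTP URL Parsed' context for this stand-alone test."""
    _method, url, _version = request_line.split(" ", 2)
    return url


def matches(pattern: re.Pattern, request_line: str) -> bool:
    """True if the signature fires on the request line's URL."""
    return pattern.search(parsed_url(request_line)) is not None


# Constructed sample request lines (not taken from the page's capture),
# labelled True when the request should trigger the attack object.
SAMPLES = {
    "GET /examples/servlet/AUX HTTP/1.0": True,
    "GET /examples/servlet/LPT1 HTTP/1.0": True,
    "GET /examples/servlet/aux HTTP/1.0": True,       # lowercase device name
    "GET /examples/servlet/HelloWorld HTTP/1.0": False,
    "GET /CONTACT/index.html HTTP/1.0": False,        # benign path containing CON
}


def false_positives(pattern: re.Pattern) -> list:
    """Benign sample requests the pattern wrongly flags."""
    return [line for line, bad in SAMPLES.items()
            if not bad and matches(pattern, line)]


def misses(pattern: re.Pattern) -> list:
    """Malicious sample requests the pattern fails to flag."""
    return [line for line, bad in SAMPLES.items()
            if bad and not matches(pattern, line)]


if __name__ == "__main__":
    for name, pat in (("ungrouped", UNGROUPED), ("grouped", GROUPED),
                      ("grouped, nocase", GROUPED_NOCASE)):
        print(name, "false positives:", false_positives(pat),
              "misses:", misses(pat))
```

    Running the script shows the ungrouped pattern firing on the benign /CONTACT/ path, the grouped pattern fixing that but skipping the lowercase device name, and the case-insensitive variant flagging all three malicious samples with no false positives.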

    Published: 2011-02-08