Tomcat Apache Information Dumps - Hack the Garbage.


AKS aka 0kn0ck , CERA

Note: For Education Purposes Only!



The web is a platform for launching a number of attacks in different environments. It is not easy to directly trigger a pattern of insecurity and exploit dynamic entities. The web itself holds a tremendous amount of information, and this information should be managed and handled in the right way. Again, administration is the big problem. While pen testing Apache Tomcat, it is often found that security has been implemented in the worst way. Most of the time, weak passwords, poorly generated modules and misconfigurations lead to control of the server.

Note: 50% of Apache Tomcat servers can be hacked easily if security is neglected.

A random check on the web produces the dumps of tomcat-users.xml files stated below. It sometimes looks strange and insecure, and it proves the fact that administration leads to insecurity. Another reason can be that the administrator does not understand the actual security parameters of the particular object concerned. This time it is Apache Tomcat. It has always been a threat that the username and password are present in the XML file. One step further, they are present in clear text. We will look into two cases related to this factor.

1. http://www.opensource.apache.com

2. http://www.opensource.adobe.com


So let's see:

Check 1
<tomcat-users>
<role rolename="Editeerder"/>
<role rolename="Consulterend Gebruiker"/>
<role rolename="Beheerder"/>
<role rolename="Goedkeurder"/>
<role rolename="tomcat"/>
<user username="gast" password="gast" roles="Consulterend Gebruiker"/>
<user username="editeerder" password="editeerder" roles="Consulterend Gebruiker,Editeerder"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="gegis" password="gegispass" roles="Consulterend Gebruiker,Editeerder,Goedkeurder,Beheerder"/>
<user username="guest" password="guest" roles="Consulterend Gebruiker"/>
</tomcat-users>

Check 2
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="demo.owner"/>
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager"/>
<role rolename="demo.user"/>
<role rolename="demo.alerts"/>
<role rolename="demo.contentadmin"/>
<role rolename="admin"/>
<role rolename="demo.admin"/>
<user username="caluser2" password="uwcal" roles="demo.user"/>
<user username="calcontent" password="uwcal" roles="demo.contentadmin"/>
<user username="caluser" password="uwcal" roles="demo.user"/>
<user username="caluser1" password="uwcal" roles="demo.user"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="caladmin" password="uwcal" roles="demo.admin"/>
<user username="calowner" password="uwcal" roles="demo.owner"/>
<user username="calowner2" password="uwcal" roles="demo.owner"/>
<user username="calowner3" password="uwcal" roles="demo.owner"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="caluser3" password="uwcal" roles="demo.user"/>
<user username="manager" password="VuRyser2" roles="admin,manager"/>
</tomcat-users>

Check 3
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
</tomcat-users>

Check 4
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="admin" password="admin" roles="admin,manager"/>
</tomcat-users>

Check 5
<tomcat-users>
<role rolename="provider"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="root" password="" fullName="sys admin" roles="admin,manager,provider"/>
</tomcat-users>

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
</tomcat-users>

<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat,manager"/>
<user name="role1" password="tomcat" roles="role1"/>
<user name="both" password="tomcat" roles="tomcat,role1"/>
</tomcat-users>

This is actually the result of the incessant dumps that are present on servers. But it is really a good way of finding related passwords. In the next step, this information is used for further attacks on the web server itself.

http://www.opensource.apache.com

<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="admin"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="admin" password="apple" roles="admin"/>
</tomcat-users>

http://www.opensource.adobe.com

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
-->
</tomcat-users>

So this is what we get from garbage dumps. So let's hack through web garbage.
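
An added example (not part of the original post): a small Python audit that a Tomcat administrator can run over their own tomcat-users.xml to flag the patterns visible in the dumps above, namely empty passwords, passwords equal to the username, and common defaults, and to mark which of those accounts hold the manager or admin role. The sample file, the wordlist, the "viewer" role and the 12-character minimum are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the dumps above (not a real server's file).
SAMPLE = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <!-- <user username="role1" password="tomcat" roles="role1"/> -->
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="root" password="" roles="admin,manager"/>
  <user username="guest" password="guest" roles="viewer"/>
  <user name="deploy" password="s3cret" roles="manager"/>
  <user username="ops" password="kT9#vq2LwzX8rB4m" roles="admin"/>
</tomcat-users>"""

PRIVILEGED = {"manager", "admin"}  # roles that appear in the dumps above
COMMON = {"tomcat", "admin", "password", "s3cret", "changeit"}  # assumed wordlist
MIN_LEN = 12  # assumed local password policy


def audit_tomcat_users(xml_text):
    """Return (username, is_privileged, findings) for each weak active user."""
    # ElementTree drops XML comments, so commented-out sample users
    # (as in the last dump above) are not reported as active accounts.
    root = ET.fromstring(xml_text)
    report = []
    for user in root.iter("user"):
        # Both username= and the older name= attribute occur in the dumps.
        name = user.get("username") or user.get("name") or ""
        pw = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        findings = []
        if pw == "":
            findings.append("empty password")
        elif pw.lower() == name.lower():
            findings.append("password equals username")
        elif pw.lower() in COMMON:
            findings.append("common/default password")
        elif len(pw) < MIN_LEN:
            findings.append("short password")
        if findings:
            report.append((name, bool(roles & PRIVILEGED), findings))
    return report


if __name__ == "__main__":
    for name, privileged, findings in audit_tomcat_users(SAMPLE):
        print(name, "PRIVILEGED" if privileged else "-", ", ".join(findings))
```

Every entry it reads is still a clear-text password on disk, so a clean report only means the passwords are not trivially guessable, not that the file is safe to expose.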