The tool is only used for security research. It is prohibited to use the tool to launch illegal attacks, and the user is responsible for the consequences
Introduce: Apache Tomcat JMXProxy RCE
I reported this to Apache Tomcat as soon as I found the vulnerability, But Apache Tomcat Security Team does not consider this a security vulnerability, so it is open.
I understand that this is not a security issue for which Tomcat is responsible, but there are high security risks.
The vulnerability is based on
Tomcat and similar to Spring4Shell.
Tomcat provides JMX monitoring related functions. However, basic authentication is required to access it, so it is difficult to exploit it in general.
Vulnerability is difficult to exploit directly and require high preconditions, but the third-party JMX management platform can bypass basic authentication, then RCE easily. If the JMX management platform can be accessed anonymously or has an unauthorized access vulnerability, it can be bypassed.
- Apache Tomcat All Versions
- with JDK All Versions
- SpringBoot FarJar is not affected
Exploit Condition 1
- target must open jmxproxy manager
- hacker can access jmxproxy
Exploit Condition 2
- target must have JMX management platform (
- hacker can access the platform
Exploit Condition 3
- target must open jmxproxy
- based on csrf vulnerability
<user username="admin" password="123456" roles="manager-jmx"/>
# target ip host=127.0.0.1 # target port port=8080 # target tomcat jmxproxy username username=admin # target tomcat jmxproxy password password=123456 # execute command cmd=calc.exe
If the JMX Management Platform (
MX4J and others) can be accessed without authorization, directly modify
AccessLogValve MBean attributes to perform RCE attack
CSRF+RCE / XSS+CSRF+RCE
In Apache Tomcat Document:
“The HTML interface is protected against CSRF (Cross-Site Request Forgery) attacks, but the text and JMX interfaces cannot be protected.”
So we can exploit with CSRF / XSS+CSRF
The RCE is a github repository by 4ra1n