Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http-default-accounts-fingerprints: Tomcat, add support for host-manager #1755

Closed
wants to merge 2 commits into from
Closed

Conversation

cnotin
Copy link

@cnotin cnotin commented Sep 23, 2019

Tomcat has two common management applications: "manager" and "host-manager".
Host manager is at "/host-manager/html" and with the "Tomcat Host Manager Application" realm.
See:
https://github.com/apache/tomcat/blob/3e5ce3108e2684bc25013d9a84a7966a6dcd6e14/webapps/manager/WEB-INF/web.xml#L153
https://github.com/apache/tomcat/blob/3e5ce3108e2684bc25013d9a84a7966a6dcd6e14/webapps/host-manager/WEB-INF/web.xml#L99

Copy link

@nnposter nnposter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is definitely a valid enhancement.

This implementation might work in most instances but there is a fundamental weakness in that you are really trying to leverage the same fingerprint for two different applications that do not inherently share the same authorization base.

As an example, imagine that a Tomcat instance has user mymanager in role manager-gui and also user myadmin in role admin-gui and let's assume that these are hypothetically Tomcat default accounts.

  1. According to your code, the script will first probe path /manager/html/ and finds user mymanager.
  2. It will flag this path as correct for this Tomcat instance.
  3. It will not find user myadmin on path /manager/html/ because it does not have the appropriate role.
  4. The script finishes the testing of default users in the fingerprint, never proceeding to probe the rest of the paths, hence never finding myadmin.

A better approach might be to split the fingerprint into two, which is what I have in my NNDefaccts fingerprint set:

  1. The script will first test the fingerprint for Manager against path /manager/html/ and finds user mymanager.
  2. It flags this path as correct for this Tomcat Manager instance.
  3. It will not test for user myadmin on path /manager/html/ because it is not part of this fingerprint (and even if it were, it still lacks the appropriate role).
  4. The script finishes the testing of default users in the fingerprint, never proceeding to probe the rest of the paths.
  5. The script then moves onto the fingerprint for Host Manager.
  6. It finds user myadmin on path /host-manager/html/.
  7. It flags this path as correct for this Tomcat Host Manager instance.
  8. The script finishes the testing of the fingerprint for Host Manager.

@cnotin
Copy link
Author

cnotin commented Dec 1, 2019

Thanks for the detailed feedback. Indeed it's better this way!
I see that you made it that way in your repo, do you intend to change it here too, or how do you suggest we proceed? Should I update my PR?

@nnposter
Copy link

nnposter commented Dec 2, 2019

My fingerprint set is not a working clone of what is in Nmap but a separate, GPL-licensed product, which makes it unsuitable for merging into Nmap. I would suggest two paths forward:

  • Either keep the current single-fingerprint design and just add the missing path of /tomcat/host-manager/html/.
  • Or, split the fingerprint as discussed and update the PR. (Again, for licensing reasons you cannot just copy my code.)

I am fine with either approach.

@cnotin
Copy link
Author

cnotin commented Dec 2, 2019

I split the fingerprint since it's better as you said.
I also added a few URLs for manager as shown in https://github.com/apache/tomcat/blob/master/webapps/manager/WEB-INF/web.xml

I copied the credential for "host manager" from "manager". I did not copy your own.

@nnposter
Copy link

nnposter commented Dec 3, 2019

Committed as r37772. Thank you for contributing to Nmap!

@cnotin
Copy link
Author

cnotin commented Dec 3, 2019

Thanks for suggestions!

@cnotin cnotin deleted the patch-2 branch December 20, 2019 17:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants