Johan, On 11/11/15 8:53 AM, Johan Compagner wrote: > On 11 November 2015 at 14:44, Christopher Schultz < > ch...@christopherschultz.net> wrote: > >> Tomcat could potentially be >> used as an attack vector against a system by someone with write-access >> to the part of the filesystem where Tomcat stores its serialized session >> objects during a restart >> > > if you already can do that... then i think there are other problems first ;)
Of course, but it's a way to attack the server using Tomcat's runtime privileges that does not necessarily require the attacker to already have Tomcat's runtime privileges. If the SESSIONS.ser file is stored somewhere like /tmp or has lazy file permissions, it may be possible to overwrite it. A default Tomcat installation is trivially "stoppable" by anyone with localhost access... just send "SHUTDOWN" to port 8005 and the server stops. So while I think it's not very likely that Tomcat's SESSIONS.ser file is writable by a non-tomcat user AND of course that already having localhost access is pretty much game-over, there is the possibility of a privilege escalation, here. ... and someone could potentially blame Tomcat, because Tomcat is the one calling ObjectInputStream.readObject, not the application. I don't see any great mitigations against this kind of thing other than signing/encrypting the serialized sessions file, but then you have the problem is protecting the key used for that purpose: you've added no security, only moved the problem. Besides, simply not allowing anyone to overwrite SESSIONS.ser is the proper mitigation, here. -chris --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
