Default Tomcat Host Manager Credentials Lead to RCE

Highlighting a critical cybersecurity issue: Unauthorised access is inevitable wherever default credentials are used, underscoring the need for caution.

Alex Bassett
Technical Marketing Executive
February 28, 2023

Welcome to our Pentest Files blog series.

Each blog post will present an interesting or dangerous finding one of our testers has identified in an actual recent pen-test, so you can see the kinds of cool things our pen-testers get up to, and also to help you take steps to prevent similar vulnerabilities in your own assets.

These findings are taken from real reports, anonymised, and published with kind permission from our clients.

Tester: Adam

Vertical: Regulatory Technology

Impact: Critical

What Happened?

Adam discovered that the Tomcat Host Manager on the remote server was operating with the documented default credentials. This often allows attackers to deploy malicious content to the application.

Some Background

Remote Code Execution (RCE) vulnerabilities are often caused by handling user input in an unsafe manner, which can lead to the execution of commands on the affected endpoint. This can occur through various methods, such as SQL injection, passing user input into unsafe functions like system() in PHP, or memory-based exploits.

However, the finding discussed here was not an RCE vulnerability caused by unsafe input handling. Instead, it resulted from a common misconfiguration. Once an attacker has achieved RCE, they can establish Command & Control (C2) over the endpoint and then take action on objectives to achieve their goals.

The Tomcat Manager App is a built-in web application that comes bundled with the Tomcat server. It offers fundamental functionality for managing deployed web applications.

The application comes pre-packaged with several features and services. In addition to facilitating the management of deployed applications, it also allows us to view the server's status and configuration, as well as that of its applications.

The Finding

During web application testing, one of our experienced testers, Adam, discovered that the Tomcat Host Manager was operating with the default credentials of “admin” and “admin” for the username and password. This poses a massive risk for our client, as it may allow an attacker to log in and manage the virtual hosts within Tomcat. An attacker could potentially execute arbitrary code on the affected server by deploying a new application.

Tomcat Host Manager

While testing, it was not possible to access the Tomcat Manager application via this method, as the Manager App is only accessible from localhost by default. This was a positive find, as our client had taken measures to restrict the common attack vector. However, during this test, our tester was able to achieve RCE by deploying a malicious VHOST to Tomcat, which is a far more creative way of exploiting this vulnerability.

With this level of RCE, an attacker would have almost full control over the server.

With RCE, an attacker may aim to:

  • Exfiltrate data from the host, including files, keystrokes and more.
  • Cause a Denial of Service (DoS) by disrupting the operation of running services or the OS itself.
  • Attempt privilege escalation if necessary.
  • Attempt to pivot to other network resources.
  • Conduct a crypto mining operation using your resources.
  • Install ransomware to deny you access to your data.

The Fix

The fix for this one is nice for our client: it is as simple as changing the Tomcat password to something strong and unique, and ensuring the portal is no longer accessible externally. Having the portal available externally risks the credentials being compromised via brute force. It’s important to always ensure default credentials are not used for any part of an application, as bad actors will seek out these services and could potentially cause both serious reputational and financial loss.
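
Both parts of the fix can be checked from the Tomcat configuration itself. The script below is an added example, not code from the original test or from Tomcat: it flags users holding Host Manager or Manager roles whose password is a default, and reports whether an application's context.xml restricts remote addresses. It assumes the standard conf/tomcat-users.xml format and a `RemoteAddrValve` in the Host Manager's META-INF/context.xml; the function names and sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Host Manager (admin-*) and Manager (manager-*) apps.
PRIVILEGED_PREFIXES = ("admin-", "manager-")
# Passwords treated as default; "admin" is the value from this post, extend as needed.
DEFAULT_PASSWORDS = {"admin"}
VALVE = "org.apache.catalina.valves.RemoteAddrValve"

def _local(tag):
    """Strip an XML namespace so namespaced and plain files parse alike."""
    return tag.rsplit("}", 1)[-1]

def audit_users(users_xml):
    """Return (username, reason) for privileged users with default-style passwords."""
    findings = []
    for el in ET.fromstring(users_xml).iter():
        if _local(el.tag) != "user":
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = [r.strip() for r in el.get("roles", "").split(",")]
        if not any(r.startswith(PRIVILEGED_PREFIXES) for r in roles):
            continue  # user cannot reach the management apps
        if pw.lower() in DEFAULT_PASSWORDS:
            findings.append((name, "default password"))
        elif pw.lower() == name.lower():
            findings.append((name, "password equals username"))
    return findings

def remote_access_restricted(context_xml):
    """True if the app's context.xml has a RemoteAddrValve with an allow list."""
    for el in ET.fromstring(context_xml).iter():
        if _local(el.tag) == "Valve" and el.get("className") == VALVE:
            return bool(el.get("allow"))
    return False

# Constructed sample inputs (not taken from the tested system).
SAMPLE_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="admin" roles="admin-gui,admin-script"/>
  <user username="deploy" password="Deploy" roles="manager-script"/>
  <user username="ops" password="k7#Vq9!zLw2p" roles="admin-gui"/>
  <user username="guest" password="guest" roles="viewer"/>
</tomcat-users>"""
SAMPLE_CONTEXT_OPEN = '<Context antiResourceLocking="false" privileged="true"/>'
SAMPLE_CONTEXT_LOCAL = ('<Context privileged="true"><Valve className="%s" '
                        'allow="127\\.\\d+\\.\\d+\\.\\d+|::1"/></Context>' % VALVE)

if __name__ == "__main__":
    print(audit_users(SAMPLE_USERS))
    print(remote_access_restricted(SAMPLE_CONTEXT_OPEN))
```

If the installation stores digested passwords through a credential handler, the password comparison will not match and those accounts need a separate review.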
