
Timeout error when using "read_file" functionality #13

Closed
ggrpmnn opened this issue Mar 3, 2020 · 4 comments

Comments

ggrpmnn commented Mar 3, 2020

Hey there!

I ran across this lib while looking for ways to check for the recent "Ghostcat" CVE. When trying to use the code (both as a lib and using the standalone tomcat.py script) to check for the vuln on a testing host, I encounter timeouts when waiting on a socket. Here's the stacktrace I get when running tomcat.py.

sh-3.2# python tomcat.py version <VULNERABLE HOSTNAME>
Apache Tomcat/8.5.32
sh-3.2# python tomcat.py read_file --webapp=manager /WEB-INF/web.xml <VULNERABLE HOSTNAME>
Traceback (most recent call last):
  File "tomcat.py", line 377, in <module>
    hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
  File "tomcat.py", line 153, in perform_request
    responses = self.forward_request.send_and_receive(self.socket, self.stream)
  File "/.../AJPy/ajpy/ajp.py", line 274, in send_and_receive
    r = AjpResponse.receive(stream)
  File "/.../AJPy/ajpy/ajp.py", line 380, in receive
    r.parse(stream)
  File "/.../AJPy/ajpy/ajp.py", line 337, in parse
    self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
  File "/.../AJPy/ajpy/ajp.py", line 44, in unpack
    buf = stream.read(size)
  File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
TimeoutError: [Errno 60] Operation timed out

As you can see, I can get the server version correctly from the first call, so there's no issue with connectivity to the host. I'm on macOS using Python version 3.7.6 (installed via homebrew). Any insight into what's up would be helpful.

hypn0s (Owner) commented Mar 3, 2020

Hi there, thank you for reporting this issue.

If you look at the network traffic using Wireshark for instance, do you see a response from the server on this request?

Maybe the server is slow to respond and the default timeout is not enough, but you will see in Wireshark if that's the case.

ggrpmnn (Author) commented Mar 4, 2020

Hi, I just checked the sequence via Wireshark as requested. It looks like the TCP handshake completes, but then it looks like it tries to redeliver the initial AJP request until it hits the timeout:

[Wireshark screenshot attached]

hypn0s (Owner) commented Mar 4, 2020

Hmmm, I cannot reproduce with this version of Tomcat.

Can you try to read the web.xml of the root (without the webapp parameter)?
$ python tomcat.py read_file /WEB-INF/web.xml <VULNERABLE HOSTNAME>

ggrpmnn (Author) commented Mar 4, 2020

Same stack trace:

python tomcat.py read_file /WEB-INF/web.xml <VULNERABLE HOSTNAME>
Traceback (most recent call last):
  File "tomcat.py", line 377, in <module>
    hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
  File "tomcat.py", line 153, in perform_request
    responses = self.forward_request.send_and_receive(self.socket, self.stream)
  File "/.../AJPy/ajpy/ajp.py", line 274, in send_and_receive
    r = AjpResponse.receive(stream)
  File "/.../AJPy/ajpy/ajp.py", line 380, in receive
    r.parse(stream)
  File "/.../AJPy/ajpy/ajp.py", line 337, in parse
    self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
  File "/.../AJPy/ajpy/ajp.py", line 44, in unpack
    buf = stream.read(size)
  File "/usr/local/Cellar/python/3.7.6_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
TimeoutError: [Errno 60] Operation timed out

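The stack traces in this thread end in AJPy's ajp.py reading the 5-byte AJP response header with unpack(stream, ">HHb") and dying on a raw OS TimeoutError, which says nothing about whether any bytes arrived, whether the peer closed, or whether the framing was wrong. The following is an added example, not AJPy's own code: a small defensive reader for AJP13 container-to-server ("AB") packets that performs the same header read but reports how far it got. The prefix-code names are taken from the AJP13 protocol reference; the function and class names, the sample packets and the timing-out stub stream are constructed for this example.

```python
"""Defensive reader for AJP13 container->server ("AB") response packets.

Added example (not AJPy's own code). It mirrors the header read that AJPy
performs with unpack(stream, ">HHb") but turns a bare socket timeout or a
half-closed connection into a descriptive error carrying the byte count, so
a hang like the one in this issue can be told apart from a truncated or
malformed packet when reading a log.
"""
import io
import socket
import struct

AJP_RESPONSE_MAGIC = 0x4142  # ASCII "AB": every container->server packet starts with it
HEADER_LEN = 5               # magic (2) + data length (2) + prefix code (1), i.e. ">HHb"

# Prefix codes from the AJP13 protocol reference (container -> web server direction).
PREFIX_NAMES = {
    3: "SEND_BODY_CHUNK",
    4: "SEND_HEADERS",
    5: "END_RESPONSE",
    6: "GET_BODY_CHUNK",
    9: "CPONG_REPLY",
}


class AjpFramingError(Exception):
    """Raised when a response packet cannot be read or framed correctly."""


def read_exact(stream, size):
    """Read exactly `size` bytes from a file-like socket stream.

    A bare stream.read(size) on a socket file object may return fewer bytes,
    return b"" on EOF, or raise the OS timeout seen in this issue. Each case is
    reported here together with how many bytes had already arrived.
    """
    buf = bytearray()
    while len(buf) < size:
        try:
            chunk = stream.read(size - len(buf))
        except (socket.timeout, TimeoutError) as exc:  # socket.timeout is an alias of TimeoutError on 3.10+
            raise AjpFramingError(
                f"timed out after receiving {len(buf)} of {size} bytes") from exc
        if not chunk:
            raise AjpFramingError(
                f"peer closed connection after {len(buf)} of {size} bytes")
        buf.extend(chunk)
    return bytes(buf)


def parse_response_stream(stream):
    """Read one AJP response packet; return (prefix name, payload after the prefix byte)."""
    magic, data_length, prefix_code = struct.unpack(">HHb", read_exact(stream, HEADER_LEN))
    if magic != AJP_RESPONSE_MAGIC:
        raise AjpFramingError(f"bad magic 0x{magic:04x}, expected 0x{AJP_RESPONSE_MAGIC:04x}")
    if data_length < 1:
        raise AjpFramingError("data length must cover at least the prefix byte")
    # data_length counts the prefix byte that the header read already consumed.
    payload = read_exact(stream, data_length - 1)
    return PREFIX_NAMES.get(prefix_code, f"UNKNOWN({prefix_code})"), payload


def parse_response_bytes(data):
    """Convenience wrapper for captured bytes (e.g. pasted from a Wireshark follow-stream)."""
    return parse_response_stream(io.BytesIO(data))


def describe_failure(stream):
    """Return a one-line diagnostic instead of raising, suitable for a log entry."""
    try:
        name, payload = parse_response_stream(stream)
    except AjpFramingError as exc:
        return f"framing error: {exc}"
    return f"ok: {name} with {len(payload)} payload bytes"


def describe_failure_bytes(data):
    """describe_failure() over an in-memory byte string."""
    return describe_failure(io.BytesIO(data))


class TimingOutStream:
    """Constructed stand-in for a socket file object whose recv never returns data."""

    def read(self, size):
        raise socket.timeout("timed out")


def simulate_timeout():
    """Show what the diagnostic looks like when the server never answers, as in this issue."""
    return describe_failure(TimingOutStream())


if __name__ == "__main__":
    # Constructed sample: an END_RESPONSE packet (prefix 5) with reuse flag 1.
    print(parse_response_bytes(b"AB" + struct.pack(">H", 2) + bytes([5, 1])))
    # Constructed sample: a SEND_BODY_CHUNK (prefix 3) carrying 5 bytes of body.
    body = b"hello"
    chunk = bytes([3]) + struct.pack(">H", len(body)) + body
    print(parse_response_bytes(b"AB" + struct.pack(">H", len(chunk)) + chunk))
    print(describe_failure_bytes(b"AB\x00"))   # peer closed after 3 of 5 bytes
    print(simulate_timeout())                   # timed out after 0 of 5 bytes
```

Wrapping the socket's file object this way does not change when the timeout fires, but it makes the log line say "timed out after receiving 0 of 5 bytes", which is exactly the "handshake completes, then nothing" picture from the Wireshark capture in this thread, as opposed to a server that answers with a short or non-AJP response.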
hypn0s closed this as not planned (won't fix, can't repro, duplicate, stale) on Aug 24, 2023