8.8 High
AI Score
Confidence
High
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.887 High
EPSS
Percentile
98.7%
The Apache Tomcat Manager/Host Manager/Server Status is using default or known
hardcoded credentials.
# SPDX-FileCopyrightText: 2012 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:apache:tomcat";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.103550");
script_version("2023-07-25T05:05:58+0000");
script_cve_id("CVE-2010-4094", "CVE-2009-3548", "CVE-2009-4189", "CVE-2009-3099", "CVE-2009-3843",
"CVE-2009-4188", "CVE-2010-0557");
script_name("Apache Tomcat Manager/Host Manager/Server Status Default/Hardcoded Credentials (HTTP)");
script_tag(name:"last_modification", value:"2023-07-25 05:05:58 +0000 (Tue, 25 Jul 2023)");
script_tag(name:"creation_date", value:"2012-08-22 17:19:15 +0200 (Wed, 22 Aug 2012)");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_category(ACT_ATTACK);
script_family("Default Accounts");
script_copyright("Copyright (C) 2012 Greenbone AG");
script_dependencies("gb_apache_tomcat_consolidation.nasl", "gb_default_credentials_options.nasl");
script_require_ports("Services/www", 8080);
script_mandatory_keys("apache/tomcat/http/detected", "ApacheTomcat/auth_required");
script_exclude_keys("default_credentials/disable_default_account_checks");
script_xref(name:"URL", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-214/");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/36258");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/36954");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/37086");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/38084");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/44172");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/79264");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/79351");
script_xref(name:"URL", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-085/");
script_tag(name:"solution", value:"Change the password to a strong one or remove the user from tomcat-users.xml.");
script_tag(name:"summary", value:"The Apache Tomcat Manager/Host Manager/Server Status is using default or known
hardcoded credentials.");
script_tag(name:"impact", value:"An attacker can exploit this issue to upload and execute arbitrary
code, which will facilitate a complete compromise of the affected computer.");
script_tag(name:"solution_type", value:"Mitigation");
script_tag(name:"qod_type", value:"remote_app");
script_timeout(600);
exit(0);
}
if( get_kb_item( "default_credentials/disable_default_account_checks" ) )
exit( 0 );
include("http_func.inc");
include("host_details.inc");
include("http_keepalive.inc");
include("misc_func.inc");
if( ! port = get_app_port( cpe:CPE, service:"www" ) )
exit( 0 );
if( ! dir = get_app_location( cpe:CPE, port:port ) )
exit( 0 );
# nb: Keep in sync with 2015/sw_tomcat_admin_default_credentials.nasl
credentials = make_list( "admin:admin", # Taken from various example files / documentations as well as from https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown and https://www.ikkisoft.com/stuff/TomcatSec_LucaCarettoni.pdf
"admin:changethis",
"admin:password",
"admin:Password1",
"admin:password1",
"admin:vagrant",
"both:tomcat",
"manager:manager",
"password:password",
"role:changethis",
"role1:role1",
"role1:tomcat",
"role1:tomcat7",
"root:changethis",
"root:password",
"root:Password1",
"root:password1",
"root:r00t",
"root:root",
"root:toor",
"scott:tiger", # Oracle freaks
"tomcat:admin",
"tomcat:changethis",
"tomcat:j5Brn9", # Sun Solaris installation
"tomcat:none",
"tomcat:password",
"tomcat:Password1",
"tomcat:password1",
"tomcat:tomcat",
"ADMIN:ADMIN", # https://nvd.nist.gov/vuln/detail/CVE-2010-4094
"admin:none", # https://nvd.nist.gov/vuln/detail/CVE-2009-3548
"admin:tomcat", # https://github.com/seshendra/vagrant-ubuntu-tomcat7/blob/abd0a6c9cf08f8db642bde33ce7491259247ce18/manifests/default.pp#L49-L50
"ovwebusr:OvW*busr1", # https://nvd.nist.gov/vuln/detail/CVE-2009-4189, https://nvd.nist.gov/vuln/detail/CVE-2009-3099 and https://nvd.nist.gov/vuln/detail/CVE-2009-3843
"j2deployer:j2deployer", # https://nvd.nist.gov/vuln/detail/CVE-2009-4188
"tomcat:s3cret", # https://github.com/apache/tomcat/blob/2b8f9665dbfb89c78878784cd9b63d2b976ba623/webapps/manager/WEB-INF/jsp/403.jsp#L66
"cxsdk:kdsxc", # https://nvd.nist.gov/vuln/detail/CVE-2010-0557
"xampp:xampp", # XAMPP from https://www.apachefriends.org/index.html
"QCC:QLogic66", # QLogic QConvergeConsole from http://www.qlogic.com/
"root:owaspbwa", # OWASP Broken Web Applications Project
"fhir:FHIRDefaultPassword" ); # HAPI FHIR from http://hapifhir.io/
# nb: This is expected to be here, the port will be added with a later call...
host = http_host_name( dont_add_port:TRUE );
vuln = FALSE;
report = ""; # nb: To make openvas-nasl-lint happy...
# nb: Set by gb_apache_tomcat_consolidation.nasl
authRequireUrls = get_kb_list( "www/" + host + "/" + port + "/ApacheTomcat/auth_required" );
if( isnull( authRequireUrls ) )
exit( 0 );
# Sort to not report changes on delta reports if just the order is different
authRequireUrls = sort( authRequireUrls );
useragent = http_get_user_agent();
host = http_host_name( port:port );
foreach url( authRequireUrls ) {
foreach credential( credentials ) {
user_pass = split( credential, sep:":", keep:FALSE );
user = chomp( user_pass[0] );
pass = chomp( user_pass[1] );
if( tolower( pass ) == "none" ) pass = "";
userpass = string( user, ":", pass );
userpass64 = base64( str:userpass );
req = string( "GET ", url, " HTTP/1.1\r\n",
"Host: ", host, "\r\n",
"User-Agent: ", useragent, "\r\n",
"Authorization: Basic ", userpass64, "\r\n",
"\r\n" );
res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
if( res =~ "^HTTP/1\.[01] 200" && "Tomcat Web Application Manager" >< res ) {
report += "It was possible to login into the Tomcat Manager at " + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ' using user "' + user + '" with password "' + pass + '"\n\n';
vuln = TRUE;
} else if( res =~ "^HTTP/1\.[01]" && "Tomcat Virtual Host Manager" >< res ) {
report += "It was possible to login into the Tomcat Host Manager at " + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ' using user "' + user + '" with password "' + pass + '"\n\n';
vuln = TRUE;
} else if( res =~ "^HTTP/1\.[01]" && "Server Status" >< res && "Complete Server Status" >< res ) {
report += "It was possible to login into the Tomcat Server Status at " + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + ' using user "' + user + '" with password "' + pass + '"\n\n';
vuln = TRUE;
}
}
}
if( vuln ) {
security_message( port:port, data:report );
exit( 0 );
}
exit( 99 );
www.securityfocus.com/bid/36258
www.securityfocus.com/bid/36954
www.securityfocus.com/bid/37086
www.securityfocus.com/bid/38084
www.securityfocus.com/bid/44172
www.securityfocus.com/bid/79264
www.securityfocus.com/bid/79351
www.zerodayinitiative.com/advisories/ZDI-09-085/
www.zerodayinitiative.com/advisories/ZDI-10-214/