Open syrius01 opened 6 years ago
Hi,
Thanks for your interest in our recent finding impacting the mod_jk Apache module. We do not believe that this access bypass could lead (directly) to remote code execution. Indeed, only denial-of-service attacks as well as the hijacking of endpoints can be performed through the JK Status Manager interface if it is set in read-write mode. By pointing a worker towards your malicious server, the reverse proxy would certainly redirect legitimate users to the webshell hosted on your server, allowing them to execute commands in your infrastructure, which is not the behavior you would expect^^.
However, it would indeed be possible to use this vulnerability to achieve remote code execution, for example by hijacking a worker and having it point to a vulnerable Java web server or route inside the target infrastructure, which would not initially be served by the reverse proxy. We are still interested in your input and are open to chatting if you have more ideas!
We'll let you close this issue if our answer suits you :)
Best, Jean Lejeune and Raphaël Arrouas
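The answer above hinges on whether the status worker is exposed in read-write mode. The following is an added example, not part of this thread or of the mod_jk project's own files, contrasting the weak setting with the hardened one; the worker name, paths and the allowed IP are assumptions.

```apacheconf
# --- httpd.conf (excerpt) ---
# Expose the status worker on an assumed path.
JkMount /jkstatus jkstatus

# Path-based access control only; the access bypass discussed in this
# thread (CVE-2018-11759) targets exactly this kind of rule, so it must
# not be the sole protection.
<Location "/jkstatus">
    Require ip 127.0.0.1
</Location>

# --- workers.properties (excerpt) ---
worker.list=jkstatus
worker.jkstatus.type=status

# Weak: default is read-write, so anyone reaching the page can
# edit worker routes (enable/disable/redirect).
# worker.jkstatus.read_only=False

# Hardened: read-only status worker; even if the Location ACL is
# bypassed, worker configuration cannot be changed through the UI.
worker.jkstatus.read_only=True
```

With `read_only=True` the status page still reports balancer and worker state, so monitoring keeps working while the endpoint-hijacking path described above is closed.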
Hi,
Really good read based on your blog post (https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/). Now, I am wondering if some kind of remote code execution would be possible via the JkMount function? Since JkMount can assign URLs to Tomcat workers, maybe it would be possible to upload a JSP shell.
Please let me know what your advice would be on this idea.
Thanks