Service Detection – Tomcat Manager, From “Info” to “Ouch”

Continuing on the thread of highlighting Nessus vulnerability scan results that turned out to be more severe than reported . . .

I always review the “Info” level “Service Detection” finding reported by Nessus, particularly any web servers that it lists because there are often blatant security issues hidden in there.

This is as simple as visiting each host:port combination in a web browser and seeing what the server response is. To aid me in this effort when there are a lot of results to go through I use a free tool called EyeWitness by Chris Truncer that reads all the protocol, host and port combinations from the Nessus scan and takes a screenshot of each one as if you visited it manually in a web browser. This allows me to quickly scan through the images and pick out services of interest or concern. Other similar and recommended tools for doing the same thing are PeepingTom by Tim Tomes and Rawr by @al14s.

During a recent penetration test I didn’t have any of these tools available so I just used a web browser and entered the URL manually. The scan result had indicated that a web server was running on port 8080 of several hosts. On one of the hosts, this brought up an Apache Tomcat page with a link to Tomcat Manager.

A username and password were required to gain access to the Manager but to my surprise a default username of “admin” and a blank password worked. I was surprised because this is something I think Nessus should have highlighted as a vulnerability. Then again, I’ve seen Nessus miss default credential findings a lot so I shouldn’t be surprised.
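A configuration-side check for the condition described above, written as an added example (not the post's own tooling): it parses a Tomcat `tomcat-users.xml` and flags any account holding a Manager role that has a blank, default or guessable password. The sample XML, the privileged-role set and the default-name and weak-password lists are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager/Host Manager apps (assumed set for this audit).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# Usernames and passwords seen in shipped sample configs (assumed lists, not from the post).
DEFAULT_USERNAMES = {"admin", "tomcat", "manager", "root", "both", "role1"}
WEAK_PASSWORDS = {"admin", "tomcat", "manager", "password", "s3cret", "changeme"}

# Constructed sample tomcat-users.xml mirroring the weak state the post describes.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="" roles="manager-gui,manager-script"/>
  <user username="deployer" password="tomcat" roles="manager-script"/>
  <user username="ops" password="Xk9#pLq2!vR8mZ" roles="manager-gui"/>
  <user username="app" password="" roles="webapp-user"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return (username, reason) findings for privileged accounts with weak credentials."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Newer Tomcat versions namespace the file; older ones do not. Strip either way.
        if elem.tag.split("}")[-1] != "user":
            continue
        # "name" is the legacy alias Tomcat accepts for "username".
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue  # unprivileged accounts are out of scope for this check
        if name.lower() in DEFAULT_USERNAMES:
            findings.append((name, "default/sample username holds a Manager role"))
        if password == "":
            findings.append((name, "blank password"))
        elif password.lower() in WEAK_PASSWORDS or password.lower() == name.lower():
            findings.append((name, "default or guessable password"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {reason}")
```

Digested passwords (Tomcat's CredentialHandler output) are never blank and will not match the weak list, so a clean result from this check still leaves password strength to be judged separately.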

Access to the manager allowed deployment of WAR files from its interface as shown below.

So there you have it, a little golden nugget in an informational finding that is actually a critical vulnerability allowing command shell access to the server.