
CVE-2022-29885 PoC — EncryptInterceptor does not provide complete protection on insecure networks

Associated Vulnerability

Title: EncryptInterceptor does not provide complete protection on insecure networks (CVE-2022-29885)

Description: The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Description: Apache Tomcat CVE-2022-29885

Readme
# CVE-2022-29885

**The tool is only used for security research. It is prohibited to use the tool to launch illegal attacks, and the user is responsible for the consequences**

**The tool is only for security research and internal self-assessment. It is prohibited to use the tool to launch illegal attacks, and the user is responsible for the consequences**

## Introduction

Apache Tomcat DoS (CVE-2022-29885) Exploit

Denial of Service in EncryptInterceptor (Tomcat Cluster)

The target machine must have the cluster NIO receiver running; sending a specially crafted TCP packet to it causes a denial of service on the target. The denial-of-service vulnerability exists whether or not `EncryptInterceptor` is used.

Condition: the Tomcat cluster function is enabled and `NioReceiver` is used for communication.

**Any version of Tomcat is affected. The only solution is to run the cluster over a trusted network.**

## Unsafe Config Exploit

Unsafe config: `EncryptInterceptor` is not used

server.xml
```xml
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
      address="0.0.0.0"
      port="5000"
      selectorTimeout="100"
      maxThreads="6"/>
  </Channel>
</Cluster>
```

exploit: `./dos -h target_ip -p target_nio_port`

![](img/unsafe.png)

**With the unsafe config, the Safe-Config-Exploit works as well.**

**With the safe config, only the Safe-Config-Exploit works.**

## Safe Config Exploit

Safe config: `EncryptInterceptor` is used

server.xml
```xml
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
      address="0.0.0.0"
      port="5000"
      selectorTimeout="100"
      maxThreads="6"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
       encryptionAlgorithm="AES/CBC/PKCS5Padding"
       encryptionKey="ANY_KEY(LENGTH:32)"/>
  </Channel>
</Cluster>
```

exploit: `./dos -h target_ip -p target_nio_port -s`

![](img/safe.png)
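A defender-side check for both configurations above, added here as an example that is not part of the original repository: it parses a `server.xml` fragment, reports every `NioReceiver` bound to a wildcard address, and notes that an `EncryptInterceptor` (present in the "safe" config) does not remove the DoS exposure. The two embedded fragments are constructed from the configs shown on this page; the `auto`/`4000` fallbacks are the Tomcat documented defaults.

```python
import xml.etree.ElementTree as ET

NIO_RECEIVER = "org.apache.catalina.tribes.transport.nio.NioReceiver"
ENCRYPT_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
WILDCARD_BINDS = ("0.0.0.0", "::", "0:0:0:0:0:0:0:0")


def audit_cluster(server_xml: str) -> list[str]:
    """Return one finding per exposure for every NioReceiver in a Cluster/Channel."""
    root = ET.fromstring(server_xml)
    findings = []
    for channel in root.iter("Channel"):
        # EncryptInterceptor is a sibling of Receiver inside the same Channel
        encrypted = any(i.get("className") == ENCRYPT_INTERCEPTOR
                        for i in channel.iter("Interceptor"))
        for rcv in channel.iter("Receiver"):
            if rcv.get("className") != NIO_RECEIVER:
                continue
            # Tomcat documented defaults when the attributes are omitted
            addr, port = rcv.get("address", "auto"), rcv.get("port", "4000")
            if addr in WILDCARD_BINDS:
                findings.append(f"receiver {addr}:{port}: bound to all interfaces; "
                                "restrict it to the trusted cluster network")
            else:
                findings.append(f"receiver {addr}:{port}: verify this interface is "
                                "reachable only from cluster peers")
            if encrypted:
                findings.append("EncryptInterceptor present: confidentiality and "
                                "integrity only, no DoS protection (CVE-2022-29885)")
            else:
                findings.append("EncryptInterceptor absent: cluster traffic is unencrypted")
    return findings


# Constructed samples mirroring the unsafe and safe configs on this page
UNSAFE_XML = """<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
      address="0.0.0.0" port="5000" selectorTimeout="100" maxThreads="6"/>
  </Channel>
</Cluster>"""

SAFE_XML = UNSAFE_XML.replace(
    "  </Channel>",
    '    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"\n'
    '      encryptionAlgorithm="AES/CBC/PKCS5Padding" encryptionKey="ANY_KEY(LENGTH:32)"/>\n'
    "  </Channel>")

if __name__ == "__main__":
    for name, xml in (("unsafe", UNSAFE_XML), ("safe", SAFE_XML)):
        print(name, *audit_cluster(xml), sep="\n  ")
```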

## Reference

https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
File Snapshot

```
[4.0K] /data/pocs/6102ee739ce360d324257d29842c6ebb6b5f3aff
├── [  27] go.mod
├── [4.0K] img
│   ├── [ 40K] safe.png
│   └── [ 52K] unsafe.png
├── [1.0K] LICENSE
├── [ 21K] main.go
└── [2.2K] README.md

1 directory, 6 files
```