CVE-2020-1938 Apache Tomcat AJP vulnerability reproduction

I. Overview

1.1 Vulnerability ID: CVE-2020-1938

1.2 Severity: High

1.3 Description

On February 20, 2020, the China National Vulnerability Database (CNVD) published a security bulletin on Apache Tomcat. The file inclusion vulnerability exists because Tomcat enables the AJP connector (port 8009) by default, and that connector has a file inclusion flaw: an attacker who can reach the port can construct a request packet that performs a malicious file inclusion and thereby read any file under the Tomcat webapp directory, such as webapp configuration files and source code.

II. Affected versions

Apache Tomcat 6

Apache Tomcat 7 < 7.0.100

Apache Tomcat 8 < 8.5.51

Apache Tomcat 9 < 9.0.31

III. Vulnerability analysis

Source code analysis shows that Tomcat's handling of the AJP protocol is flawed: an AJP client can set arbitrary request attributes, which Tomcat applies through request.setAttribute. Reproduction confirmed two consequences of this: an arbitrary file read within the web directory and a JSP file inclusion.

When the AJP request URI is set to a non-JSP path, Tomcat dispatches the request to DefaultServlet, which results in an arbitrary file read within the web directory.

When the AJP request URI is set to a JSP path, Tomcat dispatches the request to JspServlet, which results in a JSP file inclusion.

IV. Reproduction steps

Environment

Target: Windows 7 (IP 192.168.91.132)

Attack machine: Kali (IP 192.168.91.128)

Tomcat version: 8.5.5

Note: archived releases of every Tomcat version can be downloaded from http://archive.apache.org/dist/tomcat/

4.1 Check whether Tomcat is deployed

4.2 Host discovery

4.3 Port scan (port 8009 is open)

4.4 Download the file read PoC

PoC link: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi

4.5 Enter the parameters and run it

The output shows that the file contents were read successfully.

V. Defensive measures

1. Disable the AJP protocol: open conf/server.xml under the Tomcat installation path and delete or comment out this line: <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

2. Upgrade to the latest version of Tomcat.

3. If AJP is needed, configure a shared secret for authentication and bind the connector to a specific address, for example: <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET" />
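As an added example (not part of the original post), the following audit script applies the three defensive checks above to a server.xml: it flags every enabled AJP connector that is bound to all interfaces or that lacks a shared secret, and it ignores connectors that have been commented out. The two server.xml fragments are constructed for the example; `secret` and `secretRequired` are the attribute names used by Tomcat 7.0.100, 8.5.51, 9.0.31 and later (older releases used `requiredSecret`).

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample server.xml fragments (not taken from a real deployment).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="PLACEHOLDER_AJP_SECRET" />
  </Service>
</Server>"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0"}


def audit_ajp_connectors(server_xml: str) -> List[Tuple[str, str]]:
    """Return (port, finding) pairs for each enabled AJP connector that is
    reachable from other hosts or does not require a shared secret.
    ElementTree drops XML comments, so a connector disabled by commenting
    it out (defence 1 above) produces no findings."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # only AJP connectors are affected by CVE-2020-1938
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None or address in WILDCARD_ADDRESSES:
            findings.append((port, "AJP connector listens on all interfaces"))
        # 'secret' is the current attribute; 'requiredSecret' is the legacy name.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append((port, "secretRequired=\"false\" disables AJP authentication"))
        elif not secret:
            findings.append((port, "no AJP secret configured; any client reaching the port is trusted"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{label}: {audit_ajp_connectors(cfg) or 'no findings'}")
```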

VI. Impact

An attacker can exploit the vulnerability by constructing a specific parameter to read any file under the server's webapp directory. If the server also exposes a file upload function, the attacker can go further and achieve remote code execution.

Source: www.cnblogs.com/bin1121/p/12556749.html