一、 漏洞 CVE-2020-9484 基础信息
漏洞信息
                                        # N/A

## 概述
在特定配置下,攻击者可以利用Apache Tomcat中的远程代码执行漏洞进行攻击。该漏洞要求攻击者能够控制服务器上的文件内容及其名称,并知道文件存储位置的相对路径。

## 影响版本
- 10.0.0-M1 到 10.0.0-M4
- 9.0.0.M1 到 9.0.34
- 8.5.0 到 8.5.54
- 7.0.0 到 7.0.103

## 细节
- 攻击者需要能够控制服务器上的文件内容和文件名称。
- 服务器配置使用PersistenceManager和FileStore。
- PersistenceManager配置为`sessionAttributeValueClassNameFilter="null"`(默认值,除非使用SecurityManager)或允许反序列化的过滤器松弛。
- 攻击者需要知道文件存储位置的相对路径。

## 影响
如果上述条件全部满足,攻击者可以通过精心构造的请求触发远程代码执行,从而执行任意代码。
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
N/A
来源:美国国家漏洞数据库 NVD
漏洞描述信息
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
N/A
来源:美国国家漏洞数据库 NVD
漏洞标题
Apache Tomcat 代码问题漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page(JSP)的支持。 Apache Tomcat中存在代码问题漏洞。攻击者可通过控制服务器上文件的内容和名称等方法利用该漏洞执行代码。以下产品及版本受到影响:Apache Tomcat 10.0.0-M1版本至10.0.0-M4版本,9.0.0.0.M1版本至9.0.43之前版本,8.5.0版本至8.5.63之前版本,7.0.0版本至7.0.108之前版本。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
代码问题
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2020-9484 的公开POC
# POC 描述 源链接 神龙链接
1 tomcat使用了自带session同步功能时,不安全的配置(没有使用EncryptInterceptor)导致存在的反序列化漏洞,通过精心构造的数据包, 可以对使用了tomcat自带session同步功能的服务器进行攻击。PS:这个不是CVE-2020-9484,9484是session持久化的洞,这个是session集群同步的洞! https://github.com/threedr3am/tomcat-cluster-session-sync-exp POC详情
2 None https://github.com/masahiro331/CVE-2020-9484 POC详情
3 利用ceye批量检测CVE-2020-9484 https://github.com/seanachao/CVE-2020-9484 POC详情
4 用Kali 2.0复现Apache Tomcat Session反序列化代码执行漏洞 https://github.com/IdealDreamLast/CVE-2020-9484 POC详情
5 for Ubuntu 18.04, improve functions. https://github.com/qerogram/CVE-2020-9484 POC详情
6 CVE-2020-9484 Mass Scanner, Scan a list of urls for Apache Tomcat deserialization (CVE-2020-9484) which could lead to RCE https://github.com/osamahamad/CVE-2020-9484-Mass-Scan POC详情
7 None https://github.com/anjai94/CVE-2020-9484-exploit POC详情
8 None https://github.com/PenTestical/CVE-2020-9484 POC详情
9 A smol bash script I threw together pretty quickly to scan for vulnerable versions of the Apache Tomcat RCE. I'll give it some love when I have the time. https://github.com/DanQMoo/CVE-2020-9484-Scanner POC详情
10 None https://github.com/AssassinUKG/CVE-2020-9484 POC详情
11 POC for CVE-2020-9484 https://github.com/VICXOR/CVE-2020-9484 POC详情
12 None https://github.com/DXY0411/CVE-2020-9484 POC详情
13 Apache Tomcat RCE (CVE-2020-9484) https://github.com/RepublicR0K/CVE-2020-9484 POC详情
14 POC - Apache Tomcat Deserialization Vulnerability (CVE-2020-9484) https://github.com/ColdFusionX/CVE-2020-9484 POC详情
15 Exploit for Apache Tomcat deserialization (CVE-2020-9484) which could lead to RCE https://github.com/d3fudd/CVE-2020-9484_Exploit POC详情
16 small test to prevent sql injections attack. 🔒 CVE-2020-9484 https://github.com/pxcs/webLogin-DEV POC详情
17 Remake of CVE-2020-9484 by Pentestical https://github.com/0dayCTF/CVE-2020-9484 POC详情
18 Bash POC for CVE-2020-9484 that i used in tryhackme challenge https://github.com/Disturbante/CVE-2020-9484 POC详情
19 Remake of CVE-2020-9484 by Pentestical https://github.com/deathquote/CVE-2020-9484 POC详情
20 PoC exploit for CVE-2020-9484, and a vulnerable web application for its demonstration https://github.com/savsch/PoC_CVE-2020-9484 POC详情
21 When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-9484.yaml POC详情
三、漏洞 CVE-2020-9484 的情报信息