Related vulnerability
Title: Apache Tomcat resource management error vulnerability (CVE-2022-29885). Description: Apache Tomcat is a lightweight web application server from the Apache Software Foundation (USA). It implements support for Servlets and JavaServer Pages (JSP). Apache Tomcat has a resource management error vulnerability: an attacker can use it to overload Apache Tomcat through the EncryptInterceptor and trigger a denial of service.
Description
Apache Tomcat CVE-2022-29885
Introduction
# CVE-2022-29885
**The tool is only used for security research and internal self-assessment. It is prohibited to use the tool to launch illegal attacks, and the user is responsible for the consequences**
## Introduction
Apache Tomcat DoS (CVE-2022-29885) Exploit
Denial of Service in EncryptInterceptor (Tomcat Cluster)
The target machine must be running the cluster `NioReceiver`. Sending a specially crafted TCP packet causes a denial of service on the target, whether or not `EncryptInterceptor` is configured.
Condition: the Tomcat cluster feature is enabled and `NioReceiver` is used for communication
**Every version of Tomcat is affected. The only mitigation is to restrict the cluster receiver to a trusted network**
## Unsafe Config Exploit
Unsafe config: `EncryptInterceptor` is not used
server.xml
```xml
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="0.0.0.0"
              port="5000"
              selectorTimeout="100"
              maxThreads="6"/>
  </Channel>
</Cluster>
```
exploit: `./dos -h target_ip -p target_nio_port`

**Against the unsafe config, the Safe-Config-Exploit mode can be used as well**
**Against the safe config, only the Safe-Config-Exploit mode works**
## Safe Config Exploit
Safe config: `EncryptInterceptor` is used
server.xml
```xml
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="0.0.0.0"
              port="5000"
              selectorTimeout="100"
              maxThreads="6"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionAlgorithm="AES/CBC/PKCS5Padding"
                 encryptionKey="ANY_KEY(LENGTH:32)"/>
  </Channel>
</Cluster>
```
exploit: `./dos -h target_ip -p target_nio_port -s`
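A defender-side check covering both configurations above, added here as an example and not part of this repository's code: it walks a server.xml (a whole file or just the Cluster fragment; a constructed sample is embedded) and reports whether a `NioReceiver` is bound beyond loopback and whether an `EncryptInterceptor` is present. The names `AuditCluster`, `Finding` and `sampleSafe` are this example's own assumptions; the conclusion it encodes is the page's, that the interceptor does not reduce the receiver's exposure and only restricting the network does.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net"
	"strings"
)

// Finding records what the audit saw in the <Cluster> section of server.xml.
type Finding struct {
	NioReceiver, Encrypted, Exposed bool // Exposed: bound beyond loopback; EncryptInterceptor does not change this
	Address, Port                   string
}

// AuditCluster walks a server.xml (whole file or Cluster fragment) and records the NioReceiver bind address/port and whether an EncryptInterceptor exists.
func AuditCluster(serverXML string) (Finding, error) {
	var f Finding
	dec := xml.NewDecoder(strings.NewReader(serverXML))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return f, nil
		} else if err != nil {
			return Finding{}, err
		}
		if se, ok := tok.(xml.StartElement); ok {
			attrs := map[string]string{}
			for _, a := range se.Attr {
				attrs[a.Name.Local] = a.Value
			}
			if se.Name.Local == "Receiver" && strings.HasSuffix(attrs["className"], ".NioReceiver") {
				f.NioReceiver, f.Address, f.Port = true, attrs["address"], attrs["port"]
				ip := net.ParseIP(f.Address) // "auto", hostnames and 0.0.0.0 all mean other hosts can reach it
				f.Exposed = ip == nil || !ip.IsLoopback()
			}
			if se.Name.Local == "Interceptor" && strings.HasSuffix(attrs["className"], ".EncryptInterceptor") {
				f.Encrypted = true
			}
		}
	}
}

const sampleSafe = `<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"><Channel className="org.apache.catalina.tribes.group.GroupChannel">
<Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver" address="0.0.0.0" port="5000" maxThreads="6"/><Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor" encryptionAlgorithm="AES/CBC/PKCS5Padding"/></Channel></Cluster>` // constructed sample mirroring the page's "safe" config

func main() {
	fmt.Println(AuditCluster(sampleSafe)) // Exposed is true even though Encrypted is true
}
```

Run it against a real server.xml by reading the file into `AuditCluster`; a receiver that is both `NioReceiver` and `Exposed` should be reachable only from cluster members, regardless of the `Encrypted` flag.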

## Reference
https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
File snapshot
[4.0K] /data/pocs/6102ee739ce360d324257d29842c6ebb6b5f3aff
├── [ 27] go.mod
├── [4.0K] img
│ ├── [ 40K] safe.png
│ └── [ 52K] unsafe.png
├── [1.0K] LICENSE
├── [ 21K] main.go
└── [2.2K] README.md
1 directory, 6 files
Notes
1. It is recommended to access the POC through its original source first.
2. If the source has been removed or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.