Related vulnerability
Title:
Apache Tomcat security vulnerability
(CVE-2020-1938)
Description: Apache Tomcat is a lightweight web application server from the Apache Software Foundation (United States). It implements support for Servlets and JavaServer Pages (JSP). The Tomcat AJP protocol in Apache Tomcat 7.* before 7.0.100, 8.* before 8.5.51 and 9.* before 9.0.31 contains a security vulnerability. An attacker can exploit it to read or include any file under the webapp directories on the Tomcat server, such as webapp configuration files or source code.
Description
This is an exploit for CVE-2020-1938, the Ghostcat Apache Tomcat vulnerability.
Introduction
# CVE-2020-1938: Ghostcat-Apache Tomcat AJP File Read/Inclusion Vulnerability
## Background
### Vulnerability Case Study Presentations
Hancheng Lei (251099234), Siyang Li (251129414)
This project is a case study of CVE-2020-1938 (Ghostcat) in Apache Tomcat. The bundled exploit script has been reworked to fix the bugs found in earlier versions of the PoC so that it runs reliably.
### When Was It Discovered?
On February 20, 2020, the China National Vulnerability Database (CNVD) published advisory CNVD-2020-10487 for a critical vulnerability in the Apache JServ Protocol (AJP) connector of Apache Tomcat. AJP is a binary protocol designed to forward requests efficiently from a web server to an application server.
The Ghostcat vulnerability (CVE-2020-1938) was discovered by researchers at Chaitin Tech and reported to the Apache Software Foundation on January 3, 2020.
### What Is Apache Tomcat?
Apache Tomcat (often referred to simply as "Tomcat") is an open-source implementation of Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies. It offers a "pure Java" HTTP web server environment where Java code can be executed.
Tomcat is maintained by a community of developers under the Apache Software Foundation and is distributed under the Apache License 2.0.
### What Is the AJP Protocol?
AJP is a binary protocol carried over TCP between a front-end web server (typically Apache httpd with mod_jk or mod_proxy_ajp) and the Tomcat servlet container behind it. It is used mainly in clustered or reverse-proxy deployments, where the web server receives client requests and hands them to the application server or servlet container.
### What Is CVE-2020-1938?
CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector of Apache Tomcat, which affected versions enable by default on port 8009, bound to all interfaces. It allows a remote, unauthenticated attacker to read web application files from a vulnerable server. If the application also permits file uploads, the attacker can upload JSP code inside a file of any type and have Tomcat interpret it, potentially leading to remote code execution (RCE).
## Description
### Official Description
> When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than HTTP connections. If an attacker can access such connections, they can exploit them in unexpected ways. Versions of Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50, and 7.0.0 to 7.0.99 had an AJP Connector enabled by default, listening on all configured IP addresses. It is advised to disable this Connector if it is not necessary. The vulnerability report identified a mechanism that allowed:
> - Returning arbitrary files from anywhere in the web application
> - Processing any file in the web application as a JSP
Moreover, if the web application permitted file uploads and stored these files within the application, the combination of this vulnerability and the ability to process files as JSP made remote code execution possible. Mitigation is required only if an AJP port is accessible to untrusted users. Users are encouraged to upgrade to Apache Tomcat versions 9.0.31, 8.5.51, or 7.0.100 or later, which include significant changes to the default AJP Connector configuration for enhanced security.
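The configuration changes the fixed releases made to the default AJP connector can be checked on any existing `server.xml`. The following is an added example written for this page (not part of this repository or of Apache Tomcat): a small Python audit that flags an AJP connector listening on all interfaces, one without a shared secret, one that explicitly turns `secretRequired` off, and one with a permissive `allowedRequestAttributesPattern`. The three `server.xml` excerpts are constructed for the example, and the secret value is a placeholder.

```python
import xml.etree.ElementTree as ET


def audit_ajp_connectors(server_xml):
    """Return a list of findings for every active AJP connector in a server.xml string.

    The XML parser drops comments, so a commented-out connector (the shipped default
    since 7.0.100 / 8.5.51 / 9.0.31) produces no findings, exactly like an absent one."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not (protocol.upper().startswith("AJP") or "coyote.ajp" in protocol):
            continue
        where = "AJP connector on port %s" % conn.get("port", "?")
        address = conn.get("address")
        if address is None or address in ("0.0.0.0", "::", "::0"):
            findings.append(where + " listens on all interfaces; bind it to a loopback address or remove it")
        # The fixed releases renamed requiredSecret to secret and made secretRequired default to true.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append(where + ' has no shared secret; set secret="..." and configure the proxy to send it')
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(where + ' explicitly sets secretRequired="false"')
        pattern = conn.get("allowedRequestAttributesPattern", "")
        if pattern.strip() in (".*", ".+"):
            findings.append(where + " accepts arbitrary request attributes (allowedRequestAttributesPattern=%r)" % pattern)
    return findings


# Constructed excerpt in the shape of a pre-fix default server.xml (such as the 8.5.32 image
# used in the demonstration below): AJP on 8009, bound to every interface, no shared secret.
VULNERABLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed: the connector is kept because a reverse proxy needs it, but it is loopback-only
# and secret-protected as the fixed releases require. The secret value is a placeholder.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"
               secretRequired="true" secret="replace-with-a-long-random-value" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed: the other fixed-release default, with the AJP connector commented out entirely.
DISABLED_SERVER_XML = VULNERABLE_SERVER_XML.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->')


if __name__ == "__main__":
    import sys  # usage: python audit_ajp.py /path/to/tomcat/conf/server.xml
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_SERVER_XML
    print("\n".join(audit_ajp_connectors(source)) or "no AJP findings")
```

Run against `conf/server.xml` of the instance being checked (the script name `audit_ajp.py` is an assumption). An empty result means either no AJP connector is active or the one that is active is bound to loopback and carries a secret, which is the state the fixed releases ship by default; it does not prove the Tomcat binary itself is patched, so the version table below still applies.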
### Explanation in Simple Terms
- Basic conditions: in Apache Tomcat 6.x, 7.x, 8.x and 9.x before the fixed releases, the AJP connector (enabled by default on port 8009) is trusted more than a plain HTTP connection: request attributes sent by the "front end" over AJP are accepted without filtering. An attacker who can reach the port can therefore make Tomcat do things no HTTP client could. (6.x is end-of-life and received no fix.)
- Ghostcat lets an attacker retrieve arbitrary files from anywhere in the web application, including protected directories such as `WEB-INF` and `META-INF` and any location reachable through `ServletContext.getResourceAsStream()`, and also lets the attacker have any file in the web application processed as a JSP.
- If an affected application additionally exposes a file upload feature that stores the uploaded file inside the web application, combining it with Ghostcat gives remote code execution.
## Impact
According to a 2010 blog post from the Apache Software Foundation, Apache Tomcat has been downloaded over 10 million times and is utilized by various software applications, often embedded as a web server. The potential impact of this vulnerability is extensive; if left unaddressed, users and their data will remain at risk.
### Affected Versions and Fixed Versions
| Apache Version | Affected Release Versions | Fixed Version |
|---------------------|---------------------------|---------------|
| Apache Tomcat 9 | 9.0.30 and below | 9.0.31 |
| Apache Tomcat 8 | 8.5.50 and below | 8.5.51 |
| Apache Tomcat 7 | 7.0.99 and below | 7.0.100 |
## Vulnerability Analysis and Exploits
### Vulnerability Principle
The AJP connector copies every `req_attribute` name/value pair contained in a Forward Request into the attribute map of the servlet request, and in vulnerable versions it does so without filtering. Tomcat's servlets consult the request attributes `javax.servlet.include.request_uri`, `javax.servlet.include.servlet_path` and `javax.servlet.include.path_info`, which are normally set only by `RequestDispatcher.include()`, to determine which resource an include targets: the DefaultServlet interprets them as the path of a static resource, and the JspServlet as the path of a JSP to compile and execute. Since an attacker who can reach port 8009 controls these attributes, any file under the web application directory can be read, or interpreted as a JSP, simply by setting them in the request.
Reading files needs nothing beyond network access to the AJP port. Remote code execution additionally requires:
- The web application must let the attacker place content inside the application, typically through a file upload feature that stores uploads under the webapp directory; otherwise the attacker needs some other way to control the application's contents. Combined with the ability to process any file as a JSP, this enables RCE.
### Steps for Exploitation
1. Anyone who can reach the AJP connector, normally on port 8009, can read any file under a web application deployed on that Tomcat (for example `WEB-INF/web.xml`).
2. If the application also lets users upload files that are stored inside the web application, the attacker uploads a file containing JSP code (the file type does not matter: an image, a plain text file, etc.) and then uses Ghostcat to include it as a JSP, which executes the code.
### Exploits Demonstration
Tools: Kali Linux 64-bit virtual machine, Tomcat 8.5.32, JRE 8.
1. Search Docker Hub for a tomcat-8.5.32 image[5].
command: `docker search tomcat-8.5.32`
Docker itself is installed with: `apt install docker.io`

2. Pull the image into the local virtual machine.
command: `docker pull duonghuuphuc/tomcat-8.5.32`

3. Create a container from the image and publish ports 8080 (HTTP) and 8009 (AJP) on the host.
command: `docker run -d -p 8080:8080 -p 8009:8009 --name ghostcat duonghuuphuc/tomcat-8.5.32`
-d: run the container in the background and print the container ID.
-p: bind a container port to the given host port.
--name: name the container.

4. Use Nmap[6] to check that ports 8080 and 8009 on the host IP address are open.
command: `nmap -p 8080,8009 <IP address>`

5. Check in a web browser (http://<IP address>:8080/) that the Tomcat instance is working.

6. Run the Python exploit script against port 8009 on the host to read a file from the web application directory (in this snapshot the script is named `CVE-2020-1938-Exploit.py`).
command: `python CVE-2020-1938.py <IP address> -p 8009 -f WEB-INF/web.xml`
-p: the AJP port
-f: the web-application-relative path of the file to read

## References
[1] https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
[2] https://en.wikipedia.org/wiki/Apache_Tomcat
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
[4] https://www.synopsys.com/blogs/software-security/ghostcat-vulnerability-cve-2020-1938/
[5] https://www.docker.com/
[6] https://nmap.org/
File snapshot
[4.0K] /data/pocs/7aba57a30ed3072544520660ef281e129f1c61fb
├── [ 11K] CVE-2020-1938-Exploit.py
└── [8.4K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.