Apache Tomcat from file inclusion to RCE: an in-depth analysis of the exploit principle (vulnerability warning, myhack58 / 黑吧安全网)

Author: anonymous (佚名), www.myhack58.com, ID MYHACK58:62202097573
Published: Mar 17, 2020

EPSS: 0.973 (99.9th percentile)

Introduction
This article is an in-depth analysis of the exploitation methods and principles behind the Apache Tomcat AJP file inclusion and RCE vulnerability (CVE-2020-1938). It includes detailed steps for reproducing the vulnerability and building an analysis environment, so that readers can set up their own environment by following the text, place breakpoints in the code and step through it in a debugger, which gives a much better understanding of how the vulnerability works.

Vulnerability description
On February 20, 2020, CNVD published a vulnerability bulletin for a file inclusion vulnerability in Apache Tomcat, tracked as CVE-2020-1938.
Apache Tomcat is a project of the Apache open source organization for serving HTTP. A file inclusion vulnerability was found in the Apache Tomcat server: an attacker can use it to read or include any file under Tomcat's webapps directory.
This is a standalone file inclusion vulnerability, and it depends on Tomcat's AJP (Apache JServ Protocol) connector. The AJP protocol itself has design flaws that leave a request parameter under the client's control, and that controllable parameter is what leads to file inclusion. If the application additionally lets an attacker place a file into webapps (for example through an upload feature), including that file so that it is executed as a JSP turns the file read into remote code execution, which is the path from file inclusion to RCE referred to in the title. AJP usage is estimated at around 7.8% of deployments, and since Tomcat is very widely deployed as middleware, the impact of this vulnerability is large.

AJP13 Protocol description
In general terms Tomcat has two main roles: it can act as a web server that answers requests for static resources, and it is a Servlet container.
Common web servers are Apache httpd, Nginx and IIS; common Servlet containers are Tomcat, WebLogic and JBoss.
A Servlet container can be thought of as an upgraded web server. Taking Tomcat as an example, Tomcat can be used purely as a web server without ever acting as a Servlet container, but it serves static resources far less efficiently and quickly than Apache. For that reason many production deployments put Apache in front as the web server that accepts user requests: Apache serves static resources directly and hands Servlet requests to Tomcat. Each of the two middleware components then does the job it is good at, which speeds up responses considerably.
As everyone knows, user requests reach the web server over HTTP: the address typed into the browser starts with http or https. The browser does not speak AJP, so we cannot send AJP messages from a browser, and AJP was never intended to be used by end users at all.
In Tomcat's $CATALINA_BASE/conf/server.xml two Connectors are configured by default, each listening on its own port: the HTTP Connector listens on port 8080 by default, and the AJP Connector listens on port 8009 by default.
The HTTP Connector is responsible for receiving requests from users; every HTTP request, whether for static or dynamic content, is handled by it. With this Connector Tomcat can act as a web server while additionally handling Servlets and JSPs.
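Because the vulnerable 8.0.x line ships server.xml with the AJP Connector enabled on every interface and without any shared secret, the first thing a practitioner wants is a check of that file. The following is an added example, not code from the original article: it parses a server.xml, finds the AJP Connectors and reports the settings that expose the port. The Connector attributes it inspects (protocol, port, address, secret, requiredSecret, secretRequired) are real Tomcat attributes; requiredSecret is the name used by Tomcat before the fix and secret/secretRequired the names introduced with it. The three sample configurations are constructed for the example and the secret value is a placeholder.

```python
# Added example (not from the original article): audit the AJP Connector
# entries of a Tomcat server.xml for the settings that make CVE-2020-1938
# reachable. Sample configurations below are constructed for this example.
import xml.etree.ElementTree as ET

# Bind addresses that expose the connector on every interface.
ALL_INTERFACES = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}


def audit_ajp_connectors(server_xml):
    """Return a list of findings, one per weak setting on an active AJP Connector."""
    findings = []
    # ElementTree drops XML comments, so a commented-out Connector is correctly ignored.
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # Tomcat defaults the protocol attribute to HTTP/1.1; AJP must be named explicitly.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        # Pre-fix Tomcat used requiredSecret; fixed versions (8.5.51/9.0.31+) use secret.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if address is None or address in ALL_INTERFACES:
            findings.append(f"port {port}: AJP listens on all interfaces (address={address!r}); "
                            "bind it to 127.0.0.1/::1 or the proxy's address")
        if not secret:
            findings.append(f"port {port}: no AJP secret configured; anyone who reaches "
                            "the port can inject request attributes")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"port {port}: secretRequired=\"false\" explicitly disables "
                            "the secret check")
    return findings


# Constructed sample: the stock server.xml of the vulnerable 8.0.x line,
# where the AJP Connector is enabled, unauthenticated and bound to all interfaces.
DEFAULT_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: AJP kept for a local reverse proxy, bound to loopback
# and protected by a shared secret (placeholder value).
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-VALUE" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: AJP is not needed, so the Connector is commented out.
DISABLED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml in [("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML),
                       ("disabled", DISABLED_SERVER_XML)]:
        print(label, audit_ajp_connectors(xml) or ["ok"])
```

Run it against a real $CATALINA_BASE/conf/server.xml by reading the file into audit_ajp_connectors. The stock configuration yields two findings (all interfaces, no secret); the hardened and disabled variants yield none. Disabling the connector is the right fix when nothing in front of Tomcat speaks AJP, which, as the rest of this section explains, is the common case.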
The AJP protocol, on the other hand, is normally used by another web server such as Apache. The diagram below, found online, illustrates the usual arrangement.
[Figure: typical AJP deployment with Apache in front of Tomcat; image /Article/UploadPic/2020-3/202031723353585.png]
This is the typical usage scenario for AJP.
AJP is a binary protocol carried over TCP, which browsers cannot speak. Apache and Tomcat first talk to each other over AJP; Apache's proxy_ajp module (mod_proxy_ajp) then reverse-proxies those requests, turning the pair into an HTTP server that is exposed to users.
The reason for this arrangement is that, compared with plain-text HTTP, AJP is more efficient and performs better, and it carries a number of optimizations.
AJP can, to some extent, be understood as a binary version of HTTP adopted to speed up transport. In practice, however, deployments that put Apache with mod_proxy_ajp in front of Tomcat as an AJP reverse proxy are rare, so AJP sees little day-to-day production use. The connector is nevertheless enabled by default, so an AJP port that nothing legitimately talks to is exactly what this vulnerability targets.
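To make "a binary version of HTTP" concrete, here is an added example, not code from the original article, that encodes and decodes the AJP13 forward-request packet (the container-bound message that carries one HTTP request) and then checks whether a decoded request tries to set any javax.servlet.include.* request attribute. Those attribute names are not given on this page: they are the req_attribute names that CVE-2020-1938 relies on to steer the DefaultServlet's include path, so the check is the one a detection engineer would run over a captured AJP packet. The magic bytes, method and header codes and the length-prefixed string layout follow the AJP13 specification; the sample request at the bottom is constructed.

```python
# Added example (not code from the original article): encoder/decoder for the
# AJP13 "forward request" packet, the container-bound message that carries an
# HTTP request over the binary AJP connection described above.
import struct

AJP_MAGIC_TO_CONTAINER = b"\x12\x34"   # client -> Tomcat; Tomcat's replies start with b"AB"
JK_AJP13_FORWARD_REQUEST = 0x02
SC_A_REQ_ATTRIBUTE = 0x0A              # "req_attribute": arbitrary name/value pair
SC_A_SSL_KEY_SIZE = 0x0B               # the only attribute whose value is an integer
SC_A_ARE_DONE = 0xFF

METHOD_CODES = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
METHOD_NAMES = {v: k for k, v in METHOD_CODES.items()}
# Frequent headers travel as a 0xA0xx code instead of a string name.
HEADER_CODES = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E,
}
HEADER_NAMES = {v: k for k, v in HEADER_CODES.items()}


def ajp_string(s):
    """AJP string: big-endian 2-byte length, the bytes, a NUL. None -> 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(method, uri, headers=(), attributes=(),
                          server_name="localhost", server_port=8080,
                          remote_addr="127.0.0.1"):
    """Encode one JK_AJP13_FORWARD_REQUEST packet (any request body follows in later packets)."""
    body = bytes([JK_AJP13_FORWARD_REQUEST, METHOD_CODES[method]])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string(remote_addr) + ajp_string(None)      # remote_host: not resolved
    body += ajp_string(server_name) + struct.pack(">H", server_port)
    body += b"\x00"                                         # is_ssl = false
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        body += struct.pack(">H", code) if code else ajp_string(name)
        body += ajp_string(value)
    for name, value in attributes:
        # Each req_attribute becomes request.setAttribute(name, value) inside Tomcat.
        body += bytes([SC_A_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([SC_A_ARE_DONE])
    return AJP_MAGIC_TO_CONTAINER + struct.pack(">H", len(body)) + body


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]

    def string(self, length=None):
        length = self.u16() if length is None else length
        if length == 0xFFFF:
            return None
        value = self.data[self.pos:self.pos + length].decode("utf-8")
        self.pos += length + 1                                # skip the NUL
        return value


def parse_forward_request(packet):
    """Decode a container-bound forward request into a dict."""
    if packet[:2] != AJP_MAGIC_TO_CONTAINER:
        raise ValueError("not a container-bound AJP packet")
    length = struct.unpack(">H", packet[2:4])[0]
    r = _Reader(packet[4:4 + length])
    if r.byte() != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": METHOD_NAMES[r.byte()], "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.u16(), "is_ssl": bool(r.byte()),
           "headers": [], "attributes": []}
    for _ in range(r.u16()):
        first = r.u16()                                       # header code or string length
        name = HEADER_NAMES[first] if first >> 8 == 0xA0 else r.string(first)
        req["headers"].append((name, r.string()))
    while True:
        code = r.byte()
        if code == SC_A_ARE_DONE:
            break
        if code == SC_A_REQ_ATTRIBUTE:
            req["attributes"].append((r.string(), r.string()))
        elif code == SC_A_SSL_KEY_SIZE:
            req["attributes"].append(("ssl_key_size", r.u16()))
        else:                                                 # context, servlet_path, query_string, secret, ...
            req["attributes"].append((f"attr_0x{code:02x}", r.string()))
    return req


def sets_servlet_include_attributes(req):
    """Names of javax.servlet.include.* attributes the peer tries to set (CVE-2020-1938 precondition)."""
    return [n for n, _ in req["attributes"]
            if isinstance(n, str) and n.startswith("javax.servlet.include.")]


if __name__ == "__main__":
    # Constructed sample request; the attribute names are the ones the Ghostcat exploit sets.
    pkt = build_forward_request("GET", "/index.txt", [("Host", "localhost")], [
        ("javax.servlet.include.request_uri", "/"),
        ("javax.servlet.include.path_info", "WEB-INF/web.xml"),
        ("javax.servlet.include.servlet_path", "/"),
    ])
    print(pkt.hex())
    print(sets_servlet_include_attributes(parse_forward_request(pkt)))
```

Nothing in the packet format distinguishes an attribute set by a trusted reverse proxy from one set by whoever connects to port 8009; that is the "controllable parameter" of the vulnerability description, and it is why the fixed Tomcat versions both require a secret and filter incoming req_attribute names.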

Tomcat file inclusion vulnerability analysis
Building the analysis environment
First download the matching Tomcat source archive and binary distribution from the official archive: http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.50/
[Figure: screenshot of the Tomcat 8.0.50 download page; image /Article/UploadPic/2020-3/202031723358452.png]
Extract both archives into the same directory, then create a new pom.xml in the source directory with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>Tomcat8.0</artifactId>
    <name>Tomcat8.0</name>
    <version>8.0</version>
    <build>
        <finalName>Tomcat8.0</finalName>
        <sourceDirectory>java</sourceDirectory>
        <testSourceDirectory>test</testSourceDirectory>
        <resources>
            <resource>
                <directory>java</directory>
            </resource>
        </resources>
        <testResources>
            <testResource>
                <directory>test</directory>
            </testResource>
        </testResources>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <!-- the remainder of pom.xml continues on the next page of the article -->

(Page 1 of 4; the article continues on the next page.)