
How to analyze the recurrence of Tomcat-CVE-2020-1938

2025-02-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shows how to reproduce Tomcat CVE-2020-1938. The content is concise and easy to understand, and I hope you will take something away from the detailed walkthrough below.

0x01 Vulnerability overview

Tomcat is a Servlet container developed by the Jakarta project under the Apache Software Foundation. Following the technical specifications published by Sun Microsystems, it supports Servlet and JavaServer Pages (JSP), and as a Web server it provides some unique features such as the Tomcat management and control platform, security realm management and Tomcat valves. Because Tomcat itself includes an HTTP server, it can also be regarded as a standalone Web server. An attacker exploits this vulnerability through the AJP protocol port to read, or include, arbitrary files under any webapp directory on Tomcat, such as webapp configuration files and source code.

0x02 Affected versions

More than 200,000 affected Tomcat instances have been found in China. The affected versions are:

Tomcat 6.*
Tomcat 7.* < 7.0.100
Tomcat 8.* < 8.5.51
Tomcat 9.* < 9.0.31

0x03 Reproduction environment setup

Server environment: Ubuntu 16 with Alibaba Cloud package sources

1. Install JDK

I use JDK 1.8 here, which can be installed directly with apt:

apt install openjdk-8-jre-headless

2. Download and install Tomcat

You can download a vulnerable version from GitHub. What I downloaded here is tomcat-7.0.99:

https://github.com/apache/tomcat/releases

Then upload it to our server.

There are two pitfalls: one is that a new logs folder must be created under the Tomcat root directory, and the other is that some important files are missing.

Running Tomcat reported success, but we found that Tomcat had not actually started; looking at the log showed that important files were missing.

The package downloaded from GitHub is incomplete, so we need to download it from the official site:

https://archive.apache.org/dist/tomcat/tomcat-7/v7.0.99/bin/

Upload the missing files into the bin directory on our server.

Make the startup scripts executable with chmod +x *.sh, then start Tomcat with ./startup.sh.

Once Tomcat 7.0.99 is installed, check whether port 8009, the default AJP connector port, is open.

At this point the CVE-2020-1938 reproduction environment is complete. (If you find replacing files troublesome, you can use the complete installation package from the official website instead.)

0x04 Vulnerability exploitation

Exploit scripts can be downloaded from GitHub:

https://github.com/xindongzhuaizhuai/CVE-2020-1938
https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC

Or reply 003 to the public account to get them.

Read the WEB-INF/web.xml file:

python poc.py -p 8009 -f "/WEB-INF/web.xml" 154.221.20.69

0x05 Hardening and remediation recommendations

1. Apache has officially released versions 9.0.31, 8.5.51 and 7.0.100 to fix this vulnerability. Apache Tomcat 6 is no longer maintained. Please upgrade to the latest supported Tomcat version to avoid being affected:

https://tomcat.apache.org/download-70.cgi
https://tomcat.apache.org/download-80.cgi
https://tomcat.apache.org/download-90.cgi

2. Temporary mitigation when the AJP protocol is needed: configure a secret for the AJP Connector so that AJP connections require authentication credentials, and pay attention to the strength of that secret.

3. Temporary mitigation when the AJP protocol is not needed: disable the AJP port by commenting out the AJP Connector in the conf/server.xml configuration file, then restart the Tomcat service.
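As an added example that is not part of the original article, the following Python script audits a Tomcat conf/server.xml for AJP connectors that lack the hardening described in points 2 and 3: it flags any enabled AJP connector not bound to loopback and any connector without a configured secret. The server.xml fragments are constructed samples, and the secretRequired/secret attributes are those introduced by the fixed Tomcat releases; a pre-fix Tomcat ignores them, so the audit complements, rather than replaces, the upgrade in point 1.

```python
"""Audit a Tomcat conf/server.xml for AJP connectors that lack Ghostcat hardening."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a default pre-fix server.xml (not from a real host).
VULNERABLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed hardened sample: AJP bound to loopback and protected by a shared secret.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-use-a-long-random-value" />
  </Service>
</Server>"""

# Constructed sample with the AJP connector commented out (mitigation 3); the parser drops comments.
DISABLED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per weakness on each enabled AJP connector (empty list = nothing to fix)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # only AJP connectors are relevant to CVE-2020-1938
        port = conn.get("port", "?")
        # A missing address means "all interfaces" on pre-fix releases; treat it as exposed.
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append(f"AJP {port}: listens on {address}, not loopback")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"AJP {port}: secretRequired is disabled")
        elif not conn.get("secret"):
            # Pre-fix releases ignore these attributes entirely, so upgrading is still required.
            findings.append(f"AJP {port}: no secret configured")
    return findings
```

Run it against the real conf/server.xml by passing the file contents to audit_ajp_connectors; an empty result means every AJP connector is either commented out or bound to loopback with a secret set.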

The above is how to reproduce Tomcat CVE-2020-1938. Have you learned any new knowledge or skills? If you want to learn more or broaden your knowledge, you are welcome to follow the industry information channel.
