2025-04-08 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to reproduce the Apache Tomcat remote code execution vulnerability CVE-2020-1938. The walkthrough is detailed and can be used as a reference. I hope it will be helpful to you.
Brief introduction of the vulnerability:
Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and WebSocket technologies. Tomcat provides a "pure Java" HTTP web server environment in which you can run Java code. Recently, Apache Tomcat fixed a vulnerability (CVE-2020-1938) that allows an attacker to read any file under webapps (such as webapp configuration files, source code, etc.) or to include a file in order to execute code remotely. Because of a file inclusion flaw in the AJP service (port 8009), which Tomcat enables by default, an attacker can construct a malicious request packet that performs a file inclusion operation and reads files in the web directory of the affected Tomcat server.
Threat type
File inclusion, remote code execution
Threat level
High
Vulnerability number
CVE-2020-1938
Affected systems and application versions
Apache Tomcat 6
Apache Tomcat 7 < 7.0.100
Apache Tomcat 8 < 8.5.51
Apache Tomcat 9 < 9.0.31
Vulnerability reproduction:
1. Build the environment
VMware virtual machine, Windows 7
JDK 1.8.0_73
Apache Tomcat 9.0.13
2. Reproduction steps
First install the JDK (I use jdk_1.8.0_241 here) and then configure the environment variables.
Download the Tomcat installation package for the required version from https://archive.apache.org/dist/tomcat/
Download the JDK and prepare to configure the environment.
1. Install the JDK and choose any directory. If there are no special requirements, the default installation is fine.
2. Install the JRE: click Change and keep the part of the path before \java the same as the JDK installation directory.
3. After the JDK is installed, configure the environment variables: Computer → Properties → Advanced system settings → Advanced → Environment Variables
4. Under System variables, create a new JAVA_HOME variable.
Set the variable value to the JDK installation directory.
My path is C:\Program Files\Java\jdk1.8.0_241
5. Under System variables, find the Path variable and edit it.
Append %JAVA_HOME%\bin;%JAVA_HOME%\jre\bin to the end of the variable value.
6. Under System variables, create a new CLASSPATH variable.
Set the variable value to .;%JAVA_HOME%\lib;%JAVA_HOME%\lib\tools.jar
7. Verify that the configuration works. If running java -version in cmd shows the version information, the installation and configuration are successful.
8. Download Tomcat from the URL above. After downloading the installation package, go to the bin directory and execute startup.bat to start Tomcat.
9. Visit http://localhost:8080
10. Modify the configuration files
First modify apache-tomcat-9.0.13\conf\web.xml
(1) Delete this comment and add the code in the red box.
The added parameters are enableCmdLineArguments, set to true, and executable.
(2) Delete the comments here
11. Then modify
apache-tomcat-9.0.13\conf\context.xml
Add the privileged="true" attribute as shown below
The environment has been built!
12. Scan the open ports of the Tomcat host with nmap
Look up the IP address of the Tomcat host
Scan the ports
The scan shows that ports 8080 and 8009 are open. Port 8009 is the AJP service, so on this affected Tomcat version (9.0.13) the vulnerability exists.
13. Run the PoC from CMD; the Python environment is 2.7
PoC address:
Portal
The file is read successfully, so the vulnerability has been reproduced!
2. Remediation suggestions
1. Disable the AJP port by commenting out its connector in the conf/server.xml configuration file.
2. Upgrade to the latest official version.
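A local check for the two remediation suggestions above, as an added example that is not part of the original article: it lists the AJP connectors in a server.xml that are not commented out and compares a Tomcat version string with the affected ranges listed earlier. The function names and both sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, from the affected-version list on this page.
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

def version_affected(version):
    """True if the Tomcat version string is in the page's affected ranges."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if parts[0] == 6:
        return True  # the page lists the 6.x branch without a fixed release
    fixed = FIXED.get(parts[0])
    return fixed is not None and parts < fixed

def active_ajp_ports(server_xml):
    """Ports of AJP <Connector> elements that are not commented out.
    ElementTree drops XML comments, so a commented connector never appears."""
    root = ET.fromstring(server_xml)
    return [c.get("port", "?") for c in root.iter("Connector")
            if "ajp" in c.get("protocol", "").lower()]

def audit(version, server_xml):
    """Combine both remediation checks into one verdict."""
    affected = version_affected(version)
    ports = active_ajp_ports(server_xml)
    if affected and ports:
        status = "vulnerable: upgrade and comment out the AJP connector"
    elif affected:
        status = "AJP disabled, but the version is affected: upgrade"
    elif ports:
        status = "version fixed; AJP still enabled, disable it if unused"
    else:
        status = "ok"
    return {"affected": affected, "ajp_ports": ports, "status": status}

# Constructed sample: a default-style server.xml with the AJP connector enabled.
SAMPLE_ENABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: the same file after remediation 1 (connector commented out).
SAMPLE_DISABLED = SAMPLE_ENABLED.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->')

if __name__ == "__main__":
    print(audit("9.0.13", SAMPLE_ENABLED))
    print(audit("9.0.31", SAMPLE_DISABLED))
```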
That concludes this walkthrough of reproducing the Apache Tomcat remote code execution vulnerability CVE-2020-1938. I hope the content above is of some help and that you learned something from it. If you think the article is good, you can share it so that more people can see it.