2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains the "Tomcat-Ajp protocol vulnerability analysis". The content is simple, clear and easy to understand; please follow the editor's line of thought step by step to study "Tomcat-Ajp protocol vulnerability analysis" in depth.
Vulnerability background
Security bulletin number: CNTA-2020-0004
On February 20, 2020, 360CERT monitoring found that the National Information Security Vulnerability Sharing Platform (CNVD) had recorded an Apache Tomcat file inclusion vulnerability as CNVD-2020-10487.
CNVD-2020-10487/CVE-2020-1938 is a file inclusion vulnerability that xxx users can exploit to read or include arbitrary files from every webapp directory on Tomcat, such as webapp configuration files or source code.
The affected versions include Tomcat 6, Tomcat 7 before 7.0.100, Tomcat 8 before 8.5.51 and Tomcat 9 before 9.0.31.
CNVD rated the vulnerability overall as "high risk".
Affected versions
1. Apache Tomcat 9.x < 9.0.31
2. Apache Tomcat 8.x < 8.5.51
3. Apache Tomcat 7.x < 7.0.100
4. Apache Tomcat 6.x
Vulnerability analysis
3.1 AJP Connector
The Apache Tomcat server establishes connections with client programs through the Connector component. A Connector is an endpoint that receives requests and returns responses: it accepts the client's request and sends the Tomcat server's response back to the client.
In an Apache Tomcat server, the port we use most often, 8080, is the so-called HTTP Connector, which speaks the HTTP (HTTP/1.1) protocol. Its corresponding configuration in conf/server.xml is:
The AJP Connector instead uses the AJP protocol (Apache JServ Protocol), a packet-oriented protocol. For performance reasons it carries readable text in a binary format, which lowers the cost of processing HTTP requests, so it is mainly used where clustering or a reverse proxy is needed.
The configuration corresponding to the AJP protocol is:
By default, the Tomcat server exposes this port to the external network.
The two ways a web client can reach the Tomcat server:
3.2 Code Analysis
The vulnerability is located where the content of the AJP request is processed:
org.apache.coyote.ajp.AbstractAjpProcessor#prepareRequest()
SC_A_REQ_ATTRIBUTE is checked first: if the AJP attribute in use is not one of those in the list above, execution enters this branch.
SC_A_REQ_REMOTE_PORT corresponds to AJP_REMOTE_PORT, the forwarded remote port. AJP13 itself does not forward the remote port, but it accepts a forwarded value and uses it as the remote port.
So arbitrary attributes can be set on the AJP request. They are stored as attributes of the request object, and the following three attributes in particular can be set:
javax.servlet.include.request_uri
javax.servlet.include.path_info
javax.servlet.include.servlet_path
3.3 Arbitrary file reading
The request is dispatched to the org.apache.catalina.servlets.DefaultServlet#serveResource() method.
This calls getRelativePath, which first requires the request_uri attribute to be non-null and then reads the path_info and servlet_path attribute values from the request object, using them as pathInfo and servletPath.
Next, in the getResource method, path is passed in as the parameter and the file's content (source code) is returned.
Vulnerability demonstration: reading the /WEB-INF/web.xml file
3.4 Command execution
When the URI of a .jsp request is processed, org.apache.jasper.servlet.JspServlet#service() is called.
Finally, pathInfo is handed to serviceJspFile, which parses and executes the file as a JSP. So if the attacker can control a JSP file on the server, for example by uploading one, this leads to RCE.
Vulnerability demonstration: achieving RCE
Remediation advice
Apache Tomcat 6 is no longer maintained; upgrade to the latest supported Tomcat version to avoid the vulnerability. Update to the following Tomcat versions, which close the affected ranges listed above: 7.0.100, 8.5.51 or 9.0.31.
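As an added example that is not part of the original article: the AJP connector stanza as Tomcat's default conf/server.xml shipped it before the fixed releases (the configuration section 3.1 refers to), beside a hardened form that uses the `address`, `secretRequired` and `secret` connector attributes available from 7.0.100, 8.5.51 and 9.0.31 onward. The secret value is a placeholder; where AJP is not used at all, the stanza is simply removed.

```xml
<!-- conf/server.xml, before the fixed releases: the AJP connector listens on
     every interface and accepts any request attribute from whoever connects,
     which is what lets the javax.servlet.include.* attributes be injected. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened form: bind to loopback so only a local reverse proxy (mod_jk,
     mod_proxy_ajp) can reach it, and require the proxy to present a shared
     secret on every request. In 9.0.31+ these are the defaults and a missing
     secret makes the connector refuse to start. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_A_LONG_RANDOM_SECRET"
           redirectPort="8443" />
```

The same secret must be configured on the proxy side (for example the `secret` option of mod_proxy_ajp's worker), or the proxy's requests will be rejected after the upgrade.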
Thank you for reading; the above is the content of "Tomcat-Ajp Protocol vulnerability Analysis". After studying this article, you should have a deeper understanding of the Tomcat-Ajp protocol vulnerability, and the specifics need to be verified in practice. The editor will publish more articles on related knowledge points; you are welcome to follow.