Shulou(Shulou.com)05/31 Report--

How to carry out CVE-2020-1938 loophole analysis, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

I. Environmental construction

The environment building section directly uses the brew package manager for Tomcat installation. Version 8.5.47 is shown below:

Skip the settings for remote debugging with IDEA, and check the port opening status after the construction is completed, as shown in the following figure:

II. AJP protocol learning

Since the CVE-2020-1938 vulnerability is exploited through Tomcat's AJP protocol, you should first learn about the AJP protocol to understand what it is and what it is used for.

Here is the official AJP document for the AJP agreement section on the Apache official website.

After reading the official documents and server.xml documents, we can see that the Tomcat server listens to two ports for normal access and communication with the client. As shown in the figure above, it listens to ports 8080 and 8009 respectively, of which port 8080 is the well-known port for normal HTTP protocol communication, and port 8009 uses the AJP protocol for communication, using binary format to transmit readable text, which can reduce the processing cost of HTTP requests. Therefore, it is mainly used in scenarios where clusters and reverse proxies are needed.

By reading the document, we can know the structure of the request message of the AJP protocol, the definition of Headers, the code value of the attribute and so on. This part will be found again in the following vulnerability code analysis.

Third, loophole analysis

Vulnerability analysis is done with the earliest release of an Heng Tomcat-Ajp protocol vulnerability analysis article, personal analysis of the article for learning and vulnerability details, download Tomcat source code for analysis.

Navigate to the core code of the vulnerability on line 778-812 of the org.apache.coyote.ajp.AjpProcessor.java file, as follows:

First of all, analyze the first red box location code, first assign a value to attributeCode and then take the comparison result as a loop condition; query the value of Constants.SC_A_ARE_DONE in the Constants.java file as 0XFF, and the attribute code as the request termination in the official manual, then this is a constant True judgment, and the loop executes the following switch judgment code.

Analyzing the location code of the second red box, when case goes to Constants.SC_A_REQ_ATTRIBUTE, it will enter the following judgment, so what is this Constants.SC_A_REQ_ATTRIBUTE? Find SC_A_REQ_ATTRIBUTE = 10 in Constants.java; there is also a line of comment that declares this for attributes that are not in the list above.

Continue to return to the official website manual for search, and sure enough, there is a declaration in the attribute description of the official website as shown in the following figure. That is, if you want to send a value other than the above basic property, you can send it by setting its property name and value through req_attribute (0X0A).

Then the meaning of the code in the third red box is already obvious. We can take out the contents of the AJP and set them to the Attribute property of the request object.

After setting up the request object in the above section, I didn't figure out how to pass it to the container until I saw this article analyzing the CoyoteAdapter of Tomcat:

Adapter connects Tomcat connector Connector and container Container. Its implementation class is CoyoteAdapter, which is mainly responsible for encapsulating requests and constructing Request and Response objects. And forward the request to Container, the Servlet container.

Finally, the getAdapter (). Service (request,response) in an Heng vulnerability analysis article is concatenated. After this, you also need to pay attention to the processing of Servlet. You can see that two servlet processes, DefaultServlet and JSP Servlet, are configured in web.xml. The more accurate the path is, the more accurate the path is to match first, and / all, and the matching degree is fuzzy, so the priority is the lowest. When other Servlet matches are unsuccessful, DefaultServlet will cover the bottom.

Follow up the DefaultServlet.class file in Tomcat_lib and obtain the resource file through the serveResource method.

Get the resource file path through getRelativePath.

Then read the file by controlling the above three attributes controlled by ajp. By manipulating the above three attributes, you can read all the sensitive files under / WEB-INF, not limited to class, xml, jar and other files.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.