How to analyze and reproduce the Apache Tomcat remote code execution vulnerability CVE-2019-0232

2025-04-09 Update From: SLTechnology News&Howtos (Network Security)

Shulou(Shulou.com)05/31 Report--

This article explains how to analyze and reproduce the Apache Tomcat remote code execution vulnerability CVE-2019-0232. The content is fairly detailed; interested readers can refer to it and will hopefully find it helpful.

Analysis and reproduction of the Apache Tomcat remote code execution vulnerability (CVE-2019-0232)

I. Vulnerability background

Apache Tomcat, commonly known as Tomcat Server, is an open source Java Servlet container developed by the community with the support of the Apache Software Foundation (ASF). It implements several Java EE specifications, including Java Servlet, JavaServer Pages (JSP), the Java Expression Language (EL) and WebSocket, and provides a "pure Java" HTTP web server environment in which Java code can run.

On April 15, 2019, Nightwatch Cybersecurity published information on CVE-2019-0232, a remote code execution (RCE) vulnerability in the Common Gateway Interface (CGI) Servlet of Apache Tomcat. This high-severity vulnerability allows an attacker to execute arbitrary commands through operating system command injection caused by an input validation error in the Tomcat CGIServlet.

II. Affected versions

The affected versions are as follows:

Tomcat versions before 7.0.04

Tomcat versions before 8.5.40

Tomcat versions before 9.0.19

III. Vulnerability analysis

CGI (Common Gateway Interface) is one of the most important technologies of the WWW and holds an irreplaceable position. CGI is the interface standard between external applications (CGI programs) and web servers, and it defines how information is passed between CGI programs and web servers. The CGI specification lets a web server execute external programs and send their output to web browsers, turning a simple set of static hypermedia documents into a fully interactive medium. In Tomcat, CGI scripts are used to execute programs outside the Tomcat Java Virtual Machine (JVM). The CGI Servlet, which is disabled by default, can turn the query string of a request into command-line arguments for the external program. Because of an error in how the Java Runtime Environment (JRE) passes command-line arguments to Windows, Tomcat servers running on Windows with the CGI Servlet parameter enableCmdLineArguments enabled are vulnerable to remote code execution.

The Apache Tomcat file web.xml defines the default values for all web applications loaded into a Tomcat instance. The CGI Servlet is one of the servlets provided by default; it supports the execution of external applications that conform to the CGI specification. Typically, the CGI Servlet is mapped to the URL pattern "/cgi-bin/*", which means that any CGI application to be executed must exist inside the web application.

On Windows, a new process is started by calling the CreateProcess() function, which takes the command line as a single string (the lpCommandLine parameter of CreateProcess): CreateProcess(..., lpCommandLine, ...)

On Windows, arguments are not passed separately as an array of strings but as one command-line string. The program therefore has to parse the command line itself: it retrieves the string with the GetCommandLine() API and then splits it into arguments with the CommandLineToArgvW() helper function. The command-line string flowchart for Windows is as follows:

The vulnerability is caused by the JRE passing command-line arguments to Windows incorrectly. In a Java application, ProcessBuilder.start() is called before the CreateProcess() function runs. The arguments are passed to the static start method of ProcessImpl, a platform-dependent class. In the Windows implementation of ProcessImpl, the start method calls the private ProcessImpl constructor, which builds the command line for the CreateProcess call. The command-line string flowchart for a Java application is as follows:

ProcessImpl builds the command line and passes it to the Windows CreateProcess() function, and CreateProcess() executes .bat and .cmd files in the cmd.exe shell environment.

If the file to run has a .bat or .cmd extension, the image actually started becomes cmd.exe, the Windows command prompt. CreateProcess() then restarts at stage 1, and the name of the batch file is passed as the first argument of cmd.exe. Thus 'hello.bat ...' becomes 'C:\Windows\system32\cmd.exe /c "hello.bat ..."'. Since the quoting rules of CommandLineToArgvW differ from those of cmd, an additional set of quoting rules has to be applied to avoid command injection in the command line interpreted by cmd.exe.

Since Java (ProcessImpl) does not apply any additional quoting for this implicit cmd.exe invocation, the arguments are now processed by cmd.exe before execution, which causes problems whenever they are not passed to cmd.exe correctly.

To understand cmd.exe, first note that cmd is essentially a text preprocessor: given a command line, it performs a series of text transformations and then hands the transformed command line to CreateProcess(). Some transformations replace environment variable names with their values; others, such as those triggered by the &, | and && operators, split the command line into parts. All cmd transformations are triggered by one of the following metacharacters: ( ) % ! ^ " & |. The " metacharacter is particularly interesting: when cmd is transforming the command line and sees a ", it copies it to the new command line and then keeps copying characters from the old command line to the new one without checking whether any of them are metacharacters. This continues until cmd reaches the end of the command line, enters variable substitution, or sees another ".

If we rely on cmd's handling of " to protect arguments, quoting can produce unexpected behavior. When untrusted data is passed as command-line arguments, a mismatch between the two conventions turns into a security issue.

For example, the following:

Hello.bat "dir\" & whoami "

0: [hello.bat]

& dir

Here cmd interprets the & metacharacter as a command separator because, from its point of view, the & character is outside the quoted region. In this case 'whoami' could be replaced by any number of harmful commands, so running hello.bat with the arguments shown above results in command execution.
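The mismatch described above, as an added example that is not part of the original article or of Tomcat/JDK code: the first function splits a command line the way CommandLineToArgvW does, the second scans the same line the way cmd.exe does, both run on the article's own hello.bat line; CMD_METACHARS is the article's list, and the function names are mine. The guard at the end is the conservative check a CGI handler would apply before any argument reaches a .bat launch.

```python
# Added example (not code from the article, Tomcat or the JDK): a model of the
# quoting mismatch the article describes, run on its command line
#   hello.bat "dir\" & whoami "      (CMD_METACHARS is the article's list)
CMD_METACHARS = set('()%!^"&|')

def command_line_to_argv(cmdline: str) -> list[str]:
    """CommandLineToArgvW view: whitespace splits arguments outside quotes, a quote
    toggles quoted mode, 2n backslashes before a quote give n (odd n: literal quote)."""
    argv, cur, quoted, in_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c in ' \t' and not quoted:          # argument boundary
            if in_arg:
                argv.append(''.join(cur))
            cur, in_arg, i = [], False, i + 1
            continue
        in_arg = True
        if c == '\\':
            n = len(cmdline[i:]) - len(cmdline[i:].lstrip('\\'))
            i += n
            if cmdline[i:i + 1] == '"':
                cur.append('\\' * (n // 2))
                if n % 2:                      # odd count: the quote is literal
                    cur.append('"')
                    i += 1
            else:
                cur.append('\\' * n)           # backslashes not before a quote
            continue
        if c == '"':
            quoted = not quoted                # the quote itself is dropped
        else:
            cur.append(c)
        i += 1
    if in_arg:
        argv.append(''.join(cur))
    return argv

def cmd_unquoted_metachars(cmdline: str) -> list[tuple[int, str]]:
    """cmd.exe view: a quote only flips a copy-verbatim flag; any other metacharacter
    seen while the flag is off is interpreted ('&' splits the line). Returns (offset, char)."""
    found, quoted = [], False
    for i, c in enumerate(cmdline):
        if c == '"':
            quoted = not quoted
        elif c in CMD_METACHARS and not quoted:
            found.append((i, c))
    return found

def is_safe_cmd_argument(arg: str) -> bool:
    """Guard for arguments headed to a .bat/.cmd launch: the two conventions disagree, so reject any metacharacter."""
    return not (set(arg) & CMD_METACHARS)
```

For the article's line, the argv view yields the single argument 'dir" & whoami ' (the \" became a literal quote), while cmd sees the & at offset 17 outside any quoted region and splits the line there.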

IV. Vulnerability reproduction

First download the vulnerable version of Tomcat, extract it to the corresponding folder, and then configure the environment variables.

Then modify context.xml.

Modify web.xml, add the required parameters, and enable the CGIServlet in the web.xml file.

After the two files have been modified, start the server and access http://localhost:8080/

After Tomcat is reachable, create the hello.bat script and put it in the cgi-bin directory.

Hello.bat content

Then visit http://localhost:8080/cgi-bin/hello.bat?dir; the response shows that the command was executed successfully.

V. Remediation suggestions

Download the official Apache Tomcat patch and upgrade as soon as possible. In addition, setting the CGI Servlet initialization parameter enableCmdLineArguments to false prevents the query string from being turned into command-line arguments.

This concludes the analysis and reproduction of the Apache Tomcat remote code execution vulnerability CVE-2019-0232. I hope the content above is helpful and lets everyone learn something. If you found the article useful, feel free to share it.
