CVE-2020-1938

基本信息#

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

影响范围：

• 7.0.0 - 7.0.99
• 8.5.0 - 8.5.50
• 9.0.0.M1 - 9.0.0.30

漏洞复现#

环境配置#

./conf/server.xml中默认已默认打开AJP

92     <!-- Define an AJP 1.3 Connector on port 8009 -->
93     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

攻击#

任意文件读

# python CVE-2020-1938-read.py -p 8009 -f test.txt 47.100.18.67
----------------------------
This is Vulnerable CVE-2017-12617!

任意文件包含

// print.jsp
<%
        out.print("This is CVE-2020-1938");
%>

# python CVE-2020-1938-include.py -p 8009 -f print.jsp 47.100.18.67
----------------------------
This is CVE-2020-1938

原理#

Request Prepare#

./java/org/apache/coyote/ajp/AjpProcessor.java

对于Ajp请求，Tomcat使用AjpProcessor类处理用户的请求

163            if (!getErrorState().isError()) {
                // Setting up filters, and parse some request headers
                rp.setStage(org.apache.coyote.Constants.STAGE_PREPARE);
                try {
                    // 准备请求（将用户的请求转换为内部的请求）
                    prepareRequest();
                } catch (Throwable t) {
                    ExceptionUtils.handleThrowable(t);
                    log.debug(sm.getString("ajpprocessor.request.prepare"), t);
                    // 500 - Internal Server Error
                    response.setStatus(500);
                    setErrorState(ErrorState.CLOSE_CLEAN, t);
                    getAdapter().log(request, response, 0);
                }
            }

其中PrepareRequest方法继承自父类AbstractAjpProcessor，对请求进行预处理

./java/org/apache/coyote/ajp/AbstractAjpProcessor.java

746    protected void prepareRequest() {
...
832        while ((attributeCode = requestHeaderMessage.getByte())
                != Constants.SC_A_ARE_DONE) {

            switch (attributeCode) {

            case Constants.SC_A_REQ_ATTRIBUTE :
                requestHeaderMessage.getBytes(tmpMB);
                String n = tmpMB.toString();
                requestHeaderMessage.getBytes(tmpMB);
                String v = tmpMB.toString();
                /*
                 * AJP13 misses to forward the local IP address and the
                 * remote port. Allow the AJP connector to add this info via
                 * private request attributes.
                 * We will accept the forwarded data and remove it from the
                 * public list of request attributes.
                 */
                if(n.equals(Constants.SC_A_REQ_LOCAL_ADDR)) {
                    // 赋值IP给request
                    request.localAddr().setString(v);
                } else if(n.equals(Constants.SC_A_REQ_REMOTE_PORT)) {
                    // 赋值端口给request
                    try {
                        request.setRemotePort(Integer.parseInt(v));
                    } catch (NumberFormatException nfe) {
                        // Ignore invalid value
                    }
                } else if(n.equals(Constants.SC_A_SSL_PROTOCOL)) {
                      // 将https属性加入key中
                    request.setAttribute(SSLSupport.PROTOCOL_VERSION_KEY, v);
                } else {
                    // 其他情况直接加入key
-                    request.setAttribute(n, v );
                    // All 'known' attributes will be processed by the previous
                    // blocks. Any remaining attribute is an 'arbitrary' one.
+                    Pattern pattern = protocol.getAllowedArbitraryRequestAttributesPattern();
+                    if (pattern == null) {
+                        response.setStatus(403);
+                        setErrorState(ErrorState.CLOSE_CLEAN, null);
+                    } else {
+                        Matcher m = pattern.matcher(n);
+                        if (m.matches()) {
+                            request.setAttribute(n, v);
+                        } else {
+                            response.setStatus(403);
+                            setErrorState(ErrorState.CLOSE_CLEAN, null);
+                        }
+                    }
                }
                break;

Request Process#

预处理后转回AjpProcessor类进行请求处理，adapter根据web.xml中的设置选择JspServlet或者DefaultServlet进行处理

./java/org/apache/coyote/ajp/AjpProcessor.java

187            // Process the request in the adapter
            if (!getErrorState().isError()) {
                try {
                    rp.setStage(org.apache.coyote.Constants.STAGE_SERVICE);
                    adapter.service(request, response);
                } catch (InterruptedIOException e) {
                    setErrorState(ErrorState.CLOSE_NOW, e);
                } catch (Throwable t) {
                    ExceptionUtils.handleThrowable(t);
                    log.error(sm.getString("ajpprocessor.request.process"), t);
                    // 500 - Internal Server Error
                    response.setStatus(500);
                    setErrorState(ErrorState.CLOSE_CLEAN, t);
                    getAdapter().log(request, response, 0);
                }
            }

Jsp后缀处理

./java/org/apache/jasper/servlet/JspServlet.java :service

338            boolean precompile = preCompile(request);
339            serviceJspFile(request, response, jspUri, precompile);

./java/org/apache/jasper/servlet/JspServlet.java :serviceJspFile

新建或获取当前的wapper，处理jsp文件，将结果作为response返回

377        if (wrapper == null) {
            synchronized(this) {
                wrapper = rctxt.getWrapper(jspUri);
                if (wrapper == null) {
                    // Check if the requested JSP page exists, to avoid
                    // creating unnecessary directories and files.
                    if (null == context.getResource(jspUri)) {
                        handleMissingResource(request, response, jspUri);
                        return;
                    }
                    wrapper = new JspServletWrapper(config, options, jspUri,
                                                    rctxt);
                    rctxt.addWrapper(jspUri,wrapper);
                }
            }
        }
                //调用JspServletWrapper执行请求的jsp文件
        try {
            wrapper.service(request, response, precompile);
        } catch (FileNotFoundException fnfe) {
            handleMissingResource(request, response, jspUri);
        }

普通后缀处理

DefaultSerlvet类继承自HttpServlet，对于Get请求，使用doGet方法读取对应的内容作为response

./java/javax/servlet/http/HttpServlet.java:service

619         if (method.equals(METHOD_GET)) {
            long lastModified = getLastModified(req);
            if (lastModified == -1) {
                // servlet doesn't support if-modified-since, no reason
                // to go through further expensive logic
                doGet(req, resp);
            } else {
                long ifModifiedSince;
                try {
                    ifModifiedSince = req.getDateHeader(HEADER_IFMODSINCE);
                } catch (IllegalArgumentException iae) {
                    // Invalid date header - proceed as if none was set
                    ifModifiedSince = -1;
                }
                if (ifModifiedSince < (lastModified / 1000 * 1000)) {
                    // If the servlet mod time is later, call doGet()
                    // Round down to the nearest second for a proper compare
                    // A ifModifiedSince of -1 will always be less
                    maybeSetLastModified(resp, lastModified);
                    doGet(req, resp);
                } else {
                    resp.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
                }
            }
         }

利用方法#

使用Ajp协议请求网站根目录下的文件

防护方法#

1. 原本默认开启的AJP服务被设置为默认关闭
2. 建议用户在使用AJP服务时使用安全认证机制
3. 对含有任意请求属性的访问返回403（拒绝exp中控制设置的属性的ajp请求）
4. patch链接：
   • https://github.com/apache/tomcat/commit/86768e423a6ca0ae32e64acb65c9ae8dccf52256
   • https://github.com/apache/tomcat/commit/38a0fd9bb287e9e70eb61a5d8ea12cf602fb6398
   • https://github.com/apache/tomcat/commit/2e108583e8665fdc61970137a409f15c4df3a36f

参考资料#

• AJP协议官方文档

• CVE-2020-1938漏洞分析

• CVE-2020-1938 EXP