Associated Vulnerability
Title: Apache Tomcat security vulnerability (CVE-2020-1938)
Description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
Description
This is an exploit for CVE-2020-1938 (Ghostcat), an Apache Tomcat AJP file read/inclusion vulnerability.
Readme
# CVE-2020-1938: Ghostcat-Apache Tomcat AJP File Read/Inclusion Vulnerability
## Background
### Vulnerability Case Study Presentations
Hancheng Lei (251099234), Siyang Li (251129414)
This project covers the CVE-2020-1938 vulnerability in Apache Tomcat, known as Ghostcat. The exploit script has been reworked to fix the bugs identified in earlier versions so that it runs reliably against affected targets.
### When Was It Discovered?
On February 20, 2020, the China National Vulnerability Database (CNVD) published advisory CNVD-2020-10487 for a critical vulnerability in the Apache JServ Protocol (AJP) connector of Apache Tomcat. AJP is a binary protocol for forwarding requests from a front-end web server to an application server.
The Ghostcat vulnerability (CVE-2020-1938) was discovered by researchers at Chaitin Tech and reported to the Apache Software Foundation on January 3, 2020.
### What Is Apache Tomcat?
Apache Tomcat (often referred to simply as "Tomcat") is an open-source implementation of Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies. It offers a "pure Java" HTTP web server environment where Java code can be executed.
Tomcat is maintained by a community of developers under the Apache Software Foundation and is distributed under the Apache License 2.0.
### What Is the AJP Protocol?
AJP is a binary protocol that carries requests over TCP between a front-end web server (such as Apache httpd) and the servlet container (Tomcat) that runs behind it. It is primarily used in cluster or reverse-proxy deployments where a web server hands requests to an application server or servlet container, and Tomcat trusts the proxy to set request metadata that an ordinary HTTP client could never set.
### What Is CVE-2020-1938?
CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector of Apache Tomcat, which affected versions enable by default on port 8009. A remote, unauthenticated attacker who can reach that port can read any file inside a web application, including files under `WEB-INF` that are never served over HTTP. If the application also accepts file uploads, the attacker can upload a file of any type containing JavaServer Pages (JSP) code and have Tomcat include it as a JSP, which leads to remote code execution (RCE).
## Description
### Official Description
> When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than HTTP connections. If an attacker can access such connections, they can exploit them in unexpected ways. Versions of Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50, and 7.0.0 to 7.0.99 had an AJP Connector enabled by default, listening on all configured IP addresses. It is advised to disable this Connector if it is not necessary. The vulnerability report identified a mechanism that allowed:
> - Returning arbitrary files from anywhere in the web application
> - Processing any file in the web application as a JSP
> Moreover, if the web application permitted file uploads and stored these files within the application, the combination of this vulnerability and the ability to process files as JSP made remote code execution possible. Mitigation is required only if an AJP port is accessible to untrusted users. Users are encouraged to upgrade to Apache Tomcat versions 9.0.31, 8.5.51, or 7.0.100 or later, which include significant changes to the default AJP Connector configuration for enhanced security.
### Explanation in Simple Terms
- Basic conditions: in Apache Tomcat 6.x, 7.x, 8.x, and 9.x the AJP connector, enabled by default on port 8009, is trusted more than a standard HTTP connection because Tomcat assumes it is only reachable from a front-end proxy. Anyone who can connect to the port directly inherits that trust and can set request attributes that only the proxy should control. (Tomcat 6.x was already end-of-life and received no fix.)
- Ghostcat permits attackers to retrieve arbitrary files from anywhere in the web application, including sensitive directories like `WEB-INF` and `META-INF`, and any location accessible via `ServletContext.getResourceAsStream()`. Additionally, it allows attackers to process any file in the web application as JSP.
- If an affected Tomcat application has a file upload vulnerability, attackers can exploit it in combination with Ghostcat for remote code execution.
## Impact
According to a 2010 blog post from the Apache Software Foundation, Apache Tomcat had already been downloaded over 10 million times and is embedded as the web server in many software products. The potential impact of this vulnerability is therefore extensive: wherever port 8009 is reachable and the instance is unpatched, the application's source and configuration, and possibly the host, remain at risk.
### Affected Versions and Fixed Versions
| Apache Version | Affected Release Versions | Fixed Version |
|---------------------|---------------------------|---------------|
| Apache Tomcat 9 | 9.0.30 and below | 9.0.31 |
| Apache Tomcat 8 | 8.5.50 and below | 8.5.51 |
| Apache Tomcat 7 | 7.0.99 and below | 7.0.100 |
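The upgrade fixes the vulnerability by changing the AJP Connector defaults; the same hardening can be applied by hand in `conf/server.xml`. The fragment below is an added example, not taken from this repository or from Tomcat's own `server.xml`: it shows the weak pre-9.0.31 connector line beside the hardened form that the 9.0.31 / 8.5.51 / 7.0.100 defaults and the Tomcat security guide recommend. The secret value is a placeholder; whether the connector can be removed entirely depends on whether a front-end proxy actually speaks AJP to this instance.

```xml
<!-- Added example (not from this repository or from Tomcat's shipped server.xml).
     Weak: the default shipped before 9.0.31 / 8.5.51 / 7.0.100.
     It listens on every interface and requires no shared secret, so anyone
     who can reach TCP/8009 is treated as a trusted proxy. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: bind to loopback so only a local proxy can connect, and require
     the shared secret the proxy must present (secretRequired defaults to true
     from 9.0.31 on). If no reverse proxy uses AJP at all, leave the connector
     commented out instead. "CHANGE-ME" is a placeholder: use a long random value
     and configure the same value on the proxy side. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE-ME" />
```

After the change, confirm with `ss -ltnp | grep 8009` (or `netstat`) that the listener is bound to 127.0.0.1 only, and that the proxy still reaches the application; a proxy that does not send the secret will be rejected, which is the intended failure mode.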
## Vulnerability Analysis and Exploits
### Vulnerability Principle
When Tomcat handles a request, the DefaultServlet and the JspServlet both consult the request attributes `javax.servlet.include.request_uri`, `javax.servlet.include.path_info` and `javax.servlet.include.servlet_path`, which a `RequestDispatcher` include normally sets. The DefaultServlet uses them as the path of the static resource to serve, and the JspServlet uses them as the path of the JSP to compile. The AJP protocol lets the client (normally a trusted front-end proxy) attach arbitrary request attributes to a forwarded request, and affected versions accept them from anyone who can reach port 8009. Because these attributes are attacker-controlled, any file under the web application root, including everything in `WEB-INF`, can be served as a static file or compiled as a JSP.
Escalating from file read to RCE requires one further condition:
- The web application must accept file uploads and store them inside the application directory (or the attacker must be able to control web application content by some other means). An uploaded file of any type can then be included through the JspServlet and compiled as a JSP, which gives code execution.
### Steps for Exploitation
1. An attacker can read any file in the web application directory deployed under Tomcat using the AJP connection, typically found on port 8009.
2. If the application has an upload function, the attacker can upload a malicious file containing JSP code to the server (the upload file can be any type: image, plain text file, etc.) and then use Ghostcat to include the file, achieving code execution.
### Exploits Demonstration
Tools: Kali-linux 64 bit Virtual Machine, Tomcat-8.5.32, JRE8 environment.
1. Search Docker Hub[5] for a tomcat-8.5.32 image.
command: `docker search tomcat-8.5.32`
Docker itself can be installed on Kali with: `apt install docker.io`

2. Pull the image into the local virtual machine.
command: `docker pull duonghuuphuc/tomcat-8.5.32`

3. Create a container from the image and publish ports 8080 (HTTP) and 8009 (AJP).
command: `docker run -d -p 8080:8080 -p 8009:8009 --name ghostcat duonghuuphuc/tomcat-8.5.32`
-d: run the container in the background and print the container ID.
-p: bind a container port to the given host port.
--name: name the container.

4. Use Nmap[6] to check that ports 8080 and 8009 are open on the target IP address.
command: `nmap -p 8009,8080 <IP address>` (both ports are also covered by a default `nmap <IP address>` scan; the AJP port shows up as `ajp13`)

5. Check that Tomcat serves its default page in a web browser at `http://<IP address>:8080`.

6. Run the Python exploit script against the host's port 8009 to read a file from the web application directory.
command: `python CVE-2020-1938.py <IP address> -p 8009 -f WEB-INF/web.xml` (the script archived in this repository is named `CVE-2020-1938-Exploit.py`)
-p: AJP port to connect to
-f: path of the file to read, relative to the web application root

## References
[1] https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
[2] https://en.wikipedia.org/wiki/Apache_Tomcat
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
[4] https://www.synopsys.com/blogs/software-security/ghostcat-vulnerability-cve-2020-1938/
[5] https://www.docker.com/
[6] https://nmap.org/
File Snapshot
[4.0K] /data/pocs/7aba57a30ed3072544520660ef281e129f1c61fb
├── [ 11K] CVE-2020-1938-Exploit.py
└── [8.4K] README.md
0 directories, 2 files