[Threat Advisory] BIG-IP TMUI RCE (CVE-2020-5902): arbitrary file read and RCE via Apache httpd / Apache Tomcat path handling

Source: 蓝队人


Vulnerability: CVE-2020-5902


CVE-2020-5902 was disclosed by F5 Networks in 2020, in one of its K knowledge-base articles, as a CVSS 10.0 remote code execution vulnerability in the BIG-IP management interface (TMUI). This post looks at the root cause behind the two exploitation paths that have been seen. They come down to subtle configuration issues and to a behavioural difference between Apache httpd and Apache Tomcat when an uncommon URI element, the matrix (or path) parameter, is involved.

Exploit recap

鍦ㄨ缁嗕粙缁嶄箣鍓嶏紝蹇€熷洖椤?/span>涓€涓嬫垜浠湅鍒扮殑娑夊強涓や釜绔偣鐨勬紡娲?/span>寰堟湁鐢?/span>锛?/span>

https://[IP]//..;/tmui/locallb/?fileName=/etc/passwd

and

https://[IP]/hsqldb;
The Apache module that handles authentication

F5 implements its own PAM and cookie module under the name mod_f5_auth_cookie.so, and in it certain URLs are allow-listed so that they can be requested without authentication:

[Listing from mod_f5_auth_cookie.so of the URLs allowed without authentication: the image has not been preserved in this copy.]

As shown above, the allow-listed path (written as / in this copy) can be requested without authenticating.

Use of Apache httpd and mod_proxy_ajp

To understand these issues we first need to look at the technologies involved and how they are configured.

F5's BIG-IP uses Apache httpd as the user-facing web server and proxies certain URLs to Apache Tomcat through mod_proxy_ajp.

The proxy_ajp.conf configuration relevant to the two exploited endpoints is:

ProxyPassMatch ^/tmui/(.*\.jsp.*)$ ajp://localhost:8009/tmui/$1 retry=5
ProxyPassMatch ^/hsqldb(.*)$ ajp://localhost:8009/tmui/hsqldb$1 retry=5

The httpd.conf configuration relevant to the same two endpoints is:

#
# HSQLDB
<Location /hsqldb>
  <RequireAll>
    AuthType Basic
    AuthName "BIG\-IP"
    AuthPAM_Enabled on
    AuthPAM_IdleTimeout 1200
    require valid-user

    Require all granted
  </RequireAll>
</Location>
# TMUI
<Location /tmui>
  # Enable compression by type, disable for browsers with known issues
  <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain application/x-javascript text/css
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  </IfModule>

  <RequireAll>
    AuthType Basic
    AuthName "Restricted area"
    AuthPAM_Enabled on
    AuthPAM_ExpiredPasswordsSupport on
    AuthPam_ValidateIP On
    AuthPAM_IdleTimeout 1200
    AuthPAM_DashboardTimeout Off
    require valid-user

    Require all granted
  </RequireAll>
</Location>

The important points to take away are:

Despite the RequireAll directive, the location is reachable without authentication because the PAM module allow-lists it.

The mod_proxy_ajp configuration selects what to proxy with regular expressions (ProxyPassMatch).

The Apache authentication configuration uses plain Location blocks, with no wildcards and no LocationMatch regular expressions.

The last two points mean the two are not balanced: what httpd protects and what httpd forwards to Tomcat are decided by different matching rules.

A history lesson in Apache versus Tomcat path differences

Three times during 2018, the later two in August and November, near-identical vulnerabilities were found in the other Apache Tomcat connector, known as jk, and in broader configurations:

2018: the ISAPI redirector, CVE-2018-1323

August 2018: the "Breaking Parser Logic" talk at Black Hat (slides 40 to 53)

November 2018: mod_jk, CVE-2018-11759

The issue is specifically how Apache Tomcat parses the semicolon (;) compared with Apache httpd. Immunit hinted at it in this description:

"Apache httpd interprets a semicolon in a URL as an ordinary character for path resolution, whereas Tomcat interprets it as a query delimiter (a function similar to '?')."

Immunit's description is close, but there is a difference between path parameters and query parameters. Going back to 2011, a blog post on the semicolon vulnerability explains further:

"Apache Tomcat is an example of a web server that supports 'path parameters'. Path parameters are extra content after the file name, separated by a semicolon. Any arbitrary content after the semicolon does not affect the page the web browser ends up on."

And from the 2019 post "What every web developer must know about URL encoding":

"Each path segment can have optional path parameters (also called matrix parameters), which come after a ';' at the end of the path segment and are separated by ';' characters. Each parameter name is separated from its value by the '=' character, as in '/file;p=1', which defines the path segment '/file' as having a path parameter 'p' with the value '1'. These parameters are not used very often (let's face it) but they still exist."

So we have two web servers, and one of them (Apache Tomcat) we know supports path (matrix) parameters.

With that understood we can turn to the Apache httpd source. First, mod_proxy_ajp.c:

[mod_proxy_ajp.c canonicalisation handler: the source image has not been preserved in this copy.]

The branch we take here is the 'else' one, i.e. ap_proxy_canonenc(). So if we look at the proxy_util.c source, sure enough:

[proxy_util.c, ap_proxy_canonenc(): the source image has not been preserved in this copy.]

So the ajp canonicalisation lets a path containing ';' straight through, and nothing normalises or canonicalises it before it reaches the Tomcat back end. Sniffing the loopback between Apache httpd and Apache Tomcat on the BIG-IP shows exactly this:





[Loopback capture of the AJP request with the ';' still present: the image has not been preserved in this copy.]

If we now move to the Tomcat source, the Catalina connector and Request.java, we find the culprit for the discrepancy, namely the following behaviour:

[Request.java path-parameter handling: the source image has not been preserved in this copy.]

Specifically, the removePathParameters function strips everything from the ';' up to the next forward slash.





[removePathParameters source: the image has not been preserved in this copy.]

This changes our payload from:

https://[IP]//..;/tmui/locallb/?fileName=/etc/passwd

to:

https://[IP]//../tmui/locallb/?fileName=/etc/passwd

Then the RequestUtil.normalize function does what we would expect of it and removes the preceding blob of the URI:

[RequestUtil.normalize source: the image has not been preserved in this copy.]





This changes the payload from:

https://[IP]//../tmui/locallb/?fileName=/etc/passwd

to:

https://[IP]/tmui/tmui/locallb/?fileName=/etc/passwd

Let's check this against Tomcat's web.xml to confirm it makes sense and that we really do end up here:

<servlet-mapping>
  <servlet-name>.apache.jsp.tmui.locallb.workspace.fileRead_jsp</servlet-name>
  <url-pattern>/tmui/locallb/</url-pattern>
</servlet-mapping>

So if we look at the original login.jsp:

<servlet-mapping>
  <servlet-name>LoginJsp</servlet-name>
  <url-pattern>/login.jsp</url-pattern>
</servlet-mapping>

which in turn gives us:

<servlet>
  <servlet-name>LoginJsp</servlet-name>
  <servlet-class>.apache.jsp.tmui.login.index_jsp</servlet-class>
  <!-- <jsp-file>tmui/</jsp-file> -->
  <load-on-startup>3</load-on-startup>
</servlet>

Everything lines up, and lets us tie the input to the behaviour we observed.
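The two Tomcat steps described above (path-parameter removal, then normalisation, then matching against the web application's context) can be reproduced in a few lines. The following is an added example written for this page, not code from the original post, from Tomcat or from F5: it is a Python emulation of the algorithm in RequestUtil.normalize() as the text describes it, and the request paths it walks through are constructed for illustration (the file names example.jsp, index.jsp and the session id are placeholders, not the advisory's exploit strings). The context path /tmui is taken from the web.xml fragments above.

```python
import re
from typing import Optional

# Constructed request paths for the walkthrough (illustrative, not the exploit
# strings from the advisory): the first mimics the shape of the TMUI payload,
# the second the hsqldb one, the third a legitimate path parameter, the fourth
# an attempt to climb above the root.
SAMPLE_PATHS = [
    "/tmui/login.jsp/..;/tmui/locallb/example.jsp",
    "/tmui/hsqldb;",
    "/tmui/index.jsp;jsessionid=0123456789ABCDEF",
    "/..;/tmui/example.jsp",
]


def remove_path_parameters(uri: str) -> str:
    """Emulate Tomcat's removePathParameters: inside every path segment, drop
    the ';' and everything after it up to (not including) the next '/'."""
    return re.sub(r";[^/]*", "", uri)


def normalize(path: str) -> Optional[str]:
    """Port of the algorithm in Tomcat's RequestUtil.normalize(): add a leading
    '/', collapse '//', resolve '/./' and '/../', and return None when a '/../'
    would climb above the root (Tomcat then rejects the request)."""
    normalized = path
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    added_trailing_slash = False
    if normalized.endswith("/.") or normalized.endswith("/.."):
        normalized += "/"
        added_trailing_slash = True
    while "//" in normalized:
        normalized = normalized.replace("//", "/", 1)
    while "/./" in normalized:
        normalized = normalized.replace("/./", "/", 1)
    while True:
        index = normalized.find("/../")
        if index < 0:
            break
        if index == 0:
            return None  # trying to escape the context root
        parent = normalized.rfind("/", 0, index)
        normalized = normalized[:parent] + normalized[index + 3:]
    if added_trailing_slash and len(normalized) > 1:
        normalized = normalized[:-1]
    return normalized


def servlet_path(uri: str, context_path: str) -> Optional[str]:
    """Strip the web application's context path; None means the request does
    not belong to this context at all."""
    if uri == context_path:
        return ""
    if uri.startswith(context_path + "/"):
        return uri[len(context_path):]
    return None


def tomcat_view(ajp_uri: str, context_path: str = "/tmui") -> dict:
    """Trace a URI as received over AJP through the two Tomcat steps the text
    describes and on to the servlet path that web.xml url-patterns are matched
    against."""
    without_params = remove_path_parameters(ajp_uri)
    normalized = normalize(without_params)
    return {
        "received": ajp_uri,
        "without_path_params": without_params,
        "normalized": normalized,
        "servlet_path": None if normalized is None else servlet_path(normalized, context_path),
    }


if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        for stage, value in tomcat_view(sample).items():
            print(f"{stage:>20}: {value}")
        print()
```

The first sample ends up at servlet path /tmui/locallb/example.jsp inside the /tmui context even though httpd only ever saw a request under /tmui/login.jsp/...; the second collapses /tmui/hsqldb; to /hsqldb; the third shows why Tomcat supports the syntax at all (URL-rewritten session ids); the fourth is rejected because the resolved '/../' would leave the context root, which is the one case normalize() refuses.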

Root cause

The root cause differs slightly between the two endpoints, and both can be partly attributed to choosing mod_proxy_ajp rather than mod_jk as the Tomcat connector.

The first is the difference in how semicolons and path (matrix) parameters are handled by mod_proxy_ajp in Apache httpd on one side and by Apache Tomcat on the other.

The second is somewhat more subtle, but it is because of the first that the attack works. The Apache httpd configuration for the location is:

<Location /hsqldb>

whereas had it been:

<Location /hsqldb*>

it would not have been exploitable, according to the Apache documentation for Location. This is because /hsqldb matches /hsqldb, /hsqldb/ and /hsqldb/file.txt, but not /hsqldbsomething or /hsqldb; (the form we see in the exploit, whose semicolon Tomcat later strips).

The third is also subtle, but mainly comes down to the fact that authentication and session validation are performed by Apache httpd. They are implemented in a custom module that does not normalise the URI the way Apache Tomcat does, because it relies on Apache httpd's behaviour. Combined with the path-parameter difference, this is what makes exploitation possible.

涓€鑸紦瑙f帾鏂?/span>

濡傛灉鎮ㄥ皢Apache httpd涓嶢pache Tomcat鍜宮od_proxy_ajp鎴栫被浼肩増鏈竴璧蜂娇鐢紝鎴戜滑寤鸿鍍廎5閭f牱浣跨敤閫氱敤閰嶇疆鏉ラ樆姝㈠湪浣嶇疆浣跨敤鍒嗗彿锛屽嵆锛?/span>

 LocationMatch  
Redirect 404 /
 /LocationMatch 

浣嗘槸锛屼篃璇锋敞鎰忥紝浣嶇疆鏍囩涔熷簲灏藉彲鑳借椽濠互鎻愪緵鏈€澶х▼搴︾殑淇濇姢銆?/span>鎴戜滑鐪嬪埌涓€涓笉浣跨敤鍒嗗彿鐨勬梺璺紝杩欎篃鏄敱浜嶢pache httpd鍜孉pache Tomcat涔嬮棿瀛樺湪宸紓銆?/span>
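As an added example, and not the configuration published by F5 or anything from the original post, here is how I would express the two recommendations above in httpd.conf: reject path parameters at the front door, and scope the authentication with anchored LocationMatch regexes that are at least as wide as the ProxyPassMatch rules. The patterns are my choice; the AuthPAM_* directives and RequireAll blocks from the configuration shown earlier would remain in place as before.

```apacheconf
# Added example for this page, not F5's shipped configuration.

# 1. Reject any request path containing a semicolon before it can be proxied,
#    so the ';' never reaches Tomcat's path-parameter handling.
#    Caveat: this also rejects ";jsessionid=..." style URLs. If URL-rewritten
#    sessions are needed, narrow the pattern to the traversal form, e.g. "\.\.;",
#    accepting that other path-parameter tricks are then not caught here.
<LocationMatch ";">
    Redirect 404 /
</LocationMatch>

# 2. Mirror the proxy rules with anchored regexes. Unlike a plain
#    <Location /hsqldb>, ^/hsqldb also covers /hsqldb; and /hsqldbsomething,
#    i.e. everything ^/hsqldb(.*)$ would forward to Tomcat.
<LocationMatch "^/hsqldb">
    AuthType Basic
    AuthName "BIG-IP"
    Require valid-user
</LocationMatch>

<LocationMatch "^/tmui">
    AuthType Basic
    AuthName "Restricted area"
    Require valid-user
</LocationMatch>
```

After reloading, verify from the outside that `https://[IP]/hsqldb;` and `https://[IP]/hsqldbsomething` now return 404 or 401 rather than content, and that the normal `/tmui/login.jsp` flow still works; a mitigation that is never exercised against the original payload shape is not a mitigation.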

There will be more of these

Subtle configuration issues, combined with subtle functional differences between components and proprietary code sitting in the middle, are all too common. We therefore expect more issues of this kind to be found, particularly in this combination of technologies.

References

jas502n/CVE-2020-5902

post/id/210659#h2-4

2020/07/12/understanding-the-root-cause-works-k-tmui-rce-vulnerability-cve-2020-5902/
