Apache Tomcat AJP Connector Request Injection (Ghostcat)
Ghostcat [CVE-2020-1938] is an LFI vulnerability in the Tomcat AJP service. An attacker can exploit Ghostcat to read the contents of configuration files and source code files of all web applications deployed on Tomcat. For example, /WEB-INF/web.xml sits under the web root in a directory whose access is restricted, so it cannot be retrieved by anyone over HTTP from the Tomcat server.
So by exploiting the Ghostcat [CVE-2020-1938] vulnerability it is possible to read the contents of files in the web server directory over the AJP13 protocol (an LFI vulnerability); in our case, the /WEB-INF/web.xml file.
Run the command below from the terminal (the exploit used here was downloaded from https://github.com/00theway/Ghostcat-CNVD-2020-10487/blob/master/ajpShooter.py):
python3 ajpShooter.py http://IP:8080 8009 /WEB-INF/web.xml read
Impact - A file read/inclusion vulnerability was found in the AJP connector. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and gain remote code execution (RCE).
Recommendation - Update the AJP configuration to require authorization and/or upgrade the Tomcat server to 7.0.100, 8.5.51, 9.0.31 or later.
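As an added example of checking the recommended AJP hardening (this is not code from the original post or from the Tomcat project), the script below audits a Tomcat server.xml and flags AJP connectors that have no shared secret or are not pinned to the loopback address. The two sample configurations are constructed, and the attribute names it checks (secretRequired, secret, address, as introduced in the fixed Tomcat releases) are assumptions noted in the comments.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed the way Ghostcat
(CVE-2020-1938) abuses them. Added example, not part of the original post.
Assumes the connector attributes secretRequired, secret and address as
documented for Tomcat 7.0.100 / 8.5.51 / 9.0.31 and later."""
import xml.etree.ElementTree as ET

# Constructed sample: AJP connector with no secret, listening on every interface.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Constructed sample: the same connector after applying the recommendation.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"/>
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector: {"port": ..., "issues": [...]}.
    An empty issues list means the connector passes both checks."""
    root = ET.fromstring(server_xml)  # commented-out connectors are ignored
    findings = []
    for conn in root.iter("Connector"):
        # Only AJP/1.3 connectors speak the protocol Ghostcat targets.
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        issues = []
        if conn.get("address") not in LOOPBACK:
            issues.append("not bound to loopback: AJP reachable over the network "
                          "(Tomcat before the fix binds all interfaces by default)")
        if conn.get("secretRequired", "").lower() == "false":
            issues.append('secretRequired="false": unauthenticated AJP requests accepted')
        elif not conn.get("secret"):
            issues.append("no secret configured: set secretRequired and a long random secret")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for f in audit_ajp_connectors(xml):
            print(f"[{label}] AJP port {f['port']}: {f['issues'] or 'OK'}")
```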
Thanks!!