Apache Ghostcat - CVE-2020-1938

Theory

Java is currently the most popular programming language in Web development, and Tomcat is one of the most popular Java middleware servers. It has been used for more than 20 years since its initial release.

Ghostcat is a serious vulnerability in Tomcat discovered by a security researcher at Chaitin Tech. Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any file in the webapp directories of Tomcat. For example, an attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through the Ghostcat vulnerability.

Tomcat Connector is the channel for Tomcat to connect to the outside. It enables Catalina to receive requests from the outside, pass them to the corresponding web application for processing, and return the response result of the request.

By default, Tomcat is configured with two Connectors, which are HTTP Connector and AJP Connector:

HTTP Connector: used to process HTTP protocol requests (HTTP/1.1), and the default listening address is 0.0.0.0:8080
AJP Connector: used to process AJP protocol requests (AJP/1.3), and the default listening address is 0.0.0.0:8009

The HTTP Connector provides the ordinary HTTP web service that users interact with. The AJP Connector uses the AJP protocol (Apache JServ Protocol). AJP can be understood as a performance-optimized version of HTTP in a binary format. It reduces the processing cost of HTTP requests, so it is mainly used in scenarios that require clustering or a reverse proxy (for example, Apache httpd with mod_jk or mod_proxy_ajp in front of Tomcat).
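As an added example that is not part of the original page, the following Python script audits a Tomcat server.xml for the AJP Connector settings that leave Ghostcat reachable from other hosts: an enabled AJP/1.3 connector bound to all interfaces and no shared secret. Both server.xml samples are constructed here; the `address`, `secretRequired` and `secret` attributes are the real Tomcat AJP Connector attributes used to mitigate the issue.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the pre-fix Tomcat default, with the AJP Connector
# enabled on every interface and no shared secret configured.
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: the same connector bound to loopback with a secret
# (the secret value is a placeholder, not a real credential).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER_SECRET" />
  </Service>
</Server>"""

# A missing address meant "all interfaces" on Tomcat releases before the fix.
ALL_INTERFACES = {None, "0.0.0.0", "::", "0:0:0:0:0:0:0:0"}

def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per enabled AJP Connector in a server.xml string.

    Connectors that are commented out are XML comments, so the parser never
    sees them and they count as disabled.  Each finding lists why the
    connector would accept AJP requests from other hosts.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Matches "AJP/1.3" as well as an explicit handler class name such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        reasons = []
        if conn.get("address") in ALL_INTERFACES:
            reasons.append("bound to all interfaces; set address=\"127.0.0.1\"")
        # Treat a missing secretRequired as not enforced: true on pre-fix
        # releases, and harmless to flag on releases that default it to true.
        if conn.get("secretRequired", "false").lower() != "true" or not conn.get("secret"):
            reasons.append("no shared secret; set secretRequired=\"true\" and secret")
        findings.append({"port": conn.get("port"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for label, xml in (("exposed", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml):
            print(label, "AJP port", finding["port"], finding["reasons"] or ["ok"])
```

Run it against a real `conf/server.xml` by reading the file into `audit_ajp_connectors`; an empty `reasons` list, or no finding at all because the connector is commented out, is the state the Tomcat fix ships by default.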


Practical

Metasploit

msfconsole -q

search ghostcat

use auxiliary/admin/http/tomcat_ghostcat

set RHOSTS 10.10.7.246

run

