Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
On May 24, 2020 4:49:50 PM UTC, Stefan Mayr wrote: >Hi, > >Am 20.05.2020 um 17:19 schrieb Mark Thomas: >> CVE-2020-9484 Apache Tomcat Remote Code Execution via session >persistence >> >> Severity: High >> >> Vendor: The Apache Software Foundation >> >> Versions Affected: >> Apache Tomcat 10.0.0-M1 to 10.0.0-M4 >> Apache Tomcat 9.0.0.M1 to 9.0.34 >> Apache Tomcat 8.5.0 to 8.5.54 >> Apache Tomcat 7.0.0 to 7.0.103 >> >> Description: >> If: >> a) an attacker is able to control the contents and name of a file on >the >>server; and >> b) the server is configured to use the PersistenceManager with a >>FileStore; and >> c) the PersistenceManager is configured with >>sessionAttributeValueClassNameFilter="null" (the default unless a >>SecurityManager is used) or a sufficiently lax filter to allow the >>attacker provided object to be deserialized; and >> d) the attacker knows the relative file path from the storage >location >>used by FileStore to the file the attacker has control over; >> then, using a specifically crafted request, the attacker will be able >to >> trigger remote code execution via deserialization of the file under >> their control. Note that all of conditions a) to d) must be true for >the >> attack to succeed. >> > >Assuming an attacker can do (a), (d) and the Tomcat instance is running >with a default configuration (c): is the StandardManager vulnerable or >not (b)? No. >Also a question about naming: is PersistenceManager the same >PersistentManager as in org.apache.catalina.session.PersistentManager? Yes. >So a vulnerable configuration would need to use something like > > > > Yes. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
Hi, Am 20.05.2020 um 17:19 schrieb Mark Thomas: > CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence > > Severity: High > > Vendor: The Apache Software Foundation > > Versions Affected: > Apache Tomcat 10.0.0-M1 to 10.0.0-M4 > Apache Tomcat 9.0.0.M1 to 9.0.34 > Apache Tomcat 8.5.0 to 8.5.54 > Apache Tomcat 7.0.0 to 7.0.103 > > Description: > If: > a) an attacker is able to control the contents and name of a file on the >server; and > b) the server is configured to use the PersistenceManager with a >FileStore; and > c) the PersistenceManager is configured with >sessionAttributeValueClassNameFilter="null" (the default unless a >SecurityManager is used) or a sufficiently lax filter to allow the >attacker provided object to be deserialized; and > d) the attacker knows the relative file path from the storage location >used by FileStore to the file the attacker has control over; > then, using a specifically crafted request, the attacker will be able to > trigger remote code execution via deserialization of the file under > their control. Note that all of conditions a) to d) must be true for the > attack to succeed. > Assuming an attacker can do (a), (d) and the Tomcat instance is running with a default configuration (c): is the StandardManager vulnerable or not (b)? Also a question about naming: is PersistenceManager the same PersistentManager as in org.apache.catalina.session.PersistentManager? So a vulnerable configuration would need to use something like Regards, Stefan Mayr - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
Hi, When I run dns leaktest https://www.dnsleaktest.com/I have a setup which shows 32 Servers identifying my origin.All from different continents If some one did pen test or ethical hacking with same setup as myself using these tools for bug bounties on Tomcat. How what is the defence against such penetration attack ? Kali Linux Tools Listing Information Gathering - ace-voip - Amap - APT2 - arp-scan - Automater - bing-ip2hosts - braa - CaseFile - CDPSnarf - cisco-torch - copy-router-config - DMitry - dnmap - dnsenum - dnsmap - DNSRecon - dnstracer - dnswalk - DotDotPwn - enum4linux - enumIAX - EyeWitness - Faraday - Fierce - Firewalk - fragroute - fragrouter - Ghost Phisher - GoLismero - goofile - hping3 - ident-user-enum - InSpy - InTrace - iSMTP - lbd - Maltego Teeth - masscan - Metagoofil - Miranda - nbtscan-unixwiz - Nikto - Nmap - ntop - OSRFramework - p0f - Parsero - Recon-ng - SET - SMBMap - smtp-user-enum - snmp-check - SPARTA - sslcaudit - SSLsplit - sslstrip - SSLyze - Sublist3r - THC-IPV6 - theHarvester - TLSSLed - twofi - Unicornscan - URLCrazy - Wireshark - WOL-E - Xplico Vulnerability Analysis - BBQSQL - BED - cisco-auditing-tool - cisco-global-exploiter - cisco-ocs - cisco-torch - copy-router-config - Doona - DotDotPwn - HexorBase - jSQL Injection - Lynis - Nmap - ohrwurm - openvas - Oscanner - Powerfuzzer - sfuzz - SidGuesser - SIPArmyKnife - sqlmap - Sqlninja - sqlsus - THC-IPV6 - tnscmd10g - unix-privesc-check - Yersinia Exploitation Tools - Armitage - Backdoor Factory - BeEF - cisco-auditing-tool - cisco-global-exploiter - cisco-ocs - cisco-torch - Commix - crackle - exploitdb - jboss-autopwn - Linux Exploit Suggester - Maltego Teeth - Metasploit Framework - MSFPC - RouterSploit - SET - ShellNoob - sqlmap - THC-IPV6 - Yersinia Wireless Attacks - Airbase-ng - Aircrack-ng - Airdecap-ng and Airdecloak-ng - Aireplay-ng - airgraph-ng - Airmon-ng - Airodump-ng - airodump-ng-oui-update - Airolib-ng - Airserv-ng - Airtun-ng - Asleap - Besside-ng - Bluelog - BlueMaho - Bluepot - BlueRanger - Bluesnarfer - Bully - coWPAtty - crackle - eapmd5pass - Easside-ng - Fern Wifi Cracker - FreeRADIUS-WPE - Ghost Phisher - GISKismet - Gqrx - gr-scan - hostapd-wpe - ivstools - kalibrate-rtl - KillerBee - Kismet - makeivs-ng - mdk3 - mfcuk - mfoc - mfterm - Multimon-NG - Packetforge-ng - PixieWPS - Pyrit - Reaver - redfang - RTLSDR Scanner - Spooftooph - Tkiptun-ng - Wesside-ng - Wifi Honey - wifiphisher - Wifitap - Wifite - wpaclean Forensics Tools - Binwalk - bulk-extractor - Capstone - chntpw - Cuckoo - dc3dd - ddrescue - DFF - diStorm3 - Dumpzilla - extundelete - Foremost - Galleta - Guymager - iPhone Backup Analyzer - p0f - pdf-parser - pdfid - pdgmail - peepdf - RegRipper - Volatility - Xplico Web Applications - apache-users - Arachni - BBQSQL - BlindElephant - Burp Suite - CutyCapt - DAVTest - deblaze - DIRB - DirBuster - fimap - FunkLoad - Gobuster - Grabber - hURL - jboss-autopwn - joomscan - jSQL Injection - Maltego Teeth - Nikto - PadBuster - Paros - Parsero - plecost - Powerfuzzer - ProxyStrike - Recon-ng - Skipfish - sqlmap - Sqlninja - sqlsus - ua-tester - Uniscan - w3af - WebScarab - Webshag - WebSlayer - WebSploit - Wfuzz - WhatWeb - WPScan - XSSer - zaproxy Stress Testing - DHCPig - FunkLoad - iaxflood - Inundator - inviteflood - ipv6-toolkit - mdk3 - Reaver - rtpflood - SlowHTTPTest - t50 - Termineter - THC-IPV6 - THC-SSL-DOS Sniffing & Spoofing - bettercap - Burp Suite - DNSChef - fiked - hamster-sidejack - HexInject - iaxflood - inviteflood - iSMTP - isr-evilgrade - mitmproxy - ohrwurm - protos-sip - rebind - responder - rtpbreak - rtpinsertsound - rtpmixsound - sctpscan - SIPArmyKnife - SIPp - SIPVicious - SniffJoke - SSLsplit - sslstrip - THC-IPV6 - VoIPHopper - WebScarab - Wifi Honey - Wireshark - xspy - Yersinia - zaproxy