Apache Tomcat CVE-2019-0232 RCE漏洞分析与防护指南<\/h1>

漏洞概述<\/h2>
CVE-2019-0232是Apache Tomcat中的一个远程代码执行漏洞，影响Windows平台上的CGI Servlet功能。该漏洞源于Tomcat CGI将命令行参数传递给Windows程序的方式存在缺陷，导致可能被命令注入攻击。<\/p>

影响范围<\/h2>

Apache Tomcat 9.0.0.M1 至 9.0.17<\/li>
Apache Tomcat 8.5.0 至 8.5.39<\/li>

Apache Tomcat 7.0.0 至 7.0.93<\/li> <\/ul>

漏洞利用前提条件<\/h2>

操作系统限制<\/strong>：仅影响Windows平台<\/li>

配置要求<\/strong>：

启用了CGIServlet<\/li>
设置了enableCmdLineArguments参数为true<\/li> <\/ul> <\/li>
默认安全性<\/strong>：CGIServlet和enableCmdLineArguments参数默认情况下都不启用<\/li> <\/ol>
漏洞复现步骤<\/h2>
环境准备<\/h3>

Tomcat版本：9.0.12<\/li>
JRE版本：1.8.0<\/li> <\/ul>
配置步骤<\/h3>

启用CGIServlet<\/strong>（修改conf\/web.xml）：<\/li> <\/ol>
<servlet><\/span> <\/span><\/span> <servlet-name><\/span>cgi<\/servlet-name><\/span> <\/span><\/span> <servlet-class><\/span>org.apache.catalina.servlets.CGIServlet<\/servlet-class><\/span> <\/span><\/span> <init-param><\/span> <\/span><\/span> <param-name><\/span>cgiPathPrefix<\/param-name><\/span> <\/span><\/span> <param-value><\/span>WEB-INF\/cgi-bin<\/param-value><\/span> <\/span><\/span> <\/init-param><\/span> <\/span><\/span> <init-param><\/span> <\/span><\/span> <param-name><\/span>enableCmdLineArguments<\/param-name><\/span> <\/span><\/span> <param-value><\/span>true<\/param-value><\/span> <\/span><\/span> <\/init-param><\/span> <\/span><\/span> <init-param><\/span> <\/span><\/span> <param-name><\/span>executable<\/param-name><\/span> <\/span><\/span> <param-value><\/param-value><\/span> <\/span><\/span> <\/init-param><\/span> <\/span><\/span> <load-on-startup><\/span>5<\/load-on-startup><\/span> <\/span><\/span><\/servlet><\/span> <\/span><\/span><\/code><\/pre> 添加Servlet映射<\/strong>（conf\/web.xml）：<\/li> <\/ol> <servlet-mapping><\/span> <\/span><\/span> <servlet-name><\/span>cgi<\/servlet-name><\/span> <\/span><\/span> <url-pattern><\/span>\/cgi-bin\/*<\/url-pattern><\/span> <\/span><\/span><\/servlet-mapping><\/span> <\/span><\/span><\/code><\/pre> 修改Context权限<\/strong>（conf\/context.xml）：<\/li> <\/ol> <Context<\/span> privileged=<\/span>"true"<\/span>><\/span> <\/span><\/span> <\/span> <\/span><\/span><\/Context><\/span> <\/span><\/span><\/code><\/pre> 创建CGI脚本<\/strong>：<\/li> <\/ol> 在ROOT\/WEB-INF下创建cgi-bin目录<\/li> 创建e.bat文件，内容为：echo Content-type: text\/html<\/code><\/li> <\/ul> 漏洞验证<\/h3> 访问URL：http:\/\/127.0.0.1:8080\/cgi-bin\/e.bat?&ver<\/code><\/p> 漏洞原理分析<\/h2> 技术背景<\/h3> 漏洞存在于tomcat\/java\/org\/apache\/catalina\/servlets\/CGIServlet.java<\/code>中，当启用enableCmdLineArguments<\/code>参数时，CGIServlet会根据RFC 3875从URL参数生成命令行参数，并通过Java的Runtime执行。<\/p> Windows与Linux执行差异<\/h3> Windows执行机制<\/strong>：<\/p> 使用CreateProcess<\/code>创建进程<\/li> 参数合并为字符串作为lpComandLine<\/code>传入<\/li> 对于.bat或.cmd文件，会调用cmd.exe<\/code>执行<\/li> 最终格式：cmd.exe \/c "arg.bat & dir"<\/code><\/li> <\/ul> <\/li> Linux执行机制<\/strong>：<\/p> 使用execve<\/code>系统调用<\/li> 参数直接传递，不会进行命令解释<\/li> 示例调用：execve("arg.sh", ["arg.sh", "arg"dir"], [\/* 23 vars *\/])<\/code><\/li> <\/ul> <\/li> <\/ol> Windows参数处理特性<\/h3> 引号处理问题<\/strong>：<\/p> Windows将"<\/code>中的内容拷贝为下一个参数，直到遇到下一个"<\/code><\/li> 对\"<\/code>处理存在缺陷，可能导致参数逃逸<\/li> <\/ul> <\/li> 示例<\/strong>：<\/p> dir "\"&whoami"<\/code>在Windows中会执行命令<\/li> 同样的命令在Linux中是安全的<\/li> <\/ul> <\/li> <\/ol> 修复方案<\/h2> 官方修复<\/h3> 新增参数校验<\/strong>：<\/p> 添加cmdLineArgumentsDecoded<\/code>参数<\/li> 对传入的命令行参数进行模式匹配校验<\/li> <\/ul> <\/li> 校验代码<\/strong>：<\/p> <\/li> <\/ol> String decodedArgument =<\/span> URLDecoder.<\/span>decode<\/span>(<\/span>encodedArgument,<\/span> parameterEncoding);<\/span> <\/span><\/span>if<\/span> (<\/span>cmdLineArgumentsDecodedPattern !=<\/span> null<\/span> <\/span><\/span> &&<\/span> !<\/span>cmdLineArgumentsDecodedPattern.<\/span>matcher<\/span>(<\/span>decodedArgument).<\/span>matches<\/span>())<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>log.<\/span>isDebugEnabled<\/span>())<\/span> {<\/span> <\/span><\/span> log.<\/span>debug<\/span>(<\/span>sm.<\/span>getString<\/span>(<\/span>"cgiServlet.invalidArgumentDecoded"<\/span>,<\/span> <\/span><\/span> decodedArgument,<\/span> cmdLineArgumentsDecodedPattern.<\/span>toString<\/span>()));<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> false<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 执行控制<\/strong>：<\/li> <\/ol> if<\/span> (<\/span>cgiEnv.<\/span>isValid<\/span>())<\/span> {<\/span> <\/span><\/span> CGIRunner cgi =<\/span> new<\/span> CGIRunner(<\/span>cgiEnv.<\/span>getCommand<\/span>(),<\/span> <\/span><\/span> cgiEnv.<\/span>getEnvironment<\/span>(),<\/span> <\/span><\/span> cgiEnv.<\/span>getWorkingDirectory<\/span>(),<\/span> <\/span><\/span> cgiEnv.<\/span>getParameters<\/span>());<\/span> <\/span><\/span> if<\/span> (<\/span>"POST"<\/span>.<\/span>equals<\/span>(<\/span>req.<\/span>getMethod<\/span>()))<\/span> {<\/span> <\/span><\/span> cgi.<\/span>setInput<\/span>(<\/span>req.<\/span>getInputStream<\/span>());<\/span> <\/span><\/span> }<\/span> <\/span><\/span> cgi.<\/span>setResponse<\/span>(<\/span>res);<\/span> <\/span><\/span> cgi.<\/span>run<\/span>();<\/span> <\/span><\/span>}<\/span> else<\/span> {<\/span> <\/span><\/span> res.<\/span>sendError<\/span>(<\/span>404<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>修复版本说明<\/h3> 虽然9.0.18修复了该漏洞，但该更新未通过候选版本投票<\/li> 建议用户升级至9.0.19或更高版本<\/li> <\/ul> 防护建议<\/h2> 升级Tomcat<\/strong>：<\/p> 升级到不受影响的版本（9.0.19+、8.5.40+、7.0.94+）<\/li> <\/ul> <\/li> 配置调整<\/strong>：<\/p> 关闭enableCmdLineArguments<\/code>参数（设置为false）<\/li> 如非必要，禁用CGIServlet功能<\/li> <\/ul> <\/li> 安全实践<\/strong>：<\/p> 最小化Tomcat运行权限<\/li> 定期审查服务器配置<\/li> 监控可疑的CGI请求<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> Windows命令行参数处理<\/a><\/li> Java与Windows命令注入<\/a><\/li> <\/ol>

Apache Tomcat CVE-2019-0232 RCE漏洞分析与防护指南<\/h1>

漏洞概述<\/h2>
CVE-2019-0232是Apache Tomcat中的一个远程代码执行漏洞，影响Windows平台上的CGI Servlet功能。该漏洞源于Tomcat CGI将命令行参数传递给Windows程序的方式存在缺陷，导致可能被命令注入攻击。<\/p>

漏洞复现步骤<\/h2>

漏洞验证<\/h3>
访问URL：`http:\/\/127.0.0.1:8080\/cgi-bin\/e.bat?&ver<\/code><\/p>`

技术背景<\/h3>
漏洞存在于`tomcat\/java\/org\/apache\/catalina\/servlets\/CGIServlet.java<\/code>中，当启用enableCmdLineArguments<\/code>参数时，CGIServlet会根据RFC 3875从URL参数生成命令行参数，并通过Java的Runtime执行。<\/p>`

修复方案<\/h2>

参考资源<\/h2>

Windows命令行参数处理<\/a><\/li>
Java与Windows命令注入<\/a><\/li> <\/ol>

Apache Tomcat CVE-2019-0232 RCE漏洞分析与防护指南<\/h1>

漏洞概述<\/h2> CVE-2019-0232是Apache Tomcat中的一个远程代码执行漏洞，影响Windows平台上的CGI Servlet功能。该漏洞源于Tomcat CGI将命令行参数传递给Windows程序的方式存在缺陷，导致可能被命令注入攻击。<\/p>

漏洞复现步骤<\/h2>

漏洞验证<\/h3> 访问URL：http:\/\/127.0.0.1:8080\/cgi-bin\/e.bat?&ver<\/code><\/p>

技术背景<\/h3> 漏洞存在于tomcat\/java\/org\/apache\/catalina\/servlets\/CGIServlet.java<\/code>中，当启用enableCmdLineArguments<\/code>参数时，CGIServlet会根据RFC 3875从URL参数生成命令行参数，并通过Java的Runtime执行。<\/p>

修复方案<\/h2>

参考资源<\/h2> Windows命令行参数处理<\/a><\/li> Java与Windows命令注入<\/a><\/li> <\/ol>

漏洞概述<\/h2>
CVE-2019-0232是Apache Tomcat中的一个远程代码执行漏洞，影响Windows平台上的CGI Servlet功能。该漏洞源于Tomcat CGI将命令行参数传递给Windows程序的方式存在缺陷，导致可能被命令注入攻击。<\/p>

漏洞验证<\/h3>
访问URL：`http:\/\/127.0.0.1:8080\/cgi-bin\/e.bat?&ver<\/code><\/p>`

技术背景<\/h3>
漏洞存在于`tomcat\/java\/org\/apache\/catalina\/servlets\/CGIServlet.java<\/code>中，当启用enableCmdLineArguments<\/code>参数时，CGIServlet会根据RFC 3875从URL参数生成命令行参数，并通过Java的Runtime执行。<\/p>`

参考资源<\/h2>

Windows命令行参数处理<\/a><\/li>
Java与Windows命令注入<\/a><\/li> <\/ol>