CVE-2016-8745
06 Jan 2017 | categories: notes
https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
POC
I succeeded in reproducing the exceptions from this issue [1].
1. Request a file with such a length so that "send file" is used.
- just before serving the file [2], delete it, thus causing the processor to be released and recycled. As a result this processor will be added to the "recycled processors" [3].
- after this, while finishing the response, the processor will be released and recycled once again [4]. This will add the processor again to the "recycled processors". As a result one and the same processor will be in the "recycled processors".
2. Now request twice. One and the same processor will be provided for the two different requests [5].
I do not know whether your scenario is similar. If you can describe your scenario it will be helpful.
So currently we are using org.apache.tomcat.util.collections.SynchronizedStack<T> which does not guarantee uniqueness of the elements.
[1] https://github.com/apache/tomcat/commit/74a12f550478b34261b39d2e324b3951e2ef80cc
[2] https://github.com/apache/tomcat/blob/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java#L891
[3] https://github.com/apache/tomcat/blob/trunk/java/org/apache/coyote/AbstractProtocol.java#L927
[4] https://github.com/apache/tomcat/blob/trunk/java/org/apache/coyote/AbstractProtocol.java#L854
[5] https://github.com/apache/tomcat/blob/trunk/java/org/apache/coyote/AbstractProtocol.java#L728
Cause
Yet another odd vulnerability, although the conditions for exploiting it are quite strict.
Exploitation conditions
- The server offers a file download feature.
- When the client requests that Servlet, the server first sends the download response headers, but deletes the file at the moment it needs to send the file content. (What kind of deranged server would do that... though something similar might happen in other scenarios. Because the server side has to actively implement such behaviour, an attacker who only controls the client will find this hard to trigger.)
- After (2) happens, the thread currently handling the request will, because of the internal logic, be recycled twice. In other words, the thread pool will hold two handles to one and the same thread.
- So when subsequent requests arrive, the same thread will serve two requests. Their variables are then shared, leading to information leakage between them.
We can call this a double recycle attack >_<
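As an added illustration (not code from the Tomcat bug report or from the Tomcat code base): a hypothetical stand-in for the recycled-processor pool, first as a plain stack with no uniqueness check, the way the note describes SynchronizedStack<T>, then with a guard that rejects a second release of a processor that is already in the pool. Processor, StackPool and GuardedPool are invented names; the "two releases" mirror the file-deleted-before-sendfile release and the normal end-of-response release.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Hypothetical stand-in for a Tomcat processor: carries per-request state.
final class Processor {
    String requestData;      // per-request state that must never be shared
    boolean inPool = false;  // guard used by GuardedPool only
}

// Pool modelled on a plain stack, like SynchronizedStack<T>: no uniqueness check,
// so releasing the same processor twice stores it twice.
final class StackPool {
    private final Deque<Processor> recycled = new ArrayDeque<>();
    synchronized void release(Processor p) { recycled.push(p); }
    synchronized Processor acquire() { return recycled.isEmpty() ? new Processor() : recycled.pop(); }
}

// Same pool with a membership guard: a processor already in the pool is not pushed again.
final class GuardedPool {
    private final Deque<Processor> recycled = new ArrayDeque<>();
    synchronized boolean release(Processor p) {
        if (p.inPool) return false;  // double recycle detected and rejected
        p.inPool = true;
        recycled.push(p);
        return true;
    }
    synchronized Processor acquire() {
        Processor p = recycled.isEmpty() ? new Processor() : recycled.pop();
        p.inPool = false;
        return p;
    }
}

public class DoubleRecycleDemo {
    public static void main(String[] args) {
        StackPool bad = new StackPool();
        Processor p = bad.acquire();
        bad.release(p);  // release #1: file deleted just before sendfile
        bad.release(p);  // release #2: normal recycle when the response finishes
        Processor a = bad.acquire(), b = bad.acquire();  // two new requests
        a.requestData = "request A's data";
        // a and b are the same object, so request B can read request A's state
        System.out.println("stack pool shares one processor: " + (a == b) + ", B sees: " + b.requestData);

        GuardedPool good = new GuardedPool();
        Processor q = good.acquire();
        boolean first = good.release(q), second = good.release(q);  // second release is rejected
        Processor c = good.acquire(), d = good.acquire();           // d is a fresh processor
        System.out.println("guarded releases accepted: " + first + "/" + second + ", shared: " + (c == d));
    }
}
```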