CVE-2016-8745

categories: notes
tags: CVE analysis

https://bz.apache.org/bugzilla/show_bug.cgi?id=60409

POC

I succeeded in reproducing the exceptions from this issue [1].

1. Request a file with such a length that "send file" is used.
 - just before serving the file [2], delete it; this will cause the processor to be released and recycled. As a result this processor will be added to the "recycled processors" [3].
 - after this, while finishing the response, the processor will be released and recycled once again [4]. This will add the processor again to the "recycled processors". As a result one and the same processor will be in the "recycled processors".
2. Now request twice. One and the same processor will be provided for the two different requests [5].

I do not know whether your scenario is similar. If you can describe your scenario it will be helpful.

So currently we are using org.apache.tomcat.util.collections.SynchronizedStack<T> which does not guarantee uniqueness of the elements.

[1] https://github.com/apache/tomcat/commit/74a12f550478b34261b39d2e324b3951e2ef80cc
[2] https://github.com/apache/tomcat/blob/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java#L891
[3] https://github.com/apache/tomcat/blob/trunk/java/org/apache/coyote/AbstractProtocol.java#L927
[4] https://github.com/apache/tomcat/blob/trunk/java/org/apache/coyote/AbstractProtocol.java#L854
[5] https://github.com/apache/tomcat/blob/trunk/java/org/apache/coyote/AbstractProtocol.java#L728

Cause

Yet another bizarre vulnerability, although the conditions for exploiting it are fairly strict.

Exploitation conditions

  1. The server offers a file-download function.
  2. When the client requests that servlet, the server first sends the download response headers, but by the time it has to send the contents of the file to be downloaded, the file has been deleted. (What kind of deranged server would do this... though something similar may be possible in other scenarios. Because this behaviour has to be implemented actively on the server side, an attacker who controls only the client will find it quite hard to trigger.)
  3. After (2) happens, the internal logic recycles the thread handling the current request twice. In other words, the pool ends up holding two handles to the same thread.
  4. When subsequent requests arrive, that same thread serves two requests at once. Their variables are then shared, and information leaks between the two requests.

We could call this a double recycle attack >_<
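The double-recycle sequence above, modelled as an added example rather than Tomcat's own code: `Processor`, the stripped-down `SynchronizedStack` model and the guarded `UniqueStack` are constructed for this illustration, and the bracketed numbers in the comments point at the references in the bug report quoted earlier. The same processor object is released twice, and the next two requests both receive it; the guarded variant refuses the duplicate push.

```python
import threading

class Processor:
    """Constructed stand-in for a Tomcat Http11Processor: holds request-scoped state."""
    def __init__(self):
        self.current_request = None

class SynchronizedStack:
    """Minimal model of org.apache.tomcat.util.collections.SynchronizedStack:
    a lock-protected LIFO that does not check for duplicate elements."""
    def __init__(self):
        self._items = []
        self._lock = threading.Lock()

    def push(self, item):
        with self._lock:
            self._items.append(item)
            return True

    def pop(self):
        with self._lock:
            return self._items.pop() if self._items else None

class UniqueStack(SynchronizedStack):
    """Hypothetical guarded variant: pushing an element that is already on the
    stack is refused, so a double recycle cannot duplicate a processor."""
    def push(self, item):
        with self._lock:
            if any(item is x for x in self._items):
                return False
            self._items.append(item)
            return True

def double_recycle_scenario(stack_cls):
    """Replay the report's double release, then serve two requests; returns (A, B)."""
    recycled = stack_cls()
    p = Processor()
    recycled.push(p)  # sendfile fails (file deleted): processor released [3]
    recycled.push(p)  # response finishes: the same processor released again [4]
    a = recycled.pop() or Processor()  # request A takes a pooled processor [5]
    b = recycled.pop() or Processor()  # request B takes the next pooled one
    a.current_request = "GET /download/a"
    b.current_request = "GET /download/b"
    return a, b

def leaks_between_requests(stack_cls):
    """True when requests A and B ended up sharing one processor object."""
    a, b = double_recycle_scenario(stack_cls)
    return a is b
```

With the plain stack, request A's `current_request` is silently overwritten by request B's, which is the state sharing the post describes.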
