# CVE-2016-8745

categories: notes
tags: CVE analysis

https://bz.apache.org/bugzilla/show_bug.cgi?id=60409


### POC

I succeeded in reproducing the exceptions from this issue [1].

1. Request a file with such a length so that "send file" is used.
- just before serving the file [2], delete it, thus it will cause the processor to be released and recycled. As a result this processor will be added to the "recycled processors" [3].
- after this while finishing the response the processor will be released and recycled once again [4]. This will add the processor again to the "recycled processors". As a result one and the same processor will be in the "recycled processors".
2. Now request twice. One and the same processor will be provided for the two different requests [5].

I do not know whether your scenario is similar. If you can describe your scenario it will be helpful.

So currently we are using org.apache.tomcat.util.collections.SynchronizedStack<T> which does not guarantee uniqueness of the elements.

[1] https://github.com/apache/tomcat/commit/74a12f550478b34261b39d2e324b3951e2ef80cc
[2] https://github.com/apache/tomcat/blob/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java#L891
[3] https://github.com/apache/tomcat/blob/trunk/java/org/apache/coyote/AbstractProtocol.java#L927
[4] https://github.com/apache/tomcat/blob/trunk/java/org/apache/coyote/AbstractProtocol.java#L854
[5] https://github.com/apache/tomcat/blob/trunk/java/org/apache/coyote/AbstractProtocol.java#L728



### Cause

1. The server offers a file download feature.
2. When a client requests that servlet, the server first sends the download response headers, but at the moment it has to send the contents of the file to be downloaded, the file is deleted. (What kind of crazy server would do that... but something similar may well be possible in other scenarios. Because this behaviour has to be implemented actively on the server side, an attacker who only controls the client would find it rather hard to trigger.)
3. Once (2) has happened, the internal logic causes the thread currently handling the request to be recycled twice, i.e. the pool ends up holding two handles to the same thread.
4. So when later requests arrive, the same thread serves two requests at once. Their variables are then shared, leaking information between the two requests.
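An added illustration, written for this post and not taken from Tomcat (nor the fix that was actually committed): a toy processor pool showing why a plain stack with no uniqueness guard hands one object to two requests after a double recycle, next to a release that refuses the second recycle. `DoubleRecycleDemo`, `NaivePool`, `GuardedPool` and the sample request string are invented for the demo.

```java
import java.util.ArrayDeque;

// Toy model (not Tomcat's code) of the failure mode behind CVE-2016-8745: a Processor holding
// per-request state and a pool that is a plain stack, so a Processor released twice is present
// twice and gets handed to two concurrent requests.
public class DoubleRecycleDemo {
    static final class Processor {
        String currentRequest;   // per-request state that must not leak across requests
        boolean inPool;          // guard used by GuardedPool; only touched under the pool lock
    }
    /** Unguarded pool: a stack with no uniqueness check, as the post describes. */
    static final class NaivePool {
        private final ArrayDeque<Processor> stack = new ArrayDeque<>();
        synchronized Processor acquire() { return stack.isEmpty() ? new Processor() : stack.pop(); }
        synchronized void release(Processor p) { p.currentRequest = null; stack.push(p); }
    }

    /** Guarded pool: release is idempotent, so a second recycle of the same Processor is refused. */
    static final class GuardedPool {
        private final ArrayDeque<Processor> stack = new ArrayDeque<>();
        synchronized Processor acquire() {
            Processor p = stack.isEmpty() ? new Processor() : stack.pop();
            p.inPool = false; return p;
        }
        synchronized boolean release(Processor p) {
            if (p.inPool) return false;   // already pooled: do not push a duplicate
            p.currentRequest = null;
            p.inPool = true;
            stack.push(p);
            return true;
        }
    }
    public static void main(String[] args) {
        NaivePool naive = new NaivePool();
        Processor p = naive.acquire();
        naive.release(p);   // first recycle (models the failed sendfile path)
        naive.release(p);   // second recycle (models the end-of-response path)
        Processor a = naive.acquire(), b = naive.acquire();
        a.currentRequest = "GET /report-for-user-A";   // constructed sample request
        System.out.println("naive: same object for both requests = " + (a == b) + "; B sees " + b.currentRequest);
        GuardedPool guarded = new GuardedPool();
        Processor q = guarded.acquire();
        guarded.release(q);
        boolean secondAccepted = guarded.release(q);
        Processor c = guarded.acquire(), d = guarded.acquire();
        System.out.println("guarded: second release accepted = " + secondAccepted + "; same object = " + (c == d));
    }
}
```

Running it prints `true` for the naive pool (request B reads request A's state) and `false` twice for the guarded one.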
