(CVE-2020-1938) Apache Tomcat: High: AJP Request Injection and potential Remote Code Execution

I don’t know where to even have this discussion anymore. ¯_(ツ)_/¯

This is ultimately building a remote check for apache-tomcat-cve-2020-1938.

I have an internal platform that I use while I wait for Rapid7 checks to become available or figure out how to re-write the check to work for R7. What I’m currently doing to detect systems vulnerable to GhostCat isn’t fool proof but cleaned up a bunch of systems in our environment. So that’s a win. I’m basically just using nmap with the “ajp-request” lua script and provide an invalid uri: “–script-args path=/test_ghostcat_test.jsp” then if the system doesn’t have any redirects and still has a default error page then we run a regex against the error page for vulnerable versions. If AJP is exposed and doesn’t require authentication to access and an impacted version number is present then we trigger remediation actions.

nmap -p 8009 x.x.x.x --script ajp-request --script-args path=/test_ghostcat_test.jsp Starting Nmap 7.01 ( https://nmap.org ) at 2020-03-03 14:26 EST
Nmap scan report for host.example.com (x.x.x.x)
Host is up (0.00052s latency).
8009/tcp open ajp13
| ajp-request:
| AJP/1.3 404 Not Found
| Content-Type: text/html;charset=utf-8
| Content-Length: 976
|_Apache Tomcat/5.5.34 - Error report

HTTP Status 404 - /test_ghostcat_test.jsp

type Status report

message /test_ghostcat_test.jsp

description The requested resource (/test_ghostcat_test.jsp) is not available.

Apache Tomcat/5.5.34

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

match: !ruby/regexp '/HTTP Status 40[2456789].+Apache Tomcat/([1-6].\d+.\d+|7.([0-9]|[1-9][0-9]).|8.([0-4].\d+|5.50)|9.0.([0-9]|[1-2][0-9]|30))/'

I’m wondering if anyone has thoughts on the best way to implement something similar in Nexpose/InsightVM? If I can allow it limited capability to follow redirects with the method that’s a win. (Redirected root directories are common on vulnerable printers)

1 Like

@brian_w_gray We are going to try to find the best person to give you a little more direct recommendations on writing this type of custom check. While we are tracking someone down, referencing the Writing Vulnerability Checks help page is always a good place to get started.


Thank you! I’m assuming that writing a generic Tomcat fingerprint via AJP is the way to go then do a standard service / version range check. However, I’m not sure exactly which direction is the optimal option for the fingerprint.