I don’t know where to even have this discussion anymore. ¯\_(ツ)_/¯
This is ultimately building a remote check for apache-tomcat-cve-2020-1938.
I have an internal platform that I use while I wait for Rapid7 checks to become available or figure out how to re-write the check to work for R7. What I’m currently doing to detect systems vulnerable to GhostCat isn’t foolproof, but it cleaned up a bunch of systems in our environment, so that’s a win. I’m basically just using nmap with the “ajp-request” Lua script and providing an invalid URI (`--script-args path=/test_ghostcat_test.jsp`). If the system doesn’t have any redirects and still has a default error page, we run a regex against the error page for vulnerable versions. If AJP is exposed and doesn’t require authentication to access, and an impacted version number is present, then we trigger remediation actions.
```text
nmap -p 8009 x.x.x.x --script ajp-request --script-args path=/test_ghostcat_test.jsp

Starting Nmap 7.01 ( https://nmap.org ) at 2020-03-03 14:26 EST
Nmap scan report for host.example.com (x.x.x.x)
Host is up (0.00052s latency).
PORT     STATE SERVICE
8009/tcp open  ajp13
| AJP/1.3 404 Not Found
| Content-Type: text/html;charset=utf-8
| Content-Length: 976
|_Apache Tomcat/5.5.34 - Error report
HTTP Status 404 - /test_ghostcat_test.jsp
type Status report
description The requested resource (/test_ghostcat_test.jsp) is not available.
Apache Tomcat/5.5.34

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
```
```yaml
# Dots escaped, a digit lookahead so "8.5.5" cannot match 8.5.51 (or "9.0.3" match 9.0.31),
# the whole 8.5.0-8.5.50 and 7.0.0-7.0.99 ranges covered, and /m so ".+" spans the newlines in the page.
match: !ruby/regexp '/HTTP Status 40.+Apache Tomcat\/(?:[1-6]\.\d+\.\d+|7\.0\.(?:[0-9]|[1-9][0-9])|8\.0\.\d+|8\.5\.(?:[0-4]?[0-9]|50)|9\.0\.(?:[0-9]|[1-2][0-9]|30))(?!\d)/m'
```
I’m wondering if anyone has thoughts on the best way to implement something similar in Nexpose/InsightVM? If I can allow it limited capability to follow redirects with the method that’s a win. (Redirected root directories are common on vulnerable printers)
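As an added example, not code from the post above or from Rapid7, here is the version decision from the workflow described in the post written as a numeric comparison instead of a digit-matching regex, so the boundary releases (7.0.100, 8.5.51, 9.0.31 fixed; 7.0.99, 8.5.50, 9.0.30 still affected) come out right. The fixed-version table is taken from the Apache Tomcat security pages for CVE-2020-1938; the error-page bodies at the bottom are constructed to match the shape of the nmap output shown above and are not captured traffic.

```ruby
# Added example: classify the Tomcat default error page that nmap's
# ajp-request script returns for an unknown path, deciding CVE-2020-1938
# (GhostCat) exposure by comparing the banner version numerically.

# First fixed release of each maintained branch, per the Apache Tomcat
# security pages for CVE-2020-1938. Keys are [major, minor].
FIXED_IN = {
  [7, 0] => 100, # 7.0.0   .. 7.0.99  affected, 7.0.100 fixed
  [8, 5] => 51,  # 8.5.0   .. 8.5.50  affected, 8.5.51  fixed
  [9, 0] => 31,  # 9.0.0.M1 .. 9.0.30 affected, 9.0.31  fixed
}.freeze

# Extract "X.Y.Z" (or "X.Y.Z.Mn" for milestones) from a Tomcat default error
# page, which prints it in the <title> and again in the footer <h3>.
# Returns nil when there is no Tomcat banner (redirect, custom error page,
# a different server, or a version-hiding ErrorReportValve).
def tomcat_version(body)
  m = body.match(%r{Apache Tomcat/(\d+\.\d+\.\d+(?:\.M\d+)?)})
  m && m[1]
end

# true when this Tomcat release ships the unfixed AJP connector.
# Branches with no fixed release (<= 6.x, 8.0.x) are end-of-life and every
# release is treated as affected; branches newer than the table (10.x) are
# assumed to carry the fix.
def ghostcat_vulnerable?(version)
  major, minor, patch = version.scan(/\d+/).first(3).map(&:to_i)
  return true if major <= 6 || (major == 8 && minor == 0)
  fixed = FIXED_IN[[major, minor]]
  return false if fixed.nil?
  patch < fixed
end

# Per-host outcome, mirroring the decision points in the post's workflow:
#   :vulnerable       default 4xx page, version inside the affected range
#   :patched          default 4xx page, version at or past the fix
#   :no_version       4xx page without a Tomcat banner (version hidden)
#   :not_default_page no "HTTP Status 4xx" body (e.g. a redirect); check by hand
def classify_ajp_response(body)
  return :not_default_page unless body =~ /HTTP Status 4\d\d/
  version = tomcat_version(body)
  return :no_version if version.nil?
  ghostcat_vulnerable?(version) ? :vulnerable : :patched
end

# Constructed sample body with the same text as the nmap output above.
def sample_error_page(version)
  "<html><head><title>Apache Tomcat/#{version} - Error report</title></head>" \
  "<body><h1>HTTP Status 404 - /test_ghostcat_test.jsp</h1>\n" \
  "<p><b>type</b> Status report</p>\n" \
  "<p><b>description</b> The requested resource is not available.</p>\n" \
  "<h3>Apache Tomcat/#{version}</h3></body></html>"
end

# Constructed stand-in for a device that answers the probe with a redirect page.
REDIRECT_BODY = '<html><head><meta http-equiv="refresh" content="0;url=/redirected/"></head></html>'

if __FILE__ == $PROGRAM_NAME
  %w[5.5.34 7.0.99 7.0.100 8.0.53 8.5.50 8.5.51 9.0.0.M1 9.0.30 9.0.31].each do |v|
    puts "#{v.ljust(9)} #{classify_ajp_response(sample_error_page(v))}"
  end
  puts "redirect  #{classify_ajp_response(REDIRECT_BODY)}"
end
```

Feed `classify_ajp_response` the body the ajp-request script prints for the host; anything other than `:vulnerable` or `:patched` is the case the post flags for redirects and needs a manual look rather than an automatic remediation ticket.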