关联漏洞
标题:
Apache Tomcat 输入验证错误漏洞
(CVE-2016-1240)
描述:Apache Tomcat是美国阿帕奇(Apache)软件基金会下属的Jakarta项目的一款轻量级Web应用服务器,它主要用于开发和调试JSP程序,适用于中小型系统。 Apache Tomcat启动脚本存在安全漏洞。具有Tomcat账户访问权限本地攻击者可通过对Catalina日志文件实施符号链接攻击利用该漏洞获取root权限。以下产品和版本受到影响:Apache Tomcat 6.0,7.0,8.0,Debian Linux 8.0,Ubuntu Linux 16.04,14.04,12.04。
描述
CVE-2016-1240 exploit and patch
介绍
# CVE_Project
## Preparations for exploitation:
1.Install Tomcat 7 on the virtual machine
`sudo apt-get install tomcat7`
2.If the first step is failed,set J**DK_DIRS="/usr/lib/jvm/java-8-oracle"** and add the statements “export JAVA_HOME=/usr/lib/jvm/java-8-oracle” and **“export CATALINA_HOME=/usr/share/tomcat7”**. Then reinstall Tomcat 7
3.Set up an initial password for the Tomcat user
`sudo passwd tomcat7`
4.Assign login shell for the Tomcat user
`sudo usrmod -s /bin/bash tomcat7`
5.Establish the Tomcat 7 user shell
`ssh tomcat7@localhost`
## Launch the attack:
1.Create the exploit scripts attack.sh at /tmp through Tomcat7 user shell and then make the exploit codes executable
`touch attack.sh`
`chmod +x attack.sh`
2.Run the exploit code
`./attack.sh `
3.Restart the Tomcat server to check the attack result.
`sudo service tomcat7 restart`
4.Check the ID of user
`id`
Then the attack should be successful and the euid should be 0 which is root.
## Vulnerability:
# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
-c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
status="$?"
set +a -e
return $status
The code above is key of esclating privilege. As it runs with root privilege, it can do anything we want. Then we need to change the owner of catalina.out to user of tomcat7. After we reboot the Tomcat, we are able to read the file which catalina points to.
Specifically, when the tomcat restart, it will change the owner of the catalina.out to user of Tomcat, and the restart is invoked by the linux init. By taking advantage of Linux init, we can use symlink to change the owener of any file to the user of tomcat. If we symlink catalina.out to any file, we could operate any file in the system with the privilege root which given by the catalina.out. This is typical exploitation of DLL hijack.
文件快照
[4.0K] /data/pocs/cac677d43be1bd0681398f78a018576e7618e917
├── [4.4M] apache-tomcat-7.0.68-src.tar.gz
├── [1.5K] attack.sh
├── [ 11K] catalina.out
├── [2.1K] README.md
├── [7.8K] tomcat7_patched
└── [7.8K] tomcat7_vulnerable
0 directories, 6 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。