metasploit-framework
Module Request: Linux Local Tomcat Escalation
This module will exploit two CVEs to cover all of the possible platforms: edb edb
Should be tested vs tomcat 6, 7, 8 on centos/fedora, and debian/ubuntu.
Not that I love them anyways, but module docs will be really important for this one. Mainly because in the comments of that edb code it says that execution is not instant but '(on reboot by tmpfiles-setup.service, by cron, by another service etc.)', so it would be good to see some examples of how long that may take. Maybe on some of these systems it's possible for the tomcat user to reboot tomcat; that may be a good option to include (DISABLED BY DEFAULT).
also keep in mind, EDB did not verify them.
I'm working on 40450 (Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation)
Certainly not guaranteeing I'll do a good job of it. If anyone else has something in the works, please keep on keeping on.
Awesome! Just write in if you need help. No pressure to add the fedora one as well, that can be a second PR that adds on. Besides, if it helps, my first PR #4888 crashed the framework and had to be rewritten in #5307.
@justinsteven how's it going? Need any help or guidance or anything?
Hey @h00die. Getting there. I've gotten bogged down in some stuff, and so this got put on the back burner. I've got a good start - just need to fine-tune the escalation method (hooking via ld.so.preload can be fragile and I want to do a good job of it), make it work across all Tomcat versions, and fix some TODOs. If someone can't wait for my nonsense to settle down so I can get back to it, happy to hand over what I've got.
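The comment above names /etc/ld.so.preload as the hook point. From the defender's side, the thing to verify is that neither that file nor any library it lists can be written or replaced by a service account such as tomcat. The script below is an added example, not code from the metasploit-framework thread or from either module author; only the /etc/ld.so.preload path is real, and the function names (parse_preload, check_object, find_weaknesses, audit) and the sample entries are constructed for illustration.

```python
#!/usr/bin/env python3
"""Audit an ld.so.preload list for entries a non-root account could tamper with.

Added example, not part of the metasploit-framework thread. /etc/ld.so.preload
is the real path glibc's loader consults; everything else here is constructed.
"""
import os
import stat
import sys

PRELOAD_PATH = "/etc/ld.so.preload"


def parse_preload(text):
    """Return the library paths listed in ld.so.preload text.

    The loader accepts entries separated by whitespace or ':'; this parser
    additionally drops anything after '#' so commented files are handled.
    """
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def stat_info(path):
    """Return (uid, gid, permission_bits, is_symlink), or None if path is absent."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    return (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), stat.S_ISLNK(st.st_mode))


def check_object(path, info):
    """Reasons a file or directory could be controlled by someone other than root."""
    reasons = []
    uid, gid, perm, is_link = info
    if is_link:
        reasons.append("symlink")
    if uid != 0:
        reasons.append("owner uid %d is not root" % uid)
    if perm & stat.S_IWGRP:
        reasons.append("group-writable")
    if perm & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def find_weaknesses(entries, info_for=stat_info):
    """Return (path, reason) pairs for every preload entry a non-root user
    could replace: the library itself, or the directory that holds it.

    info_for(path) must return what stat_info returns; injecting a dict
    lookup lets the logic run without touching the real filesystem.
    """
    findings = []
    for lib in entries:
        info = info_for(lib)
        if info is None:
            # A dangling entry is silently ignored by the loader, but anyone
            # who can create the file gets code in every new process.
            findings.append((lib, "listed but missing"))
        else:
            for reason in check_object(lib, info):
                findings.append((lib, reason))
        parent = os.path.dirname(lib) or "/"
        pinfo = info_for(parent)
        if pinfo is None:
            findings.append((parent, "parent directory missing"))
        else:
            for reason in check_object(parent, pinfo):
                findings.append((parent, "parent directory " + reason))
    return findings


def audit(preload_path=PRELOAD_PATH):
    """Audit the live file; returns (entries, findings).
    No preload file at all is the normal, healthy state."""
    info = stat_info(preload_path)
    if info is None:
        return [], []
    findings = [(preload_path, r) for r in check_object(preload_path, info)]
    with open(preload_path) as fh:
        entries = parse_preload(fh.read())
    findings.extend(find_weaknesses(entries))
    return entries, findings


if __name__ == "__main__":
    found_entries, found_weak = audit()
    print("%d preload entries" % len(found_entries))
    for weak_path, why in found_weak:
        print("WEAK %s: %s" % (weak_path, why))
    sys.exit(1 if found_weak else 0)
```

Run it as root on the host being assessed; a non-zero exit means at least one entry, or the directory containing it, is owned by a non-root uid, writable by group or world, or a symlink. The parent-directory check matters as much as the file check: a root-owned, read-only library inside a directory the tomcat user can write to can simply be renamed away and replaced.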
No prob, just wanted to make sure you were still working on it and there weren't any issues that I/we could help out with.
30 months of inactivity
@justinsteven It's been almost 2 years; if you have some base code (working or not) you could always PR it and someone can start taking a look at it.
@h00die I haven't worked on this since 2016. I've scoured ~ and my backups and I think the module has been lost to the big bitbucket in the sky.
This is all I have:
[~/work/tomcat_lpe]% tree
.
├── m.elf
└── tomcat8_deb_vuln
    ├── install_tomcat.bsh
    ├── libtomcat8-java_8.0.36-2_all.deb
    ├── tomcat8_8.0.36-2_all.deb
    ├── tomcat8-admin_8.0.36-2_all.deb
    ├── tomcat8-common_8.0.36-2_all.deb
    ├── tomcat8-docs_8.0.36-2_all.deb
    ├── tomcat8-examples_8.0.36-2_all.deb
    └── tomcat8-user_8.0.36-2_all.deb

1 directory, 9 files
[~/work/tomcat_lpe]% cat tomcat8_deb_vuln/install_tomcat.bsh
#!/bin/bash
# Install the vulnerable tomcat8 8.0.36-2 Debian packages shipped next to this script.
# Directory containing this script, resolved through any symlinks.
MYDIR=$(dirname "$(readlink -f "$0")")
# Runtime dependencies the local .deb files do not pull in by themselves.
sudo apt update && sudo apt install default-jre-headless libecj-java
# Install in dependency order: java library, common files, then the server itself.
sudo dpkg -i "$MYDIR/libtomcat8-java_8.0.36-2_all.deb"
sudo dpkg -i "$MYDIR/tomcat8-common_8.0.36-2_all.deb"
sudo dpkg -i "$MYDIR/tomcat8_8.0.36-2_all.deb"
[~/work/tomcat_lpe]% file m.elf
m.elf: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, corrupted section header size
[~/work/tomcat_lpe]% strings m.elf
SCSj
fPQS
Rhn/shh//bi
I suspect I was developing in a VM that was lost to a hard drive crash.
Working on the RHEL one now. I have it working, but the payloads don't seem to be happy with how they're getting executed. Should have it finalized in a day or two.