
CVE-2016-1240 PoC — Apache Tomcat Input Validation Error Vulnerability

Associated Vulnerability

Title: Apache Tomcat Input Validation Error Vulnerability (CVE-2016-1240)

Description: The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.

PoC description: CVE-2016-1240 exploit and patch

Readme
# CVE_Project
## Preparations for exploitation:

1. Install Tomcat 7 on the virtual machine

  `sudo apt-get install tomcat7`

2. If the first step fails, set `JDK_DIRS="/usr/lib/jvm/java-8-oracle"` and add the statements `export JAVA_HOME=/usr/lib/jvm/java-8-oracle` and `export CATALINA_HOME=/usr/share/tomcat7`. Then reinstall Tomcat 7.

3. Set an initial password for the Tomcat user

  `sudo passwd tomcat7`

4. Assign a login shell to the Tomcat user

  `sudo usermod -s /bin/bash tomcat7`

5. Open a shell as the Tomcat 7 user

  `ssh tomcat7@localhost`


## Launch the attack:

1. From the tomcat7 user shell, create the exploit script attack.sh in /tmp and make it executable

  `touch attack.sh`

  `chmod +x attack.sh`

2. Run the exploit script

  `./attack.sh`

3. Restart the Tomcat server to check the result of the attack

  `sudo service tomcat7 restart`

4. Check the ID of the user

  `id`

The attack should then have succeeded and the euid should be 0, which is root.


## Vulnerability:

```sh
# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
	-c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
	-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
status="$?"
set +a -e
return $status
```

The code above is the key to escalating privilege. Because the init script runs with root privilege, it can do anything we want: it changes the owner of catalina.out to the tomcat7 user, so after we restart Tomcat we are able to read the file that catalina.out points to.

Specifically, when Tomcat restarts, the init script changes the owner of catalina.out to the Tomcat user, and the restart is invoked by Linux init. By taking advantage of this, we can use a symlink to change the owner of any file to the Tomcat user: if we symlink catalina.out to any file, we can operate on that file with the root privilege that the chown of catalina.out gives us. This is analogous to a DLL hijack, in that a trusted privileged process is made to act on an attacker-controlled path.
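As an added, defender-side example (not the PoC author's code and not the distribution's actual patch), the following POSIX shell script puts the init script's touch-and-chown pattern next to a hardened helper, `prepare_log` (a name assumed for this example), that refuses to create or re-own anything that is not a plain regular file. That missing check is exactly what lets a symlinked catalina.out redirect root's `chown` onto an arbitrary target; the demonstration files it creates are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: hardened log-file preparation for an init script.
# Not the distribution's patch and not the PoC author's code.
#
# Vulnerable pattern, as in the init-script excerpt above:
#   touch "$CATALINA_BASE"/logs/catalina.out
#   chown $TOMCAT7_USER "$CATALINA_BASE"/logs/catalina.out
# Both commands follow symbolic links, so if the service user has replaced
# catalina.out with a symlink, root's chown re-owns the link's *target*.

# prepare_log LOGFILE OWNER  (function and argument names are assumptions)
# Creates LOGFILE if absent and hands it to OWNER, but only when the path
# is (or becomes) a plain regular file. Returns 0 on success, 1 on refusal.
prepare_log() {
    log="$1"
    owner="$2"

    # -L tests the path itself without following it: refuse any symlink.
    if [ -L "$log" ]; then
        printf 'refusing to prepare %s: it is a symbolic link\n' "$log" >&2
        return 1
    fi

    # Anything that exists but is not a regular file (FIFO, device, directory)
    # is refused as well, since root writing into it is equally unsafe.
    if [ -e "$log" ] && [ ! -f "$log" ]; then
        printf 'refusing to prepare %s: not a regular file\n' "$log" >&2
        return 1
    fi

    # Create the file only when absent. The checks above and the commands
    # below are not atomic, so the log directory itself must not be writable
    # by the service user, otherwise a race between check and chown remains.
    [ -e "$log" ] || : > "$log" || return 1

    # Re-check after creation, then hand the regular file to the service user.
    if [ -L "$log" ]; then
        return 1
    fi
    chown -- "$owner" "$log"
}

# Demonstration on constructed files in a temporary directory: a symlinked
# catalina.out is rejected and its target left alone; a plain path is created.
demo() {
    d=$(mktemp -d)
    printf 'not for the service user\n' > "$d/protected-file"
    ln -s "$d/protected-file" "$d/catalina.out"
    if prepare_log "$d/catalina.out" "$(id -un)"; then
        echo "unexpected: symlinked catalina.out was accepted"
    else
        echo "symlinked catalina.out rejected; target untouched"
    fi
    if prepare_log "$d/plain.out" "$(id -un)"; then
        echo "regular plain.out created and handed to $(id -un)"
    fi
    rm -rf "$d"
}
demo
```

The demo uses the current user as the owner so it runs without root; in an init script the owner would be the service account. A complementary design that removes the root-side file operation altogether is to let the service user create its own log file (for example through start-stop-daemon's `-c/--chuid`, which the excerpt above already uses for the Java process), so that any symlink is resolved with the service user's rights rather than root's.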