[Secure-testing-team] Bug#845385: Privilege escalation via removal

Paul Szabo paul.szabo at sydney.edu.au
Tue Nov 22 22:35:34 UTC 2016


Package: tomcat8
Version: 8.0.14-1+deb8u4
Severity: critical
Tags: security

Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
writable by group tomcat8, as per the postinst script. Then the tomcat8
user, in the situation envisaged in DSA-3670 and DSA-3720, see also
  http://seclists.org/fulldisclosure/2016/Oct/4
could use something like commands
  touch /etc/tomcat8/Catalina/attack
  chmod 2747 /etc/tomcat8/Catalina/attack
to create a file:
  # ls -l /etc/tomcat8/Catalina/attack
  -rwxr-Srwx 1 tomcat8 tomcat8 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
Then if the tomcat8 package is removed (purged?), the postrm script runs
  chown -Rhf root:root /etc/tomcat8/
and that will leave the file world-writable, setgid root:
  # ls -l /etc/tomcat8/Catalina/attack
  -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
allowing "group root" access to the world.

Cheers, Paul

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
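
Added example, not part of the original report or of the tomcat8 packaging: a shell check that a maintainer script could run before a recursive chown to root. It lists setuid, setgid or world-writable entries such as the mode 2747 file in the report, and can clear those bits. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a tree before handing its ownership to root.
# Function names are hypothetical; source this file, then e.g.
#   safe_to_chown /etc/tomcat8 && chown -Rhf root:root /etc/tomcat8/
# The check only means something once no process of the service account
# is still running; otherwise an entry can be re-created between the
# check and the chown.

# find_risky_modes DIR
# Print every non-symlink entry under DIR that is setuid, setgid or
# world-writable. Directories are listed too, so the operator can review
# them; symlinks are skipped because their own mode bits are not used.
find_risky_modes() {
    find "$1" ! -type l \
        \( -perm -4000 -o -perm -2000 -o -perm -0002 \) -print
}

# safe_to_chown DIR
# Return 0 when nothing risky was found, 1 otherwise. Findings go to
# stderr so a maintainer script can log them and abort.
safe_to_chown() {
    risky=$(find_risky_modes "$1")
    if [ -n "$risky" ]; then
        printf 'refusing recursive chown of %s; risky entries:\n%s\n' \
            "$1" "$risky" >&2
        return 1
    fi
    return 0
}

# strip_risky_modes DIR
# Clear setuid, setgid and world-write on the entries found above, so a
# later change of owner cannot turn them into root-owned setuid/setgid
# or world-writable files.
strip_risky_modes() {
    find "$1" ! -type l \
        \( -perm -4000 -o -perm -2000 -o -perm -0002 \) \
        -exec chmod u-s,g-s,o-w {} +
}
```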


