[Secure-testing-team] Bug#845393: Privilege escalation via upgrade
Paul Szabo
paul.szabo at sydney.edu.au
Tue Nov 22 23:50:16 UTC 2016
Package: tomcat8
Version: 8.0.14-1+deb8u4
Severity: critical
Tags: security
Having installed tomcat8, the directory /etc/tomcat8/Catalina is set
writable by group tomcat8, as per the postinst script. Then the tomcat8
user, in the situation envisaged in DSA-3670 and DSA-3720, see also
http://seclists.org/fulldisclosure/2016/Oct/4
could use something like commands
mv -i /etc/tomcat8/Catalina/localhost /etc/tomcat8/Catalina/localhost-OLD
ln -s /etc/shadow /etc/tomcat8/Catalina/localhost
to create a symlink:
# ls -l /etc/tomcat8/Catalina/localhost
lrwxrwxrwx 1 tomcat8 tomcat8 11 Nov 23 10:19 /etc/tomcat8/Catalina/localhost -> /etc/shadow
Then when the tomcat8 package is upgraded (e.g. for the next DSA),
the postinst script runs
chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
and that will make the /etc/shadow file world-readable (and
group-writable). Other useful attacks might be to make the objects:
/root/.Xauthority
/etc/ssh/ssh_host_dsa_key
world-readable; or make something (already owned by group tomcat8)
group-writable (some "policy" setting maybe?).
Cheers, Paul
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
More information about the Secure-testing-team
mailing list