[Secure-testing-team] Bug#840685: tomcat8: DSA-3670 incomplete

Paul Szabo paul.szabo at sydney.edu.au
Thu Oct 13 20:22:50 UTC 2016 

Package: tomcat8
Version: 8.0.14-1+deb8u3
Severity: critical
Tags: security
Justification: root security hole


[ I contacted team at security.debian.org about this, but no response ... ]

Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so:

...
NAME=tomcat8
...
JVM_TMP=/tmp/tomcat8-$NAME-tmp
...
		# Remove / recreate JVM_TMP directory
		rm -rf "$JVM_TMP"
		mkdir -p "$JVM_TMP" || {
			log_failure_msg "could not create JVM temporary directory"
			exit 1
		}
		chown $TOMCAT8_USER "$JVM_TMP"
...

That suffers from a TOCTOU race condition.

An attacker can, after the "rm -rf", create a symlink to /etc. Then
"mkdir -p" returns success (though does nothing); and chown follows
the symlink. That is "game over": ability to replace /etc/passwd.

The attacker can use inotify and act quickly, and have a good chance
of winning the race to create the symlink before the init.d script
starts a new mkdir process.

Do you need some working PoC code?

---

The script should be made more robust by using "chown -h". (This would
protect against the above attack.)

The script should use plain mkdir without "-p": not needed as we create
a single directory, and should not be used to let mkdir return failure.
(This may make it safe.)

Cheers, Paul

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.36-pk07.24-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat8 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat8-common         8.0.14-1+deb8u3
ii  ucf                    3.0030

Versions of packages tomcat8 recommends:
pn  authbind  <none>

Versions of packages tomcat8 suggests:
pn  libtcnative-1     <none>
pn  tomcat8-admin     <none>
pn  tomcat8-docs      <none>
pn  tomcat8-examples  <none>
pn  tomcat8-user      <none>

-- Configuration Files:
/etc/init.d/tomcat8 changed [not included]
/etc/tomcat8/catalina.properties [Errno 13] Permission denied: u'/etc/tomcat8/catalina.properties'
/etc/tomcat8/context.xml [Errno 13] Permission denied: u'/etc/tomcat8/context.xml'
/etc/tomcat8/logging.properties [Errno 13] Permission denied: u'/etc/tomcat8/logging.properties'
/etc/tomcat8/policy.d/01system.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/01system.policy'
/etc/tomcat8/policy.d/02debian.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/02debian.policy'
/etc/tomcat8/policy.d/03catalina.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/03catalina.policy'
/etc/tomcat8/policy.d/04webapps.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/04webapps.policy'
/etc/tomcat8/policy.d/50local.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/50local.policy'
/etc/tomcat8/server.xml [Errno 13] Permission denied: u'/etc/tomcat8/server.xml'
/etc/tomcat8/tomcat-users.xml [Errno 13] Permission denied: u'/etc/tomcat8/tomcat-users.xml'
/etc/tomcat8/web.xml [Errno 13] Permission denied: u'/etc/tomcat8/web.xml'

-- debconf information excluded

More information about the Secure-testing-team mailing list