Apache Tomcat packages provided by default repositories of RedHat-based distributions (i.e. CentOS, RedHat, OracleLinux, Fedora, etc.) create a tmpfiles.d configuration file with insecure permissions. The configuration file /usr/lib/tmpfiles.d/tomcat.conf could be modified by a member of the tomcat group or by a malicious web application deployed on Tomcat in order to trigger the issue and escalate their privileges to root and compromise the system.
Depending on the specific machine. the execution of systemd-tmpfiles could be triggered by other services, including cronjobs and startup scripts.
The impact of the flaw is serious considering that the Apache Tomcat powers numerous large-scale web services in any industry.
“The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage temporary files including their creation. Attackers could very easily exploit the weak permissions on tomcat.conf to inject configuration that creates a rootshell or remote reverse shell that allows them to execute arbitrary commands with root privileges.” wrote Golunski in a security advisory.
“Injected malicious settings would be processed whenever /usr/bin/systemd–tmpfiles gets executed. systemd–tmpfiles is executed by default on boot on RedHat-based systems through systemd–tmpfiles-setup.service service as can be seen below:”
The flaw could potentially be exploited by remote attackers in combination with a vulnerable web application hosted on Apache Tomcat if they managed to find a path traversal (i.e. in a file upload feature) or an arbitrary file write/append vulnerability. This would allow them to append settings to /
This attacker just need to append settings to /usr/lib/tmpfiles.d/tomcat.conf file and achieve code execution with root privileges.This vector could prove useful to attackers, for
“This vector could prove useful to attackers, for example if they were unable to obtain a tomcat-privileged shell/codeexec by uploading a .jsp webshell through a vulnerable file upload feature due to restrictions imposed by Tomcat security manager, or a read-only webroot etc. It is worth to note that systemd–tmpfiles does not stop on syntax errors when processing configuration files which makes exploitation easier as attackers only need to inject their payload after a new line and do not need to worry about garbage data potentially prepended by a vulnerable webapp in case of Arbitrary File Write/Append exploitation.” added Golunski .
Further information on the affected systems was available in the security advisory published by RedHat.
To address the CVE-2016-5425 flaw update to the latest packages provided by your distribution or as workaround adjust permissions on /usr/lib/tmpfiles.d/tomcat.conf file removing write permission for the tomcat group.
Dawid Golunski also included a proof of concept code in his advisory.
Security Affairs – (Apache Tomcat, CVE-2016-5425)