oss-sec mailing list archives
CVE request: tomcat privilege escalations in Debian packaging
From: Sébastien Delafond <seb () debian org>
Date: Fri, 2 Dec 2016 10:07:43 +0000 (UTC)
Hello,

the Debian security team would like to request 2 CVEs for issues in
Tomcat packaging. Both were discovered by Paul Szabo.

 * Privilege escalation when upgrading tomcat8 package

   https://bugs.debian.org/845393

   > Having installed tomcat8, the directory /etc/tomcat8/Catalina is
   > set writable by group tomcat8, as per the postinst script. Then
   > the tomcat8 user, in the situation envisaged in DSA-3670 and
   > DSA-3720, see also http://seclists.org/fulldisclosure/2016/Oct/4
   > could use something like commands
   >
   >   mv -i /etc/tomcat8/Catalina/localhost /tmp
   >   ln -s /etc/shadow /etc/tomcat8/Catalina/localhost
   >
   > to create a symlink.
   >
   > Then when the tomcat8 package is upgraded (e.g. for the next DSA),
   > the postinst script runs
   >
   >   chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
   >
   > and that will make the /etc/shadow file world-readable (and
   > group-writable). Other useful attacks might be to make the
   > objects:
   >
   >   /root/.Xauthority
   >   /etc/ssh/ssh_host_dsa_key
   >
   > world-readable; or make something (already owned by group tomcat8)
   > group-writable (some "policy" setting maybe?).

 * Privilege escalation when removing tomcat8 package

   https://bugs.debian.org/845385

   > Having installed tomcat8, the directory /etc/tomcat8/Catalina is
   > set writable by group tomcat8, as per the postinst script. Then
   > the tomcat8 user, in the situation envisaged in DSA-3670 and
   > DSA-3720, see also http://seclists.org/fulldisclosure/2016/Oct/4
   > could use something like commands
   >
   >   # touch /etc/tomcat8/Catalina/attack
   >   # chmod 2747 /etc/tomcat8/Catalina/attack
   >
   > to create a file.
   >
   > Then if the tomcat8 package is removed (purged?), the postrm
   > script runs
   >
   >   chown -Rhf root:root /etc/tomcat8/
   >
   > and that will leave the file world-writable, setgid root:
   >
   >   # ls -l /etc/tomcat8/Catalina/attack
   >   -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
   >
   > allowing "group root" access to the world.

Cheers,

--Seb
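
A defensive pre-flight check for the two maintainer-script patterns reported above, as an added example that is not part of the original post or of the Debian package. The function names `audit_tree` and `safe_chmod` and the output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post or the Debian package). The function
# names and the SYMLINK/SETID/WORLD_WRITABLE labels are assumptions.

# audit_tree DIR
# Lists objects under DIR that make a root-run chmod or "chown -R" unsafe
# when an unprivileged user or group can write to DIR.
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_tree() {
    dir=$1
    findings=$(
        # Symlinks: chmod on a symlink path changes the mode of its target.
        find "$dir" -type l -exec printf 'SYMLINK %s\n' {} \;
        # setuid/setgid files: the postrm case, where the file kept its
        # mode after being handed to root:root.
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'SETID %s\n' {} \;
        # World-writable files stay world-writable after a chown.
        find "$dir" -type f -perm -0002 \
            -exec printf 'WORLD_WRITABLE %s\n' {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# safe_chmod MODE PATH
# Applies MODE only when PATH is a real directory and not a symlink.
# Caveat: check and chmod are separate steps, so this narrows the window
# but does not close a race against a user who can still write to the
# parent directory while the script runs.
safe_chmod() {
    if [ -L "$2" ] || [ ! -d "$2" ]; then
        echo "refusing chmod $1 on $2: not a plain directory" >&2
        return 1
    fi
    chmod "$1" "$2"
}

# Usage in a maintainer script or an audit run:
#   audit_tree /etc/tomcat8 || exit 1
#   safe_chmod 775 /etc/tomcat8/Catalina/localhost
```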