CVE-2016-1240
Published 2016-10-03
Priority: P355, high, 7.8 (CVSS 3.0)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 9.78% (94.9th percentile)
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
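CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
| vendor_ubuntu | | 7.8 | HIGH | |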
GHSA
GHSA-8c5c-v572-37xf: The Tomcat init script in the tomcat7 package before 7
ghsa_unreviewed·2022-05-14
CVE-2016-1240 [HIGH] CWE-20 GHSA-8c5c-v572-37xf: The Tomcat init script in the tomcat7 package before 7
OSV
tomcat6, tomcat7, tomcat8 vulnerability
osv·2016-09-19·CVSS 7.8
CVE-2016-1240 [HIGH] tomcat6, tomcat7, tomcat8 vulnerability
Dawid Golunski discovered that the Tomcat init script incorrectly handled
creating log files. A remote attacker could possibly use this issue to
obtain root privileges. (CVE-2016-1240)
This update also reverts a change in behaviour introduced in USN-3024-1 by
setting mapperContextRootRedirectEnabled to True by default.
OSV
CVE-2016-1240: The Tomcat init script in the tomcat7 package before 7
osv·2016-09-16·CVSS 7.8
CVE-2016-1240 [HIGH] CVE-2016-1240: The Tomcat init script in the tomcat7 package before 7
Ubuntu
Tomcat vulnerability
vendor_ubuntu·2020-10-27
CVE-2016-1240 Tomcat vulnerability
Title: Tomcat vulnerability
Summary: The system could be made to run programs as an administrator.
Dawid Golunski discovered that the Tomcat init script incorrectly handled
creating log files. A remote attacker could possibly use this issue to
obtain root privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Tomcat vulnerability
vendor_ubuntu·2016-09-19·CVSS 7.8
CVE-2016-1240 [HIGH] Tomcat vulnerability
Title: Tomcat vulnerability
Summary: The system could be made to run programs as an administrator.
Dawid Golunski discovered that the Tomcat init script incorrectly handled
creating log files. A remote attacker could possibly use this issue to
obtain root privileges. (CVE-2016-1240)
This update also reverts a change in behaviour introduced in USN-3024-1 by
setting mapperContextRootRedirectEnabled to True by default.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation
vendor_redhat·2016-09-15·CVSS 7.8
CVE-2016-1240 [HIGH] CWE-284 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
Package: tomcat5
Red Hat
jboss: jbossas: unsafe chown of server.log in jboss init script allows privilege escalation
vendor_redhat·2016-09-15·CVSS 7.8
CVE-2016-8656 [HIGH] CWE-284 jboss: jbossas: unsafe chown of server.log in jboss init script allows privilege escalation
JBoss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to unsafe file handling in the jboss init script, which could result in local privilege escalation.
It was discovered that the jboss init script performed unsafe file handling which could result in local privilege escalation.
Statement: It was found that a variant of the Tomcat CVE-2016-1240 exploit is also applicable to Red Hat JBoss Enterprise Application Platform 5, 6, and 7. CVE-2016-8656 addresses these problems with JBoss EAP. The issue is now corrected in the various versions of Red Hat JBoss Enterprise Application Platform including EAP 6.4.13 and EAP 7.0.5. For further information please refer to https://access.redhat.
No detection rules found.
Exploit-DB
Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation
exploitdb·2016-10-03·CVSS 7.8
CVE-2016-1240 [HIGH] Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation
---
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-1240
- Release date: 30.09.2016
- Revision: 1
- Severity: High
I. VULNERABILITY
Apache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation
Affected debian packages:
Tomcat 8 /etc/ld.so.preload 2>/dev/null
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
cleanexit 0
}
#intro
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nh
Metasploit
Apache Tomcat on Ubuntu Log Init Privilege Escalation
metasploit
Tomcat (6, 7, 8) packages provided by default repositories on Debian-based distributions (including Debian, Ubuntu etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a java web application hosted on Tomcat, uploading a webshell etc.) to escalate their privileges from tomcat user to root and fully compromise the target system. Tested against Tomcat 8.0.32-1ubuntu1.1 on Ubuntu 16.04
Bugzilla
CVE-2016-8656 jboss: jbossas: unsafe chown of server.log in jboss init script allows privilege escalation
bugzilla·2016-11-30·CVSS 7.8
CVE-2016-8656 [HIGH] CVE-2016-8656 jboss: jbossas: unsafe chown of server.log in jboss init script allows privilege escalation
It was reported that the jbossas init script performed unsafe file handling, which could result in local privilege escalation.
Discussion:
This issue has been addressed in the following products:
Via RHSA-2017:0247 https://rhn.redhat.com/errata/RHSA-2017-0247.html
---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
Via RHSA-2017:0246 https://rhn.redhat.com/errata/RHSA-2017-0246.html
---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Via RHSA-2017:0245 https://rhn.redhat.com/errata/RHSA-2017-0245.html
---
This issue has been addresse
Bugzilla
CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation
bugzilla·2016-09-16·CVSS 7.8
CVE-2016-1240 [HIGH] CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
References:
http://seclists.org/bugtraq/2016/Sep/26
Discussion:
Debian advisories for tomcat7 and tomcat8 for this CVE:
https://www.debian.org/security/2016/dsa-3669
https://www.debian.org/security/2016/dsa-3670
---
Created attachment 1201569
Debian patch for tomcat7
---
Created attachment 1201570
Debian patch for tomcat8
---
Created tomcat tracking bugs for this issue:
Affects: fedora-all [bug 1376716]
---
Created tomcat tracking bugs for this issue:
Affects: epel-6 [bug 1376718]
---
This is the flaw description in the Debian packages changelog:
*
Bugzilla
CVE-2016-1240 tomcat: Local privilege escalation via unsafe file handling in the Tomcat init script [epel-6]
bugzilla·2016-09-16·CVSS 7.8
CVE-2016-1240 [HIGH] CVE-2016-1240 tomcat: Local privilege escalation via unsafe file handling in the Tomcat init script [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically c
Bugzilla
CVE-2016-1240 tomcat: Local privilege escalation via unsafe file handling in the Tomcat init script [fedora-all]
bugzilla·2016-09-16·CVSS 7.8
CVE-2016-1240 [HIGH] CVE-2016-1240 tomcat: Local privilege escalation via unsafe file handling in the Tomcat init script [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affe
References:
http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
http://packetstormsecurity.com/files/170857/Apache-Tomcat-On-Ubuntu-Log-Init-Privilege-Escalation.html
http://rhn.redhat.com/errata/RHSA-2017-0457.html
http://www.debian.org/security/2016/dsa-3669
http://www.debian.org/security/2016/dsa-3670
http://www.securityfocus.com/archive/1/539519/100/0/threaded
http://www.securityfocus.com/bid/93263
http://www.securitytracker.com/id/1036845
http://www.ubuntu.com/usn/USN-3081-1
https://access.redhat.com/errata/RHSA-2017:0455
https://access.redhat.com/errata/RHSA-2017:0456
https://security.gentoo.org/glsa/201705-09
https://security.netapp.com/advisory/ntap-20180731-0002/
https://www.exploit-db.com/exploits/40450/