CVE-2016-5425
published 2016-10-13
CVE-2016-5425: The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for…
Priority: P353 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 3.78% (88.6th percentile)
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
CVSS provenance
nvd · v3.1 · 7.8 · HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.2 · HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat · 7.8 · HIGH
GHSA
ghsa_unreviewed·2022-05-13
CVE-2016-5425 [HIGH] CWE-276 GHSA-c7fc-mp9g-99j3: The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions fo
Red Hat
tomcat: Local privilege escalation via systemd-tmpfiles service
vendor_redhat·2016-10-10·CVSS 7.8
CVE-2016-5425 [HIGH] CWE-284 tomcat: Local privilege escalation via systemd-tmpfiles service
It was discovered that the Tomcat packages installed the configuration file /usr/lib/tmpfiles.d/tomcat.conf writable by the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
Package: tomcat5 (Red Hat Enterprise Linux 5) - Not affected
Package: tomcat6 (Red Hat Enterprise Linux 6) - Not affected
Package: jbossweb (Red Hat JBoss Data Grid 6) - Not affected
Package: j
No detection rules found.
Exploit-DB
Apache Tomcat 8/7/6 (RedHat Based Distros) - Local Privilege Escalation
exploitdb·2016-10-10·CVSS 7.8
CVE-2016-5425 [HIGH] Apache Tomcat 8/7/6 (RedHat Based Distros) - Local Privilege Escalation
---
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-5425
- Release date: 10.10.2016
- Revision: 1
- Severity: High
I. VULNERABILITY
Apache Tomcat (packaging on RedHat-based distros) - Root Privilege Escalation
II. BACKGROUND
"The Apache Tomcat® software is an open source implementation of the
Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket
technologies. The Java Servlet, JavaServer Pages, Java Expression Language
and Java WebSocket specifications are developed under the Java Community
Process.
The Apache Tomcat software is developed in an open and participatory
environment and released under the Apache License version 2.
The Apa
Metasploit
Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation
metasploit
This module exploits a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8. This may also work against The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage temporary files including their creation. With this weak permission, we're able to inject commands into systemd-tmpfiles service to write a cron job to execute our payload. systemd-tmpfiles is executed by default on boot on RedHat-based systems through systemd-tmpfiles-setup.service. Depending on the system in use, the execution of systemd-tmpfiles could also be triggered by other services, cronjobs, startup scripts etc. This m
Bugzilla
CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]
bugzilla·2016-10-10·CVSS 7.8
CVE-2016-5425 [HIGH] CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
bugzilla·2016-08-16·CVSS 7.8
CVE-2016-6325 [HIGH] CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
It was discovered that Tomcat packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/tomcat configuration files. The file is writable by the tomcat group (root:tomcat, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the Tomcat init script and its content executed with root privileges when the Tomcat service is started, stopped or restarted.
On Red Hat Enterprise Linux 7 using systemd, the file is no longer directly executed with root privileges, but it's still used to initialize the environment for the Tomcat service. This would not allow a malicious or compromised web application deployed on Tom
Bugzilla
CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
bugzilla·2016-08-02·CVSS 7.8
CVE-2016-5425 [HIGH] CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
It was reported that Tomcat packages in Red Hat Enterprise Linux 7 are vulnerable to local privilege escalation from a tomcat group user to root. The Tomcat configuration file located at /usr/lib/tmpfiles.d/tomcat.conf can be modified by any user belonging to the tomcat group. This file is used by the /usr/bin/systemd-tmpfiles service to create temporary files.
As the systemd-tmpfiles service runs with root permissions, this enables the tomcat user to gain root privileges by editing the /usr/lib/tmpfiles.d/tomcat.conf file to contain a line which will cause systemd-tmpfiles to create files within an arbitrary system directory and with arbitrary permissions.
External Reference:
http://legalhackers.com/advisories/Tomcat-RedHat-b
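A defensive check for the condition described in the Bugzilla report above, added here as an example and not taken from Red Hat, the advisory, or any other source quoted on this page: it lists tmpfiles.d snippets, and the directories holding them, that an account other than root could modify. The function names and the `TMPFILES_DIRS` variable are assumptions of this example; the three directories are the standard systemd-tmpfiles configuration locations.

```shell
#!/bin/sh
# Added example: find tmpfiles.d configuration that systemd-tmpfiles (which
# runs as root) will parse but that a non-root account is able to rewrite.

# Standard tmpfiles.d search path (assumption: no distro-specific extras).
TMPFILES_DIRS="/usr/lib/tmpfiles.d /etc/tmpfiles.d /run/tmpfiles.d"

# Print each directory and each regular *.conf file in it that is writable
# by group or by other. A group-writable tomcat.conf is the CVE-2016-5425
# condition; a writable directory allows the file to be replaced outright.
writable_by_non_owner() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 \
            \( -type d -o \( -type f -name '*.conf' \) \) \
            \( -perm -020 -o -perm -002 \) -print
    done
}

# Print each directory and regular *.conf file that is not owned by root.
not_owned_by_root() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 \
            \( -type d -o \( -type f -name '*.conf' \) \) \
            ! -user root -print
    done
}

# Combine both checks: show the offending entries with ls -ld and return 1
# if anything was found, 0 if the configuration is root-only.
audit_tmpfiles() {
    bad=$( { writable_by_non_owner "$@"; not_owned_by_root "$@"; } | sort -u )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | while IFS= read -r entry; do
        ls -ld "$entry"
    done
    return 1
}
```

Run `audit_tmpfiles $TMPFILES_DIRS` on a host; any output means the listed entry should be returned to root ownership without group or other write access, which on affected systems is what the vendor package update referenced below delivers.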
http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
http://rhn.redhat.com/errata/RHSA-2016-2046.html
http://www.openwall.com/lists/oss-security/2016/10/10/2
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
http://www.securityfocus.com/bid/93472
http://www.securitytracker.com/id/1036979
https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E
https://www.exploit-db.com/exploits/40488/
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Published 2016-10-13