oss-sec mailing list archives

CVE request: 2 issues in tomcat8 Debian packaging


From: Sébastien Delafond <seb () debian org>
Date: Fri, 2 Dec 2016 11:43:08 +0100

Hello,

the Debian security team would like to request 2 CVEs, for issues
discovered by Paul Szabo in the tomcat8 Debian packaging.

  * Privilege escalation when upgrading tomcat8 package
    https://bugs.debian.org/845393

    > Having installed tomcat8, the directory /etc/tomcat8/Catalina is
    > set writable by group tomcat8, as per the postinst script. Then
    > the tomcat8 user, in the situation envisaged in DSA-3670 and
    > DSA-3720, see also http://seclists.org/fulldisclosure/2016/Oct/4
    > could use something like commands
    > 
    >   mv /etc/tomcat8/Catalina/localhost /tmp/
    >   ln -s /etc/shadow /etc/tomcat8/Catalina/localhost
    > 
    > to create a symlink.
    > 
    > Then when the tomcat8 package is upgraded (e.g. for the next DSA),
    > the postinst script runs
    > 
    >   chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
    > 
    > and that will make the /etc/shadow file world-readable (and
    > group-writable). Other useful attacks might be to make the
    > objects:
    > 
    >   /root/.Xauthority
    >   /etc/ssh/ssh_host_dsa_key
    > 
    > world-readable; or make something (already owned by group tomcat8)
    > group-writable (some "policy" setting maybe?).

  * Privilege escalation when removing tomcat8 package
    https://bugs.debian.org/845395    

    > Having installed tomcat8, the directory
    > /etc/tomcat8/Catalina is set writable by group tomcat8, as
    > per the postinst script. Then the tomcat8 user, in the
    > situation envisaged in DSA-3670 and DSA-3720, see also
    > http://seclists.org/fulldisclosure/2016/Oct/4
    > 
    > could use something like commands
    > 
    >   touch /etc/tomcat8/Catalina/attack
    >   chmod 2747 /etc/tomcat8/Catalina/attack
    > 
    > Then if the tomcat8 package is removed (purged?), the
    > postrm script runs
    > 
    >   chown -Rhf root:root /etc/tomcat8/
    > 
    > and that will leave the file world-writable, setgid root:
    > 
    >   # ls -l /etc/tomcat8/Catalina/attack
    >   -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
    > 
    > allowing "group root" access to the world.

Cheers,

--Seb
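
The following is an added example, not part of the original message and not the Debian tomcat8 maintainer scripts. It sketches defensive checks a root-run maintainer script could apply to a tree that a service group can write to; the function names are hypothetical and the paths are supplied by the caller.

```shell
#!/bin/sh
# Added example; not the Debian tomcat8 maintainer scripts.
# Function names are hypothetical; paths are passed in by the caller.

# Report what a root-run chmod/chown would act on unsafely inside a tree
# that a service group can write to: symlinks, and regular files that are
# setuid, setgid or world-writable.
audit_tree() {
    find "$1" -type l -exec printf 'symlink %s\n' {} \;
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \) \
        -exec printf 'mode %s\n' {} \;
}

# chmod only a real directory. A symlink planted at the path is refused
# instead of followed (the /etc/shadow case in the first report).
# Note: check-then-chmod still leaves a race window while the service
# group can write to the parent; it narrows the problem, it does not
# replace making the parent non-writable for that group.
safe_chmod_dir() {
    if [ -L "$2" ] || [ ! -d "$2" ]; then
        echo "refusing chmod $1 on $2: not a real directory" >&2
        return 1
    fi
    chmod "$1" "$2"
}

# Before handing a tree to root:root, drop setuid/setgid and world-write
# from regular files so ownership changes cannot turn them into
# root-owned special files (the 2747 case in the second report).
strip_special_modes() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \) \
        -exec chmod ug-s,o-w {} +
}
```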

