Date: Fri, 2 Dec 2016 11:43:08 +0100
From: Sébastien Delafond <seb@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: 2 issues in tomcat8 Debian packaging

Hello,

the Debian security team would like to request 2 CVEs, for issues
discovered by Paul Szabo in the tomcat8 Debian packaging.

  * Privilege escalation when upgrading tomcat8 package
    https://bugs.debian.org/845393

    > Having installed tomcat8, the directory /etc/tomcat8/Catalina is
    > set writable by group tomcat8, as per the postinst script. Then
    > the tomcat8 user, in the situation envisaged in DSA-3670 and
    > DSA-3720, see also http://seclists.org/fulldisclosure/2016/Oct/4
    > could use something like commands
    > 
    >   mv /etc/tomcat8/Catalina/localhost /tmp/
    >   ln -s /etc/shadow /etc/tomcat8/Catalina/localhost
    > 
    > to create a symlink.
    > 
    > Then when the tomcat8 package is upgraded (e.g. for the next DSA),
    > the postinst script runs
    > 
    >   chmod 775 /etc/tomcat8/Catalina /etc/tomcat8/Catalina/localhost
    > 
    > and that will make the /etc/shadow file world-readable (and
    > group-writable). Other useful attacks might be to make the
    > objects:
    > 
    >   /root/.Xauthority
    >   /etc/ssh/ssh_host_dsa_key
    > 
    > world-readable; or make something (already owned by group tomcat8)
    > group-writable (some "policy" setting maybe?).

  * Privilege escalation when removing tomcat8 package
    https://bugs.debian.org/845395

    > Having installed tomcat8, the directory
    > /etc/tomcat8/Catalina is set writable by group tomcat8, as
    > per the postinst script. Then the tomcat8 user, in the
    > situation envisaged in DSA-3670 and DSA-3720, see also
    > http://seclists.org/fulldisclosure/2016/Oct/4
    > 
    > could use something like commands
    > 
    >   touch /etc/tomcat8/Catalina/attack
    >   chmod 2747 /etc/tomcat8/Catalina/attack
    > 
    > Then if the tomcat8 package is removed (purged?), the
    > postrm script runs
    > 
    >   chown -Rhf root:root /etc/tomcat8/
    > 
    > and that will leave the file world-writable, setgid root:
    > 
    >   # ls -l /etc/tomcat8/Catalina/attack
    >   -rwxr-Srwx 1 root root 0 Nov 23 09:00 /etc/tomcat8/Catalina/attack
    > 
    > allowing "group root" access to the world.

Cheers,

--Seb
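Both reports boil down to maintainer scripts running chmod and chown -R as root over a tree the tomcat8 group can write to. The following is an added example, not the Debian package's own postinst/postrm and not from this report: a symlink-refusing chmod, an audit that flags symlinks and setuid/setgid entries before any recursive chown, and a helper that clears the special bits first. The demo builds a constructed tree under a temp directory with a placeholder file standing in for /etc/shadow.

```shell
#!/bin/sh
# Added example (not the Debian package's own maintainer scripts): helpers a
# postinst/postrm could use so that a group-writable configuration tree
# cannot redirect the chmod/chown that the scripts run as root.

# safe_chmod MODE PATH
# chmod follows symlinks, so a link planted in the tree would redirect the
# mode change to its target. Refuse to touch anything that is a symlink.
safe_chmod() {
    if [ -L "$2" ]; then
        echo "safe_chmod: refusing symlink $2" >&2
        return 1
    fi
    chmod "$1" "$2"
}

# audit_tree DIR
# List every symlink and every setuid/setgid entry below DIR; return 1 if
# any exist, since a recursive "chown -R root:root" over such a tree would
# leave a setgid file owned by root.
audit_tree() {
    unsafe=$(find "$1" \( -type l -o -perm -4000 -o -perm -2000 \) -print)
    [ -z "$unsafe" ] && return 0
    printf 'audit_tree: unsafe entries under %s:\n%s\n' "$1" "$unsafe" >&2
    return 1
}

# strip_special_bits DIR
# Clear setuid/setgid on regular files below DIR before any recursive
# chown, so a pre-planted mode-2747 file cannot become setgid root.
strip_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# Constructed demonstration tree under a temp dir, mirroring the report with
# a harmless placeholder file standing in for /etc/shadow.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/conf/Catalina"
    : > "$t/secret" && chmod 600 "$t/secret"
    ln -s "$t/secret" "$t/conf/Catalina/localhost"
    : > "$t/conf/Catalina/attack" && chmod 2747 "$t/conf/Catalina/attack"
    safe_chmod 775 "$t/conf/Catalina/localhost"   # refused; secret stays 0600
    audit_tree "$t/conf"                          # reports both entries
    strip_special_bits "$t/conf" && rm "$t/conf/Catalina/localhost"
    audit_tree "$t/conf" && echo "tree is now safe for a recursive chown"
    rm -rf "$t"
}

demo
```

The same pattern applies to the postrm case: run audit_tree and strip_special_bits before the chown -R, and abort the script if the audit fails rather than proceeding over a tree the service account has shaped.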
