CVE-2004-1452
Description
In Gentoo Linux, Tomcat init scripts are owned by tomcat:tomcat but run as root, allowing local tomcat group members to escalate to root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Gentoo Linux, the Tomcat ebuild sets the ownership of the init scripts (/etc/init.d/tomcat* and /etc/conf.d/tomcat*) to tomcat:tomcat. However, these scripts are executed with root privileges when the system starts or when the Tomcat service is managed. This misconfiguration affects Tomcat versions before 5.0.27-r3 on Gentoo [1].
Exploitation
A local user who is a member of the tomcat group can modify the init scripts (e.g., /etc/init.d/tomcat*) to include arbitrary commands. When the system boots or the Tomcat init script is run (e.g., via service tomcat start), the injected commands execute with root privileges. No additional authentication or user interaction beyond being in the tomcat group is required [1].
Impact
Successful exploitation allows a local attacker in the tomcat group to execute arbitrary commands as root, leading to full root compromise of the system. This is a local privilege escalation vulnerability [1].
Mitigation
Users should upgrade to the fixed version, Tomcat >=5.0.27-r3, with: emerge ">=www-servers/tomcat-5.0.27-r3". As a workaround, change ownership of the init and configuration files to root:root using:
chown -R root:root /etc/init.d/tomcat*
chown -R root:root /etc/conf.d/tomcat*
This vulnerability is documented in Gentoo GLSA 200408-15 [1].
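As an added defender-side check (not part of the GLSA or the Gentoo ebuild), the POSIX shell script below audits the init and conf paths named above: it reports any root-executed script that is not owned by root:root, or that is writable by group or others, and prints the chown/chmod fix. It assumes GNU stat (coreutils); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the GLSA's or the ebuild's code: audit OpenRC init/conf
# scripts that run as root for the CVE-2004-1452 pattern (non-root owner)
# and the related group/other-writable case. Assumes GNU stat (coreutils).

# audit_mode OWNER GROUP OCTAL_MODE
# Pure check on stat-style fields: returns 0 when a root-run script is safe
# (owned by root:root, not writable by group or others), else prints the
# reason and returns 1. Modes such as 2755 (setgid) keep only the last three
# digits; short modes such as "0" are zero-padded first.
audit_mode() {
    owner=$1; group=$2; mode=$3
    case $mode in ?) mode=00$mode;; ??) mode=0$mode;; esac
    perm=${mode#"${mode%???}"}      # last three octal digits: user group other
    g=${perm%?}; g=${g#?}           # group digit
    o=${perm#??}                    # other digit
    reason=""
    [ "$owner" = root ] || reason="$reason owner=$owner"
    [ "$group" = root ] || reason="$reason group=$group"
    [ $(( g & 2 )) -eq 0 ] || reason="$reason group-writable"
    [ $(( o & 2 )) -eq 0 ] || reason="$reason other-writable"
    if [ -n "$reason" ]; then
        echo "UNSAFE:$reason"
        return 1
    fi
    return 0
}

# audit_file PATH: read the real owner, group and mode with GNU stat.
audit_file() {
    f=$1
    info=$(stat -c '%U %G %a' "$f") || return 1
    set -- $info
    if audit_mode "$1" "$2" "$3"; then
        echo "ok: $f"
    else
        echo "  -> $f (fix: chown root:root \"$f\"; chmod go-w \"$f\")"
        return 1
    fi
}

# audit_paths PATH...: audit every existing path; status 1 if any is unsafe.
audit_paths() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue    # unmatched glob or missing file
        audit_file "$f" || rc=1
    done
    return $rc
}

# Paths from GLSA 200408-15; the globs expand to nothing without Tomcat.
audit_paths /etc/init.d/tomcat* /etc/conf.d/tomcat*
```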
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:gentoo:linux:0.5:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:linux:0.7:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:linux:1.1a:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:linux:1.2:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:linux:1.4:*:*:*:*:*:*:*
- cpe:2.3:o:gentoo:linux:1.4:rc1:*:*:*:*:*:*
- cpe:2.3:o:gentoo:linux:1.4:rc2:*:*:*:*:*:*
- cpe:2.3:o:gentoo:linux:1.4:rc3:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.