CVE-2016-1240

HIGH

Apache Tomcat on Ubuntu Log Init Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 4 public exploits for CVE-2016-1240. PoCs were published by Dawid Golunski, Naramsim, and mhe18, and include the Metasploit module exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.

AI-analyzed exploit summary: This exploit targets a privilege escalation vulnerability in Apache Tomcat packaging on Debian-based distributions. It allows local attackers with access to the tomcat user to escalate privileges to root by manipulating the catalina.out log file via symlink attacks.

Description

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Dawid Golunski · text · local · linux
https://www.exploit-db.com/exploits/40450

This exploit targets a privilege escalation vulnerability in Apache Tomcat packaging on Debian-based distributions. It allows local attackers with access to the tomcat user to escalate privileges to root by manipulating the catalina.out log file via symlink attacks.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat 6/7/8 on Debian-based distributions
Auth required
Prerequisites: Access to the tomcat user account · Tomcat service restart or system reboot
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 stars
by Naramsim · poc
https://github.com/Naramsim/Offensive

The repository contains descriptions and references for multiple CVEs, including CVE-2014-2064, but lacks executable exploit code for the specified CVE. It includes detailed explanations and references for vulnerabilities in Tomcat, Spring, and Jenkins.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Theoretical
Target: Jenkins
No auth needed
Prerequisites: Access to the vulnerable Jenkins instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by mhe18 · poc
https://github.com/mhe18/CVE_Project

This repository contains a functional exploit for CVE-2016-1240, a local privilege escalation vulnerability in Apache Tomcat 7. The exploit leverages a symlink attack on the catalina.out log file to manipulate /etc/ld.so.preload and execute arbitrary code with root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat 7
Auth required
Prerequisites: Access to a Tomcat 7 user shell · Tomcat 7 installed and running · Ability to restart Tomcat
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC MANUAL
by h00die, Dawid Golunski · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb

This Metasploit module exploits CVE-2016-1240, a privilege escalation vulnerability in Apache Tomcat on Ubuntu/Debian systems. It manipulates the catalina.out log file to create a symlink to /etc/ld.so.preload, allowing arbitrary library loading for root privilege escalation.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat 6, 7, 8 on Debian-based distributions (Ubuntu, Debian, etc.)
Auth required
Prerequisites: Access to the tomcat user account · Write access to /var/log/tomcat8/catalina.out · Tomcat service restart required
devstral-2 · analyzed Feb 16, 2026

References (14)

Core References
Third Party Advisory, VDB Entry vdb-entry
http://www.securitytracker.com/id/1036845
Third Party Advisory vendor-advisory
http://www.debian.org/security/2016/dsa-3670
Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/93263
Vendor Advisory vendor-advisory
http://rhn.redhat.com/errata/RHSA-2017-0457.html
Third Party Advisory vendor-advisory
http://www.debian.org/security/2016/dsa-3669
Vendor Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2017:0455
Third Party Advisory, VDB Entry mailing-list
http://www.securityfocus.com/archive/1/539519/100/0/threaded
Vendor Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2017:0456
Third Party Advisory vendor-advisory
http://www.ubuntu.com/usn/USN-3081-1
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/40450/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/201705-09

Scores

CVSS v3 7.8
EPSS 0.0978
EPSS Percentile 94.9%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-20
Status published
Products (3)
apache/tomcat 6.0
apache/tomcat 7.0
apache/tomcat 8.0
Published Oct 03, 2016
Tracked Since Feb 18, 2026