Fixed shell script creation with passwords with special characters #13886

Merged
merged 3 commits into from Jul 23, 2020

digitalcombine
Contributor

With the post/multi/manage/sudo module I encountered that passwords with the $ character cause this module to fail. This is due to the lack of quoting when generating the script for sudo -s -A. The lack of quoting causes the script to attempt to expand the $ as a variable. For example, the password "the$sign" creates the script:

```sh
#!/bin/sh
echo the
```

In sudo.rb on line 102, I changed the line:

```ruby
cmd_exec("echo echo #{password} >> #{askpass_sh}")
```

to

```ruby
cmd_exec("echo 'echo '\"'\"'#{password}'\"'\"'' >> #{askpass_sh}")
```

This adds quoting to the script generation and to the script itself. Now the password "the$sign" creates the script:

```sh
#!/bin/sh
echo 'the$sign'
```

Special characters in passwords shouldn't cause failures with the exception of the ' character. Thanks to @bwatters-r7 for reviewing the initial change.
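
The two layers of quoting this PR deals with (the `echo` command that writes the askpass script, and the script line itself), as an added Ruby example that is not part of the pull request or the module's code. `original_line` and `merged_line` reproduce the two lines quoted above; `sh_squote`, `two_layer_line` and `askpass_output` are hypothetical helpers, and `two_layer_line` goes beyond the merged change by also handling the `'` character.

```ruby
require 'open3'
require 'tmpdir'

# POSIX sh single-quoting: everything is literal except ', which is written
# by closing the quote, adding an escaped quote, and reopening: '\''
def sh_squote(str)
  "'" + str.gsub("'") { "'\\''" } + "'"
end

# The line before this PR, as quoted in the description.
def original_line(password, path)
  "echo echo #{password} >> #{path}"
end

# The merged line, as quoted in the description.
def merged_line(password, path)
  "echo 'echo '\"'\"'#{password}'\"'\"'' >> #{path}"
end

# Assumption (not the module's code): quote once for the generated script,
# then quote that whole script line again for the command that writes it.
# printf '%s\n' is used because some echo builtins interpret backslashes.
def two_layer_line(password, path)
  script_line = "printf '%s\\n' #{sh_squote(password)}"
  "printf '%s\\n' #{sh_squote(script_line)} >> #{sh_squote(path)}"
end

# Write the askpass script into a temp dir with the chosen builder, run it,
# and return what it prints (what sudo -A would receive as the password).
def askpass_output(builder, password)
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'askpass.sh') # constructed path, no metacharacters
    File.write(path, "#!/bin/sh\n")
    system('sh', '-c', send(builder, password, path), err: File::NULL)
    out, = Open3.capture2e('sh', path)
    out.chomp
  end
end

if __FILE__ == $PROGRAM_NAME
  ['the$sign', 'asdf$asdf`', "it's a $ecret"].each do |pw|
    %i[original_line merged_line two_layer_line].each do |b|
      puts format('%-15s %-16s -> %p', b, pw.inspect, askpass_output(b, pw))
    end
  end
end
```

A password containing `'` makes the merged line an unterminated shell string, so nothing is appended to the script; that is the exception noted in the description.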

@bcoles bcoles self-assigned this Jul 23, 2020
@bcoles
Contributor

bcoles commented Jul 23, 2020

This looks good to me. I'll merge when the automated tests pass.

```
msf5 exploit(multi/handler) > [*] Command shell session 1 opened (172.16.191.165:1338 -> 172.16.191.166:56910) at 2020-07-23 09:33:20 -0400

msf5 exploit(multi/handler) > use post/multi/manage/sudo 
msf5 post(multi/manage/sudo) > set verbose true
verbose => true
msf5 post(multi/manage/sudo) > set password asdf$asdf`
password => asdf$asdf`
msf5 post(multi/manage/sudo) > set session 1 
session => 1
msf5 post(multi/manage/sudo) > run

[*] SUDO: Attempting to upgrade to UID 0 via sudo
[*] Sudoing with password `asdf$asdf`'.
[*] Writing the SUDO_ASKPASS script: /tmp/.lLQQnVV
[*] Max line length is 4096
[*] Writing 28 bytes in 1 chunks of 102 bytes (octal-encoded), using printf
[*] Setting executable bit.
[*] Setting environment variable.
[*] Executing sudo -s -A
[+] SUDO: Root shell secured.
[*] Post module execution completed
msf5 post(multi/manage/sudo) > sessions -i 1 
[*] Starting interaction with 1...

id
uid=0(root) gid=0(root) groups=0(root)
```

@bcoles
Contributor

bcoles commented Jul 23, 2020

@digitalcombine Are you keen to take a look at some of the other issues with this module? (in a separate PR)

@bcoles bcoles merged commit 2379194 into rapid7:master Jul 23, 2020
@bcoles
Contributor

bcoles commented Jul 23, 2020

Release Notes

Fixed the post/multi/manage/sudo module support for passwords containing shell substitution and meta characters.

@digitalcombine
Contributor Author

@bcoles definitely. I started looking into removing the evidence, might as well continue on.

Labels
bug module rn-fix release notes fix