Add Exploit for CVE-2021-38648 (OMIGOD LPE) #15802
Conversation
You should have installed Protocon on the target!
The hardcoded messages were recovered using:
```
strace -v -s 5000 -f -xx -e trace=socket,connect,write,writev,close \
  /opt/omi/bin/omicli iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command '...' timeout 0 }
```
```ruby
pid = pidof('omiserver').first
return CheckCode::Safe if pid.nil?

omiserver_bin = read_file("/proc/#{pid}/cmdline").split("\x00", 2).first
```
To a potential reviewer, it's worth double checking if we'll always have access to read this file.
Let's use the most common default binary path as a fallback if we don't have the ability to confirm the binary cmdline
as expected
> To a potential reviewer, it's worth double checking if we'll always have access to read this file.

/proc/PID/cmdline is world-readable unless the /proc filesystem is manually mounted with the hidepid option. Not certain how common it is to do that though.
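The check logic that the quoted snippet and the hidepid discussion above are about, as an added example that is not the PR's module code: it takes argv[0] from /proc/<pid>/cmdline, recognises a /proc mount carrying hidepid, and falls back to a default path when the entry is unreadable or argv[0] is not an absolute path. DEFAULT_OMISERVER and the helper names are assumptions, not values from the PR.

```ruby
# Added example (not the PR's module code). Resolves the omiserver binary path
# the way the review thread suggests: prefer /proc/<pid>/cmdline and fall back
# to a default path when the file is unreadable (hidepid) or argv[0] is unusable.
# DEFAULT_OMISERVER is an assumed install path, not a value taken from the PR.
DEFAULT_OMISERVER = '/opt/omi/bin/omiserver'.freeze

# Report the hidepid= setting of the /proc mount from /proc/mounts text, or nil
# when the option is absent. Takes the text as an argument so it runs offline.
def proc_hidepid(mounts_text)
  mounts_text.each_line do |line|
    _dev, mnt, type, opts = line.split(' ', 5)
    next unless type == 'proc' && mnt == '/proc'
    opt = opts.to_s.split(',').find { |o| o.start_with?('hidepid=') }
    return opt && opt.split('=', 2).last
  end
  nil
end

# Pick argv[0] out of a raw cmdline buffer (NUL-separated argv). A nil or empty
# buffer, or a relative argv[0], cannot be trusted, so the default is returned.
def binary_from_cmdline(cmdline, default: DEFAULT_OMISERVER)
  return default if cmdline.nil? || cmdline.empty?
  argv0 = cmdline.split("\x00", 2).first.to_s
  argv0.start_with?('/') ? argv0 : default
end

# Read /proc/<pid>/cmdline, returning nil when the entry is hidden from us:
# hidepid=1 yields EACCES, hidepid=2 hides the directory entirely (ENOENT).
def read_cmdline(pid)
  File.binread("/proc/#{pid}/cmdline")
rescue Errno::EACCES, Errno::ENOENT
  nil
end

# Locate the binary for a given pid, or the default when it cannot be read.
def omiserver_binary(pid)
  binary_from_cmdline(read_cmdline(pid))
end

if __FILE__ == $PROGRAM_NAME
  mounts = File.exist?('/proc/mounts') ? File.read('/proc/mounts') : ''
  puts "hidepid: #{proc_hidepid(mounts).inspect}"
  puts "argv[0] of this process via /proc/self: #{omiserver_binary('self')}"
end
```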
Converted to a draft because I noticed an issue that will take me a bit to address. Will undraft once it's unblocked.
Docker setup:
For a manual setup on Ubuntu 20, I'm getting the following output:
That may be due to an error in my installation though. Code and docs look good to me!
And it was my installation:
Release Notes

This adds a local exploit module that targets versions less than
This is an exploit for CVE-2021-38648 which is an authentication bypass within Microsoft's OMI management interface. Unlike the semi-related CVE-2021-38647 (see PR #15800) this vulnerability must be leveraged locally and can be exploited in the default configuration. Exploitation results in OS command execution as the root user.
The vulnerability works by replaying the messages necessary to execute an OS command but without the initial authentication exchange. The messages are in an OMI-specific binary protocol format. The included Python exploit uses hard-coded messages but limits the OS command that's executed to 256 characters max. When the Linux Dropper target is used though, the space is irrelevant because the command is just used to execute the payload ELF file that is written to disk.
A Python script is used for maximum compatibility in Metasploit's current state. In theory, railgun could be used to perform the exploit entirely in memory but that would limit it to use with only Python Meterpreter sessions. Likewise, Rex could maybe be used to forward an AF_UNIX socket, but is currently limited to TCP/IP. Python is pretty widely available and included on many distros as part of the base. The exploit will automatically find and execute an appropriate Python binary.
Verification
While developing this module, I noticed an issue whereby the Python Meterpreter for some reason fails to identify a Python executable using `command_exists?` while Mettle succeeds. I suspect this is an issue with the Python Meterpreter and will investigate/fix it in a separate PR. In the meantime, don't use the Python Meterpreter for testing this exploit.

```
docker build . -t ms-omi:cve-2021-38648
docker run -it --entrypoint /bin/bash ms-omi:cve-2021-38648
/etc/init.d/omid restart
```

- Start `msfconsole`
- `exploit/multi/script/web_delivery` works well for this purpose
- `use exploit/linux/local/cve_2021_38648_omigod`
- `exploit`

Example