-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add cve-2021-3493 module #15822
Add cve-2021-3493 module #15822
Conversation
This comment has been minimized.
This comment has been minimized.
OK, so after the changes, I tested on a couple platforms. We might need to do some finer work with minor versions on the tail ends of vulnerability. In theory, the 20.04 should be vulnerable, but my updated dev VM is not, and one of the 16.04 VMs should have been vulnerable, but was not. I think it is likely less of an issue because if the VM was not vulnerable and it ran it anyway, you just get a shell back with the same privileges you had before. No crash or explosions. The method of controlling the directories created during the exploit is somewhat unorthodox, but it works. Taking this out of draft once I get the documentation done. Ubuntu 18.04
Fedora 31
Ubuntu 16.04
Ubuntu 20.04
Ubuntu 20.04.2
|
Let's hold off momentarily and see if this will work with other architectures like ARM and x86 |
Couple quick notes from testing today (going to hold off on further testing until we see if it works with other architectures) I ran into the issue you mentioned running into on Ubuntu 20.04 where it said it was vulnerable but came back with a new session with the same privileges as the previous session When testing out on Ubuntu 18.04 with a python meterpreter session I ran into this:
I assumed this exploit should work with python and other non-native meterpreters I went and overrode the check by setting
|
fyi if you expose a vulnerable Ubuntu installation to the internet it will automagically grab the patch for this (I think it's an option under Software and Updates > Updates > When there are security updates : automatically download and install automatically). |
The curse of infosec research: It's a good thing when people make your life miserable..... |
OK.... First off, it does work right out of the box for ARM64, but I did find that installing
To do this, I installed Virtual machine manager and Qemu, then downloaded the image above. Import Disk (click the dropdown for Architecture options and select aarch64) |
@dwelch-r7 that is odd with Python. Specifically, the line here: After checking, that's the case. The module uses a call to
That's super odd, as the method for
OK.... I think this is a bug with python meterpreter. When I connect with an elf meterpreter I can run the check, and then use irb to see that we're properly pulling the
On a python session, I can't get any of that, and the cmd_exec fails...
I'm blaming Python, personally. |
@bwatters-r7 you might want to try rebase this on top of #15805 as it includes some fixes for python meterpreter cmd_exec |
@timwr here I was about to write an issue in Payloads, too! Now, it is just going to be an issue in mettle (I hope)! |
Rebasing no longer gives me an error, but also, it does not work....
|
…eation Added a method to get source code for the write and compile method
Add arch checks for payload/target
6641395
to
47aacbd
Compare
OK... so the TL;DR is that this works on the binary payload, but fails on python payloads:
This works on both:
Looks like there is a mismatch with how |
FWIW, you can verify this behavior by getting a python meterpreter session and a binary meterpreter session, then running : |
@dwelch-r7 unfortunately, targeting is hard..... The bright side is that nothing happens on a machine that's been patched. Tim suggested they shadow patch when connected to the internet, and I think he's right. |
Also, checking on that failure on python.... it looks maybe like the cleanup happened before the launch? I'll look into that real quick, too. |
Huh.... I swung and missed on this one. |
documentation/modules/exploit/linux/local/cve_2021_3493_overlayfs.md
Outdated
Show resolved
Hide resolved
documentation/modules/exploit/linux/local/cve_2021_3493_overlayfs.md
Outdated
Show resolved
Hide resolved
Also, I'll put this here- the python meterpreter is still failing, sort of:
It seems to hang on the remove if you're in a python session, but once you exit the new session, the rm finishes and cleans up. |
other bcoles improvements
Linux 20.04.02 With Binary Payload
Linux 20.04 With Python Payload
Linux 18.04 aarch64
|
Release NotesAdds a module for the CVE-2021-3493 overlay fs local privilege escalation for Ubuntu versions 14.04 - 20.10 |
This adds a module for the cve-2021-3493 overlay fs local privilege escalation for Ubuntu versions 14.04 - 20.10.
msfconsole
use exploit/linux/local/cve_2021_3493_overlayfs
set session <session>
set COMPILE False
run
exit
set COMPILE True
run
I'm leaving this as a draft because currently it:
(Added) 4. The C code needs some work to make it less obvious