Add Libuser roothelper Privilege Escalation exploit #9919
Ranking
I tested the original
Check method
The most confident response from
glibc
libuser
While it's possible to verify the installed version of
pam
mitigation
Red Hat does offer a workaround to prevent exploitation. I didn't bother to check for this.
script / su
Successful exploitation results in a new user added to the system with
On some systems, it's possible to pipe
The new user is removed from the system
Original exploit
The original C code was modified in two instances, both of which are documented in the source. The first was to allow cross-compiling on my system which complained about the use of
The second was to prevent the backup of
I get this on a non-vulnerable session (which is good):
'DefaultTarget' => 0)) | ||
register_options [ | ||
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]), | ||
OptString.new('PASSWORD', [ false, 'Password for the current user', '' ]), |
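Review bot: `PASSWORD` on the last line of this hunk is registered as optional (`false`) with an empty-string default, while `COMPILE` above it is required. If the module cannot proceed without the current user's password, declare it required and drop the `''` default so that option validation rejects a missing value before the module runs.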
As discussed I will make this option a requirement
For context, while a blank password is valid, libuser does not appear to accept it.
Also working on shell sessions:
Excellent work @bcoles !!!!
Release Notes
The exploit/linux/local/libuser_roothelper_priv_esc module has been added to the framework. It allows you to gain root privileges on Red Hat based Linux systems (including RHEL, Fedora, and CentOS) by exploiting a newline injection vulnerability in libuser and userhelper.
Add Libuser roothelper Privilege Escalation exploit.
Verification
msfconsole
use exploit/linux/local/libuser_roothelper_priv_esc
set SESSION <ID>
set PASSWORD <PASSWORD>
run
Scenarios
libuser 0.56.13-5.el6 on Red Hat 6.6 (x86_64)
libuser 0.60-5.el7 on CentOS 7.1-1503 (x86_64)
libuser 0.60-6.fc21 on Fedora Desktop 21 (x86_64)