Description
This module exploits the trusted `$PATH` environment variable of the SUID binary `omniresolve` in Micro Focus (HPE) Data Protector A.10.40 and prior.
The `omniresolve` executable calls the `oracleasm` binary using a relative path and the trusted environment `$PATH`, which allows an attacker to execute a custom binary with `root` privileges.
This module has been successfully tested on: HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016; Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)
The vulnerability has been patched in: Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/local/omniresolve_suid_priv_escmsf undefined(omniresolve_suid_priv_esc) > show actions ...actions...msf undefined(omniresolve_suid_priv_esc) > set ACTION < action-name >msf undefined(omniresolve_suid_priv_esc) > show options ...show and set options...msf undefined(omniresolve_suid_priv_esc) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub