module
Xorg X11 Server SUID logfile Privilege Escalation
| Disclosed | Created |
|---|---|
| 2018-10-25 | 2019-03-19 |
Disclosed
2018-10-25
Created
2019-03-19
Description
This module attempts to gain root privileges with SUID Xorg X11 server
versions 1.19.0
A permission check flaw exists for -modulepath and -logfile options when
starting Xorg. This allows unprivileged users that can start the server
the ability to elevate privileges and run arbitrary code under root
privileges.
This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and
CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS
and RHEL systems requires console auth for the user's session to start
the Xorg server.
Cron launches the payload, so if SELinux is enforcing, exploitation
may still be possible, but the module will bail.
Xorg must have SUID permissions and may not start if already running.
On exploitation a crontab.old backup file will be created by Xorg.
This module will remove the .old file and restore crontab after
successful exploitation. Failed exploitation may result in a corrupted
crontab. On successful exploitation artifacts will be created consistant
with starting Xorg and running a cron.
versions 1.19.0
A permission check flaw exists for -modulepath and -logfile options when
starting Xorg. This allows unprivileged users that can start the server
the ability to elevate privileges and run arbitrary code under root
privileges.
This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and
CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS
and RHEL systems requires console auth for the user's session to start
the Xorg server.
Cron launches the payload, so if SELinux is enforcing, exploitation
may still be possible, but the module will bail.
Xorg must have SUID permissions and may not start if already running.
On exploitation a crontab.old backup file will be created by Xorg.
This module will remove the .old file and restore crontab after
successful exploitation. Failed exploitation may result in a corrupted
crontab. On successful exploitation artifacts will be created consistant
with starting Xorg and running a cron.
Authors
Narendra Shinde
Raptor - 0xdea
Aaron Ringo
bcoles bcoles@gmail.com
Raptor - 0xdea
Aaron Ringo
bcoles bcoles@gmail.com
Platform
Linux,OpenBSD
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.