Rapid7 Vulnerability & Exploit Database

Xorg X11 Server SUID logfile Privilege Escalation

Back to Search

Xorg X11 Server SUID logfile Privilege Escalation

Disclosed
10/25/2018
Created
03/19/2019

Description

This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS and RHEL systems requires console auth for the user's session to start the Xorg server. Cron launches the payload, so if SELinux is enforcing, exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if already running. On exploitation a crontab.old backup file will be created by Xorg. This module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation artifacts will be created consistant with starting Xorg and running a cron.

Author(s)

  • Narendra Shinde
  • Raptor - 0xdea
  • Aaron Ringo
  • bcoles <bcoles@gmail.com>

Platform

Linux,OpenBSD

Architectures

cmd, x86, x64

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/local/xorg_x11_suid_server
msf exploit(xorg_x11_suid_server) > show targets
    ...targets...
msf exploit(xorg_x11_suid_server) > set TARGET < target-id >
msf exploit(xorg_x11_suid_server) > show options
    ...show and set options...
msf exploit(xorg_x11_suid_server) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;