2.6.32 2012 Local Root Exploit (Compiled)
For these cases, we would do exactly what we did when we compiled the exploit directly on the victim. This would include checking the comments for compilation and execution instructions and then compiling the exploit. Next, we would transfer the exploit onto the victim and then give it execution permissions before popping it and getting a root shell.
After compiling and executing the exploit, we are prompted to enter a password; pressing Enter sets it to blank. Now we have to check the /etc/passwd file to confirm that we have overwritten the root user.
The flaw identified by CVE-2012-0056 (Red Hat Bugzilla 782642) describes an issue in the handling of the /proc/pid/mem writing functionality, where permissions are not being properly checked in the Linux kernel versions v2.6.39-rc1 to current. A local, unprivileged user could use this flaw to escalate their privileges.
CVE-2012-0056 affects the Linux kernel as shipped with Red Hat Enterprise Linux 6 from version 2.6.32-220.el6 (RHSA-2011:1530) and later, and Red Hat Enterprise MRG from version 188.8.131.52-rt31.75.el6rt (RHSA-2011:1253) and later. (The kernels shipped with RHSA-2011:1530 and RHSA-2011:1253 included a backport of upstream git commit 198214a7.)
2012-01-24: Article updated to reflect the release of the Red Hat Security Advisory RHSA-2012:0052, which fixes the CVE-2012-0056 flaw for Red Hat Enterprise Linux 6. The article was also updated to provide more information about generating a SystemTap kernel module for other computers, and to clarify that the publicly-circulated exploits do not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG at the time of writing.
2012-01-25: Article updated to reflect the release of the Red Hat Security Advisory RHSA-2012:0061, which fixes the CVE-2012-0056 flaw for Red Hat Enterprise MRG. The article was also updated to clarify that the publicly-circulated exploits do affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG with slight modifications.
A new 0day flaw has just been discovered in the Linux kernel, and it allows an ordinary user to become root on a machine. This vulnerability affects Linux distributions based on kernel versions between 2.6.32 and 3.8.8.
$ cat /etc/redhat-release
CentOS release 6.3 (Final)
$ uname -a
Linux test1.hq.company.com 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=503(user) gid=503(user) groups=503(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
$ ./a.out
2.6.37-3.x firstname.lastname@example.org 2010-
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xf7d2e518
[+] Resolved rds_ioctl to 0xf7d29000
[+] Resolved commit_creds to 0xc0450a6f
[+] Resolved prepare_kernel_cred to 0xc045097a
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
So the situation is as follows: there is no gcc on the target system, and I have no way to transfer files directly. To work around this, I had to cross-compile the exploit on my local machine so it could then be sent to the target through the file-upload feature of the PHP backdoor that had been planted, and executed there.
The paper is organized as follows. Section 2 presents a review of related literature. Section 3 discusses the root exploitation method for tampering the security labels of SELinux. Section 4 introduces a system model of enhanced SELinux with randomized security labels. Section 5 indicates the tamper-proof checking method on security labels in the kernel. Section 6 presents the theoretical analysis of the security effect of the current research. Section 7 introduces the experimental evaluation. Section 8 provides the conclusion and suggestions for future studies.
Since the in-kernel security label (sid) is randomly allocated in the proposed scheme, the root privilege escalation attack succeeds only if the attacker guesses the correct sid of the targeted security label. To do so, the attacker could resort to a brute force attack: guessing a different sid value on each attempt, tampering with the victim process using that value, and trying to pass the SELinux permission check.
Privilege escalation attacks are also regarded as threats to mobile devices, such as smartphones and tablets. On Android, rooting is often performed to gain administrative privileges for altering critical settings of the target device. Android uses the Linux kernel, and rooting is mainly performed by exploiting Linux kernel vulnerabilities. Once a device is rooted, intellectual property, such as application programs and libraries independently developed by device manufacturers, may be leaked.
As an example of this attack, we present a privilege escalation attack that exploits CVE-2014-0038. CVE-2014-0038 is a memory corruption vulnerability due to improper parameter checking in the recvmmsg system call. When CONFIG_X86_X32 is enabled, the compat_sys_recvmmsg function in net/compat.c in Linux kernel versions preceding 3.13.2 allows local users to gain privileges via a recvmmsg system call with a specially crafted timeout pointer parameter. In a privilege escalation attack that exploits CVE-2014-0038, a recvmmsg system call with specially crafted parameters is called multiple times. Then, the pointer of the kernel function called in the open system call is changed to the pointer of a kernel function for changing permissions. Subsequently, the exploit code issues the open system call to reach the target kernel function by referencing the changed pointer. It rewrites the privilege of its process in the open system call, thereby achieving privilege escalation. As the kernel function for rewriting the privilege of its own process, prepare_kernel_cred() or commit_creds() is used.
Although Metasploit is commercially owned, it is still an open source project and grows and thrives based on user-contributed modules. As there are only a handful of full-time developers on the team, there is a great opportunity to port existing public exploits to the Metasploit Framework. Porting exploits will not only help make Metasploit more versatile and powerful, it is also an excellent way to learn about the inner workings of the Framework and helps you improve your Ruby skills at the same time. One very important point to remember when writing Metasploit modules is that you always need to use hard tabs and not spaces. For a few other important module details, refer to the HACKING file located in the root of the Metasploit directory. There is some important information that will help ensure your submissions are quickly added to the trunk.
AFFECTED PRODUCTS
Reolink RLC-410W: v184.108.40.206_20121102
QID Detection Logic: This QID checks for the vulnerable version of Reolink RLC-410W using passive scanning.
Consequence: A denial of service vulnerability exists in the cgiserver.cgi session creation functionality of reolink RLC-410W v220.127.116.11_20121102. A specially-crafted HTTP request can prevent users from logging in. An attacker can send an HTTP request to trigger this vulnerability.
Solution: Customers are advised to refer to CERT MITIGATIONS section TALOS-2021-1423 for affected packages and patching details.

CVE-2021-40423
QID: 591332
Reolink RLC-410W cgiserver.cgi command parser denial of service (DoS) Vulnerability (TALOS-2021-1432)
Severity: Critical 4
Status: Under Investigation
Qualys ID: 591332
Vendor Reference: TALOS-2021-1432
CVE Reference: CVE-2021-40423
CVSS Scores: Base 7.5 / Temporal 7.1
Description:
AFFECTED PRODUCTS
Reolink RLC-410W: v18.104.22.168_20121102
QID Detection Logic: This QID checks for the vulnerable version of Reolink RLC-410W using passive scanning.
Consequence: A denial of service vulnerability exists in the cgiserver.cgi API command parser functionality of reolink RLC-410W v22.214.171.124_20121102. A specially-crafted series of HTTP requests can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.
Solution: Customers are advised to refer to CERT MITIGATIONS section TALOS-2021-1432 for affected packages and patching details.

CVE-2022-3736+
QID: 283685
Fedora Security Update for bind (FEDORA-2023-a3d608daf4)
Severity: Critical 4
Status: In Development
Qualys ID: 283685
Vendor Reference: FEDORA-2023-a3d608daf4
CVE Reference: CVE-2022-3736, CVE-2022-3094, CVE-2022-3924
CVSS Scores: Base 7.5 / Temporal 6.5
Description: Fedora has released a security update for bind to fix the vulnerabilities.
Affected OS: Fedora 36
Consequence: Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally, this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
Solution: Refer to Fedora security advisory Fedora 36 for updates and patch information.
Patches: Fedora 36 FEDORA-2023-a3d608daf4

CVE-2023-24038
QID: 181539
Debian Security Update for libhtml-stripscripts-perl (DSA 5339-1)
Severity: Critical 4
Status: Recently Published
Qualys ID: 181539
Date Published: February 6, 2023
Vendor Reference: DSA 5339-1
CVE Reference: CVE-2023-24038
CVSS Scores: Base 7.5 / Temporal 6.5
Description: Debian has released a security update for libhtml-stripscripts-perl to fix the vulnerabilities.
Consequence: Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
Solution: Refer to Debian security advisory DSA 5339-1 for updates and patch information.
Patches: Debian DSA 5339-1

CVE-2023-20076
QID: 317287
Cisco IOx Application Hosting Environment Command Injection Vulnerability (cisco-sa-iox-8whGn5dL)
Severity: Critical 4
Status: In Development
Qualys ID: 317287
Vendor Reference: cisco-sa-iox-8whGn5dL
CVE Reference: CVE-2023-20076
CVSS Scores: Base 7.2 / Temporal 6.3
Description: A vulnerability in the Cisco IOx application hosting environment could allow an authenticated, remote attacker to execute arbitrary commands as root on the underlying host operating system.
Affected Products: This vulnerability affects Cisco devices that are running Cisco IOS XE Software if they have the Cisco IOx feature enabled and they do not support native docker.
800 Series Industrial ISRs
CGR1000 Compute Modules
IC3000 Industrial Compute Gateways (releases 1.2.1 and later run native docker)
IR510 WPAN Industrial Routers
QID Detection Logic (Authenticated): The check matches the Cisco IOS XE version retrieved via Unix Auth using the "show version" command.
QID Detection Logic (Unauthenticated): The check matches the Cisco IOS XE version retrieved via SNMP or TCP/IP Fingerprint or NTP or Telnet.
Note: This QID does not check for IC3000 Industrial Compute Gateways and IR510 WPAN Industrial Routers.
Consequence: A successful exploit could allow the attacker to execute arbitrary commands as root on the underlying host operating system.
Solution: Customers are advised to refer to cisco-sa-iox-8whGn5dL for more information.
Patches: cisco-sa-iox-8whGn5dL

CVE-2022-42302+
QID: 377958
Veritas NetBackup SQL Injection Vulnerability
Severity: Serious 3
Status: In Development
Qualys ID: 377958
Vendor Reference: VTS22-011
CVE Reference: CVE-2022-42302, CVE-2022-42303, CVE-2022-42304
CVSS Scores: Base 9.8 / Temporal 8.5
Description: Veritas NetBackup is an enterprise level heterogeneous backup and recovery suite.
Affected Versions: Veritas NetBackup v10.0.0.0 and earlier.
QID Detection Logic (Authenticated): Operating Systems: Windows. The QID checks for the File Version of nbutil.exe.
Consequence: An attacker can compromise Veritas NetBackup via SQL Injection.
Solution: The vendor has issued a fix for these vulnerabilities. Please refer to the vendor advisory VTS22-011 which addresses this issue.
Patches: VTS22-011

CVE-2023-22374
QID: 377959
F5 BIG-IP IControl SOAP Vulnerability CVE-2023-22374 (K35253541)
Severity: Serious 3
Status: In Development
Qualys ID: 377959
Vendor Reference: K000130415
CVE Reference: CVE-2023-22374
CVSS Scores: Base 8.6 / Temporal 7.5
Description: BIG-IP has released a security update for BIG-IP to fix the vulnerabilities.
Vulnerable Component:
Affected Versions: 17.0.0; 16.1.0 - 16.1.3; 15.1.0 - 15.1.8; 14.1.0 - 14.1.5; 13.1.5
QID Detection Logic (Authenticated): This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.
Consequence: This vulnerability may allow an authenticated attacker with network access to iControl SOAP through the BIG-IP management port and/or self IP addresses to cause a denial-of-service (DoS) on the iControl SOAP CGI process or potentially execute arbitrary system commands.
Solution: Please refer to K000130415 for more information.
Patches: K000130415

CVE-2022-45789
QID: 591331
Schneider Electric Modicon M340, M580 CPU and M580 CPU Safety Authentication Bypass Vulnerability (SEVD-2023-010-06)
Severity: Serious 3
Status: Under Investigation
Qualys ID: 591331
Vendor Reference: SEVD-2023-010-06
CVE Reference: CVE-2022-45789
CVSS Scores: Base 8.1 / Temporal 7.2
Description:
AFFECTED PRODUCTS
Modicon M340 CPU (part numbers BMXP34*): All Versions
Modicon M580 CPU (part numbers BMEP* and BMEH*): All Versions
Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S): All Versions
QID Detection Logic: This QID checks for the vulnerable version of Schneider Electric Modicon M340, M580 CPU and M580 CPU Safety using passive scanning.
Consequence: Successful exploitation of these vulnerabilities may risk unauthorized access to your PLC, which could result in the possibility of denial of service and loss of confidentiality and integrity of the controller.
Solution: Customers are advised to refer to Schneider Electric MITIGATIONS section SEVD-2023-010-06 for affected packages and patching details.

CVE-2022-22483
QID: 20323
IBM DB2 Information Disclosure Vulnerability (6618779)
Severity: Serious 3
Status: In Development
Qualys ID: 20323
Vendor Reference: 6618779
CVE Reference: CVE-2022-22483
CVSS Scores: Base 6.5 / Temporal 5.7
Description: IBM Db2 may be vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when the CREATE OR REPLACE command is used.
Affected Versions:
IBM DB2 up to V9.7 FP11
IBM DB2 up to V10.1 FP6
IBM DB2 up to V10.5 FP11
IBM DB2 up to V11.1 FP 7
IBM DB2 up to 11.5 FP8
QID Detection Logic:
Authenticated (DB2): This QID queries the DB2 server to get the server version and fix pack level and checks to see if it's vulnerable.
Authenticated (Windows): This QID checks for vulnerable versions of DB2 on Windows OS.
Consequence: Successful exploitation could lead to leakage of sensitive information.
Solution: Please refer to the following link: 6618779
Patches: 6618779

CVE-2022-31697+
QID: 216307
VMware vCenter Server 7.0 Update 7.0 U3i (VMSA-2022-0030)
Severity: Serious 3
Status: Under Investigation
Qualys ID: 216307
Vendor Reference: VMSA-2022-0030
CVE Reference: CVE-2022-31697, CVE-2022-31698
CVSS Scores: Base 5.5 / Temporal 4.8
Description: VMware vCenter Server is a server management solution that helps IT admins manage virtualized hosts and virtual machines in enterprise environments via a single console.
Affected Versions: VMware vCenter Server Virtual Appliance 6.7 prior to build 20845200
QID Detection Logic (Unauthenticated): This QID checks for vulnerable versions of VMware vCenter Server by build version, using the web service present on the target.
Consequence: A malicious actor with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation.
Solution: Refer to VMware advisory VMSA-2022-0030 for more information.
Patches: VMSA-2022-0030

CVE-2022-31697+
QID: 216306
VMware vCenter Server 6.7 Update 6.7 U3S (VMSA-2022-0030)
Severity: Serious 3
Status: Under Investigation
Qualys ID: 216306
Vendor Reference: VMSA-2022-0030
CVE Reference: CVE-2022-31697, CVE-2022-31698
CVSS Scores: Base 5.5 / Temporal 4.8
Description: VMware vCenter Server is a server management solution that helps IT admins manage virtualized hosts and virtual machines in enterprise environments via a single console.
Affected Versions: VMware vCenter Server Virtual Appliance 6.7 prior to build 20540798
QID Detection Logic (Unauthenticated): This QID checks for vulnerable versions of VMware vCenter Server by build version, using the web service present on the target.
Consequence: A malicious actor with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation.
Solution: Refer to VMware advisory VMSA-2022-0030 for more information.
Patches: VMSA-2022-0030

CVE-2023-23608
QID: 691050
Free Berkeley Software Distribution (FreeBSD) Security Update for spotipy (c3fb48cc-a2ff-11ed-8fbc-6cf0490a8c18)
Severity: Medium 2
Status: In Development
Qualys ID: 691050
Vendor Reference: c3fb48cc-a2ff-11ed-8fbc-6cf0490a8c18
CVE Reference: CVE-2023-23608
CVSS Scores: Base 0 / Temporal 0
Description: FreeBSD has released a security update for spotipy to fix the vulnerabilities.
Consequence: Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
Solution: Refer to FreeBSD security advisory c3fb48cc-a2ff-11ed-8fbc-6cf0490a8c18 for updates and patch information.
Patches: "FreeBSD" c3fb48cc-a2ff-11ed-8fbc-6cf0490a8c18

CVE-2022-46146
QID: 691047
Free Berkeley Software Distribution (FreeBSD) Security Update for node_exporter (d835c54f-a4bd-11ed-b6af-b42e991fc52e)
Severity: Critical 4
Status: Recently Published
Qualys ID: 691047
Date Published: February 6, 2023
Vendor Reference: d835c54f-a4bd-11ed-b6af-b42e991fc52e
CVE Reference: CVE-2022-46146
CVSS Scores: Base 8.8 / Temporal 7.7
Description: FreeBSD has released a security update for node_exporter to fix the vulnerabilities.
Consequence: Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
Solution: Refer to FreeBSD security advisory d835c54f-a4bd-11ed-b6af-b42e991fc52e for updates and patch information.
Patches: "FreeBSD" d835c54f-a4bd-11ed-b6af-b42e991fc52e

CVE-2022-2602+
QID: 753620
SUSE Enterprise Linux Security Update for the Linux Kernel (Live Patch 12 for SLE 15 SP3) (SUSE-SU-2023:0262-1)
Severity: Critical 4
Status: Recently Published
Qualys ID: 753620
Date Published: February 6, 2023
Vendor Reference: SUSE-SU-2023:0262-1
CVE Reference: CVE-2022-2602, CVE-2022-3424
CVSS Scores: Base 8.6 / Temporal 7.5
Description: SUSE has released a security update for kernel to fix the vulnerabilities.
Affected product(s):
SUSE Linux Enterprise Server 15 SP2
SUSE Linux Enterprise Server for SAP Applications 15 SP2
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP3
Consequence: Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
Solution: Refer to SUSE security advisory SUSE-SU-2023:0262-1 for updates and patch information.
Patches: SUSE Enterprise Linux SUSE-SU-2023:0262-1

CVE-2023-22809
QID: 283684
Fedora Security Update for sudo (FEDORA-2023-298c136eee)
Severity: Critical 4
Status: Recently Published
Qualys ID: 283684
Date Published: February 6, 2023
Vendor Reference: FEDORA-2023-298c136eee
CVE Reference: CVE-2023-22809
CVSS Scores: Base 7.8 / Te