Rich Mirch

Penetration Tester, Red Teamer, Security Researcher

CVE-2019-3466 Debian / Ubuntu Privilege Escalation via pg_ctlcluster — November 15, 2019

Vulnerability Summary

The pg_ctlcluster script in the postgresql-common package in Debian and Ubuntu is vulnerable to a local privilege escalation attack. pg_ctlcluster is the wrapper script used to manage PostgreSQL clusters (start, stop, reload). A local attacker with access to the postgres account can make pg_ctlcluster create arbitrary directories, owned by postgres, during a start or reload when it is invoked as root via systemd. This can be leveraged to escalate privileges to root.

It is important to note that this is not a vulnerability in PostgreSQL itself. It is specific to Debian, Ubuntu, and any other distribution that consumes the Debian postgresql-common package.

A fix is now available. Administrators should upgrade to the latest version of the postgresql-common package. See the Debian security tracker for details.

The vulnerability appears to have existed since 2013 based on the Debian Git history (9dc97b, e97d16). I attempted to reproduce it on Wheezy but was unable to verify it due to unrelated technical issues standing up a test environment.

This proof of concept shows how to gain root privileges using the default installation of postgresql-common 200+deb10u2 together with postgresql-11 on Debian Buster. I have also verified the vulnerability on Ubuntu 19.04 with version 199 of the postgresql-common package.


Walkthrough

The postgresql init script (/etc/init.d/postgresql) sources init.d-functions, which contains the functions that call the pg_ctlcluster script. pg_ctlcluster loads the following configuration files, whose locations are determined by the PgCommon module:

  • /etc/postgresql/cluster-version/cluster-name/pg_ctl.conf
  • /etc/postgresql/cluster-version/cluster-name/postgresql.conf
  • /var/lib/postgresql/cluster-version/cluster-name/postgresql.auto.conf

These files are owned by the postgres user. Settings in postgresql.auto.conf override those in the postgresql.conf under /etc/postgresql. postgresql.auto.conf lives in the cluster data directory and is written when the ALTER SYSTEM command is executed, so a database superuser can change these settings with nothing more than SQL access.

pg_ctlcluster contains logic to create the directories for socketdir (defined in pg_ctl.conf) and stats_temp_directory (defined in postgresql.conf). During a start or reload, if a directory named by either of these settings does not exist, pg_ctlcluster creates it and sets its owner to the postgres user. Since the values come from files the postgres user controls and pg_ctlcluster runs as root when invoked by systemd, this amounts to arbitrary directory creation as root.
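The following is an added example and not code from the original post or from postgresql-common. It is the check an administrator would want while waiting for the package upgrade: parse a cluster's postgresql.conf and postgresql.auto.conf with PostgreSQL's own configuration syntax, apply the override order described above (postgresql.auto.conf wins), and report directory settings that point outside the locations a packaged cluster normally uses. stats_temp_directory comes from the post; mapping the socket directory to the unix_socket_directories parameter, the trusted prefixes, and the sample configuration files are assumptions made for the example.

```python
import os
import re
from typing import Dict, List, Tuple

# Settings that pg_ctlcluster turns into directories. stats_temp_directory is
# named in the post; reading the socket directory from unix_socket_directories
# is an assumption of this example, not a statement from the post.
DIRECTORY_SETTINGS = ("stats_temp_directory", "unix_socket_directories")

# Assumed prefixes under which a packaged Debian/Ubuntu cluster keeps these
# directories. Anything else is worth a second look.
TRUSTED_PREFIXES = ("/var/run/postgresql", "/run/postgresql",
                    "/var/lib/postgresql", "/tmp")

# name [=] value, where value is either 'single quoted' ('' escapes a quote)
# or a bare token ending at whitespace or a '#' comment.
_LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=?\s*(?:'((?:[^']|'')*)'|([^\s#]+))")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse postgresql.conf syntax into a lower-cased name -> value map."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        name, quoted, bare = m.groups()
        value = quoted.replace("''", "'") if quoted is not None else bare
        settings[name.lower()] = value
    return settings


def effective_settings(conf: str, auto_conf: str) -> Dict[str, str]:
    """Merge the two files; postgresql.auto.conf (written by ALTER SYSTEM) wins."""
    merged = parse_conf(conf)
    merged.update(parse_conf(auto_conf))
    return merged


def untrusted_directories(settings: Dict[str, str],
                          trusted=TRUSTED_PREFIXES) -> List[Tuple[str, str]]:
    """Return (setting, path) pairs whose path is not under a trusted prefix.

    unix_socket_directories may hold a comma-separated list, so every
    element is checked. Relative paths never match a prefix and are reported.
    """
    findings = []
    for name in DIRECTORY_SETTINGS:
        value = settings.get(name)
        if not value:
            continue
        for path in (p.strip() for p in value.split(",")):
            if not path:
                continue
            norm = os.path.normpath(path)
            if not any(norm == t or norm.startswith(t + "/") for t in trusted):
                findings.append((name, norm))
    return findings


# Constructed sample files for the demo; not taken from a real system.
SAMPLE_CONF = """# constructed sample of /etc/postgresql/11/main/postgresql.conf
port = 5432
unix_socket_directories = '/var/run/postgresql'   # packaged default
stats_temp_directory = '/var/run/postgresql/11-main.pg_stat_tmp'
"""

SAMPLE_AUTO_CONF = """# constructed sample of postgresql.auto.conf written via ALTER SYSTEM
# Do not edit this file manually!
stats_temp_directory = '/opt/attacker_controlled'
"""


def demo() -> List[Tuple[str, str]]:
    """Override from the postgres-owned auto.conf is what gets flagged."""
    return untrusted_directories(effective_settings(SAMPLE_CONF, SAMPLE_AUTO_CONF))


def audit_cluster(cluster_dir: str, data_dir: str) -> List[Tuple[str, str]]:
    """Audit a real cluster: /etc/postgresql/<ver>/<name> and its data dir."""
    with open(os.path.join(cluster_dir, "postgresql.conf")) as f:
        conf = f.read()
    auto_path = os.path.join(data_dir, "postgresql.auto.conf")
    auto = open(auto_path).read() if os.path.exists(auto_path) else ""
    return untrusted_directories(effective_settings(conf, auto))


if __name__ == "__main__":
    for setting, path in demo():
        print(f"{setting} -> {path} is outside the trusted prefixes")
```

Run it against a real cluster with audit_cluster("/etc/postgresql/11/main", "/var/lib/postgresql/11/main"). A hit does not prove compromise, but on an unpatched host it means the next systemd start or reload will create that directory as root and hand it to postgres.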

Continue reading

CVE-2018-1792 – IBM MQ Privilege Escalation: Fun with RUNPATH — August 25, 2019

Vulnerability Summary

IBM MQ for Linux and UNIX systems is vulnerable to a privilege escalation attack by forcing a setuid root binary to load a malicious library. A local attacker with access to the mqm account can execute arbitrary code as root. In October 2018 IBM published an advisory along with patches for several versions.

The goal of this post is to show how the RPATH/RUNPATH value can be leveraged for privilege escalation. When specified at link time this path is embedded in the dynamic section of the binary, and when a dependency is named without a slash the dynamic loader searches it before /etc/ld.so.cache and the default system directories. For a setuid binary LD_LIBRARY_PATH is ignored entirely, so the embedded path is effectively the first place searched. Details on how this works can be found in the ld.so man page.

As with most file-path vulnerabilities, if you control the path, you can usually control the application in some way. In this case the mqm user owns the directories listed in the RUNPATH.


Walkthrough

List setuid root applications.

[mqm@localhost]$ find /opt/mqm -perm -4000 -user root|xargs ls -l
-r-sr-x---. 1 root mqm 13384 Jul 9 07:09 /opt/mqm/bin/security/amqoamax
-r-sr-x---. 1 root mqm 13704 Jul 9 07:09 /opt/mqm/bin/security/amqoampx

Use readelf to read the dynamic section to extract the RPATH/RUNPATH.

[mqm@localhost ~]$ readelf -d /opt/mqm/bin/security/amqoamax |grep -e RPATH -e RUNPATH
0x000000000000001d (RUNPATH) Library runpath: [/opt/mqm/lib64:/opt/mqm/gskit8/lib64:/

Using my favorite utility, strace, we can see the open() calls for libm.so.6 fail with ENOENT under /opt/mqm/lib64 and /opt/mqm/gskit8/lib64 before the dependency is finally resolved at /usr/lib64/libm.so.6. We are using libm.so.6 for this PoC, but any other library the binary depends on would do. This gets interesting because the mqm user owns the directories under /opt/mqm.

[mqm@localhost ~]$ strace -f /opt/mqm/bin/security/amqoamax 2>&1|grep libm.so
open("/opt/mqm/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/opt/mqm/gskit8/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
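The walkthrough above does the triage by hand with find, readelf and strace. As an added example (not code from the post or from IBM MQ), here is the same check as a script: it reads DT_RPATH and DT_RUNPATH straight out of the ELF dynamic section, so it works on hosts without binutils, and then flags search-path entries that a non-root user could control. The constructed in-memory ELF image, the hypothetical uid 1001 for the mqm account, and the ownership rule used to flag a directory are assumptions of the example; the DT_RUNPATH value mirrors the readelf output shown above.

```python
import os
import struct
from typing import Callable, Dict, List, Optional, Tuple

DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
SHT_STRTAB, SHT_DYNAMIC = 3, 6
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
SHDR = "<IIQQQQIIQQ"         # Elf64_Shdr, 64 bytes
DYN = "<qQ"                  # Elf64_Dyn, 16 bytes


def elf_search_paths(data: bytes) -> Dict[str, Optional[List[str]]]:
    """Return {'RPATH': [...], 'RUNPATH': [...]} from an ELF64 LE image.

    Walks the section headers, finds the SHT_DYNAMIC section, and resolves
    DT_RPATH / DT_RUNPATH offsets in the string table named by sh_link.
    Empty entries are kept on purpose: an empty element means "the current
    working directory", which is itself a finding.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    paths: Dict[str, Optional[List[str]]] = {"RPATH": None, "RUNPATH": None}
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = shdrs[sh[6]]                    # sh_link -> .dynstr
        str_off, str_end = strtab[4], strtab[4] + strtab[5]
        off, end = sh[4], sh[4] + sh[5]
        while off + 16 <= end:
            tag, val = struct.unpack_from(DYN, data, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                raw = data[str_off + val:str_end].split(b"\0", 1)[0]
                key = "RPATH" if tag == DT_RPATH else "RUNPATH"
                paths[key] = raw.decode("latin-1").split(":")
    return paths


def audit_search_paths(entries: List[str],
                       owner_uid: Optional[Callable[[str], Optional[int]]] = None
                       ) -> List[Tuple[str, str]]:
    """Flag entries a local user could control. owner_uid(path) -> uid or None
    if the directory is missing; injected so the logic is testable offline."""
    if owner_uid is None:
        def owner_uid(p: str) -> Optional[int]:
            try:
                return os.stat(p).st_uid
            except FileNotFoundError:
                return None
    findings = []
    for entry in entries:
        if entry == "":
            findings.append((entry, "empty entry: the current working directory is searched"))
        elif "$ORIGIN" in entry or "${ORIGIN}" in entry:
            findings.append((entry, "contains $ORIGIN: review how the loader expands it for this binary"))
        else:
            uid = owner_uid(entry)
            if uid is None:
                findings.append((entry, "directory missing: whoever can create it controls the lookup"))
            elif uid != 0:
                findings.append((entry, f"owned by uid {uid}, not root"))
    return findings


def audit_binary(path: str) -> List[Tuple[str, str]]:
    """Audit a real setuid binary on disk (e.g. /opt/mqm/bin/security/amqoamax)."""
    with open(path, "rb") as f:
        paths = elf_search_paths(f.read())
    entries = (paths["RUNPATH"] or []) + (paths["RPATH"] or [])
    return audit_search_paths(entries)


def build_demo_elf(runpath: str) -> bytes:
    """Constructed minimal ELF64 carrying only .dynstr and .dynamic with a
    DT_RUNPATH entry. Not loadable; just enough for the parser above."""
    dynstr = b"\0" + runpath.encode() + b"\0"
    dynamic = struct.pack(DYN, DT_RUNPATH, 1) + struct.pack(DYN, DT_NULL, 0)
    dynstr_off = 64
    dynamic_off = (dynstr_off + len(dynstr) + 7) & ~7
    shoff = dynamic_off + len(dynamic)

    def shdr(sh_type: int, off: int, size: int, link: int, entsize: int) -> bytes:
        return struct.pack(SHDR, 0, sh_type, 0, 0, off, size, link, 0, 8, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
             + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9
    ehdr = struct.pack(EHDR, ident, 2, 0x3E, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 3, 0)
    pad = b"\0" * (dynamic_off - dynstr_off - len(dynstr))
    return ehdr + dynstr + pad + dynamic + shdrs


if __name__ == "__main__":
    demo = build_demo_elf("/opt/mqm/lib64:/opt/mqm/gskit8/lib64")
    print(elf_search_paths(demo)["RUNPATH"])
    # Hypothetical ownership for the demo: mqm is uid 1001, /usr/lib64 is root's.
    owners = {"/opt/mqm/lib64": 1001, "/opt/mqm/gskit8/lib64": 1001, "/usr/lib64": 0}
    for entry, why in audit_search_paths(elf_search_paths(demo)["RUNPATH"], owners.get):
        print(f"{entry}: {why}")
```

Pair audit_binary with the find command from the walkthrough (one call per setuid binary) and you have the whole triage in one pass. The ownership rule is deliberately strict: for a setuid root program, any search-path directory that root does not own is a finding, regardless of its mode bits, because the owner can change those bits at will.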

Continue reading

CVE-2019-12572 PIA Windows Privilege Escalation: Malicious OpenSSL Engine — June 10, 2019

Vulnerability Summary

During startup the PIA Windows service (pia-service.exe) loads the OpenSSL library from C:\Program Files\Private Internet Access\libeay32.dll. This library attempts to load the C:\etc\ssl\openssl.cnf configuration file. By default on Windows systems, authenticated users can create directories under C:\. A low-privileged user can therefore create an openssl.cnf configuration file that loads a malicious OpenSSL engine library, resulting in arbitrary code execution as SYSTEM when the service starts.

The root cause is that when the OpenSSL libraries were built, the OPENSSLDIR parameter was set to a path which a low-privileged user can create or modify. I believe this issue is lurking in many Windows applications that bundle OpenSSL libraries. I have discovered the same vulnerability in several other Windows applications and will be disclosing those findings when patches are available.

I created a simple tool to help identify potentially vulnerable OpenSSL libraries: https://github.com/mirchr/openssldir_check.
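As an added illustration of the triage (example code written for this page; it is neither the openssldir_check tool linked above nor anything from Private Internet Access), the script below recovers the compiled-in OPENSSLDIR from a library image and then reasons about who could create the configuration path. OpenSSL embeds the build setting in its version strings as OPENSSLDIR: "<path>", which is what openssl version -d prints, so a plain byte scan is enough. The sample library blobs, the exists() callback that stands in for the filesystem, and the risk levels are assumptions of the example; the "authenticated users can create directories under C:\" rule comes from the post.

```python
import ntpath
import re
from typing import Callable, List, Tuple

# OpenSSL builds the OPENSSLDIR setting into a version string of this form.
OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"]{1,260})"')
_WIN_ABS = re.compile(r"^[A-Za-z]:[\\/]")


def find_openssldir(blob: bytes) -> List[str]:
    """Return every OPENSSLDIR value embedded in a DLL/EXE/.so image."""
    return [m.group(1).decode("latin-1") for m in OPENSSLDIR_RE.finditer(blob)]


def first_existing_ancestor(path: str, exists: Callable[[str], bool]) -> str:
    """Walk up a Windows path until a component exists; that directory's ACL
    decides who can create the rest of the chain."""
    cur = path
    while not exists(cur):
        parent = ntpath.dirname(cur)
        if parent == cur:
            return cur
        cur = parent
    return cur


def classify(path: str, exists: Callable[[str], bool]) -> Tuple[str, str]:
    """Rate an OPENSSLDIR path as (level, reason).

    high:   the chain would be created directly under a drive root, which
            authenticated users can do by default (the PIA case).
    exists: path is present; check its ACL and openssl.cnf / engines inside it.
    review: some other ancestor exists; inspect that directory's ACL.
    """
    if path.startswith("/"):
        return ("posix", "POSIX path in a Windows build; check it by hand")
    if not _WIN_ABS.match(path):
        return ("high", "relative path: resolved against the service's working directory")
    if exists(path):
        return ("exists", f"{path} exists; audit its ACL and contents")
    anc = first_existing_ancestor(path, exists)
    if ntpath.dirname(anc) == anc:                    # drive root such as C:\
        return ("high", f"{anc} is a drive root; authenticated users can create {path}")
    return ("review", f"creation gated by the ACL of {anc}")


def scan_blob(blob: bytes, exists: Callable[[str], bool]) -> List[Tuple[str, str, str]]:
    """(path, level, reason) for every OPENSSLDIR found in the image."""
    return [(p,) + classify(p, exists) for p in find_openssldir(blob)]


def scan_file(path: str) -> List[Tuple[str, str, str]]:
    """Scan a real library on disk, using the live filesystem for exists()."""
    import os
    with open(path, "rb") as f:
        return scan_blob(f.read(), os.path.exists)


# Constructed stand-ins for two library images; not real DLL contents.
VULNERABLE_BLOB = b"\x00MZ..." + b'OPENSSLDIR: "C:\\etc\\ssl"' + b"\x00built on: ..."
SAFER_BLOB = b"\x00MZ..." + b'OPENSSLDIR: "C:\\Program Files\\Example\\ssl"' + b"\x00"

# Pretend filesystem for the demo: only the drive root and Program Files exist.
DEMO_FS = {"C:\\", "C:\\Program Files"}


def demo() -> List[Tuple[str, str, str]]:
    exists = lambda p: p.rstrip("\\") + ("\\" if len(p) <= 3 else "") in DEMO_FS
    return scan_blob(VULNERABLE_BLOB, exists) + scan_blob(SAFER_BLOB, exists)


if __name__ == "__main__":
    for path, level, why in demo():
        print(f"[{level}] {path}: {why}")
```

For a real check run scan_file on each OpenSSL DLL shipped with an application and then inspect the ACL of whatever first_existing_ancestor returns. An OPENSSLDIR under Program Files is only as safe as that directory's ACL, which is why the "review" cases still need a look.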

CVE-2019-12572 has been patched in v1.2.1. The latest Windows desktop client can be upgraded automatically via the application or manually from the download page at Private Internet Access.


Walkthrough

While hunting for potential vulnerabilities in the Windows Private Internet Access desktop application I noticed a failed call to open the c:\etc\ssl\openssl.cnf file during the service startup.

[Image: pia-openssl-failed-open, showing the failed open of c:\etc\ssl\openssl.cnf during pia-service.exe startup]

This caught my attention and I needed to research this further. But before I get into the details of that, let’s take a step back and see how I arrived there.

Continue reading

Write-up for CVE-2018-15332 , CVE-2018-5529 , CVE-2018-5546 , CVE-2019-6617 — May 21, 2019

Published write-ups for a few vulnerabilities I discovered and responsibly disclosed last year. One vulnerability took three fixes to finally resolve the issue. As a best practice, I always re-check a vulnerability after a patch is available, because the fix may not properly resolve the issue or may introduce a new vulnerability. Kudos to the F5 Security Incident Response Team (SIRT). I will be posting additional detailed write-ups in the near future.

CVE-2018-15332, CVE-2018-5529, and CVE-2018-5546: F5 BIG-IP APM client for Linux and macOS arbitrary file takeover vulnerability.

https://github.com/mirchr/security-research/blob/master/vulnerabilities/F5/CVE-2018-15332.txt

https://github.com/mirchr/security-research/blob/master/vulnerabilities/F5/CVE-2018-5529.txt

CVE-2019-6617: F5 BIG-IP Resource Administrator privilege escalation.

https://github.com/mirchr/security-research/blob/master/vulnerabilities/F5/CVE-2019-6617.txt


CVE-2019-6724 : Barracuda VPN Client Privilege Escalation on Linux and macOS — February 14, 2019

The barracudavpn component of the Barracuda VPN Client prior to version 5.0.2.7 for Linux, macOS, and OpenBSD runs as a privileged process and can allow an unprivileged local attacker to load a malicious library, resulting in arbitrary code executing as root.

This post walks through how I found and exploited the vulnerability on Linux. The full PoC also works on macOS. When researching privileged binaries for potential vulnerabilities, use a test system to avoid causing damage or other negative impacts.

Continue reading

Linux persistence idea – using group passwords — January 9, 2019

A rarely used feature on Linux and UNIX systems is the ability to set a password on a group. The concept is similar to how user passwords are handled: a password hash is stored in the second field of the gshadow(5) file. Anyone who knows the password can run the newgrp(1) command to temporarily change their effective GID to that group without being a member of it. The goal of this post is to show how this feature can be leveraged to create persistence on a server in a semi-stealthy way.
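The detection side of this technique, as an added example that is not part of the original post: walk /etc/gshadow and report every group whose password field holds a usable hash rather than the locked markers (! or *) or nothing at all, since a real hash there is exactly what the persistence described above leaves behind. The sample gshadow lines are constructed for the demo; the field layout is the one documented in gshadow(5).

```python
from typing import Dict, List

# gshadow(5): group:password:administrators:members
# An empty password field means only members can use newgrp; a field that is
# not a crypt(3) result (conventionally "!" or "*") means no password works.
LOCKED_PREFIXES = ("!", "*")


def hash_family(pw: str) -> str:
    """Name the crypt(3) scheme from the hash prefix ($6$ = sha512-crypt, ...)."""
    families = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
                "y": "yescrypt", "2b": "bcrypt", "2y": "bcrypt"}
    if pw.startswith("$"):
        parts = pw.split("$")
        if len(parts) > 1:
            return families.get(parts[1], f"unknown (${parts[1]}$)")
    return "traditional DES (13 chars)" if len(pw) == 13 else "unrecognised"


def passworded_groups(gshadow_text: str) -> List[Dict[str, object]]:
    """Return one record per group that has a usable password hash set."""
    findings = []
    for lineno, line in enumerate(gshadow_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            findings.append({"line": lineno, "group": parts[0],
                             "problem": "malformed entry"})
            continue
        group, pw, admins, members = parts
        if not pw or pw.startswith(LOCKED_PREFIXES):
            continue
        findings.append({
            "line": lineno,
            "group": group,
            "hash": hash_family(pw),
            "admins": [a for a in admins.split(",") if a],
            "members": [m for m in members.split(",") if m],
        })
    return findings


def audit_file(path: str = "/etc/gshadow") -> List[Dict[str, object]]:
    """Audit the live file; needs root (or group shadow) to read it."""
    with open(path) as f:
        return passworded_groups(f.read())


# Constructed sample: one group ("shadow") has been given a password.
SAMPLE_GSHADOW = """root:*::
sudo:*::alice
docker:!::bob
shadow:$6$saltsalt$constructedhashvaluenotarealcryptoutput0000000000000000000000000000:root:
backup:::
"""


def demo() -> List[str]:
    return [str(f["group"]) for f in passworded_groups(SAMPLE_GSHADOW)]


if __name__ == "__main__":
    for f in passworded_groups(SAMPLE_GSHADOW):
        print(f)
```

Run audit_file() from a cron job or a configuration-management check and alert on any non-empty result; on a typical server the expected answer is an empty list. A password is set with gpasswd(1), so file-integrity monitoring on /etc/gshadow and /etc/group catches the write as well, but this check also finds entries that were planted before monitoring began.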

Continue reading

CVE-2018-18629: Keybase Linux privilege escalation — December 21, 2018

Recently I started using Keybase, a Slack-like application that provides end-to-end encryption. Version 2.8.0.20181017144746.3efc4cbf3c is vulnerable to a privilege escalation vulnerability allowing a low-privileged user to execute arbitrary commands as root.

After running the application from a low-privileged account I noticed a process named keybase-redirector running as root. I was interested and wanted to understand how this worked. After checking the file permissions I found that keybase-redirector was setuid root. I enjoy the challenge of finding vulnerabilities in privileged binaries, so I started my research.

Continue reading

CVE-2018-19788 PoC – polkit: Improper handling of user with uid > INT_MAX leading to authentication bypass — December 9, 2018

While reviewing my Twitter feed I noticed a recent popular tweet from @0xdea.

I was intrigued and wanted to see if there was a way to leverage this to execute arbitrary code as root.

Continue reading

CVE-2018-18556 – VyOS Privilege escalation via sudo pppd for operator users — November 5, 2018

Recently I found several ways to escape the restricted shell for an operator user in VyOS 1.1.8. VyOS is a Linux-based network operating system that provides software-based routing, firewall, and VPN functionality. I plan to post details of the restricted shell escapes in the near future; for now, read the blog post by @dmbaturin detailing some of the methods.

This post focuses on how root access was obtained via sudo after the restricted shell was escaped. One of my first post-exploitation steps on Linux after obtaining a low-privileged shell is to check whether the user has any sudo rules configured. sudo is designed to limit privileges, but it can often be leveraged to elevate access.

Continue reading