Rich Mirch

Penetration Tester, Red Teamer, Security Researcher

Pi-hole Patches Critical Stored XSS Vulnerability — December 24, 2020

Pi-hole Patches Critical Stored XSS Vulnerability

Pi-hole v5.2.1 is vulnerable to a critical stored cross site scripting vulnerability. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator accesses the Query Log or Long-term Query Log pages on the web portal.

The Pi-hole project released a fix on 12/24/2020 in v5.2.2. Shodan reports over 7,500 Pi-hole instances. This could be remotely exploited if these instances permit external DNS queries. Other possibilities may exist if a malformed DNS query is allowed.

No payloads are being published at this time to give users time to patch.

References

Timeline

  • 12/16/2020 Vulnerability reported to vendor
  • 12/18/2020 Vendor acknowledged receipt of report
  • 12/22/2020 Discovered a second XSS payload that would fire on the Long-term Queries Page
  • 12/23/2020 Mitre assigns CVE-2020-35659
  • 12/24/2020 Vendor released fix in v5.2.2
Metasploit module developed for CVE-2018-18556 VyOS Privilege Escalation — September 25, 2020

Metasploit module developed for CVE-2018-18556 VyOS Privilege Escalation

Today, a Metasploit module was merged for a vulnerability I found in 2018 with VyOS. This vulnerability was my first public InfoSec blog post. I appreciate bcoles for developing the exploit/linux/ssh/vyos_restricted_shell_privesc module. Read the Metasploit Wrapup for 9/25/2020. The full write-up can can be found on this blog at CVE-2018-18556 – VyOS Privilege escalation via sudo pppd for operator users.

CVE-2018-1792 – IBM MQ Privilege Escalation: Fun with RUNPATH — August 25, 2019

CVE-2018-1792 – IBM MQ Privilege Escalation: Fun with RUNPATH

Vulnerability Summary

IBM MQ for Linux and UNIX systems is vulnerable to a privilege escalation attack by forcing a setuid root binary to load a malicious library. A local attacker with access to the mqm account can execute arbitrary code as root. In October 2018 IBM published an advisory along with patches for several versions.

The goal of this post is to show how the RPATH/RUNPATH value could potentially be leveraged for privilege escalation. When specified at compile time this path is embedded in the binary and is the first path searched when searching for a library if the dependent library specified does contain a slash. Details on how this works can be found in the ld.so man page.

As with most file path type vulnerabilities, if you control the path, you may control the application in some way. In this case the mqm user is the owner of the directories listed in the RUNPATH.


Walkthrough

List setuid root applications.

[mqm@localhost]$ find /opt/mqm -perm -4000 -user root|xargs ls -l
-r-sr-x---. 1 root mqm 13384 Jul 9 07:09 /opt/mqm/bin/security/amqoamax
-r-sr-x---. 1 root mqm 13704 Jul 9 07:09 /opt/mqm/bin/security/amqoampx

Use readelf to read the dynamic section to extract the RPATH/RUNPATH.

[mqm@localhost ~]$ readelf -d /opt/mqm/bin/security/amqoamax |grep -e RPATH -e RUNPATH
0x000000000000001d (RUNPATH) Library runpath: [/opt/mqm/lib64:/opt/mqm/gskit8/lib64:/

Using my favorite utility strace, we can see the open() calls for libm.so.6 fails with ENOENT under /opt/mqm/lib64 and /opt/mqm/gskit8.  We’re using libm.so.6 for this PoC but other libraries can be used. The dependency is ultimately resolved at /usr/lib64/libm.so.6. This gets interesting because the mqm user owns the directories under /opt/mqm.

[mqm@localhost ~]$ strace -f /opt/mqm/bin/security/amqoamax 2>&1|grep libm.so
open("/opt/mqm/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/opt/mqm/gskit8/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3

Continue reading