Xorg X11 Server SUID modulepath Privilege Escalation
Description
This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). CentOS default install will require console auth for the users session. Xorg must have SUID permissions and may not start if running. On successful exploitation artifacts will be created consistant with starting Xorg.
Author(s)
- Narendra Shinde
- Aaron Ringo
Platform
Linux,Solaris,Unix
Architectures
x86, x64
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/local/xorg_x11_suid_server_modulepath
msf exploit(xorg_x11_suid_server_modulepath) > show targets
...targets...
msf exploit(xorg_x11_suid_server_modulepath) > set TARGET < target-id >
msf exploit(xorg_x11_suid_server_modulepath) > show options
...show and set options...
msf exploit(xorg_x11_suid_server_modulepath) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security