Privilege escalation and remote inter-protocol exploitation with EXTRACT 0.5.1

Howdy folks. Today I'll be introducing you to the EXTRAnet Collaboration Tool (EXTRACT) 0.5.1 (Homepage and Source).

We'll use a 0day bug in EXTRACT to escalate privileges to root. I'll also show how a little inter-protocol exploitation turns the same local bug into remote shell goodness (with some luck and a little user interaction).

Let's get started.

Background Information

EXTRACT is a Samba-based web information management system that lets users store and search many kinds of structured data (database records, Samba directories and files), organised into categories much like a file-system browser.

It ships with a web interface and a PHP script "to be run as daemon (root) to manage users and groups on the system." By default the daemon accepts connections on localhost port 10100. If the daemon is not running we can start it by requesting admin/admserver.php through the web server, but it then runs with only the web server's permissions, which (usually) means no permission to add or modify user accounts. A second script, admin/admservershutdown.php, sends the "shutdown" command to the daemon. Not surprisingly, this terminates the daemon.

The Bug

Diving into the source reveals the commands we have available in phpmain():

The commands are fairly self explanatory. Let's start it:

And create a user:

Back at the daemon:

Well it worked ... The daemon has obediently created a user for us:

... but the user doesn't have root permissions, and with /bin/false as its login shell it gets us nowhere over SSH :(

At this point we could mess around with the other commands like "updategroup" and "updateuser" but that's no fun. Wouldn't you prefer a shell? Let's go back to the source ...

Well that looks promising. Can we inject a pipe? Let's try createuser again:

Yes we can! Good times. Unfortunately we're limited to two commands separated by spaces... or are we?
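To make the root cause concrete, here is an added Python model of the createuser path (not EXTRACT's code; the post only shows the real PHP in screenshots, which are not reproduced here). It assumes, hypothetically, that the daemon ends up running useradd with the requested account name interpolated into a shell command line; the exact useradd arguments, the allow-list regex and all function names are assumptions made for the illustration. The vulnerable form sits next to a quoted form and a fully hardened form.

```python
"""Constructed model of the createuser bug: shell string vs. argv list.

Added illustration, not code from EXTRACT. It assumes (hypothetically) that
the daemon runs useradd with the requested account name interpolated into a
shell command line; the command the real daemon runs is not reproduced here.
"""
import re
import shlex

# POSIX portable account names: lowercase letters, digits, underscore and
# hyphen, no leading digit or hyphen, at most 32 characters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_username(username: str) -> bool:
    """Allow-list check; anything a shell could interpret fails it."""
    return USERNAME_RE.match(username) is not None


def build_command_vulnerable(username: str) -> str:
    """The bug: the name is concatenated into a string a shell will parse."""
    return f"/usr/sbin/useradd -s /bin/false {username}"


def build_command_quoted(username: str) -> str:
    """Partial fix: quoting keeps the name one shell word (PHP: escapeshellarg)."""
    return f"/usr/sbin/useradd -s /bin/false {shlex.quote(username)}"


def build_command_hardened(username: str) -> list[str]:
    """Fix: validate, then return an argv list to exec without any shell.

    The '--' stops a name starting with '-' from being read as a useradd
    option, which quoting alone does not prevent.
    """
    if not is_valid_username(username):
        raise ValueError(f"invalid username: {username!r}")
    return ["/usr/sbin/useradd", "-s", "/bin/false", "--", username]


def shell_would_pipe(command: str) -> bool:
    """True if a POSIX shell would see a pipe operator in `command`.

    shlex with punctuation_chars tokenises like the shell's lexer: an
    unquoted '|' becomes its own token, a quoted one stays inside a word.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return "|" in list(lexer)


if __name__ == "__main__":
    # Constructed input mirroring the post's idea: a pipe into another command.
    injected = "bob|nc 127.0.0.1 1337"
    vulnerable = build_command_vulnerable(injected)
    quoted = build_command_quoted(injected)
    print(vulnerable, "-> pipe:", shell_would_pipe(vulnerable))
    print(quoted, "-> pipe:", shell_would_pipe(quoted))
    print("valid name?", is_valid_username(injected))
    print(build_command_hardened("bob"))
```

Under this model the hardened form never reaches a shell, so a pipe, a dollar sign, a backtick or a space is simply an invalid account name rather than a second command. In PHP the equivalent of shlex.quote is escapeshellarg(); the equivalent of the argv list is passing every argument through escapeshellarg() instead of string concatenation, with the allow-list check done first so that leading hyphens never become options.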

Well, that was easy. Now for the exploit: a simple reverse shell to localhost port 1337 as a proof of concept. It assumes netcat is already on the system; it would be trivial to modify the exploit to download netcat first.

The Exploit

Starting our listener:

Start the daemon:

Run the exploit:

Back at our listener:

Back at the daemon:

We have root!

Local bug becomes remote bug

Now if only we could turn this bug into a remote exploit. The good news is we can, though it takes some luck and a little user interaction.

If the daemon is running, gaining a remote shell is as easy as tricking a user on that machine into viewing a web page. Thanks to a little inter-protocol exploitation, JavaScript on our page can POST commands to http://localhost:10100/. The daemon ignores malformed input, so the HTTP request line and headers are discarded and the POST body is interpreted and executed as a valid request. Because the connection is opened by the victim's own browser it arrives from 127.0.0.1, so the daemon's localhost-only bind does nothing to stop it.

Even if the daemon is not running we can still gain a remote shell, provided we know where the EXTRACT files live under the web root: loading admin/admserver.php in the browser starts the daemon. In that case it runs with the web server's permissions, so the shell we get is the web server's rather than root's.
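The inter-protocol trick works only because the daemon's parser is so forgiving, so here is an added Python model of that behaviour (constructed for this write-up; it is not EXTRACT's parser, and the one-command-per-line syntax, the command names taken from the post, the header set and the function names are assumptions). It shows a browser-built HTTP POST landing in the command handler, beside a strict variant that aborts the connection at the first line it does not recognise.

```python
"""Constructed model of a lenient localhost line protocol meeting a browser POST.

Added illustration, not EXTRACT's parser. Assumptions: one command per line,
the verb is the first word, and the daemon (as the post describes) ignores
lines it does not recognise. browser_post() approximates a cross-origin POST;
the exact bytes a real browser sends vary.
"""

# Verbs the post names; the real daemon's full command set is not reproduced.
KNOWN_COMMANDS = {"createuser", "updateuser", "updategroup", "shutdown"}


def _lines(request: bytes) -> list[str]:
    """Split a raw connection payload into stripped, non-empty lines."""
    return [ln.strip() for ln in request.decode("latin-1").splitlines() if ln.strip()]


def lenient_daemon(request: bytes) -> list[str]:
    """Parser as described in the post: unknown lines are skipped.

    Returns the command lines that would be executed. The HTTP request line
    and headers are never recognised, so the body gets through untouched.
    """
    executed = []
    for line in _lines(request):
        if line.split(" ", 1)[0] in KNOWN_COMMANDS:
            executed.append(line)
    return executed


def strict_daemon(request: bytes) -> list[str]:
    """Hardened parser: the first unrecognised line aborts the connection.

    Every HTTP request starts with a request line, so nothing after it runs.
    """
    executed = []
    for line in _lines(request):
        if line.split(" ", 1)[0] not in KNOWN_COMMANDS:
            return []  # fail closed: discard the whole request
        executed.append(line)
    return executed


def browser_post(body: str, port: int = 10100) -> bytes:
    """Approximation of what a victim's browser emits when attacker JavaScript
    POSTs a text/plain body cross-origin to http://localhost:<port>/.

    Constructed; text/plain is a CORS "simple" type, so no preflight is sent
    and the request reaches the socket even though the page cannot read the
    reply.
    """
    payload = body.encode()
    headers = (
        "POST / HTTP/1.1\r\n"
        f"Host: localhost:{port}\r\n"
        "Origin: http://attacker.example\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "\r\n"
    )
    return headers.encode() + payload


if __name__ == "__main__":
    # Constructed body: two commands the post names, one per line.
    request = browser_post("createuser bob\nshutdown\n")
    print("lenient:", lenient_daemon(request))  # both commands run
    print("strict: ", strict_daemon(request))   # nothing runs
```

The model makes the design point explicit: binding to 127.0.0.1 is not an authentication boundary when a browser on the same host will open connections on an attacker's behalf, and port 10100 is not on the browsers' blocked-port list. The strict parser defuses this particular trick, but the real fix is for the daemon to authenticate its caller rather than trust the source address.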

Now for the inter-protocol exploit: the same simple reverse shell to localhost port 1337 as a proof of concept. As before, it assumes netcat is already on the system, and it would be trivial to modify the exploit to download netcat first.

The Exploit [IPEC]

Video Demonstration

Appendix

PoC: Proof of Concept Exploit

PoC: Proof of Concept IPEC Exploit

Video: Privilege escalation and remote inter-protocol exploitation with EXTRACT 0.5.1