This is my take on the recent Xorg vulnerability (CVE-2018-14665):
“A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.”
My exploit specifically targets OpenBSD’s cron in order to escalate privileges to root on OpenBSD 6.3 and 6.4. You don’t need to be connected to a physical console; it works perfectly on pseudo-terminals connected via SSH as well.
My take on CVE-2018-14665: OpenBSD 6.3 and 6.4 local root privilege escalation via cron. https://t.co/wUyfoRhtsV
Thanks to @hackerfantastic and @info_dox for the inspiration! @HackwithGithub @ExploitDB pic.twitter.com/sC2Htavbdf
— raptor (@0xdea) October 27, 2018
Updated my version of OpenBSD Xorg exploit to use crontab overwrite, same as @0xdea but with no need for a compiler. Overwriting the master.passwd is a bad idea in general, requires extra work and makes systems unstable when it fails. https://t.co/3FqgJPwdnm
— Hacker Fantastic (@hackerfantastic) October 27, 2018
Happy Caturday! wake up to "raptor_xorgasm" exploit retro hax by @0xdea – 🇮🇹 – download https://t.co/YeJoUatv0y – noteworthy he used /etc/crontab for stable root auto code execution (runs on create by default) – updated 2 use with minor improvements 🇺🇸🇬🇧 https://t.co/3FqgJPeCvO
— Hacker Fantastic (@hackerfantastic) October 27, 2018
Great job! 👍
As a side note, my exploit should work flawlessly even without gcc, I put a fallback in it especially for this case.
I tested it with sh instead of ksh and it worked ¯\_(ツ)_/¯ https://t.co/hEcoOBDQ6z pic.twitter.com/1GnJMzqYYe
— raptor (@0xdea) October 27, 2018
The code is available here:
https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
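
For defenders, an added example (not part of the original post or the linked exploit): a POSIX shell check that classifies an Xorg binary against the advisory quoted above, combining the `Xorg -version` banner with the setuid bit that lets an unprivileged user start the server with root privileges. The function names, the result labels and the example path are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: classify an Xorg binary against CVE-2018-14665.

FIXED="1.20.3"   # first fixed release, per the advisory text quoted above

# Read `Xorg -version` output on stdin, print the X.Y.Z from its banner line.
xorg_version() {
    sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when dotted version $1 is strictly lower than $2 (numeric per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# classify BINARY BANNER -> prints patched | not-setuid | exposed | unknown
# Assumption: the system Xorg is root-owned, so only the setuid bit is tested.
classify() {
    ver=$(printf '%s\n' "$2" | xorg_version)
    [ -n "$ver" ] || { echo unknown; return; }
    if ! version_lt "$ver" "$FIXED"; then
        echo patched
    elif [ ! -u "$1" ]; then
        echo not-setuid
    else
        echo exposed
    fi
}

# Live use: check_host /usr/X11R6/bin/Xorg   (example path)
# Xorg prints its version banner on stderr, hence the 2>&1.
check_host() { classify "$1" "$("$1" -version 2>&1)"; }
```

Vendors that backport the fix keep an older version number, so an `exposed` result is a prompt to check the vendor's errata, not a final verdict.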