Vulnerability in Enlightenment User Environment Allowing Root Access

A vulnerability has been identified in the Enlightenment user environment (CVE-2022-37706) that allows an unprivileged local user to execute code as root. The vulnerability has not yet been fixed (0-day), but an exploit is already publicly available, tested on Ubuntu 22.04.

The problem is in the enlightenment_sys executable, which is installed setuid root and executes a fixed set of permitted commands via the system() call, such as mounting a drive with the mount utility. Because the function that builds the string passed to system() works incorrectly, quotes are stripped from the arguments of the command being run, which can be used to run arbitrary code. For example, when you run

    mkdir -p /tmp/net
    mkdir -p "/tmp/;/tmp/exploit"
    echo "/bin/sh" > /tmp/exploit
    chmod a+x /tmp/exploit
    enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

the double quotes are stripped, so instead of the specified command '/bin/mount … "/dev/../tmp/;/tmp/exploit" /tmp///net', the string passed to system() is '/bin/mount … /dev/../tmp/;/tmp/exploit /tmp///net' without quotes. The shell then executes '/tmp/exploit /tmp///net' as a separate command instead of treating it as part of the device path. The strings "/dev/../tmp/" and "/tmp///net" are chosen to pass the argument checks enlightenment_sys applies to the mount command: the device must start with /dev/ and point to an existing file, and the three "/" in the mount point pad the path to the length the check requires.

Source: opennet.ru
