Muaj ib qho teeb meem (CVE-2022-37706) tau raug tshawb pom hauv Enlightenment tus neeg siv ib puag ncig, uas tso cai rau tus neeg siv hauv zos uas tsis muaj cai siv tau los ua cov lej nrog cov cai hauv paus. Qhov teeb meem no tseem tsis tau kho (zero-day), tab sis qhov kev siv tsis raug sim hauv public domain twb muaj lawm. Ubuntu 22.04.
Qhov teeb meem no muaj nyob rau hauv enlightenment_sys executable, uas tau muab nrog lub suid root flag thiab ua qee cov lus txib tso cai los ntawm kev hu system(), xws li mounting lub drive nrog lub mount utility. Vim muaj kev ua haujlwm tsis zoo hauv qhov kev ua haujlwm uas tsim cov hlua xa mus rau qhov system(), cov lus hais raug tshem tawm ntawm cov lus sib cav ntawm cov lus txib uas tau khiav, uas tuaj yeem siv los khiav cov lej kev cai. Piv txwv li, thaum khiav mkdir -p /tmp/net mkdir -p "/tmp/;/tmp/exploit" echo "/bin/sh" > /tmp/exploit chmod a+x /tmp/exploit enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
Vim yog qhov kev tshem tawm cov lus cim ob npaug, es tsis txhob siv cov lus txib tshwj xeeb '/bin/mount β¦ "/dev/../tmp/;/tmp/exploit" /tmp///net', cov hlua uas tsis muaj cov lus cim ob npaug '/bin/mount β¦ /dev/../tmp/;/tmp/exploit /tmp///net' yuav raug xa mus rau lub system() function, uas yuav ua rau cov lus txib '/tmp/exploit /tmp///net' raug ua tiav cais es tsis txhob raug ua tiav ua ib feem ntawm txoj kev mus rau lub cuab yeej. Cov hlua "/dev/../tmp/" thiab "/tmp///net" raug xaiv los hla qhov kev kuaj xyuas kev sib cav ntawm cov lus txib mount hauv enlightenment_sys (lub cuab yeej mount yuav tsum pib nrog /dev/ thiab taw tes rau cov ntaub ntawv uas twb muaj lawm, thiab peb lub cim "/" ntawm qhov chaw mount tau teev tseg kom ua tiav qhov loj me ntawm txoj kev xav tau).
Tau qhov twg los: opennet.ru
