Chiwopsezo (CVE-2022-37706) chadziwika m'malo ogwiritsa ntchito a Enlightenment omwe amalola wogwiritsa ntchito wamba omwe alibe mwayi kuti apereke ma code okhala ndi mizu. Chiwopsezochi sichinakhazikitsidwebe (0-day), koma pali kale kugwiritsa ntchito komwe kulipo pagulu, koyesedwa ku Ubuntu 22.04.
Vuto liri mu enlightenment_sys executable, yomwe imatumiza ndi mbendera ya suid ndikuchita malamulo ena ololedwa, monga kukwera galimoto ndi mount utility, kupyolera mu kuyitana ku system(). Chifukwa cha ntchito yolakwika ya ntchito yomwe imapanga chingwe chodutsa ku dongosolo () kuyitana, zolemba zimadulidwa kuchokera ku mfundo za lamulo lomwe likuyambitsidwa, lomwe lingagwiritsidwe ntchito kuyendetsa nambala yanu. Mwachitsanzo, poyendetsa mkdir -p /tmp/net mkdir -p "/tmp/;/tmp/exploit" echo "/bin/sh"> /tmp/exploit chmod a+x /tmp/exploit enlightenment_sys /bin/mount - o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), β/dev/../tmp/;/tmp/exploitβ /tmp// / neti
chifukwa cha kuchotsedwa kwa mawu awiri, m'malo mwa lamulo lotchulidwa '/ bin/mount ... "/dev/../tmp/;/tmp/exploit" /tmp///net' chingwe chopanda mawu awiri chidzakhala adapita ku dongosolo () ntchito '/bin/mount ... /dev/../tmp/;/tmp/exploit /tmp///net', zomwe zidzayambitsa lamulo '/tmp/exploit /tmp///net ' kuti aphedwe padera m'malo mosinthidwa ngati gawo la njira yopita ku chipangizo. Mizere "/dev/../tmp/" ndi "/tmp///net" amasankhidwa kuti alambalale mkangano pofufuza lamulo la mount mu enlightenment_sys (chipangizo chokwera chiyenera kuyamba ndi /dev/ ndi kuloza fayilo yomwe ilipo, ndi zilembo zitatu za "/" pamalo okwera zafotokozedwa kuti mukwaniritse kukula kwanjira).
Source: opennet.ru