Kotsi (CVE-2022-37706) e khethiloe tikolohong ea Mosebelisi ea Leseli e lumellang mosebelisi oa lehae ea sa sireletsehang ho sebelisa khoutu e nang le litokelo tsa metso. Kotsi ha e so lokisoe (0-day), empa ho se ho ntse ho na le ts'ebeliso e fumanehang sebakeng sa sechaba, e lekiloeng ho Ubuntu 22.04.
Bothata bo ho enlightenment_sys e ka phethisoang, e tsamaisang folakha ea motso oa suid mme e etsa litaelo tse itseng tse lumelletsoeng, joalo ka ho kenya koloi ka sesebelisoa sa mount, ka mohala ho system(). Ka lebaka la ts'ebetso e fosahetseng ea ts'ebetso e hlahisang khoele e fetiselitsoeng ho system() call, mantsoe a qotsitsoeng a khaoloa likhang tsa taelo e ntseng e hlahisoa, e ka sebelisoang ho tsamaisa khoutu ea hau. Mohlala, ha o matha mkdir -p /tmp/net mkdir -p "/tmp/;/tmp/exploit" echo "/bin/sh"> /tmp/exploit chmod a+x /tmp/exploit enlightenment_sys /bin/mount - o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), “/dev/../tmp/;/tmp/exploit” /tmp// / letlooa
ka lebaka la ho tlosoa ha mantsoe a qotsitsoeng habeli, sebakeng sa taelo e boletsoeng '/bin/mount ... "/dev/../tmp/;/tmp/exploit" /tmp///net' khoele e se nang mantsoe a mabeli e tla ba. fetisetsoa ho sistimi () ts'ebetso ' / bin/mount ... /dev/../tmp/;/tmp/exploit /tmp///net', e tla baka taelo '/tmp/exploit /tmp///net ' ho etsoa ka thoko sebakeng sa ho sebetsoa joalo ka karolo ea tsela ea sesebelisoa. Mehala "/dev/../tmp/" le "/tmp///net" e khethiloe ho feta khang ho hlahloba taelo ea mount inlightenment_sys (sesebelisoa sa mount se tlameha ho qala ka / dev/ ebe se supa faele e teng, mme litlhaku tse tharo tsa "/" sebakeng sa thaba li hlalositsoe ho fihlela boholo ba tsela e hlokahalang).
Source: opennet.ru