Kutholakale ubuthakathaka (CVE-2022-37706) endaweni yomsebenzisi we-Enlightenment, okuvumela umsebenzisi wendawo ongenamalungelo ukuthi asebenzise ikhodi enamalungelo ezimpande. Ubuthakathaka abukalungiswa okwamanje (usuku oluyi-zero), kodwa i-exploit evivinywe emphakathini isivele itholakala. Ubuntu 22.04.
Inkinga ikhona ku-enlightenment_sys esebenzisekayo, ehlinzekwa ngefulegi lempande ye-suid futhi isebenzisa imiyalo ethile evunyelwe ngekholi yesistimu(), njengokukhweza idrayivu ngesisetshenziswa sokukhweza. Ngenxa yokungasebenzi kahle komsebenzi okwenza iyunithi yezinhlamvu edluliselwe ocingweni lwesistimu(), izingcaphuno ziyasuswa ezimpikiswaneni zomyalo osebenzayo, ongasetshenziswa ukusebenzisa ikhodi yangokwezifiso. Isibonelo, uma usebenzisa i-mkdir -p /tmp/net mkdir -p "/tmp/;/tmp/exploit" echo "/bin/sh"> /tmp/exploit chmod a+x /tmp/exploit enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
Ngenxa yokususwa kwezingcaphuno eziphindwe kabili, esikhundleni somyalo oshiwo othi '/bin/mount … "/dev/../tmp/;/tmp/exploit" /tmp///net', uchungechunge olungenazo izingcaphuno eziphindwe kabili '/bin/mount … /dev/../tmp/;/tmp/exploit /tmp////net' umsebenzi ozodluliselwa ohlelweni/i-ex () izodluliselwa ohlelweni /tmp///net' isetshenziswa ngokuhlukile esikhundleni sokucutshungulwa njengengxenye yendlela eya kudivayisi. Iyunithi yezinhlamvu ethi "/dev/../tmp/" kanye nethi "/tmp///net" zikhethelwe ukweqa ukuphikisana kokuhlolwa komyalo wokukhweza ku-enlightenment_sys (idivayisi yokukhweza kufanele iqale ngo-/dev/ futhi ikhombe ifayela elikhona, futhi izinhlamvu ezintathu "/" endaweni yokukhweza zicaciswe ukuze kuzuzwe usayizi wendlela odingekayo).
Source: opennet.ru
