aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#1424: Bash before 4.4 allows local users to privilege escalation #1424

Open unaithetutamatumatu opened 4 years ago

unaithetutamatumatu commented 4 years ago
{
    "id": 1424,
    "title": "RVD#1424: Bash before 4.4 allows local users to privilege escalation",
    "type": "vulnerability",
    "description": "Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables.",
    "cwe": "CWE-20",
    "cve": "CVE-2016-7543",
    "keywords": "triage",
    "system": "URx",
    "vendor": "Universal Robots",
    "severity": {
        "rvss-score": 9.8,
        "rvss-vector": "RVSS:1.0/AV:L/AC:L/PR:N/UI:N/Y:M/S:C/C:L/I:L/A:H/H:U",
        "severity-description": "High",
        "cvss-score": 8.5,
        "cvss-vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H"
    },
    "links": [
        "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7543",
        "https://www.openwall.com/lists/oss-security/2016/09/26/9",
        "https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-21050/GNU-Bash.html",
        "https://github.com/aliasrobotics/RVD/issues/1424"
    ],
    "flaw": {
        "phase": "exploitation",
        "specificity": "subject-specific",
        "architectural-location": "Operating system",
        "application": "Bash",
        "subsystem": "N/A",
        "package": "bash 4.2+dfsg-0.1+deb7u3 i386",
        "languages": "Shell",
        "date-detected": null,
        "detected-by": "Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)",
        "detected-by-method": "N/A",
        "date-reported": "2020-03-31",
        "reported-by": "N/A",
        "reported-by-relationship": "N/A",
        "issue": "https://github.com/aliasrobotics/RVD/issues/1424",
        "reproducibility": "Always",
        "trace": "N/A",
        "reproduction": "Not available",
        "reproduction-image": "Not available"
    },
    "exploitation": {
        "description": "Shells running as root inherit PS4 from the environment. This involved PS4 expansion performing command substitution. SHELLOPTS/PS4 Environment Variables Privilege Escalation",
        "exploitation-image": "N/A",
        "exploitation-vector": "N/A"
    },
    "mitigation": {
        "description": "sudo apt-get --assume-yes install --only-upgrade bash",
        "pull-request": null,
        "date-mitigation": null
    }
}

LanderU commented 4 years ago

alurity.yml used to demonstrate this:

networks:
  - network:
    - driver: overlay
    - name: urnetwork
    - encryption: false

containers:
  - container:
    - name: ur_3121
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12.1
         - network: urnetwork
    - cpus: 4
    - memory: 4096
    - mount: /aliasrobotics/RVD1424:/root/shared
  - container:
    - name: attacker
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/alurity:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_robosploit/expl_robosploit:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest
         - network: urnetwork

flow:
  - container:
    - name: ur_3121
    - window:
        - name: priv_escalation
        - commands:
          - command: "useradd -m -p aliasexploit -s /bin/bash exploituser"
          - command: "cp /root/shared/priv-escalation /home/exploituser"
          - command: "chmod 4755 /home/exploituser/priv-escalation"
          - command: "su exploituser"