This was an interesting challenge which @7axmi and I solved recently. The goal here is to get code execution as a limited user and then do a privilege escalation to get root access. In summary, there are two vulnerable programs in the VM:
A custom-written HTTP server: SuperSecureServer.py
A custom cryptosystem with which the user credentials are encrypted.
A custom-written sudo replacement: BetterSSH.py
Getting the source
The homepage of the VM hinted the name of the server's source filename as SuperSecureServer.
I started out installing Gentoo in a VM so that I could watch a movie or something while the packages were getting compiled. But my goal is to use it as my primary distro instead of my current Arch. The idea is to write whatever content is present in the single rootfs in the VM onto a partition on the physical disk. My VM had a VDI disk. I had to convert that to a raw img disk.
I wanted to try out Gentoo to kill some time while being stuck at home during the covid-19 lockdown. But, at the same time, I did not want to spend my entire weekend looking at compilation messages in a tty console without even being able to watch a movie or listen to a song on the side.
[Image: XKCD comic. Credit: XKCD comics]
So, I decided to start the installation in a VM. I booted up the Gentoo netinstall ISO, SSHed into it and started setting it up as per the Gentoo AMD64 handbook.
Vivek and I discovered a couple of security bugs in the git index handling mechanism in libgit2 a year back. Two CVEs were assigned for the two issues discovered:
CVE-2018-8098 - Integer overflow which causes an out-of-bounds read.
CVE-2018-8099 - Double free caused by an incorrect return value.
Following is the mail I originally sent out to the libgit2 maintainers for reporting the vulnerabilities.
Double-Free
In the read_entry() function, git_decode_varint() can be made to fail with it returning varint_len as 0.
I discovered a DoS issue in Python's marshal module. However, the Python community decided that this is not a (security) issue, as the marshal module's documentation already states that untrusted data is not supposed to be fed to it. So, here is a way to segfault the Python interpreter, if anyone needs a reliable way to do it. Last tested in Python 3.7.3 on Arch Linux on 16th July 2019.