# CrackArmor LPE via Confused-Deputy and Sudo/Postfix

Within the CrackArmor suite, two of the vulnerabilities can be chained to obtain local root. The chain combines a **confused-deputy flaw** in AppArmor's profile-management interface with a **fail-open privilege-handling behavior in `sudo`** that becomes exploitable when Postfix supplies the mailer.

An <mark style="color:$danger;">unprivileged</mark> user can abuse a privileged process to write a crafted profile into AppArmor's pseudo-files, denying `CAP_SETUID` to `sudo`. Under that profile `sudo` cannot drop its root privileges, yet it carries on and invokes the mailer. Because the caller's `MAIL_CONFIG` environment variable is passed through to Postfix, the user can point the mailer at a controlled configuration directory and have a helper binary executed with **full root privileges**, giving a reliable local privilege escalation.

The AppArmor interface flaw has been present since Linux kernel **4.1.1**; patches addressing it appear in kernel package **6.8.0-106** (Ubuntu's version numbering).

***

### Technical Details

The attack begins with AppArmor's pseudo-files (`.load`, `.replace`, `.remove`) in `/sys/kernel/security/apparmor`. The files are world-writable, and the privilege check is enforced on `write()` against the writing process rather than on `open()`, so an unprivileged user can open a descriptor and arrange for a privileged process, such as `su -P`, to write attacker-controlled bytes into it: a classic **confused-deputy scenario**. Using this primitive, the attacker loads a malicious AppArmor profile for `sudo` that explicitly denies `CAP_SETUID`.

When `sudo` runs under this profile, its `setuid()` and `setresuid()` calls fail, but `sudo` keeps running instead of aborting. In its error path, `sudo` hands the failure notification to Postfix's `/usr/sbin/sendmail`, still as root and with the caller's environment intact, so the user-controlled `MAIL_CONFIG` variable reaches the mailer. Pointing that variable at an attacker-controlled configuration directory that references malicious helper binaries makes the mailer execute them as root, completing the privilege escalation.
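The chain above needs three things on the host: world-writable AppArmor pseudo-files, a `sudo` binary, and Postfix's `sendmail`. The script below is an added precondition check written for this page; it is not `crackarmor.py` or any other code from the 0xPThree repository. It only reads file modes and the kernel release and never writes to the pseudo-files. The fixed version `6.8.0-106` is the one stated on this page; the script assumes (and only judges) Ubuntu's `major.minor.patch-abi` naming within the 6.8.0 series, and returns "unknown" for anything else, since other series carry their own backports.

```python
#!/usr/bin/env python3
"""Precondition check for the CrackArmor chain (added example, not the PoC).

Checks performed:
  * AppArmor .load/.replace/.remove are writable by everyone (other-write bit)
  * sudo is installed
  * Postfix provides /usr/sbin/sendmail (the mailer that honours MAIL_CONFIG)
  * kernel package is at or past 6.8.0-106 (Ubuntu numbering; assumption:
    only meaningful inside the 6.8.0 series, anything else reports None)
"""
import os
import re
import shutil
import stat
from typing import Dict, Optional, Tuple

APPARMOR_DIR = "/sys/kernel/security/apparmor"
PSEUDO_FILES = (".load", ".replace", ".remove")
FIXED_UBUNTU_KERNEL = (6, 8, 0, 106)  # version named on the page


def world_writable(st_mode: int) -> bool:
    """True when the 'other' write bit is set, i.e. any user may open for writing."""
    return bool(st_mode & stat.S_IWOTH)


def parse_ubuntu_release(release: str) -> Optional[Tuple[int, ...]]:
    """'6.8.0-106-generic' -> (6, 8, 0, 106); non-Ubuntu strings give None."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)-(\d+)\b", release)
    return tuple(int(g) for g in m.groups()) if m else None


def ubuntu_kernel_patched(release: str) -> Optional[bool]:
    """True/False inside the 6.8.0 series, None when the series differs."""
    v = parse_ubuntu_release(release)
    if v is None or v[:3] != FIXED_UBUNTU_KERNEL[:3]:
        return None
    return v[3] >= FIXED_UBUNTU_KERNEL[3]


def writable_pseudo_files(base: str = APPARMOR_DIR) -> Dict[str, Optional[bool]]:
    """Map each pseudo-file to True (world-writable), False, or None (absent)."""
    result: Dict[str, Optional[bool]] = {}
    for name in PSEUDO_FILES:
        path = os.path.join(base, name)
        try:
            result[name] = world_writable(os.stat(path).st_mode)
        except FileNotFoundError:
            result[name] = None
    return result


def postfix_sendmail_present() -> bool:
    """Postfix installs /usr/sbin/sendmail alongside /usr/sbin/postconf."""
    return os.path.exists("/usr/sbin/sendmail") and os.path.exists("/usr/sbin/postconf")


def check_host() -> Dict[str, object]:
    """Collect every precondition from the running host into one report."""
    release = os.uname().release
    return {
        "kernel": release,
        "kernel_patched": ubuntu_kernel_patched(release),
        "apparmor_pseudo_files": writable_pseudo_files(),
        "sudo": shutil.which("sudo") is not None,
        "postfix_sendmail": postfix_sendmail_present(),
    }


if __name__ == "__main__":
    for key, value in check_host().items():
        print(f"{key}: {value}")
```

Run it as an ordinary user; `os.stat` on the pseudo-files does not need privileges. A host where every pseudo-file reports `True`, `sudo` and `postfix_sendmail` are present, and `kernel_patched` is `False` exposes all the pieces the chain needs; a `None` kernel verdict means the series is not one the page gives a fixed version for, and the distribution's own advisory has to be consulted.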

***

### PoC || GTFO

```bash
void@ubnt-dev:~$ python3 crackarmor.py 
--=== CrackArmor LPE ===--
[+] Setting up payload (local)
[+] Building profile
[+] Injecting profile
Password: 
[+] Triggering exploit

========== IMPORTANT ==========
[!] SUID shell: /tmp/rootbash
[!] sudo is broken (AppArmor profile replaced)
[!] Restore with: python3 script.py --restore
===============================

rootbash-5.2# id
uid=1000(void) gid=1000(void) euid=0(root) groups=1000(void)
```

{% embed url="https://github.com/0xPThree/crackarmor-lpe" %}
