CVE-2023–26604

How did I find it?

Zenmovie
2 min read · Mar 3, 2023

On one of the pentest projects, an unprivileged account was obtained on RHEL 8. The sudoers file stated that the command /usr/bin/systemctl status *random_service* could be run from my user. Coincidentally, the size of my terminal turned out to be small. systemctl has a feature that sends its output to the pager less instead of cat if the terminal is smaller than the length of any output line. The pager less has the ability to execute commands; for example, you can trigger a new shell with the command !sh.

Why does it work?

RHEL 8.x and Ubuntu 20.x use systemd 245. systemd 245 does not check whether the eUID matches the UID, which, coupled with a misconfiguration in /etc/sudoers, allows local privilege escalation. This works not only with systemctl status, but also with the other commands that systemd supplies.
A screenshot to prove my point below:

[Screenshot: LPE in Ubuntu 20.04.5 through misconfiguration in /etc/sudoers]

Fixes

Update systemd to at least systemd 247.

Safeguards have been added in systemd 247 to prevent commands from being executed from the pager if the eUID differs from the UID. Link to check it.
And just in case, I’ll duplicate it here:

The autopaging logic in systemd's various tools (such as systemctl) has been updated to turn on "secure" mode in "less" (i.e. $LESSSECURE=1) if execution in a "sudo" environment is detected. This disables invoking external programs from the pager, via the pipe logic. This behaviour may be overridden via the new $SYSTEMD_PAGERSECURE environment variable.

Ubuntu 22.x uses systemd 249, so it is not possible to elevate privileges locally in this way on this version.
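As an added defender-side check (not part of the original post): a POSIX sh helper that parses the `systemctl --version` line, flags systemd releases below 247, and scans sudoers-style rules for systemd tools granted without `--no-pager`. The function names, the sample version strings and the sample rules are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit helper that pairs the
# systemd version with sudoers rules granting paging systemd tools.

# Extract the major version from a `systemctl --version` first line,
# e.g. "systemd 245 (245.4-4ubuntu3.20)" -> "245".
systemd_major_version() {
    printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p'
}

# True (0) when the release predates 247, the first version that forces
# less into secure mode ($LESSSECURE=1) when run under sudo.
systemd_pager_unprotected() {
    major=$(systemd_major_version "$1")
    [ -n "$major" ] && [ "$major" -lt 247 ]
}

# True (0) when a sudoers rule grants systemctl or journalctl and the
# command spec does not disable the pager with --no-pager.
sudoers_rule_uses_pager() {
    rule=$1
    case "$rule" in
        '#'*|Defaults*|"") return 1 ;;    # comment, Defaults line, blank
    esac
    cmd=${rule##*)}                       # text after "(runas)" = command spec
    case "$cmd" in
        *--no-pager*) return 1 ;;
        */systemctl*|*/journalctl*) return 0 ;;
    esac
    return 1
}

# Read sudoers rules from stdin; print the risky ones and return 0 only if
# at least one is risky AND the given systemd version lacks the safeguard.
audit_sudoers_pager() {
    version_line=$1
    found=1
    while IFS= read -r line; do
        if sudoers_rule_uses_pager "$line"; then
            echo "risky rule: $line"
            found=0
        fi
    done
    if [ "$found" -eq 0 ] && systemd_pager_unprotected "$version_line"; then
        echo "systemd < 247: pager not forced into secure mode under sudo"
        return 0
    fi
    return 1
}
```

On a live host, feed it `systemctl --version | head -n1` and the output of `sudo -l` or the relevant sudoers fragments.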
