on githu release page

Please add an option to skip specific test or add option to force continuation of tests even if you encountered a privesc. In this way, the tool is no longer a tool used only for privesc and becomes a used audit tool as well.

If I run this tool with the -p option, it reports a lot of Gtfobins vulnerabilities. However, when I tried to exploit one of them, the output was this:

[+] Assessing machine state...
[+] Checking for opportunities...
[+][gtfobins:gcc] Opportunity found, trying to exploit it...
[+][gtfobins:gcc] Using command '/home/koodi/.nix-profile/bin/gcc'...
[+][gtfobins:gcc] Starting command with pty...
[+][gtfobins:gcc] Setting up terminal...
[+][gtfobins:gcc] Authenticating with sudo...
[+][gtfobins:gcc] Writing payload...
[sudo] root user password: sudo: timeout when reading password
sudo: password needed
[+][gtfobins:gcc] Session complete.
[+] Done.

...and no root prompt.

(Sudo messages manually translated to English from my native language)

My guess is that the tool tries to pass the user password to Sudo, but fails because I have Defaults targetpw line in my sudoers file, and thus it's root password that is needed.

But I think it's not a vulnerability then, and the tool should not report it as one even with the -p option? Or at least fail instantly when trying to exploit instead of waiting for the timeout?

How to skip a vulnerability to continue to find exploitable vulnerabilities

• Microsoft writeup: https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
• Python PoC: https://github.com/Immersive-Labs-Sec/nimbuspwn/blob/main/nimbuspwn.py
• Vulnerability detection (shell): https://github.com/jfrog/nimbuspwn-tools/blob/main/nimbuspwn-detector.sh
• Golang dbus library: https://github.com/godbus/dbus

https://lwn.net/ml/oss-security/[email protected]/

Both vulnerabilities related to netfilter

Mention the list of currently supported exploits in README

apt install powertop
powertop

It's Like That...

I ran v0.0.14 on a fully-patched (at least as far as apt permits) Ubuntu 22.04LTS, and got this result:

▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.14
https://github.com/liamg/traitor

[+] Assessing machine state...
[+] Checking for opportunities...
[+][kernel:CVE-2022-0847] Kernel version 5.15.0 is vulnerable!
[+][kernel:CVE-2022-0847] System is vulnerable! Run again with '--exploit kernel:CVE-2022-0847' to exploit it.

Checking the installed kernel version, I get this:

$ cat /proc/version_signature
Ubuntu 5.15.0-25.25-generic 5.15.30

According to the vendor (see https://ubuntu.com/kernel for details), the mainline kernel release is the 5.15.30 part. According to NIST (see https://nvd.nist.gov/vuln/detail/CVE-2022-0847), the CVE details state that 5.15.0 to 5.15.24 are affected, with 5.15.25 and newer not affected.

Given that Ubuntu LTS is a relatively popular choice among server operating systems – and 22.04 is the most recent LTS cut – it might be worth clarifying what kernel versions are affected by CVE-2022-0847 at a patch release level instead of minor release branch.

Thanks for your consideration.

Hi,

I am using the command: ./traitor --exploit kernel:CVE-2022-0847

It seem to work, but terminates with an error: [+][error] Exploit failed: invalid password (see below).

In /etc/passwd: traitor4242:x:1001:1001:CVE-2021-3560,,,:/home/traitor4242:/bin/bash
In /etc/shadow: traitor4242:!:19092:0:99999:7:::
In /etc/group: sudo:x:27:thomas,traitor4242

Is there a reason, why it terminates with an error ?
Thanks for help
Thomas

▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.0
https://github.com/liamg/traitor

[+] Assessing machine state...
[+] Checking for opportunities...
[+][kernel:CVE-2022-0847] Kernel version 5.13.0 is vulnerable!
[+][kernel:CVE-2022-0847] Opportunity found, trying to exploit it...
[+][kernel:CVE-2022-0847] Attempting to set root password...
[+][kernel:CVE-2022-0847] Opening '/etc/passwd' for read...
[+][kernel:CVE-2022-0847] Creating pipe...
[+][kernel:CVE-2022-0847] Determining pipe size...
[+][kernel:CVE-2022-0847] Pipe size is 65536.
[+][kernel:CVE-2022-0847] Filling pipe...
[+][kernel:CVE-2022-0847] Draining pipe...
[+][kernel:CVE-2022-0847] Pipe drained.
[+][kernel:CVE-2022-0847] Splicing data...
[+][kernel:CVE-2022-0847] Writing to dirty pipe...
[+][kernel:CVE-2022-0847] Write of '/etc/passwd' successful!
[+][kernel:CVE-2022-0847] Starting shell...
[+][kernel:CVE-2022-0847] Please exit the shell once you are finished to ensure the contents of /etc/passwd is restored.
[+][kernel:CVE-2022-0847] Setting up tty...
[+][kernel:CVE-2022-0847] Attempting authentication as root...
[+][kernel:CVE-2022-0847] Restoring contents of /etc/passwd...
[+][kernel:CVE-2022-0847] Opening '/etc/passwd' for read...
[+][kernel:CVE-2022-0847] Creating pipe...
[+][kernel:CVE-2022-0847] Determining pipe size...
[+][kernel:CVE-2022-0847] Pipe size is 65536.
[+][kernel:CVE-2022-0847] Filling pipe...
[+][kernel:CVE-2022-0847] Draining pipe...
[+][kernel:CVE-2022-0847] Pipe drained.
[+][kernel:CVE-2022-0847] Splicing data...
[+][kernel:CVE-2022-0847] Writing to dirty pipe...
[+][kernel:CVE-2022-0847] Write of '/etc/passwd' successful!
[+][error] Exploit failed: invalid password
[+] Continuing to look for opportunities
[+] Nothing found to exploit.
thomas@thomas-ThinkPad-E15:~/traitor$

(Note: I would ask this in a discussion but those haven't been setup yet- so another vote for enabling those: #70)

Sorry if this is the wrong place to ask this question - but I searched these issues, and I searched the web, and I can't find anything good on it.

Having docker.sock writable by the docker group is extremely handy/useful. However, I don't want to allow that as it results in this root exploit.

Is there any way to have docker.sock writable but without enabling this exploit? Is it a fundamental problem with Docker's design? Seems like a big deal...

Does it or will it support other privileges elevators: doas or opendoas, on both Linux and BSDs?

I ran the app (release v0.0.1, AMD) on Kubuntu 20.10. Without "-p", it finds nothing. With "-p", everything in bin at least is flagged as exploitable. I am left wondering what any of this means, and what I do/don't need to fix in my system.

I tried adding a dangerous file with 777 and SUID permissions to my /bin directory; traitor without "-p" didn't flag it as dangerous.

Perhaps you could add to the README: run without "-p", then if no threats found, create file SOMETHING with permissions NNN and run again without "-p", see it reported as a threat. Or some other simple example of a deliberate threat.

Perhaps you could add to each exploitable case: some brief indication of what is wrong. For example, when run with "-p", it says "man" is exploitable on my machine, and pops a root shell. But I am left with no reason why, or how to fix it. /bin/man seems to have proper permissions on my machine. Is the vulnerability elsewhere ? How do I fix it ? Is there any vulnerability at all ?

Thanks.

Due to line: https://github.com/liamg/traitor/blob/main/pkg/state/sudoers.go#L33 that parses sudo -l output traitor is not able to understood messages from sudo when LANG isn't set to C or EN.

if strings.Contains(line, "may run the following") {

Solution: reset LANG or LC_MESSAGES to C or run traitor as LANG=C traitor/ LC_MESSAGES=C traitor

It would be great for the README to have a list of supported operating systems. Does this only work on Linux or can I also run it on BSD systems?

Could you consider adding support for the brand-new CVE-2024-1086?

Hey @liamg let's open up Discussions on this repo (Under Settings). Some of the issues that come by are not really tangible things to write code and submit pull-requests for 😅

I run the program on several different computers, but there is no test vulnerability information, as shown in the figure. Is it because I don't have an exp。
Or because the server does not have vulnerabilities

Please add support for CVE-2021-3156

The tool looks neat, but I tried running it on a fresh Vagrant instance as an unprivileged user and didn't se emuch:

Of course, it's a stock install and there are no services running on the box, but I think it would be neat if there were some instructions on example misconfigurations that could be made on a throwaway VM for Traitor to exploit.

If you're willing to give me a list, I'd be happy to add some examples into the README and submit a PR!

i dont know how you run or install this as there is no clear documentation, all help is greatly appreciated

If/when exploits are found you're left to your own devices. It'd be really useful if there was a catalogue of advice somewhere about resolving these exploits, perhaps in this project's wiki?

@liamg Are you planning on adding support for privesc CVEs? This might be a good one to add since there are so many affected platforms.

eBPF LPE: https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490

https://github.com/Ruia-ruia/CVE-2022-29582-Exploit
this is the source. Hope it will take not much time. Thank you.

Ah, sorry for the clickbait title, but you see, it works!

Does exist any kind of Report Format Standard for the results that could be used for monitoring?

Example Go PoC here: https://github.com/mengzhuo/dirty-cow-golang

I may take a crack at this if I have some free time soon

Firstly, thank you creating and maintaining traitor, it's excellent.

I ran v0.0.8 on a fully-patched (at least as far as apt permits) Ubuntu 20.04LTS, and got this result:

$ /opt/traitor/traitor


▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.8
https://github.com/liamg/traitor

[+] Assessing machine state...
[+] Checking for opportunities...
[+][polkit:CVE-2021-3560] Polkit version is vulnerable!
[+][polkit:CVE-2021-3560] System is vulnerable! Run again with '--exploit polkit:CVE-2021-3560' to exploit it.

Looking at d3db221 where detection for CVE-2021-3560 was added, v0.105-26 is considered vulnerable:

Looking at https://ubuntu.com/security/notices/USN-4980-1, where Ubuntu 20.04LTS is concerned, that same version number is not vulnerable…and it's actually listed as being the version which addresses CVE-2021-3560.

Given that Ubuntu LTS is a relatively popular choice among server operating systems – and 20.04 is the most recent LTS cut – it might be worth clarifying what versions are affected by CVE-2021-3560 in this case.

Thanks for your consideration.

Per this guide.

The exploit via -a will fail.

Hi, I'd like to install following these instructions from the README but am not sure how to get the binary built:

CGO_ENABLED=0 go get -u github.com/liamg/traitor/cmd/traitor

This creates a go/pkg folder with a bunch of subfolders, but I have no idea where the built binary is.

Any help greatly appreciated! Using go 1.16.8.

What about adding the good old TTY privilege escalation? http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/

Most of the users aren't aware of it, since it has been discussed a decade ago and most of the distributions have set it on WONTFIX and without re-configuring sudo, this will remain a problem on all major distributions.

Just try it from root:

# su -l tobwen
$ id
uid=1001(tobwen) gid=1001(tobwen) groups=1001(tobwen)
$ ls -l /proc/$$/fd
total 0
lrwx------ 1 tobwen tobwen 64 Mar  6 20:15 0 -> /dev/pts/0
lrwx------ 1 tobwen tobwen 64 Mar  6 20:15 1 -> /dev/pts/0
lrwx------ 1 tobwen tobwen 64 Mar  6 20:15 2 -> /dev/pts/0
lrwx------ 1 tobwen tobwen 64 Mar  6 20:15 255 -> /dev/pts/0

Whoops, you're doomed.

Another privesc using polkit

https://seclists.org/oss-sec/2022/q1/80

When I try to go get, I get # cd .../src/github.com/liamg/traitor; git checkout master. No such branch exists.

I'm on go 1.4.

https://github.com/ChriSanders22/CVE-2023-35829-poc

the last commit was 7 months ago, yet this project is great, it doesn't deserve to die out like this

Hi there 🙂

I'm packaging this for the AUR and can't find a license. On what terms is this software made available?

Cheers!

Hello, I have sudo with permissive line:
%wheel ALL=(ALL) NOPASSWD: ALL

traitor reports false positive on all vulnerable test cases, and even pops a shell. But it can't exploit anything if the line is removed.

• Source: https://github.com/Markakd/CVE-2022-2588
  Would be cool if you can implement it, but it seems that it doesn't compile on arm64 system (or atleast not out of the box), lets see if you can do something about it

Heads up in case you weren't aware. 🙂