CVE-2023-30630

Dmidecode is a tool for dumping a computer's DMI (SMBIOS) table contents in a human-readable format. This table contains descriptions of system hardware components, serial numbers, and BIOS revisions.

With root permissions to dmidecode, a low-privileged user can exploit a file write vulnerability to escalate privileges to root.

Key Vulnerability Details

Important Notes

Files created through dmidecode will have owner root. Overwriting existing files preserves their permissions.
Directories cannot be created with dmidecode. The .ssh directory must already exist for SSH key-based exploitation.
dmidecode adds junk data at the beginning of files (invisible with cat, visible in vi/vim). Place SSH keys on row 2 or below to avoid corruption.
Version 3.3 has a SEGFAULT bug when exploited. This vulnerability works on "all versions between 1.8 and 3.4, except 3.3".
For root SSH access, PermitRootLogin must be enabled in /etc/ssh/sshd_config.

Exploitation Process

Identify the vector using sudo -l to confirm dmidecode access
Create a malicious payload using the dmiwrite tool
Upload the crafted DMI file to the target system
Execute the exploit with the --dump-bin flag to write to privileged locations
Authenticate using the injected credentials

Example Command

N/ABASH

sudo /usr/sbin/dmidecode -d authorized_keys.dmi --no-sysfs --dump-bin /root/.ssh/authorized_keys

This approach allows writing SSH public keys to root's authorized_keys file, enabling direct root login without a password.

██╗ ██████╗ ███████╗██╗███████╗███╗ ██╗██████╗ ██║██╔═══██╗██╔════╝██║██╔════╝████╗ ██║██╔══██╗ ██║██║ ██║█████╗ ██║█████╗ ██╔██╗ ██║██║ ██║ ██║██║ ██║██╔══╝ ██║██╔══╝ ██║╚██╗██║██║ ██║ ██║╚██████╔╝██║ ██║███████╗██║ ╚████║██████╔╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═══╝╚═════╝