CVE-2022-37706
published 2022-12-25


Priority: P3 (53) · Severity: high · CVSS 3.1 base score: 7.8
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 5.49% (91.8th percentile)
enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.

Affected (2 ranges)

Vendor         Product        Version range                 Fixed in
debian         e17            < e17 0.25.4-1 (bookworm)     e17 0.25.4-1 (bookworm)
enlightenment  enlightenment  < 0.25.4                      0.25.4

Detection & IOCs (extracted from sources)

path:    /lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
command: ${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
process: enlightenment_sys

Detection rule (sigma / EQL sequence):

    sequence by host.id, process.parent.entity_id with maxspan=5s
      [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
       process.name == "enlightenment_sys" and process.args in ("/bin/mount/", "-o", "noexec", "nosuid", "nodev", "uid=*")]
      [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and user.id == "0"]
  • Look for enlightenment_sys (setuid root binary) being invoked with mount arguments containing /dev/../tmp/ path patterns, which is the core exploit primitive — a path traversal via /dev/.. substring passed to the system() library call.
  • Detect enlightenment_sys spawning with mount-related args (noexec, nosuid, nodev, uid=*) followed within 5 seconds by a uid_change event to uid 0 on the same host and parent process entity.
  • Monitor for creation of directories /tmp/net and paths matching /dev/../tmp/;/tmp/exploit, and creation of a shell script at /tmp/exploit with execute permissions — these are staging artifacts of the exploit.
  • Hunt for enlightenment_sys SUID binary using: find / -name enlightenment_sys -perm -4000. Presence of this binary on a system is a prerequisite for exploitation.
  • The exploit injects a command via a semicolon in the mount path argument: the path /dev/../tmp/;/tmp/exploit causes enlightenment_sys to execute /tmp/exploit as root via the system() call.
  • The vulnerability is fixed in Enlightenment 0.25.4; versions 0.25.3 and earlier are affected. Debian stable (bullseye) fix is in 0.24.2-8+deb11u1.
  • Exploitation requires local access to a machine with Enlightenment installed and the enlightenment_sys binary present as a setuid-root SUID binary.
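The two-step sequence rule above, re-implemented as an added example over constructed process events (this is not code from the cbcvebase record or from Enlightenment; the event field names and the sample telemetry are assumptions chosen to mirror the EQL fields host.id, process.parent.entity_id, process.args and user.id). It flags an enlightenment_sys exec carrying mount flags or a /dev/.. argument, then correlates it with a uid_change to 0 on the same host and parent entity within 5 seconds.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=5)                 # sequence window from the rule
MOUNT_FLAGS = ("noexec", "nosuid", "nodev")
T0 = datetime(2023, 1, 2, 10, 0, 0)            # constructed base timestamp

def suspicious_exec(ev):
    """Step 1 of the rule: enlightenment_sys exec carrying mount flags,
    or any argument containing the /dev/.. traversal substring."""
    if (ev["type"], ev["action"], ev["name"]) != ("start", "exec", "enlightenment_sys"):
        return False
    joined = " ".join(ev["args"])
    mount_like = "/bin/mount" in joined and any(f in joined for f in MOUNT_FLAGS)
    return mount_like or "/dev/.." in joined

def root_uid_change(ev):
    """Step 2 of the rule: a uid_change event landing on uid 0."""
    return (ev["type"], ev["action"], ev["uid"]) == ("change", "uid_change", "0")

def correlate(events):
    """Return (exec_ts, uid_change_ts) pairs where a suspicious exec is followed
    within MAXSPAN by a uid_change to 0 on the same (host, parent entity) key."""
    hits, pending = [], {}                     # pending: (host, parent) -> exec ts
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["parent"])
        if suspicious_exec(ev):
            pending[key] = ev["ts"]
        elif root_uid_change(ev) and key in pending:
            if ev["ts"] - pending[key] <= MAXSPAN:
                hits.append((pending[key], ev["ts"]))
            del pending[key]
    return hits

def _ev(offset, host, parent, typ, action, name, args, uid):
    return {"ts": T0 + timedelta(seconds=offset), "host": host, "parent": parent,
            "type": typ, "action": action, "name": name, "args": args, "uid": uid}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    # h1: mount-style exec with a /dev/.. path, root 2 s later -> hit
    _ev(0, "h1", "p1", "start", "exec", "enlightenment_sys",
        ["/bin/mount", "-o", "noexec,nosuid,nodev,uid=1000", "/dev/../tmp/x", "/tmp///net"], "1000"),
    _ev(2, "h1", "p1", "change", "uid_change", "sh", [], "0"),
    # h2: constructed benign helper call without mount args -> no hit
    _ev(5, "h2", "p2", "start", "exec", "enlightenment_sys", ["/usr/sbin/hibernate"], "1000"),
    _ev(6, "h2", "p2", "change", "uid_change", "sh", [], "0"),
    # h3: suspicious exec, but the uid change comes 30 s later -> outside maxspan
    _ev(10, "h3", "p3", "start", "exec", "enlightenment_sys",
        ["/bin/mount", "-o", "nodev", "/dev/../tmp/y", "/tmp///net"], "1000"),
    _ev(40, "h3", "p3", "change", "uid_change", "sh", [], "0"),
]

if __name__ == "__main__":
    for exec_ts, uid_ts in correlate(SAMPLE_EVENTS):
        print(f"ALERT CVE-2022-37706 pattern: exec {exec_ts:%H:%M:%S} -> root {uid_ts:%H:%M:%S}")
```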

CVSS provenance

Source          Version  Score  Severity   Vector
nvd             v3.1     7.8    HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                      9.8    CRITICAL
vendor_debian            7.8    HIGH