diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 78a38276770..e9fee61ce5d 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -112,6 +112,7 @@ - [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md) - [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md) - [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md) + - [Imunify360 Ai Bolit Deobfuscation Rce](linux-hardening/privilege-escalation/imunify360-ai-bolit-deobfuscation-rce.md) - [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md) - [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md) - [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md) diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index 262fede8f50..6a571a9e961 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -306,7 +306,10 @@ strings /dev/mem -n10 | grep -i PASS ProcDump is a Linux reimagining of the classic ProcDump tool from the Sysinternals suite of tools for Windows. Get it in [https://github.com/Sysinternals/ProcDump-for-Linux](https://github.com/Sysinternals/ProcDump-for-Linux) -``` +
+ProcDump example output + +```text procdump -p 1714 ProcDump v1.2 - Sysinternals process dump utility @@ -333,6 +336,9 @@ Press Ctrl-C to end monitoring without terminating the process. [20:21:00 - INFO]: Core dump 0 generated: ./sleep_time_2021-11-03_20:20:58.1714 ``` +
+ + ### Tools To dump a process memory you could use: @@ -415,14 +421,6 @@ cp /bin/bash /tmp/rootshell && chmod 6777 /tmp/rootshell /tmp/rootshell -p # root shell ``` -Hardening -- Do not run Crontab UI as root; constrain with a dedicated user and minimal permissions -- Bind to localhost and additionally restrict access via firewall/VPN; do not reuse passwords -- Avoid embedding secrets in unit files; use secret stores or root-only EnvironmentFile -- Enable audit/logging for on-demand job executions - - - Check if any scheduled job is vulnerable. Maybe you can take advantage of a script being executed by root (wildcard vuln? can modify files that root uses? use symlinks? create specific files in the directory that root uses?). ```bash @@ -955,10 +953,6 @@ BASH_ENV=/dev/shm/shell.sh sudo /usr/bin/systeminfo # or any permitted script/ # You should now have a root shell ``` -- Hardening: - - Remove `BASH_ENV` (and `ENV`) from `env_keep`, prefer `env_reset`. - - Avoid shell wrappers for sudo-allowed commands; use minimal binaries. - - Consider sudo I/O logging and alerting when preserved env vars are used. ### Sudo execution bypassing paths @@ -1747,6 +1741,15 @@ Learn more and see a generalized pattern applicable to other discovery/monitorin vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md {{#endref}} +## Imunify360 Ai‑Bolit deobfuscation RCE (abusing AV/scanner deobfuscators) + +Imunify360's PHP deobfuscation engine executed attacker-recovered function names (via call_user_func_array), enabling sinks like system/exec/eval during scans. If Ai‑Bolit runs as root, dropping a crafted PHP anywhere it scans yields RCE during routine scans. See details and PoC: + + +{{#ref}} +imunify360-ai-bolit-deobfuscation-rce.md +{{#endref}} + ## Kernel Security Protections - [https://github.com/a13xp0p0v/kconfig-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check) diff --git a/src/linux-hardening/privilege-escalation/imunify360-ai-bolit-deobfuscation-rce.md b/src/linux-hardening/privilege-escalation/imunify360-ai-bolit-deobfuscation-rce.md new file mode 100644 index 00000000000..96f5badf591 --- /dev/null +++ b/src/linux-hardening/privilege-escalation/imunify360-ai-bolit-deobfuscation-rce.md @@ -0,0 +1,125 @@ +# Imunify360 Ai-Bolit deobfuscation RCE (abusing AV/scanner deobfuscators) + +{{#include ../../banners/hacktricks-training.md}} + +Abuse pattern: a malware scanner/deobfuscator dynamically resolves function names from untrusted files and executes them (e.g., via call_user_func_array). If the resolved name is a sink such as system/exec/shell_exec/passthru/eval/assert, the scanner runs attacker-controlled code under its own privileges (often root). + +This page documents an instance affecting Imunify360 AV (Ai‑Bolit) prior to v32.7.4.0 and generalizes the technique. + +## Affected scenario (Ai‑Bolit) + +- Component: Imunify360 AV (Ai‑Bolit) PHP deobfuscation engine +- Versions: < v32.7.4.0 +- Privilege: Scanner typically runs as root on hosting servers +- Root cause: Deobfuscation pipeline recovers function names/args from untrusted PHP and executes them without an allow-list + +Key internals observed: +- A helper (e.g., Helpers::executeWrapper) wraps call_user_func_array() and returns the function result. +- Multiple deobfuscation flows feed attacker-influenced function names into that wrapper without validation. + +Two exploitable flows seen in practice: +- Eval-hex function pattern: function names/arguments are hex-escaped and then executed. +- Delta/Ord chain: a routine (e.g., deobfuscateDeltaOrd) builds a list of function names from content and applies them sequentially via the wrapper; if the list contains a sink, it gets invoked during “deobfuscation”. + +## Why it triggers in production + +- The CLI default disables deep deobfuscation unless -y/--deobfuscate is passed: +```php +if (!defined('AI_DEOBFUSCATE')) { + define('AI_DEOBFUSCATE', false); +} +... +if (isset($options['deobfuscate']) || isset($options['y'])) { + define('AI_DEOBFUSCATE', true); +} +``` +- Imunify360’s orchestrator always enables it by passing --deobfuscate to the Ai‑Bolit wrapper for all scan types (background, on‑demand, user‑initiated): +```python +cmd = [ + "/opt/ai-bolit/wrapper", + AIBOLIT_PATH, + "--smart", + "--deobfuscate", # ALWAYS ENABLED + "--avdb", MalwareSignatures.AI_BOLIT_HOSTER, + "--no-html", + "--memory", get_memory(intensity_ram), +] +``` +Result: simply dropping a malicious file in a scanned path can trigger RCE during routine scans. + +## Exploitation + +Preconditions +- Ai‑Bolit is installed and scanning a path you can write to (e.g., shared hosting webroot) +- Orchestrator invokes Ai‑Bolit with --deobfuscate (default in Imunify360) + +Steps +1) Place an obfuscated PHP that resolves to a sink and arguments the engine will decode and invoke. +2) Wait for a scan (scheduled/on‑demand) or trigger one. +3) The deobfuscator resolves names/args and executes the sink via call_user_func_array() under scanner privileges. + +PoC (writes /tmp/l33t.txt) +```php + +``` + +Manual triage/trigger (if running Ai‑Bolit standalone during analysis) +```bash +php ai-bolit.php -y -j poc.php +``` + +Notes +- Sinks commonly reachable via this design: system, exec, shell_exec, passthru, eval, assert +- Payloads often include safe-looking transforms (hex/base64/gzinflate/str_rot13/strrev/pack/urldecode) and then terminate in a sink + +## Detection and triage + +- Process lineage during scan windows: look for ai-bolit/wrapper spawning shells or commands +```bash +ps aux | grep -E "ai-bolit|--deobfuscate" +``` +- Unexpected artifacts written by scans: files in /tmp or webroots created around scan times (e.g., /tmp/l33t.txt) +- Network egress from scanner processes (if payloads exfiltrate) +- Review orchestrator configs to confirm --deobfuscate is forced + +## Hardening and remediation + +- Update to v32.7.4.0+ (patch enforces allow-listing of deterministic, pure decoding helpers) +- Never execute attacker-influenced function names; enforce a strict allow-list: +```php +public static function isSafeFunc($func) { + $safeFuncs = [ + 'base64_decode','gzinflate','strrev','str_rot13','urldecode','substr','chr','ord', + ]; + return in_array(strtolower($func), $safeFuncs, true); +} +``` +- Run deobfuscators/scanners in least-privileged sandboxes/containers with no outbound network and minimal FS access +- If immediate patching is not possible, temporarily disable or remove the vulnerable component and/or isolate it + +## Generalizing the technique: abusing deobfuscators + +- Dynamic function invocation anti-pattern: Any analysis pipeline that “applies recovered function names” to untrusted data must validate the function set against a known-safe allow-list and treat everything else as data +- Function-sequence chaining: If a pipeline accepts a list of functions extracted from content and applies them in order, controlling that list → terminal sink execution +- Orchestrator mismatch: Even if CLI defaults are safe, production wrappers may force deep deobfuscation; test the real invocation path + +## Version status + +- Affected: Imunify360 AV (Ai‑Bolit) < v32.7.4.0 +- Fixed: v32.7.4.0 (and subsequent backports) – disallow execution of unsafelist functions recovered from arbitrary files + +## References + +- [Patchstack – Critical: Remote Code Execution via Malicious Obfuscated Malware in Imunify360 AV (AI-bolit)](https://patchstack.com/articles/remote-code-execution-vulnerability-found-in-imunify360/) +- [CloudLinux notice – Ai-Bolit security vulnerability before v32.7.4.0](https://cloudlinux.zendesk.com/hc/en-us/articles/23364954576540-Ai-Bolit-security-vulnerability-before-v32-7-4-0) +- [Imunify changelog (DEF-36789)](https://changelog.imunify.com/imunify-av) + +{{#include ../../banners/hacktricks-training.md}}