RayVentory Scan Engine Privilege Escalation Vulnerability via PATH Environment Variable Manipulation

A vulnerability in RayVentory Scan Engine in versions through 12.6 Update 8 allows for privilege escalation by manipulating the PATH environment variable. This issue arises because the application loads shared objects and system binaries using relative paths, enabling an attacker to interfere with the execution of these files. The vulnerability is considered a site-specific misconfiguration, as it depends on the ability to control the environment.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation by allowing a user to execute arbitrary binaries or shared objects with elevated rights.

Reproduction

The vulnerability can be reproduced by changing the PATH variable to include a directory where a malicious binary or shared object is placed. After uploading the crafted file, the PATH variable is adjusted to prioritize the custom directory. When a command is executed that calls a system binary or shared object, the tampered version is used, thereby exploiting the vulnerability. This can be done with the 'ndtrack' binary, which calls other commands using relative paths, or by directly invoking 'ndtrack' while the PATH variable is set to include the malicious binary.