Message-ID: <CAGp_9Zh7b47xzkE_SfH=rTYeu-RCQTx1qG8Y=Fg8GC7-nDHHvA@mail.gmail.com>
Date: Fri, 18 Apr 2025 16:12:49 +0400
From: Housma mardini <housma@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] BBOT 2.1.0 - Local Privilege Escalation via Malicious Module Execution

Hi Full Disclosure,

I'd like to share a local privilege escalation technique involving BBOT
(Bighuge BLS OSINT Tool) when misconfigured with sudo access.

---

Exploit Title: BBOT 2.1.0 - Local Privilege Escalation via Malicious Module Execution
Date: 2025-04-16
Exploit Author: Huseyin Mardinli
Vendor Homepage: https://github.com/blacklanternsecurity/bbot
Version: 2.1.0.4939rc (tested)
Tested on: Kali Linux Rolling (2025.1)
CVE: N/A
Platform: Linux
Type: Local

### Description:

BBOT allows execution of custom Python modules during OSINT scans. When
configured as a sudo-executable (e.g., via NOPASSWD), a malicious module
can escalate privileges via the `setup()` function.

### PoC Steps:

1. Clone:
   git clone https://github.com/Housma/bbot-privesc.git

2. Run with sudo:
   sudo /usr/local/bin/bbot -t dummy.com -p preset.yml --event-types ROOT

3. A root shell is spawned via `bash -p` from within the module.

### GitHub (Full Write-up + PoC):
https://github.com/Housma/bbot-privesc

---

This exploit highlights how trusted open-source tools can be abused in
real-world environments.

Regards,
Huseyin Mardinli
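The advisory's precondition is a sudo rule that lets an unprivileged user run bbot as root, after which the user picks the preset and therefore the module code that runs with elevated privileges. The following is an added defender-side check, not code from the advisory or from the BBOT project: a small audit that scans sudoers-style user specifications and flags rules granting elevated execution of a module-loading tool. The sudoers content is constructed for the example; the `/usr/local/bin/bbot` path comes from the advisory, while the `MODULE_LOADING_TOOLS` set, the rating scheme and the simplified rule grammar (one command per rule, no aliases or continuations) are assumptions of the example.

```python
import re
from typing import Dict, List

# Tools known to load user-supplied code at run time. The advisory covers
# bbot, which executes custom Python modules named in a preset; add others
# relevant to your environment (this set is an assumption of the example).
MODULE_LOADING_TOOLS = {"bbot"}

# Constructed sample sudoers content for this check; it is not taken from the
# advisory or from any real system.
SUDOERS_SAMPLE = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
analyst     ALL=(root) NOPASSWD: /usr/local/bin/bbot
scanner     ALL=(root) NOPASSWD: /usr/local/bin/bbot -t dummy.com -p /etc/bbot/fixed.yml
ops         ALL=(root) /usr/bin/systemctl restart nginx
"""

# Matches one user specification of the form
#   user  host = (runas) TAG: command [args]
# Aliases, comma-separated command lists and line continuations are not
# handled; this is a deliberately small parser for the pattern in the advisory.
RULE_RE = re.compile(
    r"^(?P<who>[^\s#=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmd>\S.*)$"
)


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one finding per sudo rule that lets a user run a module-loading
    tool with elevated privileges.

    Unrestricted arguments are rated high, because the user then chooses the
    preset and the module code that runs as the target user. A fixed argument
    list is rated medium: it still needs a manual check that the referenced
    preset and module paths are not writable by that user.
    """
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines, aliases and anything else not parsed here
        cmd_parts = m["cmd"].split()
        binary, args = cmd_parts[0], cmd_parts[1:]
        if binary == "ALL":
            continue  # full-admin rules are a separate review item
        tool = binary.rsplit("/", 1)[-1]
        if tool not in MODULE_LOADING_TOOLS:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        runas = (m["runas"] or "root").split(":")[0]  # sudo defaults to root
        findings.append({
            "user": m["who"],
            "runas": runas,
            "binary": binary,
            "args": " ".join(args),
            "nopasswd": "NOPASSWD" in tags,
            "risk": "high" if not args else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS_SAMPLE):
        print(f"[{f['risk']}] {f['user']} may run {f['binary']} as {f['runas']}"
              f" (NOPASSWD={f['nopasswd']}) args={f['args'] or '<any>'}")
```

Run it over the contents of `/etc/sudoers` and each file under `/etc/sudoers.d`. On the sample it reports the `analyst` rule as high and the `scanner` rule as medium; the `ops` rule is not a module-loading tool and is ignored. Whether or not `NOPASSWD` is present does not change the outcome the advisory describes, since a user who knows their own password can still invoke the rule; the finding records the tag only to help prioritise. The fix is to drop the sudo rule rather than restrict arguments, or to run the scanner under a dedicated unprivileged account.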