CVE-2021-31154
Description
pleaseedit in please before 0.4 uses predictable temporary filenames in /tmp and the target directory. This allows a local attacker to gain full root privileges by staging a symlink attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An insecure temporary file creation vulnerability in pleaseedit before 0.4 allows local attackers to gain root privileges via a symlink attack.
Vulnerability
pleaseedit, a component of the privilege escalation tool pleaser (also known as please) versions before 0.4, uses predictable temporary filenames in /tmp and the target directory. This lack of randomness allows a local attacker to stage a symlink race attack. [1][2][3]
Exploitation
An attacker must have a local user account and be permitted to run a command via please (i.e., be listed in the please.ini configuration). By pre-creating a symbolic link with the predictable temporary filename pointing to a sensitive system file (e.g., /etc/shadow), the attacker can trick the setuid-root pleaseedit process into writing attacker-controlled content to that file, thereby overwriting critical system files. The attack requires precise timing to win the race condition between the temporary file creation and the write operation. [1]
Impact
Successful exploitation allows a local attacker to gain full root privileges. By overwriting files such as /etc/passwd or /etc/shadow, the attacker can escalate to root, leading to complete compromise of system confidentiality, integrity, and availability. [1][2][3]
Mitigation
The vulnerability is fixed in pleaser version 0.4 and later. Users should upgrade to version 0.4 or newer. There are no known workarounds for versions prior to 0.4. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. [1][3]
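The pattern that closes this class of bug, as an added Rust example (not code from pleaser or from any reference on this page): stage the edited contents in a temp file whose name comes from the OS CSPRNG, open it with O_CREAT|O_EXCL so a planted symlink makes the open fail instead of being followed, and rename it over the target. The helper names and the /dev/urandom source are assumptions; it targets Unix only.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::path::{Path, PathBuf};

// Hypothetical helper: draw the unpredictable part of the name from the OS CSPRNG.
fn random_suffix() -> io::Result<String> {
    let mut buf = [0u8; 8];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf.iter().map(|b| format!("{:02x}", b)).collect())
}

/// Open `path` only if nothing is there yet. `create_new` is O_CREAT|O_EXCL, so a
/// file or symlink already planted at the path makes the open fail (AlreadyExists)
/// instead of silently following the link to a sensitive file.
pub fn open_exclusive(path: &Path) -> io::Result<File> {
    OpenOptions::new().write(true).create_new(true).mode(0o600).open(path)
}

/// Create a temp file in `dir` whose name an unprivileged user cannot guess in
/// advance, retrying a few times if a collision (or a planted entry) is hit.
pub fn create_temp_exclusive(dir: &Path, prefix: &str) -> io::Result<(PathBuf, File)> {
    for _ in 0..16 {
        let path = dir.join(format!("{}.{}", prefix, random_suffix()?));
        match open_exclusive(&path) {
            Ok(f) => return Ok((path, f)),
            Err(e) if e.kind() == io::ErrorKind::AlreadyExists => continue,
            Err(e) => return Err(e),
        }
    }
    Err(io::Error::new(io::ErrorKind::AlreadyExists, "no free temp name in dir"))
}

/// Write edited contents back: stage them in a fresh exclusive temp file in the
/// target's own directory, flush, then rename(2) over the target. rename replaces the
/// directory entry itself, so a symlink sitting at `target` is replaced, not followed.
pub fn replace_file_atomically(target: &Path, contents: &[u8]) -> io::Result<()> {
    let dir = target.parent().unwrap_or_else(|| Path::new("."));
    let (tmp_path, mut tmp) = create_temp_exclusive(dir, ".pleaseedit")?;
    if let Err(e) = tmp.write_all(contents).and_then(|_| tmp.sync_all()) {
        let _ = fs::remove_file(&tmp_path); // clean up the staging file on failure
        return Err(e);
    }
    fs::rename(&tmp_path, target)
}
```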
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pleaser (crates.io) | < 0.4.0 | 0.4.0 |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- github.com/advisories/GHSA-pp74-39w2-v4w9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-31154 (ghsa, ADVISORY)
- crates.io/crates/pleaser (ghsa, WEB)
- gitlab.com/edneville/please/-/tree/master/src/bin (ghsa, x_refsource_MISC, WEB)
- rustsec.org/advisories/RUSTSEC-2021-0102.html (ghsa, WEB)
- www.openwall.com/lists/oss-security/2021/05/18/1 (ghsa, x_refsource_MISC, WEB)
News mentions (0)
No linked articles in our index yet.