creekorful/blog
1
0
Fork 0
Code Issues 7 Pull requests Projects Releases Packages Wiki Activity Actions

Reword setuid blog post

Browse source
This commit is contained in:
Aloïs Micard 2020-09-18 14:15:15 +02:00
parent 6a6406d59e
commit 3c620d4947
2 changed files with 15 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

8
content/posts/docker-privilege-escalation.md
View file

@ -6,10 +6,14 @@ authorTwitter = "" #do not include @
cover = "" cover = ""
tags = ["Docker", "Security", "Privilege Escalation"] tags = ["Docker", "Security", "Privilege Escalation"]
keywords = ["", ""] keywords = ["", ""]
description = "" description = "How to gain root access by using a Docker engine running with default configuration."
showFullContent = false showFullContent = false
+++ +++
This blog post is part of a series around [security](/tags/security) & [privilege escalation](/tags/privilege-escalation).
---
I have done a little security audit on a friend VPS last week, he was providing Docker runtime I have done a little security audit on a friend VPS last week, he was providing Docker runtime
to some people, with SSH access, and wanted to know if his setup was secure. to some people, with SSH access, and wanted to know if his setup was secure.
@ -55,7 +59,7 @@ drwx------ 6 root root 4096 Aug 25 09:14 .
-rw-r--r-- 1 root root 5774 Aug 25 09:55 .bash_history -rw-r--r-- 1 root root 5774 Aug 25 09:55 .bash_history
``` ```
Since Docker has SUID bit set, we were able to mount the whole host disk Since Docker has setuid bit set, we were able to mount the whole host disk
inside the /mnt/root partition (*-v /:/mnt/root*). And since we are root, we can list */root*. inside the /mnt/root partition (*-v /:/mnt/root*). And since we are root, we can list */root*.
Now let's try to mount again the host filesystem Now let's try to mount again the host filesystem

13
content/posts/setuid-privilege-escalation.md
View file

@ -6,10 +6,14 @@ authorTwitter = "" #do not include @
cover = "" cover = ""
tags = ["Security", "Privilege Escalation"] tags = ["Security", "Privilege Escalation"]
keywords = ["", ""] keywords = ["", ""]
description = "" description = "How to gain root access by exploiting wrongly designed setuid executables."
showFullContent = false showFullContent = false
+++ +++
This blog post is part of a series around [security](/tags/security) & [privilege escalation](/tags/privilege-escalation).
---
[Setuid](https://en.wikipedia.org/wiki/Setuid) is a Unix access rights flag that allow users to run an executable [Setuid](https://en.wikipedia.org/wiki/Setuid) is a Unix access rights flag that allow users to run an executable
with the file system permissions of the executable's owner. with the file system permissions of the executable's owner.
@ -64,14 +68,14 @@ int main() {
this executable has been designed by a sysadmin to allows non-root users to update the server packages this executable has been designed by a sysadmin to allows non-root users to update the server packages
to their latest version (very bad practice btw). to their latest version (very bad practice btw).
While it may look simple & secure, it has an **important** vulnerability: a path injection vulnerability: While it may look simple & secure, it has a **serious** vulnerability.
It uses the [apt](https://manpages.debian.org/buster/apt/apt.8.en.html) It uses the [apt](https://manpages.debian.org/buster/apt/apt.8.en.html)
executable but doesn't invoke directly `/usr/bin/apt` but rather relies on apt to be in the [PATH](https://en.wikipedia.org/wiki/PATH_(variable)). executable but doesn't invoke directly `/usr/bin/apt` but rather relies on apt to be in the [PATH](https://en.wikipedia.org/wiki/PATH_(variable)).
Let's see how we can use this at our advantages by polluting the PATH. Let's see how we can use this at our advantages by polluting the PATH.
### How the PATH work exactly? ### How does the PATH work exactly?
The PATH variable is used to lookup executables when issuing command. It is composed of directories to include The PATH variable is used to lookup executables when issuing command. It is composed of directories to include
while searching, separated by a semicolon ':'. while searching, separated by a semicolon ':'.
@ -102,7 +106,8 @@ uid=0(root) gid=1001(creekorful) groups=1001(creekorful)
When the OS has look up the apt executable it searches in the following location: When the OS has look up the apt executable it searches in the following location:
- /tmp/foo - /tmp/foo
[rest of the path]
*[rest of the path]*
since we have appended /tmp/foo at first, the OS was able to find the apt executable in it since we have appended /tmp/foo at first, the OS was able to find the apt executable in it
and has executed it (with root privileges since they are propagated). and has executed it (with root privileges since they are propagated).