creekorful/blog
1
0
Fork 0
Code Issues 7 Pull requests Projects Releases Packages Wiki Activity Actions

Reword blog post

Browse source
This commit is contained in:
Aloïs Micard 2020-09-18 06:38:32 +02:00
parent d9461ab4aa
commit 6a6406d59e
1 changed files with 13 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

25
content/posts/setuid-privilege-escalation.md
View file

@ -24,7 +24,7 @@ Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
``` ```
will be executed as root (Uid 0), no matter what the current user is. will be executed as root (Uid 0), no matter what the current user is.
This feature allows un-privileged user to change their password by editing `/etc/shadow` (root owner) using passwd. This allows un-privileged user to change their password by editing `/etc/shadow` (root owner) using passwd.
# How setuid may be exploited? # How setuid may be exploited?
@ -40,13 +40,12 @@ Let's see how we can exploit a badly designed setuid program to gain root access
# Exploiting a setuid executable # Exploiting a setuid executable
They are multiple ways to exploit an executable (buffer overflow, stack overflow, etc...) They are multiple ways to exploit an executable (buffer overflow, stack overflow, etc...)
in this section we will focus on one of the most widely spread yet easy to use in this section we will focus on one of the easiest vulnerability to exploit: path injection.
vulnerability: path injection.
## Path injection ## Path injection
Path injection is a widely spread vulnerability. It happens when an executable refer to Path injection is a common vulnerability. It happens when an executable refer to
another executable without using the full path to it. Let's take an example: another one without using the full path to it. Let's take an example:
```sh ```sh
$ cat apt-updater.c $ cat apt-updater.c
@ -62,11 +61,12 @@ int main() {
} }
``` ```
this executable has been designed by a sysadmin to allows user to update the server packages to their latest version (very bad practice btw). this executable has been designed by a sysadmin to allows non-root users to update the server packages
to their latest version (very bad practice btw).
While it may look simple & secure, it has an **important** vulnerability: a path injection vulnerability: While it may look simple & secure, it has an **important** vulnerability: a path injection vulnerability:
It uses the [apt](https://manpages.debian.org/stretch/apt/apt.8.fr.html) It uses the [apt](https://manpages.debian.org/buster/apt/apt.8.en.html)
executable but doesn't invoke directly `/usr/bin/apt` but rather relies on apt to be in the [PATH](https://en.wikipedia.org/wiki/PATH_(variable)). executable but doesn't invoke directly `/usr/bin/apt` but rather relies on apt to be in the [PATH](https://en.wikipedia.org/wiki/PATH_(variable)).
Let's see how we can use this at our advantages by polluting the PATH. Let's see how we can use this at our advantages by polluting the PATH.
@ -74,7 +74,7 @@ Let's see how we can use this at our advantages by polluting the PATH.
### How the PATH work exactly? ### How the PATH work exactly?
The PATH variable is used to lookup executables when issuing command. It is composed of directories to include The PATH variable is used to lookup executables when issuing command. It is composed of directories to include
while searching, separated by a ':'. while searching, separated by a semicolon ':'.
For example: `/usr/local/bin:/usr/bin:/bin` means that executables will be searched in the following directories: For example: `/usr/local/bin:/usr/bin:/bin` means that executables will be searched in the following directories:
@ -88,7 +88,7 @@ be searched in the others directories.
### Exploiting the vulnerability ### Exploiting the vulnerability
Since the executable relies on the PATH to lookup apt location, we can simply create a dummy `apt` executable script Since the executable relies on the PATH to lookup apt location, we can simply create a dummy `apt` executable script
that will just open a shell (/bin/sh) and place it into a directory that will be in the PATH. that will open a shell (/bin/sh) and place it in a directory that will be in the PATH.
```sh ```sh
$ mkdir /tmp/foo # create random directory to put the script $ mkdir /tmp/foo # create random directory to put the script
@ -99,10 +99,10 @@ $ PATH=/tmp/foo:$PATH /usr/local/bin/apt-updater # override the PATH variable to
uid=0(root) gid=1001(creekorful) groups=1001(creekorful) uid=0(root) gid=1001(creekorful) groups=1001(creekorful)
``` ```
When the OS has looked up the apt executable it has search in the following location: When the OS has look up the apt executable it searches in the following location:
- /tmp/foo - /tmp/foo
- [...] [rest of the path]
since we have appended /tmp/foo at first, the OS was able to find the apt executable in it since we have appended /tmp/foo at first, the OS was able to find the apt executable in it
and has executed it (with root privileges since they are propagated). and has executed it (with root privileges since they are propagated).
@ -135,7 +135,8 @@ and may have been badly designed.
It is fairly easy to determinate if the executable is vulnerable: one could simply look if it calls It is fairly easy to determinate if the executable is vulnerable: one could simply look if it calls
other executables without using full path. other executables without using full path.
This is done easily by using [strings](https://linux.die.net/man/1/strings). This is done easily by using [strings](https://manpages.debian.org/buster/binutils-common/strings.1.en.html)
which is a program used to extract printable characters from a file.
```sh ```sh
$ strings /usr/local/bin/apt-updater $ strings /usr/local/bin/apt-updater