Linux Privilege Escalation Abusing Shell Features

Hey Fellows,

I would like to share an interesting way of doing Linux privilege escalation by abusing shell features. The technique is quite out of the box, which is why I want to put it in this blog post. It has actually been known for a long time.

Let's start with the basic concept. This technique only works with bash versions older than 4.2-048.

There is a feature in bash that lets you define functions in a script, so the programmer can wrap code and execute it later. Because bash does not check the syntax of the function name, we can abuse it like this:

user@debian:~$ function /etc/rio { echo 'Magic Happened Here'; }
user@debian:~$ export -f /etc/rio

With the above code you are creating a bash function named /etc/rio and exporting it into the environment. So whenever you run /etc/rio, it will execute the echo.

So what would the attack look like?

Let's be creative. During post-exploitation enumeration on one of the boxes, we can find an application that has the SUID bit set. That means whenever we run the application, it runs as root. We can find SUID applications using this find query

Here we can see that the non-standard applications found are suid-env, suid-env2 and suid-so. Let's take a look at what suid-env2 does, using the simple strings tool.

We can see that this application (suid-env2) starts apache2 by running /usr/sbin/service apache2 start.

With the bash function technique we can override /usr/sbin/service with a function that runs a command of our choosing, which we can use to escalate ourselves to root.

Let's do the hack:

user@debian:~$ function /usr/sbin/service { /bin/bash -p; }
user@debian:~$ export -f /usr/sbin/service

Now it is time to run the application /usr/local/bin/suid-env2.

So when the application reaches the point where it needs to execute /usr/sbin/service apache2 start, /usr/sbin/service is no longer a path but a function: the exported definition travels through the environment into the shell that suid-env2 spawns, so the shell calls the /usr/sbin/service function, which executes /bin/bash -p.
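As an added example (not part of the original post), here is a small C program written from the defender's side. It flags exported bash functions whose names are shaped like paths, in both the legacy environment encoding (NAME=() { ...) that the affected bash versions use and the BASH_FUNC_NAME%% encoding that patched releases use, and it shows how a SUID helper like suid-env2 should start the service instead: execve() with an absolute path and a scrubbed environment, rather than handing a command line to a shell, so nothing the caller exported reaches the child. The sample environment entries, the PATH value and the function names are constructed for this example; the /usr/sbin/service path comes from the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Returns 1 when an environ entry ("NAME=value") carries an exported bash
 * function: the value starts with "() {" both in the legacy encoding
 * (NAME=() { ...) used by bash before 4.2-048 and in the namespaced encoding
 * (BASH_FUNC_NAME%%=() { ...) used by patched releases. */
int is_exported_function(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;
    return strncmp(eq + 1, "() {", 4) == 0;
}

/* Returns 1 when the exported function's name contains a '/', i.e. it is
 * shaped like an absolute command path and would shadow that command in a
 * vulnerable bash. The BASH_FUNC_ prefix and %% suffix are stripped first. */
int shadows_path(const char *entry)
{
    if (!is_exported_function(entry))
        return 0;
    const char *name = entry;
    size_t len = (size_t)(strchr(entry, '=') - entry);
    if (len > 10 && strncmp(name, "BASH_FUNC_", 10) == 0) {
        name += 10;
        len -= 10;
    }
    if (len >= 2 && strncmp(name + len - 2, "%%", 2) == 0)
        len -= 2;
    return memchr(name, '/', len) != NULL;
}

/* Counts path-shaped exported functions in a NULL-terminated environment. */
int count_path_functions(char *const envp[])
{
    int n = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        n += shadows_path(envp[i]);
    return n;
}

/* Hardened way for a SUID helper to start a service: no shell, an absolute
 * path passed straight to execve(), and a minimal constructed environment so
 * nothing the caller exported reaches the child. Returns the child's exit
 * status, or -1 on fork/exec failure. */
int run_service_safely(const char *unit)
{
    char *const argv[] = { "/usr/sbin/service", (char *)unit, "start", NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample entries mirroring the exports shown in the post. */
    char *const sample[] = {
        "PATH=/usr/bin:/bin",
        "/etc/rio=() {  echo 'Magic Happened Here'\n}",
        "BASH_FUNC_/usr/sbin/service%%=() {  /bin/bash -p\n}",
        NULL
    };
    printf("path-shaped exported functions in sample: %d\n",
           count_path_functions(sample));
    printf("path-shaped exported functions in this process: %d\n",
           count_path_functions(environ));
    return 0;
}
```

Running the program audits its own environment, which is the check a SUID helper (or a monitoring script wrapping one) can do before it spawns anything; the count for the constructed sample is 2. The real fix is the pattern in run_service_safely: a fixed argv, no shell, and an environment you built yourself, which holds even on a bash that still imports path-shaped function names.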
