I'm researching an embedded device running Linux, busybox, and a few custom services. I've found a way to obtain unprivileged shell access, and trying to see if it's possible to escalate privileges.
The kernel is old and looks vulnerable, however the biggest obstacle is that the entire filesystem is read-only (including /tmp and /dev/shm), i.e. 644/755 and everything is owned by root.
What are some possible ways to execute custom native code on a read-only filesystem, having only shell access?
Some possible avenues I've tried:
- Get the system to mount your filesystem (requires root or physical access)
- Get the system to save an ELF binary somewhere on the filesystem, then run
/lib/ld-linux.so.2with it (couldn't find a way to do this) - Run
/lib/ld-linux.so.2with a pipe or/proc/self/environ(doesn't work,ld-linuxrequires the file to bemmap-able) - Use
dd of=/proc/self/memto clobberdd's stack (the kernel is pre-2.6.39, where writing to/proc/self/memis disabled) - Find a program with a vulnerability in handling command-line or environment arguments (nothing so far)
- Find a scripting language capable of making syscalls (the only scripting facility is busybox's shell)
- Write to a UNIX socket and get the service listening on it to do something (no utilities exist on the filesystem which would allow sending arbitrary data to UNIX sockets)
Have I overlooked anything?
