
I read about this malicious Sudo function on Nullbyte where by inserting this bash function into a victim's .bashrc/.bash_profile an attacker could exfiltrate sudo passwords fairly easily.

This got me thinking about other possible malicious functions, aliases, or commands that could be hidden and secretly executed here.

What are some well-known exploits of the .bashrc/.bash_profile files outside this one?

Kyle Fennell
    List-based answers are [considered off-topic](https://security.stackexchange.com/help/dont-ask), as it invites a large amount of answers, where every single answer is equally valid. Feel free to join the [chat](https://chat.stackexchange.com/rooms/151/the-dmz) however, where such "subjective" questions are a better fit. –  Jan 21 '20 at 10:01
  • Let me try to reword this so I’m not off-topic. – Kyle Fennell Jan 21 '20 at 10:06
  • Perhaps the question "How can `.bashrc` be used to attack a system?" would be a better fit? –  Jan 21 '20 at 10:28
  • Agreed. Changed title. – Kyle Fennell Jan 21 '20 at 10:35
  • Use `sudo chattr +i .bashrc` to protect it from changes and deletion. Use the argument -i to remove this protection. – Joakim L. Christiansen Dec 17 '21 at 17:24

1 Answer

3

This is not an exploit, as there is no underlying vulnerability to be exploited. It's more akin to malware, in the sense that it does something malicious on your system.

As you probably know, .bashrc and .bash_profile run after a user runs bash and authenticates successfully. This is not a vulnerability and very much so by design and/or necessity, however you want to look at it.

On the surface, it seems like a straightforward thing to use for an attacker to escalate their privileges. A file that executes anything as soon as the user does a trivial task. In practice however, this is more difficult. In order to edit the .bashrc or .bash_profile file, you need some way to edit arbitrary files with the permissions of the user you would like to attack. This is already an incredibly strong position to be in, and modifying those files will likely not get you into a better position. An analogy for this would be if you are holding a gun, then a toothpick will not be a better weapon.

Therefore, an attacker wants to either escalate their privileges even more, or they want to make their current access more consistent or more convenient. This is something that modifying .bashrc can help with. The example you already made shows this very well. By gathering the user's credentials, access to the machine could either be easier (connecting directly via SSH rather than using e.g. a web shell or some other exploit) or it could allow the attacker to execute commands rather than only writing files.

Other things an attacker may want to do are:

  • Modify system files to include malicious behavior (to persist access)
  • Gather administrative credentials to act as root (to escalate privileges)
  • Launch other malicious software (to make further exploitation more convenient)

How exactly those are done is not rocket science. .bashrc executes whatever you put there with the permission of the current user. You can use your imagination to come up with examples.

  • 1
    There's also this: *How do I explicitly and safely force the use of a built-in command in bash* https://unix.stackexchange.com/questions/188327/how-do-i-explicitly-and-safely-force-the-use-of-a-built-in-command-in-bash – mr.spuratic Jan 21 '20 at 12:35
  • @mr.spuratic It's a nice read, although more of a bash puzzle than an actual security risk. As I mentioned above, if an attacker can alias `cd`, then I am already neck-high in shit. –  Jan 21 '20 at 12:51
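Added example, not part of the question, the answer or the linked Nullbyte post: a small POSIX sh audit that scans a shell startup file for alias or function definitions that shadow commands such as `sudo` (the pattern the question describes) and reports the file and line. The watchlist and the sample startup file are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a bash startup file (.bashrc / .bash_profile) for definitions that
# shadow sensitive commands. Assumptions: POSIX sh, readable input file,
# and an illustrative (not exhaustive) watchlist.

WATCHLIST="sudo su ssh passwd cd ls"

# audit_shell_rc FILE
# Prints "<file>:<line>: <kind> <name>" for each suspicious definition.
# Returns 0 when nothing was found, 1 otherwise.
audit_shell_rc() {
    file="$1"
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # drop leading whitespace so indented definitions are caught too
        trimmed="${line#"${line%%[![:space:]]*}"}"
        case "$trimmed" in
            \#*) continue ;;   # comment line
        esac
        for name in $WATCHLIST; do
            case "$trimmed" in
                "alias $name="*)
                    printf '%s:%d: alias %s\n' "$file" "$n" "$name"; found=1 ;;
                "function $name "*|"function $name()"*|"$name()"*|"$name ()"*)
                    printf '%s:%d: function %s\n' "$file" "$n" "$name"; found=1 ;;
            esac
        done
    done < "$file"
    [ "$found" -eq 0 ]
}

# Constructed sample: a harmless alias, a PATH tweak, a function that
# shadows sudo (here it only forwards to the real binary), and a su alias.
SAMPLE_RC="$(mktemp)"
cat > "$SAMPLE_RC" <<'EOF'
# harmless
alias ll='ls -l'
export PATH="$HOME/bin:$PATH"
# shadows the real sudo
sudo() {
    command /usr/bin/sudo "$@"
}
alias su='echo nope'
EOF

audit_shell_rc "$SAMPLE_RC" || echo "suspicious definitions found in $SAMPLE_RC"
```

Run it against `~/.bashrc` and `~/.bash_profile` from a known-good shell; pairing the output with the `chattr +i` protection mentioned in the comments covers both detection and prevention.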