Day 67: Tar Cron 2 Root — Abusing Wildcards for Tar Argument Injection in root cronjob (Nix)

int0x33
Mar 7, 2019 · 3 min read

The Backstory

So, you compromise a low-level user on a system and you figure out this command is running as root…

We see that the command uses an asterisk, known as a wildcard. To understand why this is an issue, look at some common examples of wildcard usage…

# ls *.php
- List all files with PHP extension

# rm *.gz
- Delete all GZIP files

# cat backup*
- Show the content of all files whose names begin with the string 'backup'

# ls test?
- List all files whose names begin with the string 'test' followed by exactly one additional character

The above examples were taken from this paper which I suggest you read if you have not…

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

As you can see, * matches everything, so anything we put in /var/log/mon will be added to the compressed archive generated by tar: write pwn.c to /var/log/mon, and after extracting with tar -xvf /tmp/mon.tar.gz we will see pwn.c in it. Perfect, this is exactly the behaviour we want because it can be exploited to elevate privileges.

Exploiting Wildcards

It’s possible for us to use a number of primitives to create a privilege escalation exploit. The first thing we want to consider is what we hope to execute as root; here are a number of suggestions…

Write to /etc/sudoers

Add an entry to the /etc/sudoers file so that the current user can execute any command with sudo.

If you execute this as root then the user www-data can simply sudo bash to get a root shell.

SUID /bin/dash or other similar bins

If the s group of permissions has the user bit set (corresponding to u+s), then whenever anyone executes that program, the process takes on the privileges of whoever owns it. If root owns a file that’s marked u+s and o+x (everyone can execute it), then the file is called “suid root” — whenever anyone runs it, the program gets full root privileges.

Shell (Reverse/Bind)

When this executes as root, we will get a root session connecting back to us…

The Glue

In order to use these primitives we need a way to execute the commands as root, so it’s time to go back to the example…

If you look at the tar manual you will see the following entries:

Finally, we know that the wildcard means that we can do simple argument injection by writing the arguments we need as filenames.
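The same wildcard expansion that makes this injection possible is easy to audit for from the defender's side. Added example, not from the original post: a Python checker that scans /etc/crontab-style lines (the 7-field format with a user column is an assumption) for tar commands whose glob argument begins with a metacharacter and is not shielded by a preceding `--` or a literal prefix such as `./`; the sample crontab is constructed.

```python
import shlex
from typing import List, Tuple

GLOB_LEAD = ("*", "?", "[")               # token starting with these is a bare glob
SEPARATORS = {";", "&&", "||", "|", "&"}   # operators that start a new simple command

def unsafe_tar_globs(command: str) -> List[str]:
    """Return glob arguments of each tar call in a shell command line that the
    shell may expand to names starting with '-': the token begins with a glob
    metacharacter and no '--' precedes it within that tar call. Globs such as
    './*' or 'backup*' carry a literal prefix and are not reported."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    bad, in_tar, shielded, new_cmd = [], False, False, True
    for tok in lex:
        if tok in SEPARATORS:
            in_tar, shielded, new_cmd = False, False, True
        elif new_cmd:                      # first word of a simple command
            in_tar, new_cmd = tok.rsplit("/", 1)[-1] == "tar", False
        elif in_tar and tok == "--":
            shielded = True                # end of options: later names are files
        elif in_tar and not shielded and tok.startswith(GLOB_LEAD):
            bad.append(tok)
    return bad

def audit_crontab(text: str) -> List[Tuple[int, str, List[str]]]:
    """Scan /etc/crontab-style lines (5 time fields, user, command; an assumed
    format) and report (line number, user, globs) for each risky tar command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue                       # blank, comment or VAR=value line
        fields = line.split(None, 6)
        if len(fields) == 7 and (globs := unsafe_tar_globs(fields[6])):
            findings.append((lineno, fields[5], globs))
    return findings

# Constructed sample crontab, not taken from any real system.
SAMPLE = """\
# m h dom mon dow user command
*/1 * * * * root cd /var/log/mon && tar czf /tmp/mon.tar.gz *
0 3 * * * root tar czf /tmp/safe.tar.gz -- *
0 4 * * * backup cd /srv/data; tar czf /tmp/data.tgz ./*
"""

if __name__ == "__main__":
    for lineno, user, globs in audit_crontab(SAMPLE):
        print(f"line {lineno}: {user} runs tar with unshielded glob {globs}")
```

Only the first sample job is reported; the other two show the two fixes a defender can apply (`--` to end option parsing, or a `./` prefix so no expanded name can start with a dash).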

Putting It All Together

We want to go with sudoers file as we are lazy and just sudo bash, so let’s go…

Why two echos? Well, we want root to echo this otherwise we do not have the permissions we need to write to the file.

Once the cronjob executes we simply sudo to root…

The above is just one way to skin a cat, so to speak; you can use any of the above primitives in countless other ways to achieve the same objective of escalating privileges. I really suggest you check out GTFOBins for some inspiration on how to priv. esc.
