Today I found quite an important security weakness on a Unix system. In fact the problem is very old and well known; it was already being exploited in the 1990s. Looking at the PATH variable, I found the following (for several users):
WOF-3(ora18):/ext/home4/ora18/ant# echo $PATH
At first glance it may look fine, but it is not. The problem is the first character, the ".". We are telling the shell that, when it looks for a command we have not given an absolute path to, it should search the directory we are currently in before anything else. The risk is that someone plants a kind of trojan on us: a program that does what it is supposed to do and "something else". The normal thing when you enter a directory is to see what is in it, so the usual thing is to run an ls. Now, what happens if I create my own ls, in this case a shell script (although I am more in favour of writing it in C and compiling it, so that it is a binary)?
WOF-3(ora18):/ext/home4/ora18/ant# cat ls
/usr/bin/ls "$@"      # run the real ls so the listing looks normal
date >> when_my_ls    # payload: log every time this fake ls is executed
The shell script I have created calls the real ls so that the listing still appears; whoever runs it will see their ls, and on top of that I have added a payload, in this quite simple case writing the current time to a log file, a kind of "keylogger" or what we could call an "executelogger". Every time my ls is executed it leaves a record.
In this case the payload is very simple, but it could be elaborated to do many things, from an rm to copying the shadow file or escalating privileges very quickly.
For it to work we give the script execute permission:
WOF-3(ora18):/ext/home4/ora18/ant# chmod 777 ls
WOF-3(ora18):/ext/home4/ora18/ant# ls -lrt
drwxr-xr-x 2 orap12 oinstall 4 May 18 09:16 cron
drwxr-xr-x 3 orap12 oinstall 5 Jun 20 10:14 oneoff_218934948
drwxr-xr-x 2 orap12 oinstall 2 Sep 13 16:25 automateX
-rwxrwxrwx 1 orap12 oinstall 34 Sep 24 12:38 ls
After running the fake ls a few times, we see what the log has recorded:
WOF-3(ora18):/ext/home4/ora18/ant# cat when_my_ls
Monday, September 24, 2018 12:40:44 PM CEST
Monday, September 24, 2018 12:40:58 PM CEST
Monday, September 24, 2018 12:41:43 PM CEST
#1 Never have the "." as the first entry. As a first option, replace .:/usr/bin:/bin: with /usr/bin:/bin:.: so that the shell first looks where it should look.
#2 Run commands with their absolute path, although that can be quite tedious: /usr/bin/ls instead of ls.
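To turn these two recommendations into something you can check on a box, here is an added example in POSIX sh; it is not code from the original post. audit_path reports the PATH entries that make this hijack possible (".", an empty field, a relative directory, or a world-writable directory) and resolve_cmd shows which file a name such as ls actually resolves to under a given PATH from the current directory. The function names, and the use of find -perm -0002 to detect world-writable directories, are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this article, not code from the original post.
# Assumptions: POSIX sh, find(1) understanding "-perm -0002", command -v.

# audit_path [PATH-string]
# Prints one line per risky entry in the given PATH (default: $PATH) and
# returns 1 if any were found, 0 if the PATH is clean.  Risky entries are:
#   - "." or an empty field (both mean "search the current directory"),
#   - any relative directory (resolved against wherever you happen to be),
#   - any world-writable directory (another user can drop an "ls" there).
audit_path() {
    path=${1-$PATH}
    findings=$(
        # tr turns the ':'-separated list into one entry per line; unlike
        # "set -- $path" with IFS=':' this keeps a trailing empty field ("/bin:").
        printf '%s\n' "$path" | tr ':' '\n' | {
            n=0
            while IFS= read -r dir; do
                n=$((n + 1))
                case $dir in
                    ''|.)
                        printf 'entry %d "%s": current directory is searched\n' "$n" "$dir" ;;
                    /*)
                        if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
                            printf 'entry %d "%s": world-writable directory\n' "$n" "$dir"
                        fi ;;
                    *)
                        printf 'entry %d "%s": relative directory\n' "$n" "$dir" ;;
                esac
            done
        }
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# resolve_cmd PATH-string NAME
# Prints the file the shell would execute for NAME under that PATH from the
# current directory, e.g. "./ls" when "." comes first and a fake ls is here.
resolve_cmd() {
    ( PATH=$1; export PATH; command -v "$2" )
}

# Demonstration with the two PATH values from the article.
audit_path ".:/usr/bin:/bin:" || echo "unsafe: '.' first and a trailing ':'"
audit_path "/usr/bin:/bin:."  || echo "still searches '.', but only after the system directories"
```

Note that an empty field, such as the trailing colon in both PATH values above, is searched as the current directory exactly like ".", which is why audit_path reports it too; the only fully safe option is to have no such entry at all, and resolve_cmd lets you confirm from any directory that ls still resolves to an absolute path.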
HTH – Antonio NAVARRO