I'm reading this and I'm a little confused. What exactly is this setuid based script root spoofing?
1 Answer
This is a theoretical attack that could allow a user to elevate their privileges to root.
Say we have a setuid-root script.sh like this:
#!/bin/bash
echo Hello World!
When the script is executed, the OS reads the first line, then uses that program to run the script. The command it will execute is: /bin/bash script.sh
A twist on setuid scripts is that a user can create a link to the script, say myscript.sh, and now the command would be /bin/bash myscript.sh. This is starting to be a bit worrying because perhaps the user could call their link "-c ls" and run a command as root that they're not supposed to.
However, bash and Linux have a number of other defences that make this impractical. For example, the command on Linux would be /bin/bash "./-c ls" which is not exploitable. It's possible that other shells and OSes are vulnerable.
All of this only applies if you have a setuid-root shell script. This is not recommended anyway - for these reasons and more. In fact, on Linux you can't have setuid shell scripts at all.
If you're interested in this area in general, Nebula is worth a look.
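As an added example that is not part of the answer above: since the answer's point is that setuid-root scripts are a misconfiguration (and that Linux ignores the setuid bit on interpreter scripts while other systems may not), a defender's first question is whether any such files exist. The function below walks a directory tree, lists files with the setuid or setgid bit set, and reports those whose first two bytes are "#!" (i.e. interpreter scripts) together with the interpreter named on the shebang line. The directory path is supplied by the caller; nothing here is assumed about any particular system's layout.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a directory tree for
# setuid/setgid files that are interpreter scripts (first two bytes "#!").
# Linux does not honour the setuid bit on such scripts, but their presence
# still indicates a misconfiguration, and other OSes may honour the bit.
# Usage: find_setuid_scripts /some/directory
find_setuid_scripts() {
    dir="$1"
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Only the first two bytes are needed to recognise a script
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            # The interpreter is the remainder of the first line after "#!"
            interp=$(head -n 1 "$f" | sed 's/^#!//; s/^[[:space:]]*//')
            printf '%s\t%s\n' "$f" "$interp"
        fi
    done
}
```

Each output line is the path of a setuid/setgid script and the interpreter it names, tab separated; a clean system prints nothing. Setuid binaries (ELF files and the like) are deliberately not reported, since the answer's concern is specifically scripts run through an interpreter.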