var img = document.createElement('img'); img.src = "https://calabrone.net/piwik.php?idsite=2&rec=1&url=https://stinger.io" + location.pathname; img.style = "border:0"; img.alt = "tracker"; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(img,s);
Skip to main content

Files and Directories

Misconfigured world-writable files and directories can allow for privilege escalation.

Search for files with world-writable permissions:

find / -type f -perm -0002 -exec ls -l {} \;

Example output:

-rwxrwxrwx 1 root  wheel  12345 Jan 1 12:34 /tmp/misconfig.txt

If a directory is world-writable (e.g., /tmp), malicious scripts or binaries can be placed in that directory and executed by a root process or a process with higher privileges.

Example:

echo '/bin/bash' > /tmp/myscript && chmod +x /tmp/myscript
sudo /tmp/myscript

Examine Setuid and Setgid Binaries

Setuid and Setgid binaries allow users to run certain programs with the permissions of the program’s owner (usually root).

Search for binaries with the setuid bit set:

find / -type f -perm -4000 -exec ls -l {} \;

Example output:

-rwsr-xr-x 1 root  wheel  123456 Jan 1 12:34 /usr/bin/sudo

Abuse Setuid Programs

For example, the perl interpreter (if setuid) could be used to spawn a root shell:

/usr/bin/perl -e 'exec "/bin/sh";'

Using world-writable files and directories for privilege escalation is a well-known attack vector in penetration testing. World-writable files and directories are those that allow any user, even low-privileged ones, to modify their contents. If such files are executable or contain sensitive information, they can be exploited by attackers to gain higher privileges or execute arbitrary code with elevated permissions (often root).

Exploiting World-Writable Directories

The /tmp directory is often used by programs for temporary storage. By default, this directory is usually world-writable. If a service running with higher privileges (like root) creates files or runs scripts in this directory, an attacker can potentially exploit it.

Example 1: Malicious Script in /tmp

If the /tmp directory is world-writable and there is a service running as a privileged user (e.g., root), it might execute scripts from this directory without proper validation. An attacker could place a malicious script in /tmp and wait for a service to run it.

Step 1: Create a malicious script in /tmp

echo '/bin/bash' > /tmp/myscript
chmod +x /tmp/myscript

Step 2: Wait for a service to execute this script

If a service runs scripts from /tmp without proper validation, it might execute the attacker’s script, giving the attacker a root shell.

Example Exploit:

sudo /tmp/myscript

Outcome:

The attacker receives a shell with root privileges if the service running with root executes the /tmp/myscript.

Real-World Example:

CVE-2017-7494 (Samba vulnerability):

A vulnerability in the Samba service allowed remote attackers to upload a crafted shared library to a world-writable directory, which Samba would then load with elevated privileges. This led to privilege escalation on vulnerable systems.

Exploiting World-Writable Files with Setuid Binaries

Setuid is a permission flag in Unix-like systems that allows executables to run with the privileges of the file owner (often root) rather than the user executing the binary. If a world-writable Setuid binary exists, an attacker could modify the binary or replace it with their own payload, leading to privilege escalation.

Example 2: Replacing a World-Writable Setuid Binary

Step 1: Locate world-writable Setuid binaries

First, find binaries with the setuid bit set that are also world-writable.

find / -type f -perm -4000 -exec ls -l {} \; | grep 'w'

Example output:

-rwsrwxr-x 1 root root 12345 Jan 1 12:34 /usr/bin/vulnerable_binary

Here, /usr/bin/vulnerable_binary is a setuid binary that is world-writable.

Step 2: Replace the world-writable binary with a malicious payload

If an attacker has write access to the binary, they can replace it with a payload that grants them root access when executed.

echo '/bin/bash' > /usr/bin/vulnerable_binary
chmod +x /usr/bin/vulnerable_binary

Step 3: Execute the binary to escalate privileges

The attacker can now execute the binary with root privileges because of the Setuid flag.

/usr/bin/vulnerable_binary

Outcome:

The attacker gets a root shell because the Setuid binary is executed with root privileges.

Real-World Example:

CVE-2016-5195 (Dirty COW exploit):

This was a well-known kernel vulnerability that allowed local privilege escalation by exploiting a race condition in the mmap() system call. The attacker could overwrite a world-writable file mapped in memory, ultimately escalating privileges.

Exploiting World-Writable Log Files

Many services (e.g., web servers, databases, system daemons) write log files to locations that are often world-writable (e.g., /var/log). If these logs are not properly sanitized or validated, an attacker could write arbitrary commands to the log files. A script or service reading these log files could then execute the attacker’s code with higher privileges.

Example 3: Injecting Malicious Code into World-Writable Log Files

Step 1: Check for world-writable log files

find /var/log -type f -perm -0002 -exec ls -l {} \;

Example output:

-rw-rw-rw- 1 root root 12345 Jan 1 12:34 /var/log/webserver.log

Here, /var/log/webserver.log is a world-writable log file.

Step 2: Inject malicious code into the log file

An attacker can append a malicious command to the log file that will be executed by a script that processes the log.

echo "echo '/bin/bash' > /tmp/shell; chmod +x /tmp/shell" >> /var/log/webserver.log

Step 3: Wait for the service to process the log file

If a service or script automatically processes log files and executes any commands within them (e.g., log monitoring or post-processing scripts), it will execute the malicious code.

Step 4: Access the root shell

Once the command is executed, the attacker can access the shell at /tmp/shell:

/tmp/shell

Outcome:

The attacker gains root access if the log processing mechanism runs with elevated privileges (e.g., root).

Real-World Example:

CVE-2019-9213 (Apache HTTPD vulnerability):

Apache HTTPD has a vulnerability where it allows attackers to inject arbitrary commands into log files, which could be executed if the log files were processed by vulnerable services running as root.

Exploiting World-Writable Configuration Files

Many software applications store sensitive information, including credentials, in configuration files. If these files are world-writable, attackers can modify the configuration to escalate privileges or inject malicious code.

Example 4: Modifying World-Writable Configuration Files

Step 1: Check for world-writable configuration files

find /etc -type f -perm -0002 -exec ls -l {} \;

Example output:

-rw-rw-rw- 1 root root 1234 Jan 1 12:34 /etc/myapp/config.conf

Here, /etc/myapp/config.conf is a world-writable configuration file.

Step 2: Modify the configuration file to run arbitrary commands

The attacker can insert commands to be executed when the application runs. For example, if the application runs a script upon startup, the attacker can modify the configuration file to include a command like:

echo "myapp --run /bin/bash" > /etc/myapp/config.conf

Step 3: Trigger the application to execute the modified configuration

When the application restarts or loads the configuration, it will run the attacker’s command.

Outcome:

The attacker executes the arbitrary code with the privileges of the application (often root if the application runs as root).

Real-World Example:

CVE-2018-16535 (Vulnerability in sudo):

A misconfiguration in sudo allowed unauthorized users to escalate privileges by modifying a configuration file that controlled access to sudo commands.

Exploiting world-writable files and directories is a classic and effective method for privilege escalation. Common attack vectors include:

  1. World-writable directories like /tmp: Placing a malicious script that will be executed by a privileged process.

  2. World-writable Setuid binaries: Replacing the binary with a malicious payload that runs with root privileges.

  3. World-writable log files: Injecting commands into log files that are later executed by a service or script.

  4. World-writable configuration files: Modifying configuration files to execute arbitrary commands when an application loads the configuration.

These vulnerabilities highlight the importance of proper file and directory permissions, as well as the need for continuous monitoring and hardening of sensitive files and services.

File System Misconfigurations

Misconfigurations in file system permissions or symbolic links can be leveraged for privilege escalation. Check if directories like /bin, /usr/bin, /Library are writable by non-root users:

ls -ld /bin /usr/bin /Library

Symlinks can be leveraged to overwrite sensitive files if misconfigured.

Example:

ln -s /bin/bash /tmp/symlink
sudo /tmp/symlink

Exploiting Weak File Permissions in Applications

Weak file permissions in installed applications can lead to privilege escalation. Look for applications with setuid/setgid permissions or world-writable files:

find /Applications -type f -perm -4000 -exec ls -l {} \;