[#thread 🧵] For this second day of #CyberAdvent (2/24), we will be talking about a common #PrivilegeEscalation when using the * (wildcard) in shell scripts. Almost everyone has used at least once the * (wildcard) in a shell script but what really happens with the #wildcard ? 🦋
[#thread 🧵(2/7)] We will take as an example this shell script, performing a backup of a website using tar and a wildcard:
[#thread 🧵(3/7)] In this script, the shell replaces the wildcard with matching files from the current directory then executes the command. The * character is never sent to the command (TAR in our case) instead a list of matched files will be sent as arguments to the command.
The thing is, filenames can be interpreted as options by the program if you create filenames beginning with dashes. WTF is going on here ?
[#thread 🧵(4/7)] If we list files using ls * in a folder with normal files in it, everything goes well and we have the expected output:
[#thread 🧵(5/7)] Now if an attacker can create files in this folder and creates files beginning with dashes like in program options, the wildcard will be replaced by these files, and these filenames will be treated as options:
[#thread 🧵(6/7)] After the wildcard expansion in the shell, the command will be transformed from ls * to:
ls -lha file1 file2 file3
And the filenames beginning with dashes will be considered as options and will be interpreted by ls:
[#thread 🧵(7/7)] As an attacker we can leverage this behavior to exploit the program to escalate our privileges using legitimate program options to execute commands. Many of these techniques to exploit well known programs on linux can be found here:
gtfobins.github.io
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.