Path Abuse

General

Path abuse vulnerabilities occur when an attacker is able to manipulate the search path that is used by the operating system to locate executables. The search path is a list of directories that the operating system looks in, in a specific order, to find an executable file when it is launched. If an attacker can modify the search path, they can potentially execute arbitrary code with the privileges of the user or process that is trying to launch the file.

One way an attacker might exploit a path abuse vulnerability is by placing a malicious executable in a directory that is earlier in the search path than the directory that contains the legitimate executable. For example, if the search path is set to look in the attacker's home directory before looking in the system directory, the attacker could place a malicious version of the ls command in their home directory, and it would be executed instead of the legitimate version when the user runs the ls command.

Example to understand the concept

Imagine you have a toy box with all of your toys in it. When you want to play with a toy, you have to go to the toy box and find the toy you want. The toy box is like the search path on your computer, and the toys are like the programs or commands you want to run.

Now, let's say that someone comes along and hides one of your favorite toys in a different place, like under the couch or in the closet. When you go to the toy box to find the toy, it's not there! But, if you look under the couch or in the closet, you might find the toy. This is kind of like what happens when someone takes advantage of a path abuse vulnerability. They can hide a "fake" version of a program you want to use somewhere else on the computer, and when you try to run the program, the fake version will be used instead of the real one.

To protect against this, you can make sure that only the toy box is used to find toys, and not the couch or the closet. On a computer, you can do this by making sure the search path is set up correctly and only includes trusted directories. You can also make sure to use the full path to a program (like the exact location of the toy in the toy box) instead of just the name of the program. This will help make sure you always find the real version of the program you want to use.

Commands

Attack Vectors from $PATH vulnerability

  • Adding a directory to the search path: If an attacker can add a directory that they control to the search path, they can place a malicious version of a commonly used command in that directory and potentially execute arbitrary code when the command is run.
  • Modifying a binary: If an attacker can modify a binary file in a directory that is earlier in the search path than the directory that contains the legitimate version of the file, they can potentially execute arbitrary code with the privileges of the user or process that is trying to launch the file.
  • Exploiting symbolic links: If an attacker can create a symbolic link to a malicious executable in a directory that is earlier in the search path than the directory that contains the legitimate executable, they can potentially execute arbitrary code with the privileges of the user or process that is trying to launch the file.

  1. Check the search path of the user
echo $PATH
  2. Check for directories in the search path that might have vulnerable permissions
ls -ld     ---> Run this in each directory from $PATH (check the permissions)
  • If you have write access, you can simply replace a binary with an evil script
    • Make sure your evil script is found before the real one in the $PATH order
  3. Check for symbolic links in the search path (create/modify)
ls -l  ---> Symbolic links create shortcuts to folders (might give access to other directories)
  • Check if you are able to create symbolic links (ln -s /usr/local/EVIL.sh Symbolic-Link)
    • You can call an evil executable from another directory where you might have write access
  4. Create an evil binary (if you have access to a directory that is earlier in the search path than the directory that contains the legitimate executable)
# Example ls binary
touch ls
echo 'echo "PATH ABUSE!!"' > ls
chmod +x ls
  5. Check if you can modify $PATH (add your path before the others and create the evil binary)
export PATH=$PATH:/usr/local/EVIL-DIR  ---> Append the folder at the end of $PATH
export PATH=/usr/local/EVIL-DIR:$PATH  ---> Prepend the folder at the beginning of $PATH
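The first three steps (echo $PATH, ls -ld on each directory, ls -l for symlinks) can be run from the defender's side as one audit. The script below is an added example, not part of the original notes; it assumes POSIX sh with ls, cut and readlink, flags empty or relative entries, missing directories, symlinked entries and world- or group-writable directories, and returns the number of findings.

```shell
#!/bin/sh
# Added audit helper, not part of the original notes: walk a PATH value and
# report the entries an attacker could use to shadow a command. It automates
# the manual "echo $PATH" / "ls -ld" / "ls -l" checks from the steps above.
# Assumption: POSIX sh with ls(1), cut(1) and readlink(1) available.

# audit_path PATHVALUE -> prints one line per finding, returns the count found
audit_path() {
    findings=0
    rest="$1:"                      # trailing ':' so the last field is consumed
    while [ -n "$rest" ]; do
        d="${rest%%:*}"
        rest="${rest#*:}"
        case "$d" in
            ""|.) printf 'RISK  %s  current-directory entry: every cwd becomes a search dir\n' "${d:-(empty)}"
                  findings=$((findings+1)); continue ;;
            /*)   ;;
            *)    printf 'RISK  %s  relative entry, resolved against the cwd\n' "$d"
                  findings=$((findings+1)); continue ;;
        esac
        if [ ! -d "$d" ]; then
            printf 'WARN  %s  missing: creatable if its parent directory is writable\n' "$d"
            findings=$((findings+1)); continue
        fi
        # A symlinked PATH entry is only as safe as its target, so show where it points.
        if [ -L "$d" ]; then
            printf 'INFO  %s  symlink -> %s\n' "$d" "$(readlink "$d")"
        fi
        # Mode string of the (resolved) directory, e.g. drwxrwxrwt; char 9 is the
        # "other" write bit, char 6 the group write bit. Sticky (t) does not help:
        # anyone can still create a new file named like a command there.
        mode=$(ls -ldL "$d" | cut -c1-10)
        case "$mode" in
            ????????w?) printf 'RISK  %s  world-writable (%s)\n' "$d" "$mode"
                        findings=$((findings+1)) ;;
            ?????w????) printf 'WARN  %s  group-writable (%s)\n' "$d" "$mode"
                        findings=$((findings+1)) ;;
        esac
    done
    return $findings
}

# Audit the caller's own environment when the script is run.
n=0
audit_path "$PATH" || n=$?
echo "findings: $n"
```

A non-zero exit count from audit_path is a finding to investigate, not proof of compromise: /tmp-style directories in a user's PATH are a common misconfiguration rather than an attack.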