Tutorial: Linux Privilege Escalation: Wildcards

by RangeForce Team

The Curious Case of Linux Privilege Escalation: Wildcard Style

In the thrilling world of Linux, wildcards are not just for poker games. They are symbols that represent other characters, commonly used in commands like cat or rm to list or delete files matching specific criteria. Our wildcard of interest here is the *, a real wildcard in every sense, as it matches any number of characters.

Take, for example, cat *, which displays the contents of all files in the current directory, or rm *, efficiently (and somewhat ruthlessly) removing every file there. But, the real magic happens under the hood – the * expands to all matching files. So, if your directory has files named 'a', 'b', and 'c', running rm * is equivalent to declaring "rm a b c."

The Wildcard Predicament

Now, let's sprinkle in some flags. These command-line flags modify how programs run. For instance, rm -rf will recursively and forcefully delete files without asking, "Are you sure?" But what if you run rm * with a file named -rf in your directory? The shell expands * to include -rf, turning your innocent command into a potentially catastrophic rm -rf a b c.

This scenario spells trouble when privileged users or scripts use wildcards in commands with dangerous flags, particularly those related to external command execution. It's like leaving your digital doors unlocked, an open invitation for privilege escalation.

The Usual Suspects: chown, chmod, and tar

Programs like chown and chmod can be exploited using wildcard injection. Let's focus on chown, used to change file ownership. Imagine a script like this:

Screenshot 2023-11-20 at 6.33.13 PM

Here’s where the plot thickens. By creating specific files and using wildcard injection, an attacker can manipulate the chown command to change ownership of critical files, like /etc/passwd, potentially gaining root access. It's like convincing the system you're the new landlord with a dubious lease agreement.

Then there’s tar, the Linux equivalent of a digital Swiss Army knife for file archiving. tar has checkpoint flags that allow executing commands after archiving a certain number of files. An attacker can use these checkpoints to execute malicious commands. It's like hiding a surprise in a birthday cake, except the surprise is granting yourself root privileges.

Rsync: The File Copying Tool That Copies More Than Files

Rsync, a common file-copying tool in Unix systems, also falls prey to wildcard injection. Using flags like -e, one can execute any shell script. Imagine a script that adds your user to the sudoers file, giving you the golden key to root privileges.

Safeguarding Against Wildcard Mayhem

Fear not, for safeguarding against wildcard injection is simpler than it seems. Just add the full path in front of the wildcard. So, instead of some_command *, use some_command /path/to/some/folder/*. It’s like telling your command, "Hey, play only in this sandbox, not the entire playground."

At first glance, wildcards seem as harmless as a kitten, but in the realm of Linux, they can turn into a lion if not handled with care. So, next time you use *, remember, it's not just a character; it's a character with character, capable of both streamlining your work and wreaking havoc if left unchecked.

Related posts

(AR)² Readiness Program™

Learn More about (AR)2

Get a custom demo

Take your team's cyber readiness to the next level

Request Demo