Wtf? The VPN client I installed earlier (Dell’s NetExtender) created a SUID binary! Let’s try something with that.
At the same time I was working on a script to test for PATH spoofing vulnerabilities [Note: PA(TH)ZUZU, it works just fine now], so one of the first things I thought would be fun to try was… spoofing the PATH.
What’s that? How does this help me?
The PATH bash variable ($PATH) holds a colon-separated list of directories from which binaries can be run without typing their full, you guessed it, path.
Let’s try with an example:
[screenshot: default OS X $PATH]
This is the default $PATH on OS X.
Splitting it on the colons, you can see that it’s actually 5 directories:
So when I run a command, a file with that name is searched for in the directories listed above, in that order.
Example with ping:
So now the question is: what happens if you change (spoof) the $PATH variable before running an executable?
Boom: from now on, if I try to run any program without specifying the full path, the only directory it will be searched for in is exactly “/tmp”.
Let’s get the party started.
The first thing to try: let’s see if there are any interesting strings in the binary.
Wow, setuid! If we can pwn this script we can probably become root without any issue!
And all the other strings seem a lot like… flags passed directly to bash.
Let’s try the spoofing magic.
Let’s just point the PATH at a directory with nothing interesting inside: the current directory (“.”).
Wait what?? It worked!
From this picture we can see that 3 programs were called by the uninstaller:
Let’s try to write an exploit that creates a “fake” dscacheutil executable (it will just call bash) in the current directory and then calls the uninstaller with $PATH spoofed to “.”:
echo "PATH=$PATH /bin/bash 2>&1" >> dscacheutil
Let’s chmod +x it and run it:
(Note: this exploit worked on both OS X & Linux)
Always check what’s on your PC before and after you install something, even if you trust the source: it could save you from bad things.
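As an added example (not code from the original post, nor from Dell), here is a small Python audit of the two things this post turns on: how a bare command name is looked up through $PATH, and which PATH entries let a local user substitute their own binary; run_privileged shows the fix an installer should have used (absolute path plus a pinned PATH). SAFE_PATH and the temporary-directory scenario in demo() are assumptions constructed for the demo.

```python
import os
import stat
import subprocess
import tempfile

# PATH a privileged program should hand to its children instead of the
# caller's value (assumed; adjust to the system's real admin directories).
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

def path_entries(path_value):
    # Shell rule: an empty entry (leading, trailing or "::") means the cwd.
    return [e if e else "." for e in path_value.split(":")]

def resolve(command, path_value):
    # First entry holding an executable of that name wins (the "ping" lookup).
    for directory in path_entries(path_value):
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def audit_path(path_value):
    # Entries a local user could populate; bare names looked up there can be swapped.
    findings = {}
    for entry in path_entries(path_value):
        if not os.path.isabs(entry):
            findings[entry] = "relative entry resolves against cwd"
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            findings[entry] = "world-writable directory"
    return findings

def run_privileged(argv):
    # Mitigation: absolute path only, and a pinned PATH for the child process.
    if not os.path.isabs(argv[0]):
        raise ValueError("privileged code must invoke commands by absolute path")
    return subprocess.run(argv, env={"PATH": SAFE_PATH},
                          capture_output=True, text=True, check=False)

def demo():
    # Constructed scenario: a fake "dscacheutil" in a world-writable directory
    # that a user-chosen PATH lists first, as in the post (it only echoes).
    work = tempfile.mkdtemp()
    fake = os.path.join(work, "dscacheutil")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\necho spoofed\n")
    os.chmod(fake, 0o755)
    os.chmod(work, 0o1777)
    spoofed = work + ":/usr/bin:."
    return {"spoof_found": resolve("dscacheutil", spoofed) == fake,
            "dir": work, "findings": audit_path(spoofed)}
```

audit_path flags exactly the entries that made the uninstaller's bare "dscacheutil" call exploitable; run_privileged refuses such a call outright.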