2. Automated Tasks
Linux systems ship a useful and familiar task scheduler, cron, configured through crontab files. Crontab has become popular in privilege escalation because it can be scheduled to run an automated process as root.
Having an automated process running as root makes the whole exploitation much easier: one need only tamper with the task and then wait until the task runs again.
3. Listing Crontab Jobs
Crontab jobs can be listed with crontab -l for the current user's scheduled tasks, or crontab -l -u [username] for other users.
Since crontab -u itself requires privileges, a more efficient search is to explore the '/etc/cron.[period]' directories.
ls -la /etc/cron* will do the job, but an enumeration script will usually yield better results.
4. Reading Crontab Jobs
Reading crontab jobs is divided into two parts. The first part involves the tasks themselves: some system-wide jobs can be found with more /etc/crontab, while others are visible only to the user they belong to.
The second part involves the files that are executed. These reside in the '/etc/cron.[period]' directories mentioned above.
5. Crontab Schedule Format
01,31 04,05 1-15 1,6 * /etc/cron.daily/script
Creating Crontab Jobs
Crontab jobs are created by putting a bash script into one of crontab's directories; later on, the job becomes an automated process once registered with crontab -e. All crontab jobs have the same format: the timing details, followed by the location of the bash script to be executed.
Below is a slightly more graphical explanation of the fields, from left to right:
minutes    hours    days of month    months    days of week    bash script location
The above example will run '/etc/cron.daily/script' at 01 and 31 minutes past the hours of 4:00am and 5:00am on the 1st through the 15th of every January and June.
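As an added example (not part of the original deck), the following matcher interprets the five-field schedule described above, including lists, ranges, steps and the day-of-month/day-of-week rule that Vixie cron applies; it is a hypothetical helper, not cron's own code.

```python
from datetime import datetime

# Added example (not from the original deck): a minimal matcher for the five-field
# crontab schedule, including Vixie cron's day-of-month/day-of-week rule.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]  # min, hour, dom, month, dow

def parse_field(field, lo, hi):
    """Expand one field ('*', 'a,b', 'a-b', '*/n', 'a-b/n') into a set of ints."""
    values = set()
    for part in field.split(","):
        part, _, step = part.partition("/")
        step = int(step) if step else 1
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not lo <= start <= end <= hi:
            raise ValueError(f"value out of range in field {field!r}")
        values.update(range(start, end + 1, step))
    return values

def parse_crontab_line(line):
    """Return ([minute, hour, dom, month, dow] sets, dom_star, dow_star, command)."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("expected five schedule fields followed by a command")
    sets = [parse_field(f, lo, hi) for f, (lo, hi) in zip(parts[:5], FIELD_RANGES)]
    if 7 in sets[4]:  # cron accepts both 0 and 7 for Sunday
        sets[4].add(0)
    # Vixie cron treats a day field that begins with '*' as unrestricted
    return sets, parts[2].startswith("*"), parts[4].startswith("*"), parts[5]

def matches(line, when):
    """True if the schedule in `line` fires at `when` (a datetime or ISO-8601 string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    (minute, hour, dom, month, dow), dom_star, dow_star, _ = parse_crontab_line(line)
    cron_dow = (when.weekday() + 1) % 7  # Python: Monday=0; cron: Sunday=0
    day_ok = when.day in dom and cron_dow in dow
    if not dom_star and not dow_star:
        # when both day fields are restricted, either one matching is enough
        day_ok = when.day in dom or cron_dow in dow
    return when.minute in minute and when.hour in hour and when.month in month and day_ok
```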
6. Crontab Escalation Types
Crontab jobs can also be executed frequently; for example, a task may run once an hour. Because the crontab jobs themselves won't be visible to the attacker, the time of execution can only be speculated.
Write Permissions
Having "write" permissions over a scheduled script, we can simply alter the script to perform a different task to fit our needs. Since most jobs run as root, simply executing a shell will do.
Wildcards
Wildcards are characters used to select multiple or arbitrary files. The most common wildcard is "*", which means "select all files" and is usually passed to a command.
Bad PATH Configuration
When running a program or a command in Linux that is not given by its path (for example, not as ./program in the current working directory), Linux consults the PATH variable and searches the directories listed there.
7. Write Permissions
Write permissions on a crontab job script are, for the most part, self-explanatory. An important thing to remember is that the crontab job cannot be used to actively open a root shell. However, we can simply add our user to the sudo group by inserting sudo adduser [username] sudo into the script.
8. Bad PATH Configuration
As seen in the example, the user has a crontab job which runs 'backupTool'. Since 'backupTool' is not given with a path into a '/bin/' subfolder, we can assume it is being searched for in the PATH.
Looking at the PATH variable, we see that we can write to '/usr/local/bin/' and that there is a directory called '/root/scripts/' in which the tool is most likely present.
With a fake 'backupTool' in '/usr/local/bin/', we can assume our fake tool will be used instead of the real one.
9. The Trick
Searching for Files
When encountering an executable, a Linux system has a specific procedure for locating it in the filesystem. Failing to specify the full path when invoking an executable may leave the system vulnerable to bad PATH configuration attacks.
Below is the order in which locations are searched for executables:
PRIORITY  LOCATION                DESCRIPTION
1         Aliases                 Checks if the executable is a 'nickname' given to another command
2         Exported functions      Checks if the executable is an exported command of a shared Linux library
3         Built-in shell command  Checks if the executable is a built-in shell command
4         PATH                    Searches for the executable in the directories listed in the PATH variable
The PATH is searched from start to end, and the first occurrence of the executable is used.
10. Wildcard Injection
As seen in the example, the user has a crontab job which runs desktopBackup. This script backs up all the user's documents using tar with '*'.
Knowing this, we can create two files named '--checkpoint=1' and '--checkpoint-action="sudo adduser vitaly sudo"'.
Because tar is being used with '*', both files will be interpreted as command-line options rather than actual files, allowing code execution.
11. Protection
The best way to prevent privilege escalation over automated tasks altogether is to follow the principle of least privilege: have a dedicated user run crontab jobs instead of root.
Write Permissions
If the command is simple, it can be written in the crontab job itself rather than in a separate script. Monitor write permissions on scheduled scripts.
Wildcards
When crafting crontab jobs, refrain from using wildcards and instead be explicit within the declarations.
Bad PATH Configuration
Always specify the full directory path for executable binaries. Avoid having '.' in the PATH.
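The following audit helper is an added example (not part of the original deck) that checks crontab lines for the three weaknesses described in the Write Permissions, Bad PATH Configuration and Wildcard slides, so that the protections listed above can be verified; the directory layout, job lines and the function names are constructed for the demonstration.

```python
import os
import shlex
import tempfile
# Added audit helper, not from the original deck: flags writable job scripts,
# unqualified commands resolved via PATH, '.' in PATH, wildcard arguments, root jobs.
def writable_by_others(path):
    """True if path exists and its mode has the group- or world-write bit set."""
    try:
        return bool(os.stat(path).st_mode & 0o022)
    except FileNotFoundError:
        return False

def audit_crontab_line(line, path_dirs):
    """Findings for one /etc/crontab-style line: five schedule fields, user, command."""
    parts = line.split(None, 6)
    if line.lstrip().startswith("#") or len(parts) < 7:
        return []
    user, words = parts[5], shlex.split(parts[6])
    prog, findings = words[0], []
    if user == "root":
        findings.append("job runs as root")
    if "/" in prog:
        if writable_by_others(prog):
            findings.append(f"script {prog} is group/world-writable")
    else:
        if any(d in (".", "") for d in path_dirs):
            findings.append("'.' in PATH")
        # PATH is searched left to right, first hit wins: a writable dir before the real one shadows it
        for d in path_dirs:
            if writable_by_others(d):
                findings.append(f"unqualified {prog} can be shadowed from writable {d}")
                break
            if os.path.isfile(os.path.join(d, prog)):
                break
    if any(c in w for w in words[1:] for c in "*?["):
        findings.append("wildcard argument: expanded file names may be parsed as options")
    return findings

def demo():
    """Audit three constructed jobs against a constructed directory layout in a temp dir."""
    base = tempfile.mkdtemp()
    local_bin = os.path.join(base, "usr/local/bin")  # constructed; made world-writable below
    real_dir = os.path.join(base, "root/scripts")    # constructed; holds the real tool
    os.makedirs(local_bin); os.makedirs(real_dir); os.chmod(local_bin, 0o777)
    open(os.path.join(real_dir, "backupTool"), "w").close()
    script = os.path.join(base, "desktopBackup.sh"); open(script, "w").close(); os.chmod(script, 0o777)
    jobs = [f"0 * * * * root {script} /home/*",  # writable script and a wildcard
            "*/5 * * * * root backupTool",  # unqualified name resolved through PATH
            "0 3 * * * backup /usr/bin/tar -czf /b.tgz -C /home/docs ."]  # clean
    return [audit_crontab_line(j, [local_bin, real_dir]) for j in jobs]
```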