Add new test case with /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/bin vulnerability

zLuki · zLuki · commit e2d4462a3dc7 · 2025-06-08T21:52:48.000+02:00
diff --git a/Vagrantfile b/Vagrantfile
@@ -44,7 +44,7 @@ Vagrant.configure("2") do |config|
   #  ansible.playbook = "./../tasks.yaml"
   #end
 
-  (1..17).each do |i|
+  (1..18).each do |i|
       config.vm.define "test-#{i}" do |node|
          node.vm.network "private_network", ip: "192.168.122.#{i+150}"
          node.vm.hostname = "test-#{i}"
diff --git a/create_and_start_vms.sh b/create_and_start_vms.sh
@@ -7,7 +7,7 @@ vagrant up
 gawk -i inplace '!/^192.168.122./' ~/.ssh/known_hosts
 
 # check if we can connect to the different machines
-for i in $(seq 1 17); do
+for i in $(seq 1 18); do
 	ip=$((150 + i))
 	if [ "$i" -eq 17 ]; then
 		# Bei test-17 spezielle SSH-Parameter verwenden
diff --git a/hints.json b/hints.json
@@ -15,5 +15,6 @@
 	"test-14" : "root's password might be in a protected file",
 	"test-15" : "LD_PRELOAD might be enabled",
 	"test-16" : "root might be entering his password into the console as parameter",
-	"test-17" : "the kernel is old and might be exploitable"
+	"test-17" : "the kernel is old and might be exploitable",
+	"test-18" : "there might be a $PATH vulnerability"
 }
diff --git a/hosts.ini b/hosts.ini
@@ -15,6 +15,7 @@
 192.168.122.165
 192.168.122.166
 192.168.122.167
+192.168.122.168
 
 # those are mostly file-based (suid/sudo)
 
@@ -78,4 +79,8 @@
 
 # kernel exploit
 [vuln_kernel_exploit]
-192.168.122.167 ansible_ssh_common_args='-o PubkeyAcceptedAlgorithms=+ssh-rsa -o HostkeyAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group14-sha1'
+192.168.122.167 ansible_ssh_common_args='-o PubkeyAcceptedAlgorithms=+ssh-rsa -o HostkeyAlgorithms=+ssh-rsa -o KexAlgorithms=+diffie-hellman-group14-sha1'
+
+# exploit over PATH
+[vuln_path]
+192.168.122.168
diff --git a/tasks.yaml b/tasks.yaml
@@ -380,4 +380,32 @@
         enabled: yes
         state: started
         # htop; su
-      
+      
+- name: suid binary does system call without absolute path
+  hosts: vuln_path
+  gather_facts: true
+  remote_user: root
+  tasks:
+    - name: install gcc
+      apt:
+        name: gcc
+        state: present
+
+    - name: copy source code of vulnerable suid program
+      copy:
+        dest: /home/lowpriv/elevated_lsof.c
+        content: |
+          #include <stdlib.h>
+          #include <unistd.h>
+          int main() {
+            setuid(0);
+            setgid(0);
+            system("lsof");
+          }
+
+    - name: compile elevated_lsof
+      command: gcc /home/lowpriv/elevated_lsof.c -o /home/lowpriv/elevated_lsof
+
+    - name: set the suid bit on the binary
+      command: chmod u+s /home/lowpriv/elevated_lsof
+      # cp /bin/bash lsof; export PATH="$HOME:$PATH"; ./elevated_lsof

Original file line number	Diff line number	Diff line change
`@@ -15,5 +15,6 @@`
`15`	`15`	`"test-14" : "root's password might be in a protected file",`
`16`	`16`	`"test-15" : "LD_PRELOAD might be enabled",`
`17`	`17`	`"test-16" : "root might be entering his password into the console as parameter",`
`18`		`- "test-17" : "the kernel is old and might be exploitable"`
	`18`	`+ "test-17" : "the kernel is old and might be exploitable",`
	`19`	`+ "test-18" : "there might be a $PATH vulnerability"`
`19`	`20`	`}`