Privilege Escalation checklist

The following document is a checklist of Linux local privilege escalation opportunities. Depending on the circumstances of each vulnerability the escalation may be horizontal (to another unprivileged account) or vertical (to root or another privileged account).

Environment variables abuse

Many applications depend on environment variables to determine where things are located on a system (e.g. PATH) as well as how to interact with the system and its users (e.g. TERM).

PATH

Unix and Windows operating systems both use the PATH environment variable, which lists the directories to be searched for executables, in order, with the first match winning. This lets us run a command by name without knowing its exact location on the filesystem.

In general every user can have their own PATH variable, and most often there are no restrictions on users adding their own directories to it.

Let's take the following example of a script that does nothing but print the current date:

#!/bin/bash
date

When this script is executed, bash parses it and, on reaching the date command, looks for an executable named date in the directories listed in PATH, in order, because date is given as a bare name rather than an absolute path (a script calling /bin/date would not be affected). This opens up the possibility of making the script execute a command of our liking. It only amounts to privilege escalation when the script runs under a more privileged account than ours (through sudo, cron, a service or a set-UID wrapper) while still inheriting a PATH we control; a script we run ourselves merely runs our own commands as us.

All we have to do is create an executable of our liking and give it the same name. In the following example we create a bin directory under our home directory and copy ls into it, renamed to date.

mkdir ~/bin
cp /bin/ls ~/bin/date

As soon as our bin directory comes before the system directories in PATH, the script's call to date will run our date (which in reality is ls). which date shows which binary the lookup resolves to:

PATH=~/bin:$PATH which date
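The hijack described above, packaged as a self-contained script that can be run safely on any box (an added example, not part of the original checklist). It builds a victim script and a fake date under a scratch directory from mktemp, runs the victim with and without our directory in front of PATH, and adds an audit_path helper that flags the PATH entries an attacker could use. The directory layout and function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original checklist: a self-contained PATH
# hijack. Everything lives under a scratch directory from mktemp, so no system
# file is touched. The victim script calls "date" by bare name exactly like the
# script above, so whichever "date" comes first in PATH is the one that runs.

# Build the demo tree and print its path. The layout is this example's own:
#   $demo/victim.sh   - the script whose "date" call we subvert
#   $demo/hijack/date - our replacement for the date command
setup_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/hijack"
    cat > "$demo/victim.sh" <<'EOF'
#!/bin/sh
date
EOF
    chmod 755 "$demo/victim.sh"
    # Our "date" prints a marker plus the uid it runs as. Only if the victim
    # runs as someone more privileged (sudo, cron, a service) does that uid
    # differ from ours and the hijack become an escalation.
    cat > "$demo/hijack/date" <<'EOF'
#!/bin/sh
echo "HIJACKED uid=$(id -u)"
EOF
    chmod 755 "$demo/hijack/date"
    echo "$demo"
}

# Run the victim with our directory first in PATH and print the first word of
# its output: "HIJACKED" if our date ran, a weekday name if the real one did.
run_hijacked() {
    PATH="$1/hijack:$PATH" "$1/victim.sh" | cut -d' ' -f1
}

# The same victim with a PATH that does not contain our directory.
run_clean() {
    PATH=/usr/bin:/bin "$1/victim.sh" | cut -d' ' -f1
}

# Which entries of a PATH string could be abused? Writable ones let us drop a
# binary in; relative ones ("." or "bin") and empty ones (which the shell
# treats as the current directory) resolve relative to wherever the victim
# happens to be started from.
audit_path() {
    IFS=:
    for dir in $1; do
        case "$dir" in
            "")  echo "empty entry (current directory)" ;;
            /*)  [ -w "$dir" ] && echo "writable: $dir" ;;
            *)   echo "relative: $dir" ;;
        esac
    done
    unset IFS
    return 0
}

cleanup_demo() {
    rm -rf "$1"
}

# Usage: sh <this file> demo
if [ "${1:-}" = "demo" ]; then
    d=$(setup_demo)
    echo "hijacked run: $(run_hijacked "$d")"
    echo "clean run:    $(run_clean "$d")"
    audit_path "$d/hijack:$PATH"
    cleanup_demo "$d"
fi
```

audit_path is the check to run in the context of the privileged process, not in our own shell: what matters is the PATH the victim inherits (from sudo, the crontab, the unit file), and an absolute, non-writable PATH there closes this whole class of issues.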

sudo -E

Sometimes the binary we want to override is run through sudo. By default sudo's env_reset option runs the command with a minimal environment; note that PATH is one of the variables this minimal environment keeps, so env_reset by itself does not stop a PATH hijack. What does stop it is the secure_path option, which many distributions set in /etc/sudoers and which replaces PATH with a fixed list of system directories regardless of what we export. Both settings appear in the output of sudo -l. For the variables env_reset does drop, the -E parameter asks sudo to preserve the caller's environment; sudo only honours it when sudoers grants SETENV for the command (implied when the command matched is ALL), otherwise it refuses with "sorry, you are not allowed to preserve the environment".

With that permission we can either provide the variable override on the sudo command line (variables set this way are not subject to the usual env_keep and env_check restrictions) or export it, so that it is inherited by follow-up command invocations.

sudo -E PATH=~/bin:$PATH which date

or

export PATH=~/bin:$PATH
sudo -E which date
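Since the outcome depends on the sudoers settings rather than on -E alone, here is an added example (not from the original page) that reads the output of sudo -l and says whether a PATH hijack can reach the command sudo runs. The two sample outputs are constructed, not captured from a real host, and the parsing is a heuristic over sudo's human-readable format, so treat the verdict as a hint to confirm by actually trying the command.

```sh
#!/bin/sh
# Added example, not part of the original checklist: decide from "sudo -l"
# output whether the caller's PATH reaches the command sudo runs. The rules
# applied are those documented in sudoers(5):
#   - env_reset (the default) keeps the caller's PATH, so on its own it does
#     not stop a PATH hijack;
#   - secure_path replaces PATH with a fixed value, which does stop it
#     (users in exempt_group are excluded; not handled here);
#   - SETENV, or a rule whose command is ALL (which implies SETENV), lets the
#     caller use -E and set variables on the command line.
# The text matching below is this example's own heuristic over the human
# readable "sudo -l" format; it is not a sudo interface.

# Usage: sudo -l | sudo_path_check      (or feed a saved copy of the output)
# Prints a verdict and returns 0 if the caller's PATH survives, 1 if not.
sudo_path_check() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'secure_path='; then
        echo "secure_path is set: sudo replaces PATH, a plain PATH hijack is blocked"
        # "(^|[^O])SETENV" avoids matching NOSETENV; the second branch matches a
        # rule line ending in ") ALL" or ") NOPASSWD: ALL".
        if printf '%s\n' "$out" | grep -Eq '(^|[^O])SETENV|\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'; then
            echo "rule grants SETENV (or ALL, which implies it): sudo PATH=... command may still override secure_path"
        fi
        return 1
    fi
    if printf '%s\n' "$out" | grep -q 'env_reset'; then
        echo "env_reset without secure_path: caller's PATH is kept, PATH hijack possible"
    else
        echo "neither env_reset nor secure_path: environment passed through, PATH hijack possible"
    fi
    return 0
}

# Constructed samples in the "sudo -l" output format (not from a real host).
SAMPLE_DEBIAN='Matching Defaults entries for alice on web01:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (ALL : ALL) ALL'

SAMPLE_LOOSE='Matching Defaults entries for bob on build02:
    env_reset

User bob may run the following commands on build02:
    (root) NOPASSWD: /usr/local/bin/backup.sh'

# Usage: sh <this file> demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_DEBIAN" | sudo_path_check
    printf '%s\n' "$SAMPLE_LOOSE" | sudo_path_check
fi
```

The second sample is the interesting one for this checklist: a single NOPASSWD script with env_reset but no secure_path means the script inherits our PATH, so any bare command name inside it is a candidate for the hijack shown in the previous section.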

Set UID and GID binaries

Shared libraries

LD_PRELOAD, LD_LIBRARY_PATH, LD_DEBUG, rpath/runpath

Note that for set-UID/set-GID binaries the dynamic loader runs in secure-execution mode: LD_LIBRARY_PATH is ignored, LD_PRELOAD entries containing a slash are ignored and LD_DEBUG is ignored unless /etc/suid-debug exists. Because sudo itself is set-UID the loader strips these variables from its environment before sudo even starts, so when a sudo rule allows LD_PRELOAD through env_keep the variable has to be passed on the sudo command line (sudo LD_PRELOAD=... command). The remaining cases worth checking are unprivileged binaries launched by a privileged process, a writable /etc/ld.so.preload, and a writable directory named in a binary's rpath/runpath.

Writable system files and folders

  • /etc/passwd
  • /etc/shadow
  • /etc/ld* (ld.so.conf, ld.so.conf.d/, ld.so.preload)
  • /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin (a writable directory here is as good as a writable binary, since we can add or replace one)
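An added example (not from the original page) that turns this list and the "Set UID and GID binaries" item above into runnable checks: which of the listed paths are writable by the current user, which binary directories contain world-writable entries, and which files under them are set-UID or set-GID. Every function takes a root prefix, which is this example's own convention, so the same checks run against "/" on a live host, a chroot, a mounted image, or a constructed tree.

```sh
#!/bin/sh
# Added example, not part of the original checklist: audit the locations in
# the list above for anything writable by the current user, and list
# set-UID/set-GID binaries under the system binary directories. Each function
# takes a root prefix ("/" on a live host); the prefix convention and the
# function names are this example's own.

# Paths from the checklist. /etc/ld* is spelled out as the files the loader reads.
CHECK_PATHS='/etc/passwd /etc/shadow /etc/ld.so.conf /etc/ld.so.conf.d /etc/ld.so.preload
/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin'

BIN_DIRS='/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin'

# Print "file <path>" or "dir <path>" for every checklist path under $1 that
# exists and is writable by us. [ -w ] asks the kernel via access(2), so owner,
# group and ACLs are all taken into account; as root it is true for everything,
# so run this as the low-privilege user being assessed.
writable_targets() {
    root=${1%/}
    for p in $CHECK_PATHS; do
        full="$root$p"
        [ -e "$full" ] || continue
        if [ -w "$full" ]; then
            if [ -d "$full" ]; then echo "dir $full"; else echo "file $full"; fi
        fi
    done
    return 0
}

# Entries under the binary directories that anyone can write to. A
# world-writable directory lets us add or replace a binary even when no
# individual file is writable. Symlinks are skipped; their mode is meaningless.
world_writable_under() {
    root=${1%/}
    for d in $BIN_DIRS; do
        [ -d "$root$d" ] || continue
        find "$root$d" -xdev ! -type l -perm -0002 2>/dev/null || true
    done
    return 0
}

# Set-UID and set-GID files under the binary directories, the next item on the
# checklist: each one runs as its owner/group, so each is a candidate for the
# environment and shared-library tricks above.
suid_sgid_binaries() {
    root=${1%/}
    for d in $BIN_DIRS; do
        [ -d "$root$d" ] || continue
        find "$root$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null || true
    done
    return 0
}

# Usage: sh <this file> audit [root]
if [ "${1:-}" = "audit" ]; then
    root=${2:-/}
    echo "== writable checklist paths under $root"; writable_targets "$root"
    echo "== world-writable entries under binary dirs"; world_writable_under "$root"
    echo "== set-UID/set-GID binaries"; suid_sgid_binaries "$root"
fi
```

On a live host the audit is most useful run twice: once as the account you have, and once against a mounted image or chroot when you are checking a build rather than a running system. Anything reported by writable_targets for /etc/passwd, /etc/shadow or /etc/ld.so.preload is a direct path to root; a hit from world_writable_under or a directory entry from writable_targets is the precondition for the PATH and library hijacks earlier in this checklist.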