The Curious Case of Linux Privilege Escalation: Wildcard Style
In the thrilling world of Linux, wildcards are not just for poker games. They are symbols that represent other characters, commonly used in commands like cat
or rm
to list or delete files matching specific criteria. Our wildcard of interest here is the *
, a real wildcard in every sense, as it matches any number of characters.
Take, for example, cat *
, which displays the contents of all files in the current directory, or rm *
, efficiently (and somewhat ruthlessly) removing every file there. But, the real magic happens under the hood – the *
expands to all matching files. So, if your directory has files named 'a', 'b', and 'c', running rm *
is equivalent to declaring "rm a b c."
Now, let's sprinkle in some flags. These command-line flags modify how programs run. For instance, rm -rf
will recursively and forcefully delete files without asking, "Are you sure?" But what if you run rm *
with a file named -rf
in your directory? The shell expands *
to include -rf
, turning your innocent command into a potentially catastrophic rm -rf a b c
.
This scenario spells trouble when privileged users or scripts use wildcards in commands with dangerous flags, particularly those related to external command execution. It's like leaving your digital doors unlocked, an open invitation for privilege escalation.
Programs like chown
and chmod
can be exploited using wildcard injection. Let's focus on chown
, used to change file ownership. Imagine a script like this:
Here’s where the plot thickens. By creating specific files and using wildcard injection, an attacker can manipulate the chown
command to change ownership of critical files, like /etc/passwd
, potentially gaining root access. It's like convincing the system you're the new landlord with a dubious lease agreement.
Then there’s tar
, the Linux equivalent of a digital Swiss Army knife for file archiving. tar
has checkpoint flags that allow executing commands after archiving a certain number of files. An attacker can use these checkpoints to execute malicious commands. It's like hiding a surprise in a birthday cake, except the surprise is granting yourself root privileges.
Rsync, a common file-copying tool in Unix systems, also falls prey to wildcard injection. Using flags like -e
, one can execute any shell script. Imagine a script that adds your user to the sudoers
file, giving you the golden key to root privileges.
Fear not, for safeguarding against wildcard injection is simpler than it seems. Just add the full path in front of the wildcard. So, instead of some_command *
, use some_command /path/to/some/folder/*
. It’s like telling your command, "Hey, play only in this sandbox, not the entire playground."
At first glance, wildcards seem as harmless as a kitten, but in the realm of Linux, they can turn into a lion if not handled with care. So, next time you use *
, remember, it's not just a character; it's a character with character, capable of both streamlining your work and wreaking havoc if left unchecked.