How Cybersecurity actors can compromise unix code
Cybersecurity actors can compromise Unix systems or code by exploiting vulnerabilities such as command injection, file permission misconfigurations, or race conditions. A common attack is privilege escalation via vulnerable scripts or improper use of system utilities. Below is an example where attackers can compromise Unix code using a symlink attack and command injection.
Vulnerable Script
Consider a Unix system administration script that performs periodic log file cleanup and is scheduled with elevated privileges (e.g., via sudo or a root-owned cron job).
​
Vulnerable Script (/usr/local/bin/cleanup.sh):
#!/bin/bash
​
# Clean up log files in /var/log/
rm -rf /var/log/*
​
echo "Log cleanup completed."
​Cron Job Entry:
​
​bash
​
# Cron job scheduled to run every day as root
0 3 * * * root /usr/local/bin/cleanup.sh
How an Attack Works:
​
1. Symlink Attack Setup: An attacker exploits a race condition by creating a symbolic link in the /tmp directory that points to a critical system file (e.g., /etc/passwd).
​
bash
​
ln -s /etc/passwd /tmp/logfile
​
​
2. Execution of cleanup.sh: The cron job executes cleanup.sh as root. The rm -rf /var/log/* command is designed to clean up log files, but since /tmp/logfile is a symbolic link pointing to /etc/passwd, the script will inadvertently delete the /etc/passwd file when it attempts to remove /var/log/*.
​
3. Result:
​
* The cron job deletes critical files such as /etc/passwd, which stores user information and authentication data.
* The system may become unusable or vulnerable, potentially leading to further exploitation or a complete system compromise.
More Exploits in Unix Code:
1. Command Injection: If a script executes system commands using user input without proper
validation, attackers can inject malicious commands. Consider the following vulnerable script:
Vulnerable Script (/usr/local/bin/backup.sh):
bash
​
#!/bin/bash
echo "Enter a directory to back up:"
read directory
tar -czf backup.tar.gz $directory
​
If an attacker enters ; rm -rf / as input, the script would execute:
bash
​
tar -czf backup.tar.gz ; rm -rf /
​
​
This could lead to system-wide file deletion.
​
2. Improper File Permissions: If sensitive files or scripts have improper permissions, attackers can modify or replace them.
For example, a script with write permissions for non-privileged users can be modified by an attacker to include malicious commands.
bash
chmod o+w /usr/local/bin/cleanup.sh
​
​
An attacker could then replace the script with one that deletes critical files or opens a reverse shell.
​
3. Race Condition in tmp Directory: A race condition vulnerability can arise if a script assumes
that a file is created in a specific order or location, allowing attackers to manipulate files in /tmp.
​
For example, if a script creates a temporary file and writes to it using a predictable name, an
attacker could create a symbolic link or overwrite the file before the script writes to it.
Mitigation Techniques:
1. Secure File and Directory Permissions: Ensure that critical files and scripts are not writable by
non-administrative users. For example:
bash
​
chmod 700 /usr/local/bin/cleanup.sh
​
2. Validate and Sanitize Input: Always validate user input before using it in system commands. Use
proper sanitization techniques to avoid command injection.
bash
​
​
if [[ "$directory" =~ ^/[a-zA-Z0-9/_-]+$ ]]; then
tar -czf backup.tar.gz "$directory"
else
echo "Invalid directory."
exit 1
fi
​
3. Use Absolute Paths for Commands: Always use absolute paths for system commands to avoid the
risk of executing unintended binaries if the PATH is manipulated.
​
bash
​
/bin/rm -rf /var/log/*
​
​
4. Avoid Using rm -rf: Instead of using rm -rf on directories, use safer alternatives or check that the files being removed are indeed the ones intended to be cleaned up.
​
5. Apply Proper Logging and Monitoring: Log every execution of privileged scripts and monitor for any unusual or unauthorized activity. Use tools like auditd to track access to critical files.
​
6. Avoid Use of chmod 777 on Critical Files: Avoid using overly permissive file modes, such as chmod 777, on scripts or sensitive files.
7. Create Immutable Files for Critical System Files: Use chattr to make critical files immutable,
preventing modifications.
bash
​
chattr +i /etc/passwd
​
​
8. Ensure Secure Temporary Directories: Mount /tmp as noexec, nosuid, and nodev to minimize
risks of file manipulation or execution:
​
bash
​
mount -o noexec,nosuid,nodev tmpfs /tmp
Example of a Secure Script
​
Here’s how the cleanup.sh script can be securely implemented:
bash
​
#!/bin/bash
# Exit on errors, unset variables, or pipe failures
set -euo pipefail
​
# Ensure that the script cannot be manipulated by unauthorized users
if [[ $(id -u) -ne 0 ]]; then
echo "This script must be run as root."
exit 1
fi
# Ensure the /var/log/ directory exists and is writable
if [[ ! -d /var/log/ ]]; then
echo "Log directory does not exist."
exit 1
fi
# Clean only specific log files, not entire directory
find /var/log/ -name "*.log" -exec rm -f {} \;
echo "Log cleanup completed."