Advisory: Code Execution via Insecure Shell Function getopt_simple

RedTeam Pentesting discovered that the shell function "getopt_simple", as presented in the "Advanced Bash-Scripting Guide", allows execution of

The document "Advanced Bash-Scripting Guide" is a tutorial for

Together with in-depth explanations about how shell scripting works.

During a penetration test, RedTeam Pentesting was able to execute commands as an unprivileged user (www-data) on a server.

It was discovered that this user was permitted to run the shell script

Matching Defaults entries for user on srv:
    env_reset, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on srv:
    (root) NOPASSWD: /usr/local/sbin/cleanup.sh

The script "cleanup.sh" starts with the following code:

Instead of injecting shell commands, the script can also be exploited by

$ sudo /usr/local/sbin/cleanup.sh -PATH=/tmp/redteam

Replace the function "getopt_simple" with the built-in function
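The following is an added example, not code from the advisory or from the "Advanced Bash-Scripting Guide": one way to parse options in a script that is run via sudo, assuming the shell's `getopts` built-in is used as the replacement. The option letters `-d` and `-n`, the variable names and the path rules are hypothetical.

```sh
#!/bin/sh
# Added example, not the advisory's code. The option letters (-d, -n), the
# variable names and the path rules are hypothetical.

# Parse "$@" into two fixed variables. Caller input never selects which
# variable is assigned and is never passed to eval.
parse_opts() {
    opt_dir=""
    opt_dry_run=0
    OPTIND=1                      # restart parsing on every call
    while getopts ":d:n" opt; do  # leading ":" = report errors via $opt
        case "$opt" in
            d) opt_dir=$OPTARG ;;
            n) opt_dry_run=1 ;;
            :) echo "option -$OPTARG needs a value" >&2; return 2 ;;
            *) echo "unknown option -$OPTARG" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    if [ $# -ne 0 ]; then
        echo "unexpected argument: $1" >&2; return 2
    fi
    # Validate the value: absolute path, conservative character set, no "..".
    case "$opt_dir" in
        *[!A-Za-z0-9/._-]*|*/../*|*/..)
            echo "-d: disallowed characters or '..' in path" >&2; return 2 ;;
        /*) return 0 ;;
        *)  echo "-d <absolute path> is required" >&2; return 2 ;;
    esac
}

# Constructed sample invocations; the second is the argument from the advisory.
try() {
    if parse_opts "$@" 2>/dev/null; then
        echo "accepted: $* (dir=$opt_dir dry_run=$opt_dry_run)"
    else
        echo "rejected: $*"
    fi
}
try -d /var/tmp/cleanup -n
try -PATH=/tmp/redteam
try -d '/var/tmp/x; id'
```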