🛠️ The Security Auditor's Checklist
Today’s session was a masterclass in identifying the "low-hanging fruit" of system exploitation.
1. The PATH Hijacking Danger
If a script runs tar rather than /usr/bin/tar, the shell resolves the name by walking the directories in $PATH in order and runs the first tar it finds. If an attacker can write to any directory listed before the real one, or if $PATH contains an empty entry or ".", they can place a malicious tar there, and it runs with whatever privileges the script has, which for most cron jobs means root.
The Audit Rule: Always use absolute paths in your cronjobs and service configuration files, and reset PATH explicitly at the top of every script they launch rather than trusting the one that was inherited.
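A small lab for this item, added here and not part of the original post: it builds a scratch directory with a world-writable folder holding a fake tar, shows that PATH order alone decides which tar a script executes, and includes the check an auditor would run over a crontab's PATH line. The fake tar is a constructed stand-in that only prints a marker; the lab assumes /usr/bin and /bin are not world-writable and that mktemp, ls, cut and tr are available.

```bash
#!/bin/sh
# Added example, not code from the original post. Builds a scratch "lab" with
# a world-writable directory and a fake tar, then shows how PATH order decides
# which tar runs, and what an audit of a cron PATH should flag.
# Assumptions: /usr/bin and /bin are not world-writable; mktemp, ls, cut, tr exist.

# Print the file a bare command name would execute under PATH_VALUE.
# Usage: resolve_cmd NAME PATH_VALUE
resolve_cmd() {
    ( PATH="$2"; command -v "$1" )
}

# Print the PATH entries an attacker could plant a binary in: an empty or "."
# entry (the current directory, whatever that happens to be at run time) and
# any directory writable by "other". Usage: writable_path_entries PATH_VALUE
writable_path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -z "$dir" ] || [ "$dir" = . ]; then
            printf '.\n'
        elif [ -d "$dir" ] && [ "$(ls -ld "$dir" | cut -c9)" = w ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Build the lab and print its path. The fake tar is a constructed stand-in for
# the attacker's binary; it only prints a marker. A real one would do its work
# and then exec the genuine /usr/bin/tar so the backup still appears to succeed.
make_hijack_lab() {
    lab=$(mktemp -d)
    mkdir "$lab/evil"
    chmod 777 "$lab/evil"           # world-writable, like /tmp without the sticky bit
    printf '#!/bin/sh\necho HIJACKED\n' > "$lab/evil/tar"
    chmod 755 "$lab/evil/tar"
    printf '%s\n' "$lab"
}

# The vulnerable "cron job": trusts the PATH it inherits and calls tar by name.
# Usage: run_backup_unsafe PATH_VALUE
run_backup_unsafe() {
    ( PATH="$1"; export PATH; tar --version 2>/dev/null | head -n 1 )
}

# The fixed version: absolute path, and PATH reset at the top of the script so
# nothing a caller (or a writable crontab) exported can change the lookup.
run_backup_safe() {
    ( PATH=/usr/bin:/bin; export PATH; /usr/bin/tar --version 2>/dev/null | head -n 1 )
}
```

On a real host, feed writable_path_entries the PATH line of the crontab you are auditing, for example writable_path_entries "$(sed -n 's/^PATH=//p' /etc/crontab)" (assuming a Vixie-style /etc/crontab that carries a PATH= line), and compare resolve_cmd tar "that PATH" with the /usr/bin/tar you expected. Any entry the check prints is a directory an unprivileged user can turn into root's tar.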
2. The Wildcard Exploit
Running a command like tar -czf backup.tar * in a directory is dangerous because the shell expands the * before tar starts: tar never sees a wildcard, only a list of names. An attacker who can create files in that directory names two of them --checkpoint=1 and --checkpoint-action=exec=sh shell.sh and adds a shell.sh of their own. GNU tar accepts options anywhere on the command line, so it interprets those names as options, not filenames, and runs the script as whoever invoked tar, which for a backup job is usually root. The Audit Rule: write the command so that no expanded name can start with a dash: use ./* instead of *, put -- before the wildcard, or archive the directory itself with tar -czf backup.tar .
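The expansion described above, as an added example that is not part of the original post: it creates a scratch directory with two honest files and the two trick names, prints what actually lands in tar's argv for the unsafe and the safe spelling, and, when GNU tar is installed, runs both jobs. The shell.sh here is a constructed stand-in that only drops a marker file named pwned; the exec demonstration assumes GNU tar, since bsdtar has no --checkpoint option.

```bash
#!/bin/sh
# Added example, not code from the original post. Shows what the shell hands
# to tar when a backup job runs "tar -czf backup.tar *" in a directory where
# the attacker chose the filenames, and the safe spellings. The filenames and
# shell.sh below are constructed; shell.sh only drops a marker file.
# Assumption: the exec demo needs GNU tar (bsdtar has no --checkpoint).

# Create a scratch directory holding two honest files and the two trick names.
make_wildcard_lab() {
    lab=$(mktemp -d)
    : > "$lab/data.txt"
    printf '#!/bin/sh\ntouch pwned\n' > "$lab/shell.sh"   # stand-in payload
    : > "$lab/--checkpoint=1"
    : > "$lab/--checkpoint-action=exec=sh shell.sh"
    printf '%s\n' "$lab"
}

# What tar's argv contains after "*" is expanded: the shell, not tar, does the
# expansion, so the two trick names arrive looking exactly like options.
argv_unsafe()   { ( cd "$1" && printf '%s\n' * ); }

# Safe spelling: every expanded name starts with "./", so none can be parsed
# as an option. "tar ... -- *" (end of options) or "tar ... ." (archive the
# directory itself) are equally good.
argv_prefixed() { ( cd "$1" && printf '%s\n' ./* ); }

# Count the argv words tar would take as options (stdin: one word per line).
count_option_like() { grep -c '^-' || true; }

gnu_tar_available() { tar --version 2>/dev/null | grep -q 'GNU tar'; }

# The vulnerable job. With GNU tar, --checkpoint=1 fires before the first
# record is written and the exec action runs "sh shell.sh" in this directory,
# as whichever user runs the job. The archive is still produced, so nothing
# looks wrong in the logs.
run_backup_unsafe() { ( cd "$1" && tar -czf backup.tar * ); }

# The fixed job: identical, except that nothing in argv can start with "-".
run_backup_safe()   { ( cd "$1" && tar -czf backup.tar ./* ); }
```

Run argv_unsafe on the lab and you see --checkpoint-action=exec=sh shell.sh and --checkpoint=1 as two separate words, indistinguishable from options typed by the administrator; argv_prefixed shows the same files as ./--checkpoint=1 and so on, which tar can only read as paths. The same trick works against any tool whose options can appear after filenames (rsync and chown have had the same class of issue), so the fix is a habit, not a tar-specific patch.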
3. SUID & Privilege Escalation
SUID binaries (-rwsr-xr-x) run with the effective user ID of the file's owner, not of the user who launched them, so a root-owned SUID program is root for the duration of the run. If you find a binary with the s bit (find / -perm -4000 -type f lists them), check whether it can be talked into running something else: vim can spawn a shell with :!sh, and find runs whatever is passed to -exec. A SUID copy of either hands the owner's privileges to any local user.
4. Writable Directories
Directories like /tmp or /dev/shm are drwxrwxrwt: world-writable, with the trailing t (the sticky bit) meaning anyone can create files there but only a file's owner can delete or rename it. They are the most common places for attackers to stage payloads because every account, including a compromised service account, can write there. When auditing, also list world-writable directories that lack the sticky bit (drwxrwxrwx), where an attacker can replace other users' files outright, and consider mounting /tmp and /dev/shm noexec, remembering that this blocks ./payload but not sh /tmp/payload.sh.
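An audit helper for items 3 and 4 together, added here and not part of the original post: one function lists SUID executables, one flags those whose name is a known shell-escaper, and one lists world-writable directories that lack the sticky bit. They are exercised on a constructed scratch tree so the script runs without root; on a real host point them at /. The only assumption is a find that supports -xdev and -perm, which GNU and BSD find both do.

```bash
#!/bin/sh
# Added example, not code from the original post, covering items 3 and 4: two
# audit helpers (SUID executables, world-writable directories) exercised on a
# constructed scratch tree so they can be run without root. Point them at /
# on a real host. Assumption: find supports -xdev and -perm (GNU and BSD do).

# Set-user-ID executables under ROOT. -xdev keeps the scan on one filesystem
# so it does not crawl /proc or network mounts.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Programs that can run other commands when asked: vim (:!sh), find (-exec),
# interpreters, pagers and editors. A SUID copy of any of them is a privilege
# escalation waiting to happen.
SHELL_ESCAPERS='vim vi find python python3 perl bash sh less more nano env awk'

# Flag SUID files whose basename is on that list.
flag_suid_escapers() {
    find_suid "$1" | while IFS= read -r f; do
        base=${f##*/}
        for name in $SHELL_ESCAPERS; do
            if [ "$base" = "$name" ]; then
                printf 'SUID shell-escape candidate: %s\n' "$f"
            fi
        done
    done
}

# World-writable directories WITHOUT the sticky bit. /tmp (drwxrwxrwt) is
# world-writable by design, but the t stops users deleting or replacing each
# other's files; a drwxrwxrwx directory gives an attacker both.
find_unsticky_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Scratch tree: a SUID "find", an ordinary "cat", a sticky tmp, and a shared
# directory with no sticky bit. Prints the tree's root.
make_audit_lab() {
    lab=$(mktemp -d)
    mkdir -p "$lab/usr/bin" "$lab/tmp" "$lab/var/shared"
    printf '#!/bin/sh\n' > "$lab/usr/bin/find"
    chmod 4755 "$lab/usr/bin/find"
    printf '#!/bin/sh\n' > "$lab/usr/bin/cat"
    chmod 755 "$lab/usr/bin/cat"
    chmod 1777 "$lab/tmp"
    chmod 777 "$lab/var/shared"
    printf '%s\n' "$lab"
}
```

On the scratch tree, find_suid reports only usr/bin/find, flag_suid_escapers turns that into a finding, and find_unsticky_writable_dirs reports var/shared but not the sticky tmp. On a live system run the same three against / and treat every line as something to explain or remove; the SGID bit (-perm -2000) deserves the same pass.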
Follow my journey: #1HourADayJourney