top of page

How Cybersecurity actors can compromise unix code

Cybersecurity actors can compromise Unix systems or code by exploiting vulnerabilities such as command injection, file permission misconfigurations, or race conditions. A common attack is privilege escalation via vulnerable scripts or improper use of system utilities. Below is an example where attackers can compromise Unix code using a symlink attack and command injection.

Vulnerable Script

Consider a Unix system administration script that performs periodic log file cleanup and is scheduled with elevated privileges (e.g., via sudo or a root-owned cron job).

​

Vulnerable Script (/usr/local/bin/cleanup.sh):

    #!/bin/bash

​

    # Clean up log files in /var/log/


    rm -rf /var/log/*

​

    echo "Log cleanup completed."
 

​    Cron Job Entry:

​

​   bash

​

    # Cron job scheduled to run every day as root

    0 3 * * * root /usr/local/bin/cleanup.sh

       How an Attack Works:

​

       1. Symlink Attack Setup: An attacker exploits a race condition by creating a symbolic link in the /tmp directory that points to a                               critical system file (e.g., /etc/passwd).

​

               bash

​

               ln -s /etc/passwd /tmp/logfile

​

​

       2. Execution of cleanup.sh: The cron job executes cleanup.sh as root. The rm -rf /var/log/* command is designed to clean up log files,                 but since /tmp/logfile is a symbolic link pointing to /etc/passwd, the script will inadvertently delete the /etc/passwd file when it                       attempts to remove /var/log/*.

​

       3. Result:

​

              *     The cron job deletes critical files such as /etc/passwd, which stores user information and authentication data.

              *     The system may become unusable or vulnerable, potentially leading to further exploitation or a complete system compromise.

More Exploits in Unix Code:

       

       1. Command Injection: If a script executes system commands using user input without proper

           validation, attackers can inject malicious commands. Consider the following vulnerable script:

 

           Vulnerable Script (/usr/local/bin/backup.sh):

         

           bash

​

           #!/bin/bash

           echo "Enter a directory to back up:"

           read directory

           tar -czf backup.tar.gz $directory

​

           If an attacker enters ; rm -rf / as input, the script would execute:

           

           bash

​

           tar -czf backup.tar.gz ; rm -rf /

​

​

           This could lead to system-wide file deletion.     

​

       2. Improper File Permissions: If sensitive files or scripts have improper permissions, attackers can modify or replace them.

           For example, a script with write permissions for non-privileged users can be modified by an attacker to include malicious commands.

 

           bash

   

 

           chmod o+w /usr/local/bin/cleanup.sh

​

​

           An attacker could then replace the script with one that deletes critical files or opens a reverse shell.

​

       3. Race Condition in tmp Directory: A race condition vulnerability can arise if a script assumes

           that a file is created in a specific order or location, allowing attackers to manipulate files in /tmp. 

​

           For example, if a script creates a temporary file and writes to it using a predictable name, an

           attacker could create a symbolic link or overwrite the file before the script writes to it.

Mitigation Techniques:

 

1. Secure File and Directory Permissions: Ensure that critical files and scripts are not writable by

    non-administrative users.  For example:

 

    bash

​

    chmod 700 /usr/local/bin/cleanup.sh

​

 2. Validate and Sanitize Input: Always validate user input before using it in system commands. Use

     proper sanitization techniques to avoid command injection.

 

     bash

​

​

    if [[ "$directory" =~ ^/[a-zA-Z0-9/_-]+$ ]]; then

         tar -czf backup.tar.gz "$directory"

    else

         echo "Invalid directory."

         exit 1

    fi

​

3. Use Absolute Paths for Commands: Always use absolute paths for system commands to avoid the

    risk of executing unintended binaries if the PATH is manipulated.

​

    bash

​

 

    /bin/rm -rf /var/log/*

​

​

4. Avoid Using rm -rf: Instead of using rm -rf on directories, use safer alternatives or check that the files being removed are indeed the        ones intended to be cleaned up.

​

5. Apply Proper Logging and Monitoring: Log every execution of privileged scripts and monitor for any unusual or unauthorized activity.        Use tools like auditd to track access to critical files.

​

6. Avoid Use of chmod 777 on Critical Files: Avoid using overly permissive file modes, such as chmod 777, on scripts or sensitive files.

 

7. Create Immutable Files for Critical System Files: Use chattr to make critical files immutable,

    preventing modifications.

 

    bash

​

    chattr +i /etc/passwd

​

​

8. Ensure Secure Temporary Directories: Mount /tmp as noexec, nosuid, and nodev to minimize

    risks of file manipulation or execution:

​

    bash

​

    mount -o noexec,nosuid,nodev tmpfs /tmp

 

Example of a Secure Script

​

Here’s how the cleanup.sh script can be securely implemented:

   

    bash

     

    #!/bin/bash

    # Exit on errors, unset variables, or pipe failures

    set -euo pipefail

​

    # Ensure that the script cannot be manipulated by unauthorized users

i    f [[ $(id -u) -ne 0 ]]; then

    echo "This script must be run as root."

    exit 1

    fi

 

    # Ensure the /var/log/ directory exists and is writable

    if [[ ! -d /var/log/ ]]; then

    echo "Log directory does not exist."

    exit 1

    fi

   # Clean only specific log files, not entire directory

   find /var/log/ -name "*.log" -exec rm -f {} \;

 

    echo "Log cleanup completed."

bottom of page