
How cyber attacks can exploit weak Linux defenses

Misconfigurations, insecure scripting and privilege escalation vulnerabilities are among the most common ways Linux systems get compromised. One frequent case is abuse of poorly secured shell scripts used for system automation or administration: they run as root, on a schedule, and often operate on files that unprivileged users are free to create.

Vulnerable Scenario:

A system administrator writes a shell script that cleans up temporary files and schedules it in the system crontab (/etc/crontab), where it runs as root.

Vulnerable Script (/usr/local/bin/cleanup.sh):

#!/bin/bash
rm -rf /tmp/*   # Deletes every non-hidden entry in /tmp (the glob does not match dotfiles)

Cron Job Entry:

# Runs cleanup.sh every hour as root (system crontab format: the sixth field is the user)
0 * * * * root /usr/local/bin/cleanup.sh

The Attack Scenario

  • Malicious file in /tmp: /tmp is world-writable, so any local user can plant a symbolic link there that points at a file only root may touch:

       ln -s /etc/passwd /tmp/malicious_link

  • Execution of cleanup.sh: When cron runs the script as root, the shell expands /tmp/* and rm -rf receives /tmp/malicious_link as one of its arguments.

  • Result:

    • Not the one the attacker wants from rm alone: rm never follows a symbolic link named on its command line, it unlinks the link itself. /tmp/malicious_link disappears and /etc/passwd is untouched.

    • The planted link becomes dangerous the moment the privileged script does anything that dereferences the path instead of unlinking it. A shell redirection (echo done > /tmp/status), cp, tee, cat, chmod, and chown without -h all act on the link target. A root script that writes to a predictable name in /tmp can therefore be made to truncate /etc/passwd, which locks every user out, or, if the attacker can influence what is written, to append a line that defines a new UID 0 account.

    • The same applies to a cleanup script that is later extended to chown or chmod what it finds in /tmp, and to any file the script itself creates there under a fixed name.
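
To see what actually happens, here is an added demonstration that is not part of the original page. It rebuilds the scenario unprivileged under a scratch directory created with mktemp -d; the names $work/tmp and $work/secret and the helper functions are constructed for the demo and stand in for /tmp and /etc/passwd. It checks three things: rm -rf on the planted link removes only the link, a shell redirection through the same link truncates the target, and set -C (noclobber) makes that redirection fail instead.

```sh
#!/bin/sh
# Added demonstration (not part of the original page): reproduce the scenario
# unprivileged, under a scratch directory from mktemp -d, to see what
# "rm -rf /tmp/*" really does to a planted symlink and which operations do
# follow it. Stand-ins: $work/tmp plays /tmp, $work/secret plays /etc/passwd.
set -u

# Build the scratch layout and print its path. All names are constructed for the demo.
make_scene() {
    work=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/secret"
    mkdir "$work/tmp"
    ln -s "$work/secret" "$work/tmp/malicious_link"   # what the attacker plants
    printf '%s\n' "$work"
}

# rm(1) unlinks a symlink given as an argument; it never follows it.
# Returns 0 when only the link is gone and the target still has its contents.
symlink_survives_rm() {
    work=$(make_scene)
    rm -rf "$work/tmp"/*            # exactly what cleanup.sh runs as root
    rc=1
    if [ -s "$work/secret" ] && [ ! -L "$work/tmp/malicious_link" ]; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

# A privileged script that writes *through* the path (shell redirection, cp,
# tee, chmod, chown without -h ...) dereferences the link. Returns 0 when the
# redirection empties the target while the link itself is untouched.
symlink_redirect_clobbers_target() {
    work=$(make_scene)
    : > "$work/tmp/malicious_link"  # e.g. "echo done > /tmp/status" in a root script
    rc=1
    if [ -L "$work/tmp/malicious_link" ] && [ ! -s "$work/secret" ]; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

# Mitigation for the write case: with noclobber (set -C) the shell refuses ">"
# on an existing regular file and otherwise opens with O_EXCL, so a planted
# link is rejected instead of followed. Returns 0 when the target is intact.
noclobber_refuses_symlink() {
    work=$(make_scene)
    ( set -C; : > "$work/tmp/malicious_link" ) 2>/dev/null   # expected to fail
    rc=1
    if [ -s "$work/secret" ]; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

for check in symlink_survives_rm symlink_redirect_clobbers_target noclobber_refuses_symlink; do
    if "$check"; then echo "$check: as expected"; else echo "$check: unexpected result"; fi
done
```

Run it as an ordinary user; nothing outside the scratch directory is touched. noclobber only guards shell redirections, so for cp, tee, chown and friends the script has to avoid attacker-writable paths altogether (mktemp, or a root-owned working directory).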

More Exploitation Scenarios

  1. Unquoted Environment Variables: If the script builds the target path from a variable it neither validates nor quotes:

       # Vulnerable usage in cleanup.sh
       rm -rf $TARGET_DIR/*

     an attacker who controls the environment the script runs in (cron supplies an almost empty one, but a sudo rule with env_keep, a wrapper script, or a sourced profile can pass variables through) can redirect the deletion. Pointing TARGET_DIR at /etc turns the line into rm -rf /etc/*, and an unset or empty TARGET_DIR turns it into rm -rf /*. A value such as:

       export TARGET_DIR="/; rm -rf /home/admin"

     does not inject a second command, because the shell never re-parses an expanded variable for ; or |. What it does do is split the value on whitespace and glob each word, so rm is called with the arguments /;, rm, -rf and every file matching /home/admin/*. The first three fail harmlessly; /home/admin is still emptied.

    2. Abusing Writable Scripts: If the script, or any directory on the path to it, is writable by non-root users, for example after a careless:

          chmod o+w /usr/local/bin/cleanup.sh

       any local user can replace its contents, and cron will run the replacement as root within the hour:

          echo "rm -rf /" > /usr/local/bin/cleanup.sh

       The payload is the attacker's choice (GNU rm even refuses rm -rf / unless --no-preserve-root is given); what matters is that any command they write now runs as root.

   3. Path Manipulation: If the script calls utilities like rm by bare name instead of by absolute path:

          rm -rf /tmp/*

       the shell resolves rm through PATH. Whoever controls the PATH of the process that starts the script (an interactive sudo invocation without secure_path, a PATH that contains "." or a world-writable directory, a wrapper that prepends its own directory) can place a fake rm earlier in PATH and have it executed as root. Setting PATH explicitly at the top of the script, or calling /bin/rm, removes that dependency. cron supplies its own minimal PATH, so this mostly bites scripts that are also run by hand through sudo.
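
The three scenarios above, as an added demonstration that is not part of the original page. All paths are scratch directories from mktemp -d, $work/home_admin stands in for /home/admin, and the function names are the example's own; it assumes a Linux system with GNU coreutils stat. It shows that the injected TARGET_DIR value is split and globbed rather than parsed as a second command, that ${VAR:?} aborts on an empty value, how a cron script's owner and mode can be checked against the "root-owned, chmod 700" rule, and that a directory prepended to PATH makes a planted rm win the lookup.

```sh
#!/bin/sh
# Added demonstration (not part of the original page) of the three scenarios
# above, run unprivileged under mktemp -d scratch directories. Nothing outside
# those directories is touched. Assumes a Linux box with GNU coreutils stat(1).
set -u

# Scenario 1: capture what the shell hands to rm for the unquoted expansion
# "rm -rf $TARGET_DIR/*" by using "set --" instead of calling rm. Prints the
# argument count. $work/home_admin stands in for /home/admin.
expand_target_dir() {           # $1 = "quoted" or "unquoted"
    work=$(mktemp -d)
    mkdir "$work/home_admin"
    : > "$work/home_admin/a"
    : > "$work/home_admin/b"
    TARGET_DIR="/; rm -rf $work/home_admin"     # the value from the text
    if [ "$1" = unquoted ]; then
        set -- $TARGET_DIR/*    # split on whitespace, then each word is globbed:
                                # "/;" "rm" "-rf" ".../home_admin/a" ".../home_admin/b"
    else
        set -- "$TARGET_DIR"/*  # one literal argument that matches no directory
    fi
    n=$#
    rm -rf "$work"
    echo "$n"
}

# Scenario 1, the other failure mode: an empty or unset variable would give
# "rm -rf /*". ${VAR:?} aborts instead; the subshell keeps the abort local.
guarded_target_ok() {
    ( : "${1:?TARGET_DIR must be set and non-empty}" ) 2>/dev/null
}

# Scenario 2: true only if FILE is a regular file owned by uid WANT (default
# 0, root) and writable by nobody but its owner, i.e. what "chmod 700" plus
# root ownership gives. Uses GNU stat -c.
script_perms_ok() {
    f=$1; want=${2:-0}
    [ -f "$f" ] || return 1
    uid=$(stat -c %u "$f") || return 1
    mode=$(stat -c %a "$f") || return 1
    [ "$uid" = "$want" ] || return 1
    [ $(( (mode / 10) % 10 & 2 )) -eq 0 ] && [ $(( mode % 10 & 2 )) -eq 0 ]
}

# Scenario 3: a writable directory early in PATH lets an attacker's "rm"
# shadow /bin/rm for any script that calls rm by bare name. Prints "hijacked"
# when the lookup resolves to the planted file, "real" otherwise. The PATH
# change is confined to a subshell.
resolve_rm_with_hijacked_path() {
    work=$(mktemp -d)
    printf '#!/bin/sh\necho "attacker code running as $(id -un)"\n' > "$work/rm"
    chmod 755 "$work/rm"
    found=$(PATH="$work:$PATH"; command -v rm)
    rm -rf "$work"
    if [ "$found" = "$work/rm" ]; then echo hijacked; else echo real; fi
}

echo "unquoted: $(expand_target_dir unquoted) args, quoted: $(expand_target_dir quoted) arg"
echo "PATH lookup with a planted directory first: $(resolve_rm_with_hijacked_path)"
```

script_perms_ok is the check to run over every script referenced from /etc/crontab, /etc/cron.d and sudoers; the directory holding the script deserves the same test, because a writable directory lets the file be swapped even when the file itself is read-only.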

How to Mitigate:

  1. Use sudo Carefully:

  •    Do not grant blanket NOPASSWD: ALL rules so that a script can run; allow the one command that is needed, by its full path.

  •    Keep sudo's env_reset and secure_path defaults in place so the caller cannot push PATH or other variables into the privileged script.

   2. Restrict Permissions:

     Scripts started by cron or sudo, and the directories that hold them, must be owned by root and writable by root only:

          chmod 700 /usr/local/bin/edit_logs.sh

   3. Validate User Input:

     Allow-list what a parameter may contain before it touches a path, quote every expansion, and end option parsing with -- so that a value such as --help is not read as an option (the pattern below rejects / and so cannot leave the current directory):

          if [[ "$filename" =~ ^[a-zA-Z0-9._-]+$ ]]; then
               cat -- "$filename"
          else
               echo "Invalid filename"
          fi

   4. Use Secure Temporary Files:

     Never write to a fixed, predictable name under /tmp, where another user may have planted a file or link first; let mktemp create a fresh file (unguessable name, mode 600) and work on that:

          TEMP_FILE=$(mktemp)

   5. Avoid Using Wildcards in rm:

  •    Use explicit file names instead of rm -rf *, or let find select the entries and remove them with -delete. Where a glob is unavoidable, put -- before it: otherwise a file named -rf or --no-preserve-root is read as an option.

   6. Ensure Scripts Run with Least Privilege:

  •    Use sudo -u limited_user instead of running everything as root, and give that user write access only to the directories the job actually has to clean.
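
Applying the list above to the page's own cleanup.sh gives the following hardened version, an added example rather than the page's or any project's code. It assumes GNU find for -mindepth and -delete; the cleanup_dir function and its deny-list of top-level directories are the example's own choices.

```sh
#!/bin/sh
# Added example (not part of the original page): the page's cleanup.sh rewritten
# to follow the mitigations listed above. Assumes GNU find (-mindepth, -delete).
# cleanup_dir DIR [DAYS] removes entries under DIR older than DAYS (default 7):
# no shell glob reaches rm, no filesystem boundary is crossed, symbolic links
# are unlinked rather than followed, and DIR itself is never removed.
set -u
PATH=/usr/bin:/bin
export PATH                    # fixed lookup path: a caller's PATH is ignored

cleanup_dir() {
    dir=${1:-}
    days=${2:-7}
    if [ -z "$dir" ]; then      # an empty variable must not become "rm -rf /*"
        echo "usage: cleanup_dir DIR [DAYS]" >&2
        return 2
    fi
    case $dir in                # deny-list of obvious mistakes, not a substitute for the checks below
        /|/bin|/boot|/etc|/home|/lib|/root|/usr|/var)
            echo "refusing to clean $dir" >&2
            return 2 ;;
    esac
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then   # a real directory, not a link to one
        echo "$dir is not a directory" >&2
        return 2
    fi
    # -xdev: stay on one filesystem; -mindepth 1: keep DIR itself; -mtime: only
    # entries untouched for DAYS days; -delete: implies -depth, never follows a
    # symlink (the link is unlinked), and needs no "--" because nothing is globbed.
    find "$dir" -xdev -mindepth 1 -mtime "+$days" -delete
}

# Run directly as "cleanup.sh /tmp 7"; with no arguments it only defines the function.
if [ $# -gt 0 ]; then
    cleanup_dir "$@"
fi
```

The cron line stays the same; what changes is that the script no longer trusts its environment, never expands a glob into rm, and cannot be steered at / by an empty variable. If other users' files must be left alone, add -user to the find expression or run the job as a dedicated account as item 6 suggests.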

A hardened edit_logs.sh (the editor itself still runs as root, so this belongs only in the hands of an administrator who could edit the log anyway):

#!/bin/bash
# Meant to be started as root, e.g. "sudo /usr/local/bin/edit_logs.sh"; it
# does not call sudo itself, so there is no second privilege boundary inside.
set -euo pipefail
PATH=/usr/sbin:/usr/bin:/sbin:/bin   # fixed PATH: the caller's lookup path is ignored
umask 077                            # anything created here is readable by root only

LOG_FILE="/var/log/syslog"           # fixed target; never taken from the caller
TEMP_FILE=$(mktemp)                  # fresh, unpredictable name instead of a fixed /tmp path
trap 'rm -f "$TEMP_FILE"' EXIT       # never leave the private copy behind

# The target path cannot be manipulated (it is hard-coded), but it must be a regular file
if [[ ! -f "$LOG_FILE" ]]; then
    echo "Log file does not exist."
    exit 1
fi

# Work on a private copy instead of changing ownership of the live file
cp "$LOG_FILE" "$TEMP_FILE"
chmod 600 "$TEMP_FILE"

nano "$TEMP_FILE"

# Put the edited copy in place and keep the log readable by root only.
# The syslog daemon keeps writing to the old inode until it is told to reopen its files.
mv "$TEMP_FILE" "$LOG_FILE"
chmod 600 "$LOG_FILE"

echo "Editing completed securely."
