3

Assuming that I can delete arbitrary files on a linux system as a non-privileged user, what methods exist to escalate my privileges this way?

2 Answers

4

A great candidate is anything in a directory with the "sticky" bit (typically /tmp and /var/tmp). The sticky bit on a directory causes files to only be renamable or deletable by their owner (typically, renaming or deleting - or creating - a file only requires the "write" permission on the directory, and no permissions on the file itself are needed). This is commonly used on temp directories and anywhere else that multiple users are expected to be able to write, but not to interfere with one another. Since each user's umask presumably prevents other users from writing to their files, and since the sticky bit prevents anybody from replacing the files, multiple mutually-distrusting users can share a common directory (so long as they don't ever need to create two files with the same name).

With your vulnerability, you can bypass the sticky bit on the directory. Find a file owned by another user (presumably root, but it could be any user you don't have total control over) that looks like it will be read[*] again in the future. Create your own version of that file, with content of your choosing. Using your vulnerability, delete the file from the sticky directory, and then replace it with your own file (or a link to it). Make sure permissions on your file are such that the normal owner of that file can open it with the expected permissions, of course!

Note that you might need to win a "race" to do this. For example, if a program downloads a script or binary to a temp file, and later executes it, this can get you arbitrary code execution as another user, but you have only a very narrow window to replace the file with your own (and technically might not have one at all, if they hold an open file descriptor on the temp file and use fexecve, but most programs aren't that smart). On the other hand, you can potentially try as many times as you need, and you can automate the attack by monitoring the directory for changes and acting automatically after the target file appears.

[*] Or written to! If a privileged program is going to write something - ideally something you can control - to a temp file, then by replacing the temp file with a symlink to some other file, you can overwrite arbitrary files even in locations where you can't create files at all.
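The answer above points out the one defence that closes the window: a program that keeps the descriptor it obtained when it created the temp file, and acts on that descriptor rather than on the path, cannot be redirected by a delete-and-replace in the sticky directory. The following C program is an added example (not code from the answer or from any project) that shows the check from the defender's side: it creates a private temp file with `mkstemp`, then compares the held descriptor against what is currently at the path (same device and inode, regular file, not a symlink), and simulates the entry being deleted and re-created under the same name to show the mismatch being detected. The helper names `dir_is_sticky`, `fd_matches_path`, `create_private_tempfile` and `demo_detect_replacement` are hypothetical, and the path prefix `/tmp/safe-tmp-demo-` is a constructed value.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; hypothetical helpers, not from the original answer. */

/* Returns 1 if 'dir' has the sticky bit set, 0 if it does not,
 * -1 if it cannot be stat'ed or is not a directory. */
int dir_is_sticky(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & S_ISVTX) ? 1 : 0;
}

/* Returns 1 if the open descriptor 'fd' and the directory entry at 'path'
 * are the same regular file (same device and inode, and the entry is not
 * a symlink); 0 if the entry was deleted, replaced or turned into a link;
 * -1 if 'fd' itself is not valid. The fd is the source of truth: a caller
 * that keeps using it (e.g. via fexecve) is unaffected by what the path
 * now points at. */
int fd_matches_path(int fd, const char *path)
{
    struct stat fs, ps;
    if (fstat(fd, &fs) != 0)
        return -1;
    if (lstat(path, &ps) != 0)
        return 0;                        /* entry is gone */
    if (!S_ISREG(fs.st_mode) || !S_ISREG(ps.st_mode))
        return 0;                        /* replaced by a symlink or other type */
    return (fs.st_dev == ps.st_dev && fs.st_ino == ps.st_ino) ? 1 : 0;
}

/* Creates a private temp file atomically (mkstemp uses O_EXCL) and returns
 * the descriptor. 'template' is modified in place to the chosen name. */
int create_private_tempfile(char *template)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0) {         /* explicit owner-only permissions */
        close(fd);
        unlink(template);
        return -1;
    }
    return fd;
}

/* Walks through the scenario from the answer: a program writes a temp file,
 * the entry is deleted and another file appears under the same name, and
 * the program notices because its held fd no longer matches the path.
 * Returns 1 if the replacement was detected, 0 if not, -1 on setup error. */
int demo_detect_replacement(void)
{
    char path[] = "/tmp/safe-tmp-demo-XXXXXX";   /* constructed template */
    int fd = create_private_tempfile(path);
    if (fd < 0)
        return -1;
    const char *payload = "#!/bin/sh\necho hello\n";   /* constructed content */
    if (write(fd, payload, strlen(payload)) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }

    int before = fd_matches_path(fd, path);   /* expected: 1 */

    /* Simulate the delete-and-replace in our own file: the name is reused,
     * but the held fd still refers to the original inode. */
    unlink(path);
    int other = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (other < 0) {
        close(fd);
        return -1;
    }
    close(other);

    int after = fd_matches_path(fd, path);    /* expected: 0 */

    close(fd);
    unlink(path);
    return (before == 1 && after == 0) ? 1 : 0;
}

int main(void)
{
    printf("/tmp sticky bit set: %d\n", dir_is_sticky("/tmp"));
    printf("replacement detected: %d\n", demo_detect_replacement());
    return 0;
}
```

The design point is that `fd_matches_path` is only a diagnostic; the real protection is never re-opening by path once the file has been created, so that later reads, writes or `fexecve` calls go through the descriptor the program already holds.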

0

"Cron script overwriting and symlink": https://book.hacktricks.xyz/linux-unix/privilege-escalation#cron-script-overwriting-and-symlink

2
  • Hi Nexx - link-only answers are of low value here and likely to be deleted. Can you edit your post with a summary of the method? Commented Apr 3, 2022 at 9:25
  • This requires write access. Commented Apr 3, 2022 at 11:08
