#10
10-31-2007
goarilla

Re: Secure $PATH for regular user

goarilla wrote:
> Moe Trin wrote:
>
>> The dot (".") in the PATH (or ending the PATH with a colon ":" which
>> has the same effect) I can agree should not be in the PATH. Why do
>> you feel that the individual user's home/bin directory should not be
>> in the PATH. What exploit are you assuming is possible due to this?
>> Most sane setups do not have that directory writable by other than
>> the owner, and placing nasties there requires the same elevated
> > permissions that are needed to replace system binaries in /bin/ or
> > similar. Hence, if they can screw up the users ~/bin, they can also
> > screw the entire system. What's the point?

>
> huh system directories are owned and writeable only by root
> directories in the home directory are writeable by the user of that
> directory
> meaning: in case of system dirs the euid has to be root to dump
> malicious executables
> in case of the home dir, the euid can be root or the owner (normal user).
> this means an exploited program running as a normal user can dump an
> executable
> in that directory, if the attacker puts common unix executables in there
> and if that dir is put in PATH
> like this PATH="~/bin:$PATH". then you can be royally fucked, this is
> especially true if your sudo is configured very pragmatically eg the
> user is part of a group or can sudo anything without PASSWORD eg:
> ALL=(ALL) NOPASSWD:ALL
>
> now the attacker instead of actively trying to attack local running root
> processes
> or using exploits on executable SUID programs can just replace a common
> tool like
> iptables,lspci,ifconfig,kill,killall,... with a version that does the
> same but also launch a reverse shell running as ROOT
> now he can just go to bed and wait till the unknowing user uses sudo
> (unknowingly) on the malicious binary
>
> yes this is dangerous !
>
>
>


my apologies for the incorrect quoting
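Added example, not part of the original post: a Python audit of the condition discussed in this thread, reporting PATH entries that mean the current directory or that someone other than a trusted owner can write to, and which commands in those directories are found before a same-named file later in PATH. The function names are hypothetical, and treating uid 0 as the only trusted owner is an assumption.

```python
import os
import stat

def untrusted_can_write(st, trusted_uids):
    """True if the owner is not trusted, or group/other have write permission."""
    return (st.st_uid not in trusted_uids
            or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))

def audit_path(path, trusted_uids=(0,)):
    """Audit a colon-separated PATH string (trusted_uids default is an assumption).

    Returns (findings, shadows):
      findings: (index, entry, reason) for each risky PATH entry
      shadows:  (command, risky_dir, shadowed_dir) for each executable in a
                risky directory that hides a same-named file later in PATH
    """
    entries = path.split(":")
    findings, shadows = [], []
    for i, entry in enumerate(entries):
        if entry in ("", "."):
            # An empty entry (leading/trailing ":" or "::") means the current directory.
            findings.append((i, entry, "current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((i, entry, "relative path"))
            continue
        try:
            st = os.stat(entry)
            names = sorted(os.listdir(entry))
        except OSError:
            continue  # missing or unreadable entry: nothing to inspect
        if not untrusted_can_write(st, trusted_uids):
            continue
        findings.append((i, entry, "writable by a non-trusted user"))
        for name in names:
            candidate = os.path.join(entry, name)
            if not (os.path.isfile(candidate) and os.access(candidate, os.X_OK)):
                continue
            for later in entries[i + 1:]:
                if os.path.isabs(later) and os.path.isfile(os.path.join(later, name)):
                    shadows.append((name, entry, later))
                    break
    return findings, shadows

if __name__ == "__main__":
    findings, shadows = audit_path(os.environ.get("PATH", ""))
    for i, entry, reason in findings:
        print(f"PATH[{i}] {entry!r}: {reason}")
    for name, risky, hidden in shadows:
        print(f"{name}: {risky} is searched before {hidden}")
```

Where sudoers sets `secure_path`, sudo searches that list instead of the caller's PATH, so run the audit against that value as well.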