During a recent pentest my team found the password of a user which allowed us to log into a server via SSH. This user was permitted through `sudo` to run a few commands as root without a password, including the `find` command.

The `find` command has an `-exec` flag which will pass the found files to the command specified. We were able to run `sudo find . -exec /bin/bash \; -quit` which gave us a root shell in bash.

What's the best way to mitigate such a vulnerability? My first thought was to replace the `find` binary with one compiled without the `-exec` flag, but I'm not seeing an official package to install to accomplish that. Is disallowing `find` through `sudo` the best path forward? Requiring a password for `find` might be adequate.
from hacking: security in practice https://ift.tt/e9b3nDN
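As an added audit example (not code from the post or its thread), the script below parses sudoers-style user specs and flags the rule shape the post describes: `find` runnable via `sudo` with unpinned arguments, reporting separately a missing password requirement and a missing `NOEXEC` tag. The sample rules are constructed; `NOEXEC` is sudo's own tag for blocking child processes, which only covers dynamically linked programs.

```python
import re

# Constructed sample sudoers content (not from the post). The alice line has the
# shape of rule the post describes: find runnable as root with no password.
SAMPLE_SUDOERS = """\
Defaults env_reset
alice ALL=(root) NOPASSWD: /usr/bin/find, /usr/bin/systemctl
bob   ALL=(ALL) /usr/bin/find /var/log -name access.log
carol ALL=(root) NOEXEC: NOPASSWD: /usr/bin/find
dave  ALL=(root) /usr/bin/find
erin  ALL=(root) NOPASSWD: /usr/bin/find /var/log -name *.log
"""
SHELL_ESCAPES = {"find"}   # binaries whose sudo use can yield a shell; the post's case
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC", "EXEC": "NOEXEC"}

def parse_user_specs(text):
    """Yield (user, runas, tags, command) for every command in every user spec."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        who, rhs = line.split("=", 1)
        m = re.match(r"\s*\(([^)]*)\)\s*(.*)", rhs)
        runas, cmds = (m.group(1), m.group(2)) if m else ("root", rhs.strip())
        tags = set()                  # sudoers tags persist across the command list
        for cmd in cmds.split(","):
            tokens = cmd.split()
            while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAGS:
                tag = tokens.pop(0)[:-1]
                tags.discard(OPPOSITE.get(tag, ""))
                tags.add(tag)
            if tokens:
                yield who.split()[0], runas, frozenset(tags), " ".join(tokens)

def audit(text):
    """Flag shell-escape binaries whose arguments are not pinned, per missing control."""
    findings = []
    for user, runas, tags, cmd in parse_user_specs(text):
        words = cmd.split()
        prog = words[0].rsplit("/", 1)[-1]
        # Exact, wildcard-free args cannot get -exec appended; sudoers wildcards match across spaces.
        pinned = len(words) > 1 and not any(c in cmd for c in "*?")
        if prog not in SHELL_ESCAPES or pinned:
            continue
        if "NOPASSWD" in tags:
            findings.append(f"{user}: {prog} as {runas} without password")
        if "NOEXEC" not in tags:
            findings.append(f"{user}: {prog} as {runas} may spawn subprocesses (add NOEXEC)")
    return findings
```

Run `audit()` over `/etc/sudoers` and each file in `/etc/sudoers.d/`; `@include` directives and aliases are not expanded here.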