checking for user-writable files and directories

Question

checking for user-writable files and directories

rudeyak opened this issue 8 years ago · 3 comments

Hi, there. I love the idea of this project, thought I'd offer a contribution. Whenever I test for vulnerable sudo configurations, a helpful check is to see if I am able to overwrite a sudo-enabled command with my own. Below is a small script I wrote to automate that process, would be neat if something along the same lines was part of yodo!

Cheers,

Erick.


#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

VICTORY=1
for POTENTIAL in `sudo -l | awk '{for (i = 1; i <= NF; i++) print $i}'|grep -e ^/|sed -e "s/,$//"`
do
        >&2 echo "Testing [${POTENTIAL}]..."
        # if we can write to this, it's game over
        sudo -l $POTENTIAL > /dev/null 2> /dev/null
        if [ $? -eq 0 -a -w $POTENTIAL -a -x $POTENTIAL ] ; then
                echo "[*] $POTENTIAL is writable and executable, likely privesc issue for command ${POTENTIAL}"
                VICTORY=0
        fi
        # if we can't write to the executable file itself, maybe we can write to one of its parent directories
        DIRNAME=`dirname $POTENTIAL`
        while [ ! -z "${DIRNAME}" ] ;
        do
                >&2 echo "Testing [${DIRNAME}]..."
                if [ -w ${DIRNAME} ] ; then
                        echo "[*] ${DIRNAME} is writable, likely privesc issue for command ${POTENTIAL}"
                        VICTORY=0
                        break
                fi
                OLD_DIRNAME=${DIRNAME}
                DIRNAME=`dirname ${DIRNAME}`
                if [ "x${OLD_DIRNAME}" = "x${DIRNAME}" ] ; then
                        #we've reached /
                        break
                fi
        done
done
exit $VICTORY

Answer 1 · 2016-11-21T13:35:10.000Z

Hi rudeyak and thank you for the support :D
I would love to integrate this option in the menu!
what would you like to call it?

regards

b3

Answer 2 · 2016-11-21T16:17:28.000Z

I get to name something? Cool! Hmm... how about "vulnerable script permissions" or something to that effect?

Get Outlook for iOShttps://aka.ms/o0ukef

On Mon, Nov 21, 2016 at 7:35 AM -0600, "b3rito" <notifications@github.com mailto:notifications@github.com> wrote:

Hi rudeyak and thank you for the support :D
I would love to integrate this option in the menu!
what would you like to call it?

regards

b3

You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHubhttps://github.com//issues/1#issuecomment-261939938, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AJl4ONKtBbX-tYe7xzrYgI_xTSURaPWKks5rAZ4OgaJpZM4K3dYZ.

Answer 3 · 2016-11-22T15:52:09.000Z

VSP = Vulnerable Script Permissions added + contributor ;)

regards

b3