Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

LPEs in needrestart - 1549

Qualys, posted 1 year ago
  • needrestart is a tool that probes the system to see if the system or a service needs to be restarted. It is called during apt-get upgrade when a shared library no longer exists on the system. The authors of this post found 3 LPEs in the application, which runs as root.
  • To determine whether a Python process needs to be restarted, needrestart extracts the PYTHONPATH variable from that process's environment and then runs the Python interpreter with a preloaded script. Since an attacker can set the variable for their own process and the interpreter honours it, we can put our own binary at this path and have it executed as root. The same issue exists in Ruby as well.
  • To determine whether a process is Python or not, it reads the process's /proc/pid/exe link and matches it against a regular expression. A previous vulnerability here was that the regex was not anchored at the beginning and end. The authors realized there is also a time-of-check vs. time-of-use (TOCTOU) issue: the verification step can read one path while the execution step uses another, because the target can be switched out in between. Both Python and Ruby were vulnerable to this attack.
  • In Perl, the functionality is different from the other two. Instead, needrestart calls into scan_deps to analyze a Perl script, which reads its source files recursively. Unfortunately, it fell victim to a really bad Perl pitfall: insecure use of file operations. In Perl, open() will execute bash commands if there is a pipe (|) in the filename. By passing in /home/jane/perl| as the file name to read, the bash command gets run. Crazy!
  • After finding the insecure use of open, there were several eval() calls vulnerable to code injection as well. It's interesting how these vulns got through - many of them are fairly simple issues that I thought had died out years ago.
  • I love the Qualys posts. Straight to the point on the vulnerability with zero fluff. They keep finding really bad vulnerabilities in things on Ubuntu. On the Day Zero Podcast, they mentioned that the easiest way was the kernel for a long time. Since that has been hardened, people have started looking elsewhere, such as the userland apps that run as root.
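The Perl open() pitfall from the notes above, shown as an added example (my own snippet, not code from the Qualys post or from needrestart): the two-argument form lets the filename carry the mode, so a constructed name ending in a pipe is run as a command, while the three-argument form with an explicit '<' mode only ever treats the string as a path. The filename and the `read_two_arg`/`read_three_arg` helpers are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the Qualys post or needrestart.
use strict;
use warnings;

# Constructed filename: with two-argument open() a trailing pipe
# means "run this as a shell command and read its stdout".
my $name = "echo constructed-shell-output |";

# Vulnerable pattern (what the scan_deps code path did): the mode is
# parsed out of the filename itself, so "cmd |" spawns a shell.
sub read_two_arg {
    my ($file) = @_;
    open(my $fh, $file) or return "open failed: $!";
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

# Hardened pattern: an explicit '<' mode, so the name is a literal path.
# A file literally called "echo constructed-shell-output |" does not
# exist, so this returns an ENOENT error and nothing is executed.
sub read_three_arg {
    my ($file) = @_;
    open(my $fh, '<', $file) or return "open failed: $!";
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

print "two-arg:   ", read_two_arg($name);
print "three-arg: ", read_three_arg($name), "\n";
```

The same rule applies to any call that takes a mode out of a user-controlled string (two-argument open, the "-|" / "|-" forms, and backticks); grep for `open(` with only two arguments when reviewing Perl that runs as root.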