Bypass /etc/passwd Script

TL;DR

This guide explains how to bypass a command or script specified in the shell field of `/etc/passwd`. This is a serious security vulnerability. We’ll cover identifying the issue, understanding its impact, and methods for exploitation and mitigation.

Identifying the Vulnerability

1. Examine /etc/passwd: Use a text editor or command-line tool to view the `/etc/passwd` file. Look for unusual entries in the shell field (the last colon-separated value). A normal shell would be something like /bin/bash, /bin/sh, /bin/zsh.
2. Suspicious Shells: Pay attention to shells that are scripts or point to unexpected locations. For example, /path/to/some_script.sh or /usr/local/bin/custom_command.
3. Check Permissions: Verify the permissions of any suspicious script identified in `/etc/passwd`. If it’s executable by a user who shouldn’t have access, that’s a red flag.

   ls -l /path/to/some_script.sh

Understanding the Impact

If an attacker can control the script specified in `/etc/passwd` for their user, they effectively have a root shell when they log in. This is because the system executes that script instead of a normal interactive shell.

Exploitation Methods

1. Script Modification (if writable): If you have write access to the script specified in `/etc/passwd`, you can modify it to execute arbitrary commands.
   • Add Commands: Add lines to the script that will run when a user logs in.
   • Overwrite Script: Replace the entire script with your malicious code.
2. Exploiting Existing Functionality (if readable): If you can read the script, look for vulnerabilities within it.
   • Command Injection: Check if the script uses user input without proper sanitization. This could allow command injection.
   • File Inclusion: See if the script includes other files based on user-controlled data.
3. Privilege Escalation (if setuid): If the script is setuid root, any commands executed within it will run with root privileges.

   ls -l /path/to/some_script.sh

   Look for an ‘s’ in the permissions string (e.g., -rwsr-xr-x). This indicates setuid.

Mitigation Steps

1. Strict Shell Control: Ensure that only standard, trusted shells are allowed in `/etc/passwd`. Avoid using custom scripts as login shells.
2. Permissions Review: Regularly review the permissions of all files and directories on the system, especially those related to user accounts and authentication.
   • Restrict Write Access: Limit write access to `/etc/passwd` to only authorized administrators.
   • Remove Executable Permissions: Ensure that scripts in `/etc/passwd` are not executable unless absolutely necessary.
3. Input Validation: If you must use a script as a login shell, carefully validate all user input to prevent command injection and other vulnerabilities.
4. Regular Audits: Conduct regular security audits of the system to identify and address potential vulnerabilities.

   sudo auditctl -w /etc/passwd -p wa -k passwd_changes

   This example sets up auditing for changes to `/etc/passwd`.

5. Use Strong Authentication: Implement strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of unauthorized access.