File read/write and prompt switch issues while using 'effective' user/group IDs

Bug Description
While trying to upload or download a file to which we have access through `euid` or `egid`, `pwncat` shows an access error.
pwncat version
$ pwncat --version
0.4.3
Target System (aka “victim”)
Regular Kali Linux as a VM
Steps to Reproduce
Steps to reproduce the behavior:
- Prepare a SUID binary for `bash` owned by `root`
- Get a session in `pwncat` using a normal user (non-`root`)
- Use that SUID binary to elevate your privileges
- Upload a test file to `/root`
- See the error
Expected Behavior
`pwncat` should upload the test file without any access errors

Screenshots
Found during KoTH
[screenshot: Read issue]
[screenshot: Write issue]
NOTE: I had updated the `PROMPTS` list for `zsh` and `default`, thus the prompt doesn't show `root` as the user (`$(whoami)`)
Possible solution
Before performing `upload` or `download`, we need to `refresh_uid()`.
In pwncat/platform/linux.py:
```python
class LinuxPath(pathlib.PurePosixPath):
    ...
    def readable(self):
        """Test if a file is readable"""

        # refresh the uid, to pick up any changes
        self._target.refresh_uid()

        ...
        # get the stats for the current path
        _stat = self.stat()

        file_uid = _stat.st_uid
        file_gid = _stat.st_gid
        file_mode = _stat.st_mode

        # check for uid, euid, gid, egid <<<<<
        ...

    def writable(self):
        """Test if the path is writable"""

        # refresh the uid, to pick up any changes
        self._target.refresh_uid()
        ...
        # get the stats for the current path
        _stat = self.stat()
        ...
```
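The check marked `<<<<<` above is the heart of the report: after a SUID escalation the session's real uid is still the unprivileged user, so a permission test keyed on `uid`/`gid` rejects files that the effective ids can in fact access. The following is an added example written for this page, not pwncat's own `LinuxPath` code; `Session`, `FileStat`, `has_access` and `reproduce_report` are constructed names. It implements the rwx-triplet rule the way the kernel applies it (effective uid/gid plus supplementary groups choose the triplet, euid 0 bypasses read/write), and a `use_effective=False` switch reproduces the reported failure by using the real ids instead.

```python
"""Added example: file permission check that honours effective IDs.

Constructed for this issue; not pwncat's LinuxPath implementation.
"""
import stat
from dataclasses import dataclass, field


@dataclass
class Session:
    """Credentials of the shell being driven (constructed stand-in for pwncat's target object)."""
    uid: int
    euid: int
    gid: int
    egid: int
    groups: frozenset = field(default_factory=frozenset)  # supplementary group ids


@dataclass
class FileStat:
    """The three stat fields the check needs (constructed stand-in for os.stat_result)."""
    st_uid: int
    st_gid: int
    st_mode: int


# rwx bit masks for each permission class, keyed by the access kind requested
_MASKS = {
    "owner": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def has_access(session, st, want, use_effective=True):
    """Return True if the session may access the file in mode `want` ('r', 'w' or 'x').

    use_effective=True follows the kernel rule: the effective uid/gid and the
    supplementary groups select the owner/group/other triplet, and euid 0 may
    read and write anything (execute still needs at least one x bit).
    use_effective=False keys the same logic on the real uid/gid, which is the
    behaviour the report describes after a SUID escalation.
    """
    if want not in ("r", "w", "x"):
        raise ValueError(f"unknown access kind {want!r}")

    uid = session.euid if use_effective else session.uid
    gid = session.egid if use_effective else session.gid

    if uid == 0:
        if want != "x":
            return True
        return bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

    if uid == st.st_uid:
        cls = "owner"
    elif gid == st.st_gid or st.st_gid in session.groups:
        cls = "group"
    else:
        cls = "other"
    return bool(st.st_mode & _MASKS[cls][want])


def reproduce_report():
    """Scenario from the report: uid 1000 ran a root-owned SUID bash (euid 0,
    egid unchanged) and tries to write into /root (root:root, mode 0700).
    Returns (result with real ids, result with effective ids)."""
    after_suid = Session(uid=1000, euid=0, gid=1000, egid=1000)
    root_dir = FileStat(st_uid=0, st_gid=0, st_mode=stat.S_IFDIR | 0o700)
    return (
        has_access(after_suid, root_dir, "w", use_effective=False),  # False: the bug
        has_access(after_suid, root_dir, "w", use_effective=True),   # True: expected
    )


if __name__ == "__main__":
    print("writable(/root) with real ids / effective ids:", reproduce_report())
```

Calling `reproduce_report()` gives `(False, True)`: the same directory is rejected when the check uses the real uid and accepted once it uses the effective uid, which is exactly the gap between the "Read issue"/"Write issue" screenshots and the expected behaviour. Note that the real uid plays no part in the kernel's decision, so a fix only needs the effective ids and the supplementary group list; checking the real ids as well would accept files the target process cannot actually open.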
Issue Analytics
- Created 2 years ago
- Comments: 10 (9 by maintainers)
Top GitHub Comments
If you have some time to do some independent testing of the above pull request, I’d appreciate it. The tests pass, and some anecdotal testing seems positive, but I haven’t thoroughly tested these changes yet.
I’m not sure what the best solution is here. There’s fundamentally two problems detailed here:
- `euid` permissions are lost during `Popen` calls due to `/bin/sh -c`
- `euid` set cannot read `/proc/$$/exe` regardless of using `/bin/sh -c`

Lost Permissions during `Popen`
I think this can be solved by simply not using `/bin/sh -c`. Looking at the code, I don’t think this is strictly speaking needed. The `shell` argument to `Popen` is documented as using `/bin/sh -c` to execute the command, but that is already effectively how commands are executed by pwncat anyway. I think this is fine to remove and effectively ignore the `shell` argument to `Popen`. I tried this locally, and at the very least all tests pass. I’m going to do a little more testing and then push a branch.

Failure to read `/proc/$$/exe`
This is a trickier problem. I’m not sure why we are unable to read that file. Interestingly, on my local machine (Arch Linux) this doesn’t happen, but in a Ubuntu container it does.

In the short term, I think that catching the `OSError` is the best course forward. If `readlink()` raises an exception, we can simply catch the `OSError` and fall back to the `SHELL` environment variable as was intended if that method fails. This doesn’t fix the problem, but it at least ensures pwncat doesn’t crash and lose your session. A sad side-effect of this is that in this situation, we lose the nice syntax highlighting as pwncat ends up falling back to assuming `SHELL=/bin/sh` in most cases. This isn’t the end of the world, and is mostly cosmetic, though.

In the long term, I need to implement a module to correct `euid != uid` situations. Since this doesn’t always work, the above needs to be implemented to ensure pwncat functions in that situation, but the real fix is just replacing `uid` with `euid` so we have the full permissions of the target user.