
Linux Privilege Escalation – Exploiting Shell Sessions

Introduction

The Linux shell (or terminal) is a program that receives commands from the user, gives them to the operating system to process, and then displays the output on the screen. To make life easier when interacting with a system through a shell, terminal multiplexers can be used. These are software applications that can combine several separate pseudoterminal-based login sessions inside a single terminal display. They are particularly useful when dealing with multiple programs from a command-line interface and for creating sub-processes that will continue running even when the user is disconnected. Their main purpose is to increase productivity by allowing users to run multiple programs within a single interface and switch between them seamlessly.

If a terminal multiplexer session is still active as a privileged user (or as a different user from the current one), a low-privileged user may be able to attach to it and elevate their access to that of the user the multiplexer session is running as.

Identifying Active Multiplexer Sessions

There are several tools that allow multiplexing of shell sessions, and most of these can potentially be exploited to escalate privileges:

  • GNU Screen
  • Tmux
  • Byobu
  • Abduco
  • DVTM
  • MTM

The commands below can be used to identify any running sessions that may be exploitable:

# List running sessions
screen -ls; tmux ls; byobu ls; abduco -l;
# List running multiplexer processes to identify the socket
ps aux | grep 'screen\|tmux\|byobu\|abduco\|dvtm\|mtm'

Exploitation

This section will demonstrate how to attach to an existing multiplexer session with some of the most common terminal multiplexing tools available for Linux. There are two main ways to exploit multiplexers and elevate privileges:

  • Attaching to a running session directly – this will not allow users to view other users’ sessions unless they are root.
  • Attaching to a running session through a non-default socket with insecure permissions set.

GNU Screen

GNU Screen is a terminal multiplexer, a software application that can be used to multiplex several virtual consoles, allowing a user to access multiple separate login sessions inside a single terminal window.

When listing running Screen sessions, it appears a “stef” session is running:

The following command can be used to attach to an existing Screen session:

Screen does not allow a session to be initiated if insecure permissions are set on the socket, and it also does not allow connecting by providing the socket path, so unfortunately this is the only way of potentially exploiting it.

Tmux

Tmux is an open-source terminal multiplexer for Unix-like operating systems. It allows multiple terminal sessions to be accessed simultaneously in a single window. It is useful for running more than one command-line program at the same time.

When listing running Tmux sessions, it appears a “stef” session is running:

The following command can be used to attach to an existing session:

tmux attach -t session_name

The -S flag can be used to specify an alternative path to the server socket used for the shell session. If -S is specified, the default socket directory (which is normally /tmp/tmux-[user id]) is not used. If a non-privileged user has access to the socket, they could attach to the running session, thus gaining the same privileges as the user running the Tmux shell.

As shown in the command below, a Tmux session running as root is present, with the socket being under /tmp/supersecureshell:

When checking the permissions against /tmp/supersecureshell, it looks like it can be accessed by all users on the system:

By running the following command, a user can attach to a current Tmux session:

tmux -S path_to_socket

Other terminal multiplexers will have similar ways of attaching to an existing session, as many of them are based on Screen or Tmux.
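To check a host for the insecure socket permissions described in the Tmux section, the following audit script can be used. It is an added example, not part of the original guide; the function names are hypothetical, it relies on GNU stat and find, and it only inspects the socket and its immediate parent directory.

```shell
#!/usr/bin/env bash
# Added example: report Unix sockets that users other than the owner can
# reach. Connecting to a socket needs write permission on the socket file
# and search (x) permission on the directory that holds it.

# who_has MODE BIT -> world | group | owner
# MODE is an octal mode as printed by `stat -c %a`; BIT is 2 (write) or 1 (search).
who_has() {
    wh_mode=$(( 0$1 )); wh_bit=$2
    if [ $(( wh_mode & wh_bit )) -ne 0 ]; then echo world
    elif [ $(( wh_mode & (wh_bit << 3) )) -ne 0 ]; then echo group
    else echo owner
    fi
}

# socket_exposure PATH -> widest class of users able to connect.
# Simplification: ancestors above the parent directory are not checked,
# and socket group and directory group are assumed to be the same.
socket_exposure() {
    se_sock=$(who_has "$(stat -c '%a' "$1")" 2) || return 1
    se_dir=$(who_has "$(stat -c '%a' "$(dirname "$1")")" 1) || return 1
    case "$se_sock/$se_dir" in
        owner/*|*/owner) echo owner ;;
        world/world)     echo world ;;
        *)               echo group ;;
    esac
}

# audit_sockets DIR... -> one line per socket reachable by non-owners:
# exposure <TAB> owning user <TAB> path
audit_sockets() {
    find "$@" -maxdepth 3 -type s 2>/dev/null | while IFS= read -r as_sock; do
        as_exp=$(socket_exposure "$as_sock") || continue
        [ "$as_exp" = owner ] && continue
        printf '%s\t%s\t%s\n' "$as_exp" "$(stat -c '%U' "$as_sock")" "$as_sock"
    done
}

# Directories to scan are passed as arguments, e.g. /tmp /run/screen
if [ "$#" -gt 0 ]; then
    audit_sockets "$@"
fi
```

The output lists every reachable socket, not only multiplexer ones, so match the paths against the sockets seen in the process listing. A root-owned Tmux socket reported as "world" or "group" should be recreated under a directory only its owner can enter.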

Conclusion

Although terminal multiplexers can be lifesavers when it comes to productivity, at the end of the day they are just shell sessions that, if improperly configured, could be attached to by low-level users. If they are run as a privileged account such as root, this could allow a potential attacker to escalate privileges and fully compromise a system…