peass-ng / PEASS-ng

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
https://book.hacktricks.xyz

Detect invisible crontab entries #71

Closed hfz1337 closed 3 years ago

hfz1337 commented 3 years ago

The current linpeas.sh script does not find and parse invisible crontab entries. An attacker could install a somewhat invisible crontab entry by adding a carriage return after that malicious entry, then hiding it using the next line, which should be longer than or the same length as the malicious one. By removing the carriage return, we can make the malicious entry visible so that the script shows it to the user. The following screenshot explains the idea:

[screenshot: hide_crontab_entry]

On the left-hand side is what the script currently does to find out which crontab entries are installed. On the other side is what the script should do to uncover hidden crontab entries.

In this example, the attacker would have added his malicious entry followed by a space, a hash mark (#) and finally the carriage return, after which comes the next line (notice that we don't put a line feed character (\n) here, as this would render the trick useless). The purpose of adding the hash mark is to comment out the carriage return so that it doesn't get interpreted by the shell and ruin the command.

To fix this, we remove the carriage return byte from the output before parsing it. This could help in a scenario where the system got backdoored using a covert cron job.

This was inspired by a story that happened in DEFCON finals.
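The trick described in the comment above, reproduced on a constructed crontab file, as an added example that is not part of linpeas.sh or of the reporter's post. It writes a sample crontab to a temp file (the paths `/tmp/.x/beacon.sh`, `/usr/local/bin/backup.sh` and the logrotate line are made up for the demo and nothing is installed into a real crontab), emulates how a terminal renders a bare carriage return so you can see why `cat`-style output hides the entry, and then shows the proposed fix: strip every `\r` before parsing, which makes the hidden command appear in the output. It also flags any `\r` in the file as a cheap heuristic, since a normally written crontab contains none.

```shell
#!/usr/bin/env bash
# Added example (not linpeas.sh code): hidden crontab entry via a bare carriage return.
# Works only on a temp file passed as $1; it never touches the real crontab.

# Write a constructed crontab to $1.  The malicious line ends with " #" and a bare
# \r (no \n), so the next, longer entry overwrites it on a terminal.  The "#" comments
# out the \r so cron still runs the command.  All paths here are hypothetical.
make_hidden_crontab() {
    printf '* * * * * /tmp/.x/beacon.sh #\r* * * * * /usr/local/bin/backup.sh --full --quiet\n' > "$1"
    printf '0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n' >> "$1"
}

# Number of non-comment, non-empty lines as a naive "crontab -l | grep -v ^#" would count
# them: \n is the only line separator, so the hidden entry is not a line of its own.
count_raw_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# Emulate what a terminal shows for a line containing bare \r: each \r moves the cursor
# back to column 0 and the following text overwrites from there.  This is the view the
# user gets from "cat" or "crontab -l", i.e. the cover entry only.
render_as_terminal() {
    awk '{
        n = split($0, seg, "\r")
        out = seg[1]
        for (i = 2; i <= n; i++) {
            if (length(seg[i]) >= length(out)) out = seg[i]
            else out = seg[i] substr(out, length(seg[i]) + 1)
        }
        print out
    }' "$1"
}

# Proposed fix: drop every \r before parsing, then filter comments as usual.  The hidden
# command now sits in plain view on the same line as the entry that was covering it.
uncover_cron_entries() {
    tr -d '\r' < "$1" | grep -Ev '^[[:space:]]*(#|$)'
}

# Heuristic: a crontab written with "crontab -e" or a package never contains \r,
# so any \r at all is worth reporting.  Prints "yes" or "no".
has_carriage_return() {
    cr="$(printf '\r')"
    if grep -q "$cr" "$1"; then echo yes; else echo no; fi
}

# Usage: run with "demo" to print both views of the constructed sample.
if [ "${1:-}" = "demo" ]; then
    f="$(mktemp)"
    make_hidden_crontab "$f"
    echo "--- as a terminal shows it (cat-like):"
    render_as_terminal "$f"
    echo "--- after stripping \\r (proposed linpeas behaviour):"
    uncover_cron_entries "$f"
    echo "--- contains \\r: $(has_carriage_return "$f")"
    rm -f "$f"
fi
```

Note that the raw bytes of the file were never hidden from tools such as `grep`; the trick only defeats what a human reads off a terminal, which is exactly the channel linpeas uses to report its findings. Stripping `\r` (or replacing it with a visible marker) before printing is therefore enough to defeat it.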

carlospolop commented 3 years ago

This is quite an interesting behaviour, thanks for sharing.