[Hacking-Contest] Hiding stuff from the terminal

The file /proc/sys/kernel/core_pattern typically contains the name of the coredump file which is created if a process crashes. Instead of a simple filename, /proc/sys/kernel/core_pattern can also contain a pipe character and a program. In this case the kernel launches the given program as root and pipes the coredump data to this process instead of writing it to a simple file. Since the program is executed as root, it provides a simple way of adding a local root backdoor to a Linux system. This trick has been used in the LinuxTag Hacking Contest for many years and well-prepared teams will typically check the contents of /proc/sys/kernel/core_pattern during phase 2 to detect this kind of manipulation.

In order to still successfully use this backdoor, I have come up with the following trick:

echo -e "|/tmp/lego \rcore      " >  /proc/sys/kernel/core_pattern

The carriage return character (\r) makes the terminal jump to the beginning of the line when displayed in the terminal. Contrary to a newline character (\n), the terminal does not jump to the next line on the screen. So the contents at the beginning of the line are overwritten with the stuff after the carriage return. When displaying the contents of /proc/sys/kernel/core_pattern using cat, you see just the string "core" with a few appended spaces, which won't raise any suspicion since "core" is the default content of /proc/sys/kernel/core_pattern. However, when a process crashes, the kernel still executes the binary /tmp/lego (which can be created by an unprivileged local user).

Leave a Reply

Your email address will not be published. Required fields are marked *