Terminal size matters, hackers get root in unusual way

5 points by Iwillgetby ↗ HN
The command usr/bin/sudo /usr/bin/journalctl -n5 -u whatever.service prints out the log and exits. But we can't exploit it because journalctl exits right after printing. Our aim is to launch a shell from within the journalctl command. Journalctl uses less command by default to view the log. So we have to find a way to prevent the command from exiting. The trick can be found in the journalctl man page.

man journalctl | grep width -B 1 -A 2

        The output is paged through less by default, and long lines are "truncated" to screen width. 
        The hidden part can be viewed by using the left-arrow and right-arrow
        keys. Paging can be disabled; see the --no-pager option and the "Environment" section below.
So if we run this command in a small resized window, it won't exit after printing the log and then we can spawn a shell as root user.

7 comments

[ 2.8 ms ] story [ 25.6 ms ] thread
Original source can be found easily online. Link not included because this comes from an online CTF that discourages spoilers.
I don’t understand. If you can run

  usr/bin/sudo /usr/bin/journalctl
, what stops you from running

  usr/bin/sudo /usr/bin/bash
instead?
Some users can have permission to execute specific commands through sudo.
and if you as a sysadmin dont know these program that you allow to execute, wellll that is a bigger problem
Of course, when one can just add the user account to the systemd-journal group, it is questionable why one would grant access via sudo.
hummm, that's a less "problem", less is a software that allow execute programs with ! command, but not is a systemd problem, with man you can get the same behavior. The problem is the sysadmin that allow to execute that program with sudo.
The pager should not automatically be executed. If the user use a pipe then you can use that way instead, rather than putting everything in one program; it work better due to this reason explained.