TAR backups
If root runs anything as a scheduled job, you can attempt to redirect it.
Copy the script back to your host and decompose it for analysis.
Examples of root running TAR:
Extracting TAR
Similar to "NFS Root Squashing" and the "jail" box
Make setuid root owned
gzip the setuid
copy it back and inject it into the 'temp' check folder
root extracts the files into 'check'
and thinks they belong to it!
Works just fine as 'user'
Backup script runs TAR as Root every 5 minutes
Deletes the previous checks: /var/tmp/.* and /var/tmp/check.
Creates a gzip file of the directory /var/www/html with user-perms
Saves it in the file /var/tmp/.randomsha1
Sleeps for 30 seconds.
Creates the directory /var/tmp/check
Extracts /var/tmp/.randomsha1 as root to /var/tmp/check
If /var/www/html differs from the backup copy /var/tmp/check/var/www/html:
Reports an error.
Otherwise, move file /var/tmp/.randomsha1 to /var/backups/onuma-wwww-dev.bak
And delete 'check' directory and .randomsha1
The script design is to tar as user, then untar as root,
then compare with the previous version (which gives us 5 minutes).
We can inject our evil tar:
The script will tar/copy/extract/compare, then fail with an error,
giving us 5 minutes to use the root-extracted files.
TAR embeds the userid that owns each file in the actual archive.
If we create this file and tar it as root, it will stay root-owned when extracted.
diff runs as root
and writes to a readable error file:
/var/backups/onuma_backup_test.txt
tar an evil symlink that root will extract/diff
tartarHTB
REF:
to find the backup/script/job running