ifcfg-<whatever> script to /etc/sysconfig/network-scripts

If, for whatever reason, a user is able to write an ifcfg- script to /etc/sysconfig/network-scripts or can adjust an existing one, then your system is pwned.

For example:

/etc/sysconfig/network-scripts/ifcfg-1337

NAME=Network /bin/id  <= Note the blank space
ONBOOT=yes
DEVICE=eth0

In my case, the NAME= attribute in these network scripts is not handled correctly. If you have white/blank space in the name, the system tries to execute the part after the white/blank space, which means everything after the first blank space is executed as root.

You can just run the script with sudo and do something like "Network bash" to get root.
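
An added audit example (not part of the original page) that checks for both conditions described above: ifcfg-* files, or their directory, writable by a non-root user, and lines such as NAME=Network /bin/id where unquoted text follows a value. It assumes the files are sourced by a shell, which is why the trailing words run as a command; the function names and the sample are constructed for illustration.

```python
import os
import shlex
import stat
import sys
from pathlib import Path

SCRIPT_DIR = Path("/etc/sysconfig/network-scripts")
# Constructed sample: the page's ifcfg-1337 plus one correctly quoted line.
SAMPLE = 'NAME=Network /bin/id\nONBOOT=yes\nDEVICE=eth0\nNAME="Office LAN"\n'

def risky_lines(text):
    """Return (line_no, reason) for lines a sourcing shell would execute."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        try:
            tokens = list(lexer)
        except ValueError as exc:  # e.g. unbalanced quotes
            findings.append((no, f"unparseable: {exc}"))
            continue
        if len(tokens) > 1:
            # KEY=value followed by more words: the shell runs those words.
            findings.append((no, "unquoted text after value: " + " ".join(tokens[1:])))
        elif tokens and ("$(" in tokens[0] or "`" in tokens[0]):
            # Conservative: also fires when the text is single-quoted.
            findings.append((no, "command substitution in value"))
    return findings

def writable_by_non_root(path):
    """True if path is not root-owned or is group/world writable."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(directory=SCRIPT_DIR):
    """Check the directory and every ifcfg-* file in it; return report lines."""
    report = []
    for path in [directory, *sorted(directory.glob("ifcfg-*"))]:
        if writable_by_non_root(path):
            report.append(f"{path}: writable by a non-root user")
        if path.is_file():
            text = path.read_text(errors="replace")
            report += [f"{path}:{no}: {why}" for no, why in risky_lines(text)]
    return report

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else SCRIPT_DIR
    print("\n".join(audit(target)) or "no findings")
```

Quoting the value (NAME="Office LAN") and keeping the directory and files owned by root with mode 644 or stricter clears both findings.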
