I often find myself building up vulnerable and/or misconfigured systems for a wide range of actives in my efforts to learn all the things. In doing so, I’ve found my first step is always the same, a simple one liner at the shell prompt that flips a machine on its head.
sudo chmod +s /bin/dash
This command, as many may very well know, sets the sticky bit on the dash shell, which is install in most debian based systems by default. Dash is a lot like the standard bash prompt that most users running Linux are accustom to. That being said the purpose of the sticky bit, in this case the setuid bit, is to launch the executable with the rights of the owner of the executable. In this case, the owner of dash is root by default, so all users with read and execute permission can run dash and get a root shell. So any user on the system could simply run dash from their shell and gain root access.
But the fun doesn’t stop there. By default on Lenny, Squeeze, and most other debain based distro’s the default shell, /bin/sh is just a system link to dash.
lrwxrwxrwx 1 root root 4 Mar 29 2012 sh -> dash
This means that by default all service accounts on the system and possibly even users now have root access on their default shells. In fact most daemon users installed on debian systems with aptitude or dpkg are given the default shell /bin/sh. This can easily be seen in /etc/passwd.
Most daemon’s these days do not need to shell out so my first recommendation is to just go through your /etc/passwd file and change all the /bin/sh to either /bin/bash a proper shell or /bin/false to disable the ability to gain an shell from a popped daemon in the first place.
My second recommendation is rather simple as well, just cast two commands to set up bash as the default shell and then remove dash.
dpkg –r dash
Of course there is no prefect fix for this issue, because even if you change your default shell and remove dash, it’s just three commands as a privileged user to be back in the same place. This is why I highly recommend setting non-user shells to /bin/false in your passwd file, while we all hope for a developer fix.