Privilege Escalation · Term

What is PATH hijacking?

When a privileged program calls another command by name instead of full path, an attacker can place a malicious binary earlier in the PATH and have it run with the program’s privileges. Here is what PATH hijacking is and how to find it.

TL;DR

PATH hijacking is privilege escalation that exploits how Linux finds executables. When a privileged program (a SUID binary, a sudo-allowed command, or a root cron job) calls another command by name rather than by full path, the system searches the directories in the PATH variable in order. If an attacker can put a malicious binary of that name in a directory searched first, the privileged program runs the attacker’s code with its privileges. The fix is to use absolute paths in privileged programs.

By John Dill, Red Team Lead, SecureLayer7

What PATH hijacking is

When you run cat, the shell looks through each directory in the PATH environment variable, in order, and runs the first cat it finds. That lookup is the weakness.

If a privileged program calls a command by name (for example a SUID binary that runs service or a script that calls ps), and the attacker controls a directory that PATH searches first, the attacker can plant a fake service or ps that runs as the privileged program’s user.

The abuse and payload

The attacker finds a privileged program that calls a binary by name, then hijacks the lookup:

  • Identify a SUID binary or sudo command that runs another command relatively (inspect with strings/ltrace).
  • Create a malicious binary named like the called command: echo '/bin/bash -p' > /tmp/service && chmod +x /tmp/service
  • Put the attacker directory first in PATH and run the privileged program: export PATH=/tmp:$PATH then trigger it.
  • The privileged program finds /tmp/service first and runs the attacker’s shell as root.

Documented techniques shown for defenders.

How to defend

  • Use absolute paths for every command inside SUID binaries, sudo-allowed scripts, and root cron jobs.
  • Set a safe, fixed PATH in privileged scripts rather than inheriting the user’s.
  • Use `secure_path` in sudoers so sudo ignores the user’s PATH.
  • Avoid writable directories early in PATH, and never put . (current directory) in PATH.
  • Review privileged programs for relative command calls.
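As an added audit example (not code from the original page), a POSIX sh script that checks the first three points above from the low-privileged user's side: PATH entries an attacker could plant a binary in, whether a privileged script sets its own PATH, and whether a sudoers file sets `secure_path`. It assumes `grep -E` and `find -perm` with an octal mode; the function and file names are this example's own.

```shell
#!/bin/sh
# Added audit helper, not code from the original page. It checks the
# conditions the defence list relies on, without needing root.
# Assumed: POSIX sh, grep -E, find -perm with an octal mode.

# Print one "entry: reason" line per risky PATH entry. Risky means: empty or
# "." (the current directory), a relative entry, a world-writable directory
# (the sticky bit does not stop a new file being created there), or a
# directory writable by the calling user. Run it as the unprivileged user
# whose PATH the privileged program would inherit. Always returns 0.
audit_path_entries() {
    _rest="$1:"                 # trailing ':' so the last entry splits like the others
    while [ -n "$_rest" ]; do
        _d=${_rest%%:*}
        _rest=${_rest#*:}
        case $_d in
            "") echo "(empty): empty entry means the current directory" ;;
            .)  echo ".: current directory" ;;
            /*) if [ -d "$_d" ] && [ -n "$(find "$_d" -prune -perm -002 2>/dev/null)" ]; then
                    echo "$_d: world-writable directory"
                elif [ -d "$_d" ] && [ "$(id -u)" -ne 0 ] && [ -w "$_d" ]; then
                    echo "$_d: writable by $(id -un)"
                fi ;;
            *)  echo "$_d: relative entry, resolved against the current directory" ;;
        esac
    done
    return 0
}

# Return 0 if the script assigns PATH a value that does not reuse the
# caller's $PATH, else 1. A line-level check, not a shell parser.
script_pins_path() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1" | grep -Eqv '\$[{]?PATH'
}

# Return 0 if the sudoers file (default /etc/sudoers, readable only by root)
# has a Defaults line that sets secure_path, else 1.
sudoers_has_secure_path() {
    grep -Eq '^[[:space:]]*Defaults[^#]*secure_path[[:space:]]*=' "${1:-/etc/sudoers}"
}

# Run directly: audit the caller's PATH, then each script given as an argument.
audit_path_entries "$PATH"
for _f in "$@"; do
    if script_pins_path "$_f"; then echo "$_f: sets its own PATH"
    else echo "$_f: inherits the caller's PATH"; fi
done
```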
