Python Library Hijacking

Wrong Write Permissions

$ ls -l mem_status.py

-rwsrwxr-x 1 root mrb3n 188 Dec 13 20:13 mem_status.py

#!/usr/bin/env python3
import psutil

available_memory = psutil.virtual_memory().available * 100 / psutil.virtual_memory().total

print(f"Available memory: {round(available_memory, 2)}%")

$ grep -r "def virtual_memory" /usr/local/lib/python3.8/dist-packages/psutil/*

/usr/local/lib/python3.8/dist-packages/psutil/__init__.py:def virtual_memory():
/usr/local/lib/python3.8/dist-packages/psutil/_psaix.py:def virtual_memory():
/usr/local/lib/python3.8/dist-packages/psutil/_psbsd.py:def virtual_memory():
/usr/local/lib/python3.8/dist-packages/psutil/_pslinux.py:def virtual_memory():
/usr/local/lib/python3.8/dist-packages/psutil/_psosx.py:def virtual_memory():
/usr/local/lib/python3.8/dist-packages/psutil/_pssunos.py:def virtual_memory():
/usr/local/lib/python3.8/dist-packages/psutil/_pswindows.py:def virtual_memory():


htb-student@lpenix:~$ ls -l /usr/local/lib/python3.8/dist-packages/psutil/__init__.py

-rw-r--rw- 1 root staff 87339 Dec 13 20:07 /usr/local/lib/python3.8/dist-packages/psutil/__init__.py

Module Contents - Hijacking

Library Path

This variant has two prerequisites:

  1. The module imported by the script is located under one of the lower-priority paths listed via the PYTHONPATH variable.

  2. We must have write permissions to one of the paths that has a higher priority on the list.

Create psutil.py in /usr/lib/python3.8

Python first checks for modules in the current working directory before looking in the other paths. If the vulnerable script is in /home, create the new file there.

PYTHONPATH Environment Variable

Moved the previous Python script psutil.py from the /usr/lib/python3.8 directory to /tmp
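
An audit check for the preconditions described above (a module file that group or other can write, and a writable directory searched ahead of the module), as an added example that is not part of the original notes. The names `audit_import`, `resolve` and `loosely_writable` are hypothetical; the check assumes POSIX mode bits only (no ACLs or ownership) and covers `.py` modules and regular packages.

```python
import os
import stat
import sys

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bit for group or other


def loosely_writable(path):
    """True if group or other may write to path (mode bits only)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & LOOSE)


def resolve(module, search_path):
    """Return (index, file) for the first entry that provides module."""
    for i, entry in enumerate(search_path):
        base = entry or os.getcwd()  # '' in sys.path means the CWD
        for cand in (os.path.join(base, module, "__init__.py"),
                     os.path.join(base, module + ".py")):
            if os.path.isfile(cand):
                return i, cand
    return None, None


def audit_import(module, search_path=None):
    """List the hijack preconditions that hold for one import."""
    search_path = list(sys.path if search_path is None else search_path)
    idx, found = resolve(module, search_path)
    if found is None:
        return []
    # Wrong write permissions: the module file or its directory is writable.
    findings = [("writable-module", p)
                for p in (found, os.path.dirname(found)) if loosely_writable(p)]
    # Library path: a writable directory is searched before the module.
    dirs = [e or os.getcwd() for e in search_path[:idx]]
    findings += [("writable-earlier-path", d) for d in dirs
                 if os.path.isdir(d) and loosely_writable(d)]
    return findings


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "psutil"
    for kind, path in audit_import(name):
        print(kind, path)
```

Run it with the same interpreter and environment as the privileged script, since `sys.path` (including any PYTHONPATH entries) differs per interpreter and per user. An empty result means none of the checked mode bits are loose; fix findings with `chmod go-w` on the reported path.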
