from Hacker News

Terminal size matters, hackers get root in unusual way

by Iwillgetby on 1/17/20, 2:41 PM with 7 comments

The command usr/bin/sudo /usr/bin/journalctl -n5 -u whatever.service prints out the log and exits. But we can't exploit it because journalctl exits right after printing. Our aim is to launch a shell from within the journalctl command. Journalctl uses the less command by default to view the log. So we have to find a way to prevent the command from exiting. The trick can be found in the journalctl man page.

      man journalctl | grep width -B 1 -A 2

      The output is paged through less by default, and long lines are "truncated" to screen width.
      The hidden part can be viewed by using the left-arrow and right-arrow
      keys. Paging can be disabled; see the --no-pager option and the "Environment" section below.

So if we run this command in a small resized window, it won't exit after printing the log and then we can spawn a shell as root user.
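As an added, defender-side example that is not part of the thread or of any project: a small POSIX shell audit that reads a sudoers-style rule set (a constructed sample, not a real file) and flags rules that let a user run journalctl as root with the pager still reachable, i.e. without --no-pager on the command line and without sudo's NOEXEC tag. The function names (journalctl_pager_reachable, suggest_fix, audit_sudoers) and the sample rules are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit sudoers-style rules for
# journalctl entries that leave the pager enabled. Function names and the
# sample rule set are constructed for this example.

# Return 0 (true) when a rule runs journalctl with the pager still reachable:
# journalctl is present, --no-pager is absent, and the NOEXEC tag (which makes
# sudo block the pager from spawning further programs) is absent.
journalctl_pager_reachable() {
    rule="$1"
    case "$rule" in
        *journalctl*) ;;
        *) return 1 ;;
    esac
    case "$rule" in
        *--no-pager*|*NOEXEC:*) return 1 ;;
    esac
    return 0
}

# Rewrite a risky rule so the pager is disabled on the command line itself;
# sudo matches the full argument list, so the user cannot drop the flag.
suggest_fix() {
    printf '%s\n' "$1" | sed 's#journalctl#journalctl --no-pager#'
}

# Read rules on stdin; print each risky rule and a suggested replacement.
# Blank lines and comments are skipped.
audit_sudoers() {
    while IFS= read -r rule; do
        case "$rule" in ''|"#"*) continue ;; esac
        if journalctl_pager_reachable "$rule"; then
            printf 'RISK: %s\n' "$rule"
            printf 'FIX:  %s\n' "$(suggest_fix "$rule")"
        fi
    done
}

# Constructed sample rule set (not a real sudoers file). Only the first
# journalctl rule is flagged: the second disables the pager, the third
# carries NOEXEC, and the last does not involve journalctl at all.
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
%ops ALL=(root) NOPASSWD: /usr/bin/journalctl -n5 -u whatever.service
%ops ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n5 -u whatever.service
%ops ALL=(root) NOEXEC: /usr/bin/journalctl -n5 -u whatever.service
%ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart whatever.service'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

Putting --no-pager into the sudoers rule is the narrow fix; sudo's NOEXEC tag is the broader control, because it stops whatever is run (a pager, an editor, any program that takes a `!`-style escape) from launching further processes, which is the same class of issue the commenters raise for man and less. Neither replaces reviewing what each sudo-permitted program can itself execute.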
  • by Iwillgetby on 1/17/20, 2:44 PM

    Original source can be found easily online. Link not included because this comes from an online CTF that discourages spoilers.
  • by lfdominguez on 1/17/20, 8:49 PM

    hummm, that's a less "problem": less is a program that allows executing other programs with the ! command, but it's not a systemd problem; with man you can get the same behavior. The problem is the sysadmin who allows executing that program with sudo.
  • by Someone on 1/17/20, 8:29 PM

    I don’t understand. If you can run

      usr/bin/sudo /usr/bin/journalctl
    
    , what stops you from running

      usr/bin/sudo /usr/bin/bash
    
    instead?
  • by zzo38computer on 1/18/20, 12:48 AM

    The pager should not automatically be executed. If the user uses a pipe then you can use that way instead, rather than putting everything in one program; it works better for the reason explained.