Linux – the EGG environment variable

exploitlinuxSecurityshell

A user on our (openSuSE) linux systems attempted to run sudo, and triggered an alert. He has the environment variable EGG set –

EGG=UH211åH1ÒH»ÿ/bin/shHÁSH211çH1ÀPWH211æ°;^O^Ej^A_j<X^O^EÉÃÿ

This looks unusual to say the least.

Is EGG a legitimate environment variable? (I've found some references to PYTHON_EGG_CACHE – could be related? But that environment variable isn't set for this user). If it's legit, then I imagine this group has the best chance of recognizing it.

Or, given the embedded /bin/sh in the string above, does anyone recognize this as an exploit fingerprint? It wouldn't be the first time we had a cracked account (sigh).

Best Answer

In some cases of exploits, the payload which causes the exploit to execute might have to be very small. In these cases, a common technique is to have a small bootstrap payload which can load a payload delivered differently (this larger payload need not trigger the exploit).

In case of sudo etc, the user has control of the environment. So the user can potentially deliver larger payload using the environment, and have the relevant payload small enough, which can then search/load the actual.

Some typical bootstrap payloads search for a particular environment variable (like an easter EGG HUNT) to load and so would be named EGGS.

See here for instance: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

In this case, looks like you have found yourself a script kiddie

The best way

export VAR=value

The difference

Doing

VAR=value

only sets the variable for the duration of the script (.bashrc in this case). Child processes (if any) of the script won't have VAR defined, and once the script exits VAR is gone.

export VAR=value

explicitly adds VAR to the list of variables that are passed to child processes. Want to try it? Open a shell, do

PS1="foo > "
bash --norc

The new shell gets the default prompt. If instead you do something like

export PS1="foo > "
bash --norc

the new shell gets the prompt you just set.

Update: as Ian Kelling notes below variables set in .bashrc persist in the shell that sourced .bashrc. More generally whenever the shell sources a script (using the source scriptname command) variables set in the script persist for the life of the shell.

Difference Between ‘unlink’ and ‘rm’ in Linux

Both are a wrapper to the same fundamental function which is an unlink() system call.

To weigh up the differences between the userland utilies.

rm(1):

More options.
More feedback.
Sanity checking.
A bit slower for single calls as a result of the above.
Can be called with multiple arguments at the same time.

unlink(1):

Less sanity checking.
Unable to delete directories.
Unable to recurse.
Can only take one argument at a time.
Marginally leaner for single calls due to it's simplicity.
Slower when compared with giving rm(1) multiple arguments.

You could demonstrate the difference with:

$ touch $(seq 1 100)
$ unlink $(seq 1 100)
unlink: extra operand `2'

$ touch $(seq 1 100)
$ time rm $(seq 1 100)

real    0m0.048s
user    0m0.004s
sys     0m0.008s

$ touch $(seq 1 100)
$ time for i in $(seq 1 100); do rm $i; done

real    0m0.207s
user    0m0.044s
sys     0m0.112s

$ touch $(seq 1 100)
$ time for i in $(seq 1 100); do unlink $i; done

real    0m0.167s
user    0m0.048s
sys     0m0.120s

If however we're talking about an unadulterated call to the system unlink(2) function, which I now realise is probably not what you're accounting for.

You can perform a system unlink() on directories and files alike. But if the directory is a parent to other directories and files, then the link to that parent would be removed, but the children would be left dangling. Which is less than ideal.

Edit:

Sorry, clarified the difference between unlink(1) and unlink(2). Semantics are still going to differ between platform.

Best Answer

Related Solutions

Linux – the best way to set an environment variable in .bashrc

The best way

The difference

Difference Between ‘unlink’ and ‘rm’ in Linux

Related Topic