Is $PATH hijacking a serious threat vector? | allinfosecnews.com

Nov. 29, 2022, 10:15 a.m. | /u/dimitriye98

cybersecurity www.reddit.com

Suppose our hypothetical attacker manages to execute a script on a user who doesn't have admin on their local machine, but has sudo rights on a server. The script installs a malicious ssh wrapper somewhere, doesn't really matter where, and edits the `.env` file to insert it into the path. When the wrapper is run, it installs a similar exploit into the user's remote environment to hijack sudo. The server has effectively been pwned, without needing any form of privilege …

cybersecurity hijacking path serious threat threat vector

More from www.reddit.com / cybersecurity

FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat 5 hours ago | www.reddit.com

china cybersecurity cybersecurity threat director +3

New Android Trojan 'SoumniBot' Evades Detection with Clever Tricks 6 hours ago | www.reddit.com

android android trojan cybersecurity detection +1

MITRE says state hackers breached its network via Ivanti zero-days 13 hours ago | www.reddit.com

breached cybersecurity hackers ivanti +4

Control Self-Assessments 14 hours ago | www.reddit.com

assessments control controls cybersecurity +4

Managing the E5 security stack by myself 17 hours ago | www.reddit.com

admin breached cyber cyber security +11

MITRE says state hackers breached its network via Ivanti zero-days 17 hours ago | www.reddit.com

amp att cybersecurity mitre +2

How does your organization handle software requests that have not made it to the approved … 17 hours ago | www.reddit.com

cyber cybersecurity government helpdesk +5

Any thoughts on making Dropbox less blacklistable more secure? 17 hours ago | www.reddit.com

cybersecurity docs documents dropbox +13

Chinese Government Poses 'Broad and Unrelenting' Threat to U.S. Critical Infrastructure, FBI Director Says 18 hours ago | www.reddit.com

SOC 2 Manager, Audit and Certification

@ Deloitte | US and CA Multiple Locations

View on infosec-jobs.com

Information Security Engineers

@ D. E. Shaw Research | New York City

View on infosec-jobs.com

Staff DFIR Investigator

@ SentinelOne | United States - Remote

View on infosec-jobs.com

Senior Consultant.e (H/F) - Product & Industrial Cybersecurity

@ Wavestone | Puteaux, France

View on infosec-jobs.com

Information Security Analyst

@ StarCompliance | York, United Kingdom, Hybrid

View on infosec-jobs.com

Senior Cyber Security Analyst (IAM)

@ New York Power Authority | White Plains, US

View on infosec-jobs.com