BIPI

PATH Injection and Wildcard Abuse for Linux Privesc

Cybersecurity

Two boring classes of Linux privilege escalation that keep paying out: PATH hijacks of scripts, and wildcard expansion abuse in cron jobs and shell commands.

By Arjun Raghavan, Security & Systems Lead, BIPI · March 16, 2025 · 9 min read

#linux #privesc #path-injection #wildcards #tar

Two old bugs that refuse to die

PATH injection and wildcard abuse are not glamorous. They are also two of the most common ways an operator goes from low privilege to root on a fresh Linux box, especially in custom application environments.

How PATH injection works

When a script or binary calls a command without an absolute path, the shell or libc looks the command up in PATH. If you control PATH, or can write to a directory that appears in it, you can drop a binary with the same name and it runs with the privileges of whoever invoked the script.

Finding candidates

  • Custom SUID binaries that invoke a bare command name through libc helpers
  • Cron scripts that invoke commands like service, systemctl, or backup without /usr/bin
  • Sudo-allowed scripts that call rm, cp, or other utilities by short name
  • Any application service unit whose ExecStart script does not set PATH itself

Exploitation pattern

  1. Find a writable directory, /tmp or your home, and add it to PATH
  2. Create a file named after the hijacked command, for example service
  3. Make it a shell script that runs your payload, chmod +x
  4. Trigger the parent script, via cron, sudo, or whatever invokes it
  5. Your payload runs as the parent user, usually root

Wildcard abuse, the tar classic

Unix shell wildcards expand before being passed to the command. If a script runs chown -R user:group * in a writable directory, you can drop files whose names look like command line flags. The command interprets them as options, not filenames.

  • tar czf backup.tar.gz * with --checkpoint=1 --checkpoint-action=exec=sh shell.sh
  • chown -R with --reference=/path/to/setuid/file to change file owners
  • rsync with -e "sh shell.sh" if the wildcard hits the -e argument
  • chmod with --reference= for similar privilege manipulation
  • find * -type f -exec, where * lets you inject filenames that break parsing

Argument injection beyond wildcards

The same idea, attacker-controlled filenames or arguments being interpreted as flags, shows up in zip, 7z, scp, and many homegrown shell scripts. Audit any script that takes user input and passes it through a wildcard expansion before it reaches a command.

Detection and hardening

  • Use absolute paths in every shell script, /usr/bin/tar not tar
  • Quote variables and use -- to separate options from arguments
  • Set IFS and PATH explicitly at the top of every privileged script
  • Run shellcheck in CI, it catches both classes of bug
  • Alert with auditd on execve events where the executable path is under /tmp or /dev/shm

If you only learn two non-kernel Linux privesc techniques, learn PATH injection and tar wildcard abuse. They will land more roots than any kernel CVE this decade.
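As an added example, not code from the original post, here is a hardened backup script skeleton that applies the hardening list above: PATH and IFS pinned at the top, a "--" separator, and the "./*" glob idiom, which makes every expanded name start with "." so that a planted file called "--checkpoint=1" can never be parsed as a tar option. The function names are my own, and the script assumes tar lives under one of the pinned system directories.

```shell
#!/bin/sh
# Hardened backup script skeleton (added example; not from the original post).
# Shows the hardening list in practice: explicit PATH and IFS, absolute
# lookups only, the "--" separator, and the "./*" glob idiom.

# harden_env: pin PATH to system directories so a bare command name can never
# resolve to /tmp or $HOME, and reset IFS to the default <space><tab><newline>.
harden_env() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    IFS=$(printf ' \t\n_')   # command substitution strips a trailing newline,
    IFS=${IFS%_}             # so append a sentinel character and cut it off
    umask 077
}

# safe_entries DIR: print every entry of DIR, one per line, prefixed with "./".
# Each name now begins with "." rather than "-", so no command can mistake it
# for a flag, whatever the attacker chose to call the file.
safe_entries() {
    (
        cd -- "$1" || exit 1
        for f in ./*; do
            # an empty directory leaves the literal pattern "./*" behind
            [ -e "$f" ] || [ -L "$f" ] || continue
            printf '%s\n' "$f"
        done
    )
}

# backup_dir DIR OUT: archive DIR into the absolute path OUT.
# Compare with the vulnerable form from the post, "tar czf backup.tar.gz *":
# here the glob is "./*" and "--" closes the option list, so a planted
# "--checkpoint=1" is archived as data instead of being honoured as a flag.
backup_dir() {
    dir=$1
    out=$2
    (
        harden_env
        cd -- "$dir" || exit 1
        set -- ./*
        [ -e "$1" ] || exit 0        # nothing to archive
        tar -cf "$out" -- "$@"
    )
}

# Usage: sh hardened_backup.sh /var/www/uploads /var/backups/uploads.tar
if [ "$#" -eq 2 ]; then
    backup_dir "$1" "$2"
fi
```

The "./*" idiom is the cheapest fix because it needs no change to the command being called; the "--" separator is the belt-and-braces addition for commands that do not accept a leading "./" for some reason. Pinning PATH inside the subshell keeps the hardened environment from leaking into whatever sources the script.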

Audit prompt for your own scripts

Grep your repo for tar with a wildcard, chown with a wildcard, rsync with a wildcard, and any command invocation without a leading slash. Each hit is a candidate for review. Most teams find at least one real bug on the first pass.
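The grep pass described above, written out as an added example that is not part of the original post. audit_script prints one finding per line for the two bug classes (a bare glob after tar, chown, chmod, rsync or find, and a commonly hijacked command invoked without a leading slash), and audit_count returns the number of findings so the check can gate CI. The command lists and function names are my own assumptions; extend the lists with whatever your scripts actually call.

```shell
#!/bin/sh
# Script auditor for PATH injection and wildcard abuse (added example; not
# from the original post). Run it over cron scripts, sudo-allowed scripts and
# ExecStart scripts; every hit is a candidate for review, not a confirmed bug.

# Commands whose option parsing is known to be abusable through a bare glob.
WILDCARD_CMDS='tar|chown|chmod|rsync|find'
# Commands usually invoked by short name from cron, sudo rules and units.
BARE_CMDS='service|systemctl|tar|chown|chmod|rsync|rm|cp|mv|find'

# wildcard findings: one of WILDCARD_CMDS followed, before any comment, by a
# "*" preceded by whitespace, i.e. a bare glob rather than the safe "./*"
audit_wildcards() {
    grep -nE "(^|[[:space:]/])($WILDCARD_CMDS)[[:space:]][^#]*[[:space:]]\\*" -- "$1" \
        | sed 's/^/wildcard-glob:/'
}

# bare-command findings: one of BARE_CMDS in command position (line start or
# after ; & |), optionally behind sudo, with no leading slash, so PATH decides
# which binary actually runs
audit_bare() {
    grep -nE "(^|[;&|])[[:space:]]*(sudo[[:space:]]+)?($BARE_CMDS)([[:space:]]|\$)" -- "$1" \
        | sed 's/^/bare-command:/'
}

# audit_script FILE: print every finding as category:line:text
audit_script() {
    audit_wildcards "$1"
    audit_bare "$1"
}

# audit_count FILE: number of findings, usable as a CI gate
audit_count() {
    audit_script "$1" | wc -l | tr -d ' '
}

# Usage: sh audit.sh /etc/cron.daily/* /usr/local/sbin/*.sh
for f in "$@"; do
    audit_script "$f"
done
```

Lines that already use an absolute path and "./*" or "--" produce no finding, so the output shrinks to zero as scripts are fixed; a non-zero audit_count in CI is a reasonable blocking condition once the initial backlog is cleared.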
