Linux Shell Environment File Permission Check Vulnerability

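Vulnerability Information

Vulnerability name: Linux Shell Environment File Permission Check Vulnerability

Vulnerability type: Configuration issue

Severity: Medium

Description: This issue concerns improper ownership and permission configuration of user home directories and shell environment files (such as .bashrc, .bash_profile and .bash_logout) on Linux systems. If these files are not owned by the user or by root, or have insecure write permissions set, a malicious user may manipulate environment variables or inject malicious commands. Affected systems include all Linux distributions that use these shell environment files. The technical root cause is improper file permission management that allows unauthorized users to modify critical configuration files. This can lead to tampered environment variables and, in turn, to malicious command execution, data leakage or other security risks. Because these files are executed automatically when the user logs in, an attacker can use this issue to plant a persistent backdoor without the user's knowledge. Exploitation usually requires local access, but the risk is especially pronounced on multi-user systems and in shared hosting environments.

Product name: Linux Shell Environment

Source: https://github.com/projectdiscovery/nuclei-templates/blob/dfc176303ffebe3d9f231045fa3abe2cf2ca9874/misconfiguration%2Flinux%2Fhome-env-permission-check.yaml

Type: projectdiscovery/nuclei-templates:github issues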

PoC Details

id: home-env-permission-check

info:
  name: User Home Directory and Shell Environment File Ownership & Permission Check
  author: songyaeji
  severity: medium
  description: >
    If shell startup and environment files (e.g. .bashrc, .bash_profile, .bash_logout) are not owned by the user or root,
    or have insecure write permissions, malicious users can manipulate environment variables or inject malicious commands.
  tags: linux,local,permissions,home,shell,compliance
  reference:
    - https://isms.kisa.or.kr
    - Cloud Vulnerability Assessment Guide(2024) by KISA
  metadata:
    os: linux
    verified: true
    max-request: 1

self-contained: true

code:
  - engine:
      - bash
    source: |
      # List the shell startup files of every account whose home is under /home.
      for user in $(awk -F: '$6 ~ /^\/home/ {print $1}' /etc/passwd); do
        HOME_DIR=$(eval echo ~$user)
        find "$HOME_DIR" -maxdepth 1 -type f \( -name ".bashrc" -o -name ".bash_profile" -o -name ".bash_logout" \) -exec ls -l {} \;
      done
    matchers:
      - type: regex
        name: insecure-perms
        part: code_1_response
        regex:
          # (?m) anchors ^ at every line of the ls -l output; in a mode string
          # such as -rw-rw-rw- the write bits sit at offsets 2, 5 and 8.
          - "(?m)^-.w..w..w"
          - "(?m)^-.{1}w.{2}w.{2}w"
      # Negated word matcher: true when "root" does not appear in the output.
      - type: word
        name: not-owned-by-user
        negative: true
        words:
          - "root"
        part: code_1_response
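
The same ownership and write-permission check, as an added example that is not part of the nuclei template or the original page: it reads each file's owner and octal mode with GNU `stat` and tests the write bits directly instead of matching `ls -l` text. The function names `classify`, `audit_home` and `audit_all` are hypothetical, and treating group- or other-writable as the insecure case is an assumption about what the description means by insecure write permissions.

```shell
#!/bin/sh
# Added example, not part of the nuclei template: audit shell startup files by
# owner name and numeric mode (GNU stat) instead of matching `ls -l` text.

ENV_FILES=".bashrc .bash_profile .bash_logout"   # the files the template looks for

# classify OWNER MODE USER -> ok | bad-owner | writable | bad-owner,writable
classify() (
  owner=$1 mode=$2 user=$3 out=""
  # The file must belong to the account itself or to root.
  if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then out="bad-owner"; fi
  # 022 = group-write | other-write; the leading 0 makes the shell parse MODE as octal.
  if [ $(( 0$mode & 022 )) -ne 0 ]; then out="${out:+$out,}writable"; fi
  echo "${out:-ok}"
)

# audit_home USER HOME_DIR -> one "<finding> <owner> <mode> <path>" line per bad file
audit_home() (
  user=$1 home=$2
  for name in $ENV_FILES; do
    f="$home/$name"
    # Regular files only (like the template's -type f); symlinks are skipped.
    [ -f "$f" ] && [ ! -L "$f" ] || continue
    owner=$(stat -c '%U' "$f") mode=$(stat -c '%a' "$f")
    finding=$(classify "$owner" "$mode" "$user")
    [ "$finding" = ok ] || echo "$finding $owner $mode $f"
  done
)

# audit_all [PASSWD_FILE]: every account whose home is under /home, taking the
# path from field 6 of the passwd file rather than expanding ~user with eval.
audit_all() {
  awk -F: '$6 ~ /^\/home/ {print $1 ":" $6}' "${1:-/etc/passwd}" |
    while IFS=: read -r user home; do audit_home "$user" "$home"; done
}

audit_all   # run as root so every home directory is readable
```

Each output line names the finding, the owner, the octal mode and the path, so a file that is both foreign-owned and writable is reported once with both findings.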


http://example.com/2025/07/31/github_4162419567/
Author: lianccc
Published: July 31, 2025