Penetration testing is a craft that demands a lot of prior knowledge about a specific technology or system before you can really understand how it can be exploited. There are many loopholes that give a potential malicious actor an opportunity to breach your systems. As a pentester, you want to keep learning and build a playbook of checks that you can execute quickly on every engagement. One item that belongs in every pentesting playbook comes from the Linux OS, and more specifically from the text and configuration file editor called "vi".
vi is installed on almost every generic Linux distribution to date. It is the WordPad of the Linux world: a very simple tool that lets a user open a file they have permission to read, make any changes needed, and save the file. Seems harmless, right? There is a little secret within vi that no patch can prevent, because the weakness comes from how administrators configure it, not from a bug in the software.
Let's say that, as a systems engineer, you locked down file editing permissions on your Linux systems globally, so that only the admin account can change a certain file type. But in the same keystroke, you allowed anyone to run vi as admin, without fully understanding everything the vi tool can do. With those settings in place, along comes a malicious actor trying to execute a payload that gives him a backdoor into your Linux system. He receives a permission denied error when trying to run it as admin. Instead of giving up, this cunning threat actor opens the vi editor and executes his file from inside vi itself. Since vi has been granted admin permissions on the system, he bypasses the restraints enforced through normal means, and the actor now has a backdoor shell into your box. This is the kind of detail that can be overlooked, and is overlooked, in everyday scenarios around the world. To mitigate this weakness, the engineer would explicitly configure vi so that it cannot execute other programs while running as full admin, and would grant only the ability to read or edit the specific files in question, preventing the actor from bypassing the normal permission checks.
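The scenario above is a sudoers misconfiguration, and it is easy to audit for. The script below is an added example, not code from the original post: it parses a constructed /etc/sudoers excerpt (single-line rules only), flags any interactive editor or pager granted as root without the NOEXEC tag, and prints the sudoedit rule that should replace it. The file paths, usernames and the SHELL_ESCAPE_PROGRAMS list are assumptions chosen for the demonstration.

```python
"""Audit sudoers rules for editors that can escape to a shell.

Added example, not part of the original post. Handles single-line rules of the
form ``user hosts=(runas) [TAG:] command [args]`` and flags interactive
editors/pagers granted without NOEXEC, suggesting sudoedit instead.
"""
import os
import re

# Constructed sample sudoers content for the demonstration (not from any real host).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/vi /etc/app/config.conf
ops     ALL=(root) NOEXEC: /usr/bin/vim /etc/app/other.conf
auditor ALL=(root) sudoedit /etc/app/config.conf
backup  ALL=(root) /usr/bin/rsync
"""

# Programs that let the user run other commands from inside the program. Granting one
# of these via sudo is effectively granting a root shell unless execution is blocked.
# Assumed list for the example; extend it for your environment.
SHELL_ESCAPE_PROGRAMS = {"vi", "vim", "view", "nano", "emacs", "less", "more", "man"}

# Tags sudoers allows in front of a command spec.
SUDOERS_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
                "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
                "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_command_spec(spec):
    """Split one command spec into (tags, program, args)."""
    tokens = spec.split()
    tags = set()
    while tokens and tokens[0].endswith(":") and tokens[0][:-1] in SUDOERS_TAGS:
        tags.add(tokens.pop(0)[:-1])
    if not tokens:
        return tags, None, []
    return tags, tokens[0], tokens[1:]


def audit_sudoers(text):
    """Return a list of findings, one per editor rule that permits shell escapes."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip comments, Defaults lines and alias definitions; only user rules matter here.
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if line.split()[0].endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, hosts, runas = m["user"], m["hosts"], m["runas"]
        for spec in m["cmds"].split(","):
            tags, program, args = parse_command_spec(spec)
            if program is None or program.startswith("!"):
                continue
            if os.path.basename(program) not in SHELL_ESCAPE_PROGRAMS:
                continue
            if "NOEXEC" in tags:
                # NOEXEC blocks the editor from exec'ing further programs (works for
                # dynamically linked binaries); sudoedit is still the stronger fix.
                continue
            runas_part = f"({runas}) " if runas else ""
            target = " ".join(args) if args else "<specific file>"
            findings.append({
                "line": lineno,
                "user": user,
                "program": program,
                "reason": "editor/pager granted via sudo without NOEXEC; shell escape possible",
                # sudoedit edits a copy as the invoking user and lets sudo write it back
                # as root, so the editor itself never runs with elevated privileges.
                "fix": f"{user} {hosts}={runas_part}sudoedit {target}",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['user']} -> {f['program']}: {f['reason']}")
        print(f"  replace with: {f['fix']}")
```

Run it against `sudo -l` output or a copy of /etc/sudoers and the files under /etc/sudoers.d. Of the sample rules, only the deploy line is reported, because the ops rule carries NOEXEC and the auditor rule already uses sudoedit.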
Whether you are a novice pentester or an expert, you need to be consistently learning new techniques, vulnerabilities and exploits, and how often each of them is actually abused in the wild. Being able to incorporate these into your testing playbook effectively is crucial to your future success at identifying critical vulnerabilities when it matters most.