id: root-path-dot

info:
  name: Root PATH Contains Current Directory
  author: songyaeji
  severity: high
  description: |
    The root user's PATH environment variable includes the current directory (".").
    This allows scripts or binaries in the working directory to be executed with root privileges.
    The misconfiguration can result in privilege escalation and unsafe behavior.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
    - https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
  metadata:
    verified: true
  tags: local,linux,audit,privesc,kisa

self-contained: true

code:
  - engine:
      - sh
    source: |
      # Match "." as a PATH entry in any position. An empty entry (leading or
      # trailing ":" or "::") is also treated as the current directory by the shell.
      printf '%s\n' "$PATH" | grep -Eq '(^\.?:|:\.?:|:\.?$|^\.$)' && echo "dot-in-path" || echo "safe-path"

    matchers:
      - type: word
        part: response
        words:
          - "dot-in-path"
# digest: 4b0a004830460221009bc443da27ba4a09097561e6237be8676c76bea133bb051901740f075e5ffe6d022100b56139ecfd6da3702a70cee28aba51fbdc9dde4be9ae7742a31c020ee5bccebb:922c64590222798bb761d5b6d8e72950