While most commentators consider Linux and the wider Unix ecosystem much more secure as a whole than other technology platforms, one list on GitHub begs to differ. A project by the name of GTFOBins has been collecting the names of otherwise legitimate Unix binaries that attackers can abuse to break out of a restricted shell or to elevate privileges. As the name suggests, each of these binaries can be pushed past its normal job into something that lets an attacker do real damage on a compromised machine.
In the true spirit of open-source development, GTFOBins is a shared project: anyone can contribute additional binaries to the list, as well as new techniques for misusing binaries already on it. The idea is likely to catch on, because documenting these abuses before attackers use them tells system administrators what to look for if anyone ever does.
Most of the commands listed on the latest GTFOBins commit are ones that experienced Linux users are likely to see on a daily basis. Those working with the project have reported potentially insecure uses for generally safe binaries like awk, bash and tar.
Some of these exploits, like those involving the popular text editors vi and emacs, rely on the natural ability of certain software to read and write files. Others rely on the interactive programming shell that python and ruby offer, or on the fact that networking applications like sftp can be misused to download files from a remote location onto the local file system.
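The two halves of the problem the article describes, as an added example that is not part of the article or of the GTFOBins project itself: first, how a legitimate binary such as awk or python turns into a way to run arbitrary commands, and second, the audit a system administrator can run to see which of these binaries are reachable with elevated privileges on a host, which is what the "know what to look for" point above comes down to in practice. The watch list is constructed from the binary names the article mentions (a real audit would use the full list from the repository), the sudo rule lines and file names used in testing are constructed sample input, and python3 being on PATH is an assumption.

```shell
#!/bin/sh
# Added example, not code from the article or the GTFOBins project.

# Constructed watch list: the names the article mentions as GTFOBins entries.
# A real audit would use the full list from the repository.
GTFO_WATCHLIST="awk bash tar vi emacs python ruby sftp wget"

# awk has a system() builtin, so any context that lets a user run awk lets
# them run an arbitrary command. Were awk setuid, or allowed under sudo,
# that command would run with the elevated privileges.
run_via_awk() {
    awk -v cmd="$1" 'BEGIN { system(cmd) }'
}

# The same primitive through python's -c switch (python3 on PATH is assumed).
run_via_python() {
    command -v python3 >/dev/null 2>&1 || return 127
    python3 -c 'import os, sys; os.system(sys.argv[1])' "$1"
}

# List setuid executables under the given directories whose basename is on
# the watch list. Each one hands its owner's privileges to whoever can run it.
audit_setuid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | while read -r path; do
        name=${path##*/}
        for w in $GTFO_WATCHLIST; do
            if [ "$name" = "$w" ]; then
                echo "$path"
            fi
        done
    done
}

# Report sudo rules that grant a watch-listed command. Input is the rule block
# that `sudo -l` prints, one "(runas) [TAG:] /path [args]" line per rule; the
# first field that starts with "/" is taken as the command.
audit_sudo_rules() {
    awk -v list="$GTFO_WATCHLIST" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        /^[ \t]*\(/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\//) {
                    name = $i; sub(/.*\//, "", name)
                    if (name in watch) print $i
                    break
                }
            }
        }'
}

# Stand-alone run: show the primitive, then audit the usual binary directories.
run_via_awk 'id'
audit_setuid /bin /usr/bin /usr/local/bin
```

Pipe the output of `sudo -l` into `audit_sudo_rules` to check the sudo side; a watch-listed command that is setuid or allowed under sudo is the condition the GTFOBins entries turn into a privilege escalation.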
None of the listed exploits are expected to send shockwaves through the world of Linux security, and a few, like the ability to download other binaries with wget, have been well understood for years. The LOLBins project that the repository was inspired by lists far more such exploits for Windows, which suggests that Unix has fewer of them by design.
Nevertheless, it’s important to keep in mind that the GTFOBins project only stretches back to May 21, and the rephrasing and clarification of some exploits are as recent as a few hours before the time of this writing. It should be interesting to see whether any of the popular tools on the list receive updates to prevent attackers from bypassing security restrictions using the methods this repository warns about.