AIDE 2014 - Fundamentals of Linux Privilege Escalation
TRANSCRIPT
AIDE 2014
Fundamentals of Linux Privilege Escalation
Elliott Cutright
Introduction
❖ Elliott Cutright
❖ Sr. Red Team for a Large Multinational Company
❖ Professional Pen Tester for 6 years
❖ Linux and Web Applications
❖ Previously worked in Threat Intelligence and Systems Admin
❖ Short time working on a 24/7/365 DOD SOC
Disclaimer
The views and opinions expressed here are those of Elliott Cutright only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
Setup
❖ This is NOT how to get in
❖ How do we go from low privileges to high privileges?
❖ Starting points: webshells, stolen SSH keys, etc.
❖ We do not know the user's password
Method 1:
Exploits
Exploits
❖ Most take advantage of a flaw in the Linux kernel
❖ Easier because reliable exploit code is widely available
❖ Be careful: if the exploit is unreliable there is a good chance you will crash the system, as you might see in the demo
❖ Generally a low skill set can achieve grand results
❖ Additional hardening capabilities exist (grsecurity)
Exploits
❖ Identify OS and kernel version
❖ Enumerate tools to build the exploit (gcc, python, perl, etc.)
❖ Get the exploit to the system
❖ Execute the exploit
❖ …
❖ ROOT
Exploit - ID System
❖ Determine kernel version
❖ uname -a
❖ Linux ubuntu-demo 3.8.0-19-generic #30-Ubuntu SMP Wed May 1 16:36:13 UTC 2013 i686 i686 i686 GNU/Linux
❖ Linux cent-demo 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686 i386 GNU/Linux
Exploit - ID System
❖ OS release
❖ Ubuntu - cat /etc/lsb-release
❖ DISTRIB_ID=Ubuntu
❖ DISTRIB_RELEASE=13.04
❖ DISTRIB_CODENAME=raring
❖ DISTRIB_DESCRIPTION="Ubuntu 13.04"
❖ RedHat/CentOS - cat /etc/redhat-release
❖ CentOS release 5 (Final)
Exploit - Get the File on the Server
❖ Any means available
❖ curl/wget
❖ NetCat
❖ FTP
❖ SCP/SFTP
❖ SMB
❖ TFTP
❖ Copy/Paste - for source code
❖ DNS TXT Records - for source code
Exploit - Where To Hide It?
❖ Directories starting with a ‘.’ are hidden on the Linux filesystem
❖ /tmp/.nothinghere/exploit.c
❖ /tmp/…/exploit.c
❖ Verify you can run executables from your directory: check the mount options
❖ mount
❖ /dev/vda3 on /tmp type ext4 (rw,noexec)
Exploit - ID Build System
❖ gcc -v
❖ Using built-in specs.
❖ COLLECT_GCC=gcc
❖ Target: i686-linux-gnu
❖ Configured with: ../src/configure ……..
❖ gcc version 4.7.3 (Ubuntu/Linaro 4.7.3-1ubuntu1)

❖ python -V
❖ Python 2.4.3
Exploit - ID Build System
❖ gcc -v
❖ -bash: gcc: command not found
❖ Common on servers
❖ python -V
❖ -bash: /usr/bin/python: No such file or directory
❖ RARE
Exploit - Building The Exploit
❖ Most exploits have build directions in the headers
❖ Most common method:
❖ gcc exploit.c -o exploit
❖ ./exploit
Exploit - Build Local
❖ If GCC is not present, build a VM or VPS with the exact matching kernel and OS (ex. Ubuntu 13.10 with kernel 3.8.0-19-generic)
❖ Once built on your local system, move the compiled exploit to the target system
❖ WARNING: This is not the preferred method and can have unexpected results…but will work in a pinch
CVE-2009-2692 - sock_sendpage() exploit
https://www.youtube.com/watch?v=65w7ROFbdqc
Demo
Method 2:
SetUID SetGID
SetUID and SetGID
❖ SetUID - set user ID upon execution
❖ SetGID - set group ID upon execution
❖ Allows you to run programs as another user upon execution
❖ Generally executed as an elevated-privilege user (root)
SetUID Risks
❖ Binaries run with elevated privileges can access privileged information
❖ SetUID on ‘ls’ will allow you to list directories you otherwise wouldn’t have rights to
❖ SetUID on ‘vim’ will allow you to edit files you otherwise wouldn’t have rights to
SetUID Risks
❖ Buffer overflow exploits on SetUID applications will result in the attacker running code with elevated privileges
Find SetUID
❖ ls -l /bin/ls
❖ -rwxr-xr-x 1 root root 108708 Jan 17 2013 /bin/ls
❖ dir:owner:group:world

❖ ls -al /bin/ping
❖ -rwsr-sr-x 1 root root 34780 Oct 2 2012 /bin/ping
Find SetUID
❖ sudo find / -xdev \( -perm -4000 \) -type f -print0 -exec ls -l {} \;
❖ note: sudo is not required, you just won't be able to check directories you don't have permissions to
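As an added defensive example (not part of the talk), the slide's find command turned into a baseline check: it records the setuid files a host is supposed to have and reports any that appear later. The baseline file location and the scratch fixture are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the talk: list set-user-ID files the way the
# slide's find command does, then report any that are missing from a
# known-good baseline. Assumes a baseline file with one absolute path per
# line, e.g. captured once on a freshly built host with:
#   find_setuid / > /var/lib/setuid.baseline

# Print every regular file with the setuid bit under $1, staying on one
# filesystem (-xdev, as on the slide), sorted so the list can be diffed.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Compare the live setuid list under $1 with baseline file $2. Prints one
# line per setuid file not in the baseline; returns 1 if any were found.
audit_setuid() {
    live=$(mktemp)
    find_setuid "$1" > "$live"
    # comm -23 keeps lines only in the first (live) list; both inputs sorted
    extra=$(sort "$2" | comm -23 "$live" -)
    rm -f "$live"
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}

# Constructed fixture: a scratch tree with one approved and one unexpected
# setuid file, so the check can be exercised without scanning / as root.
demo() {
    d=$(mktemp -d)
    : > "$d/approved"; chmod 4755 "$d/approved"
    : > "$d/surprise"; chmod 4755 "$d/surprise"
    : > "$d/plain";    chmod 0755 "$d/plain"
    printf '%s\n' "$d/approved" > "$d/baseline"
    if audit_setuid "$d" "$d/baseline"; then
        echo "no unexpected setuid files"
    else
        echo "(the line above is the setuid file missing from the baseline)"
    fi
    rm -rf "$d"
}

demo
```

A cron job running audit_setuid against a baseline stored outside the scanned tree turns the slide's enumeration step into a detection for newly planted setuid binaries.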
Exploiting SetUID
❖ Use the functionality of the tool in unintended ways to gain elevated privileges (more on this idea later)
❖ Find an application that has a public exploit, or start fuzzing on your own
❖ Command injection
Method 3:
Permissive SUDO
SUDO
❖ su do
❖ note: su does not mean SuperUser, it's Substitute User

❖ Allows you to run commands as an elevated user with the user's own password rather than the root (or other privileged) password
/etc/sudoers
❖ Config file for sudo
❖ Limits what users and groups can run what commands
❖ ex:
❖ root ALL=(ALL:ALL) ALL
❖ %sudo ALL=(ALL) NOPASSWD:ALL
/etc/sudoers
❖ Can allow for very granular configurations
❖ User_Alias FULLTIMERS = millert, mikef, dowdy
❖ Host_Alias SERVERS = master, mail, www, ns
❖ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
❖ Cmnd_Alias REBOOT = /usr/sbin/reboot
❖ FULLTIMERS ALL = NOPASSWD: ALL
❖ mikef ALL, !SERVERS = ALL
Concerns
❖ With great power comes great responsibility
❖ sudo will allow you to shoot yourself in the foot
❖ THINK about the commands you allow via sudo
Problems?
❖ Why are these commands an issue?
❖ vi/vim
❖ more/less/cat
❖ echo
❖ nmap
Similar: http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
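An added example, not from the talk, that audits a sudoers file for exactly the grants this slide questions. The sample sudoers rules are constructed, and the parser handles only the plain user HOST=(RUNAS) TAG: cmd form.

```shell
#!/bin/sh
# Added example, not from the talk: flag sudoers rules that grant the
# programs the slide asks about, or ALL. Editors and pagers can hand the
# caller a subshell, cat and echo give arbitrary file read and write as the
# run-as user, and older nmap had an interactive mode, so each of these is
# in effect a root grant. Handles only the common
#   user_or_%group  HOST=(RUNAS) [TAG:] cmd1, cmd2
# form; comments, Defaults, *_Alias and '\' continuation lines are skipped.

RISKY_CMDS="vi vim view more less cat echo nmap"   # the slide's list

# Return 0 if command spec $1 is ALL or its program is in RISKY_CMDS.
is_risky() {
    first=$(printf '%s\n' "$1" | awk '{print $1}')
    [ "$first" = "ALL" ] && return 0
    base=${first##*/}
    for r in $RISKY_CMDS; do
        [ "$base" = "$r" ] && return 0
    done
    return 1
}

# Read sudoers text on stdin; print "<who> <command spec>" per risky grant.
audit_sudoers() {
    grep -Ev '^[[:space:]]*(#|$|Defaults|[A-Za-z_]+_Alias)' |
    while IFS= read -r line; do
        who=$(printf '%s\n' "$line" | awk '{print $1}')
        # keep what follows "=", drop "(RUNAS)" and NOPASSWD:-style tags
        rhs=$(printf '%s\n' "${line#*=}" |
              sed 's/^[[:space:]]*([^)]*)//; s/[A-Z][A-Z]*:[[:space:]]*//g')
        printf '%s\n' "$rhs" | tr ',' '\n' | while IFS= read -r spec; do
            spec=$(printf '%s\n' "$spec" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            if [ -n "$spec" ] && is_risky "$spec"; then
                printf '%s %s\n' "$who" "$spec"
            fi
        done
    done
}

# Constructed sample sudoers (not from any real host); the last two rules
# look narrowly scoped but hand out vim and cat as root.
SAMPLE_SUDOERS='root      ALL=(ALL:ALL) ALL
%sudo     ALL=(ALL) NOPASSWD:ALL
webadmin  ALL=(root) NOPASSWD: /usr/bin/vim /etc/httpd/conf/httpd.conf
backup    ALL=(root) /usr/bin/rsync, /bin/cat /var/log/secure
monitor   ALL=(root) /usr/sbin/service httpd status'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

On a real host feed it `visudo -c` validated files, e.g. `cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers`, and treat every line it prints as a root grant to review.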
Demo
Method 4:
PATH issues
Linux PATH
❖ An environment variable that contains the locations of executables
❖ printenv
❖ PATH=/usr/local/rvm/gems/ruby-1.9.3-p448/bin:/usr/local/rvm/gems/ruby-1.9.3-p448@global/bin:/usr/local/rvm/rubies/ruby-1.9.3-p448/bin:/usr/local/rvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Linux PATH
❖ ruby -v
❖ ruby 1.9.3p448 (2013-06-27 revision 41675) [i686-linux]
❖ which ruby
❖ /usr/local/rvm/rubies/ruby-1.9.3-p448/bin/ruby
Linux PATH Issues
❖ What would happen if ‘.’ was prepended to the path?
❖ Where would it look for ruby first?
❖ What if a script was calling ruby?
❖ As root…
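An added example (not from the talk) that answers the slide's questions mechanically: a POSIX sh check that flags ‘.’, relative, empty and world-writable PATH entries, for use against root's or a service account's PATH. The sample PATH values are constructed.

```shell
#!/bin/sh
# Added example, not from the talk: check a PATH value for the hazard the
# slide describes. "." or any relative entry, and an empty entry (leading,
# trailing or doubled ':', which POSIX treats as the current directory),
# make the shell resolve commands from the caller's working directory; a
# world-writable directory lets any local user plant a program there.
# Assumes only POSIX sh and find; run as e.g. check_path "$PATH".

# Print one "<reason>: '<entry>'" line per hazardous entry in PATH string
# $1. Returns 1 if anything was flagged, 0 for a clean PATH.
check_path() {
    flagged=0
    rest="$1:"                    # trailing ':' so the loop consumes every entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$entry" ] || [ "$entry" = "." ]; then
            printf "current directory: '%s'\n" "${entry:-<empty>}"
            flagged=1
        elif [ "${entry#/}" = "$entry" ]; then
            printf "relative directory: '%s'\n" "$entry"
            flagged=1
        elif [ -d "$entry" ] &&
             [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
            # -prune stops find at the directory itself; -perm -0002 is o+w
            printf "world-writable directory: '%s'\n" "$entry"
            flagged=1
        fi
    done
    return "$flagged"
}

# Constructed examples: a typical system PATH, then a lazy-admin PATH with
# "." and a trailing (empty) entry, then a 0777 scratch directory.
if check_path "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"; then
    echo "clean PATH: nothing flagged"
fi
check_path ".:/usr/local/bin:/usr/bin:/bin:" || true
scratch=$(mktemp -d); chmod 0777 "$scratch"
check_path "/usr/bin:$scratch" || true
rmdir "$scratch"
```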
Attack Path Example
❖ Lazy sysadmin has ‘.’ in his path
❖ Email and say you can’t list the files in your home dir
❖ Admin logs in as root (he’s lazy, remember)
❖ Make a bash script called ‘ls’ that sends a reverse shell and hides itself from the admin
❖ Admin goes to your home dir and runs ls
❖ Shellz
ls reverse shell
Demo