AIDE 2014 Fundamentals of Linux Privilege Escalation Elliott Cutright

Upload: nullthreat

Post on 24-May-2015

Page 1: Aide 2014 - Fundamentals of Linux Privilege Escalation

AIDE 2014

Fundamentals of Linux Privilege Escalation

Elliott Cutright

Page 2

Introduction

❖ Elliott Cutright

❖ Sr. Red Team for a Large Multinational Company

❖ Professional Pen Tester for 6 years

❖ Linux and Web Applications

❖ Past worked in Threat Intelligence and Systems Admin

❖ Short time working on a 24/7/365 DOD SOC

Page 3

Disclaimer

The views and opinions expressed here are those of Elliott Cutright only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.

Page 4

Setup

❖ This is NOT how to get in

❖ How do we go from low privileges to high privileges

❖ Webshells, Stolen SSH Keys, etc.

❖ We do not know the user's password

Page 5

Method 1:

Exploits

Page 6

Exploits

❖ Most take advantage of a flaw in the Linux Kernel

❖ Easier because reliable exploit code is widely available

❖ Be careful: if the exploit is unreliable there is a good chance you will crash the system, as you might see in the demo

❖ Generally a low skill set can achieve grand results

❖ Additional hardening capabilities exist (GRSecurity)

Page 7

Exploits

❖ Identify OS and Kernel Version

❖ Enumerate tools to build the exploit (gcc, python, perl, etc.)

❖ Get the exploit to the system

❖ Execute Exploit

❖ …

❖ ROOT

Page 8

Exploit - ID System

❖ Determine kernel version

❖ uname -a

❖ Linux ubuntu-demo 3.8.0-19-generic #30-Ubuntu SMP Wed May 1 16:36:13 UTC 2013 i686 i686 i686 GNU/Linux

❖ Linux cent-demo 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686 i386 GNU/Linux

Page 9

Exploit - ID System

❖ OS Release

❖ Ubuntu - cat /etc/lsb-release

❖ DISTRIB_ID=Ubuntu

❖ DISTRIB_RELEASE=13.04

❖ DISTRIB_CODENAME=raring

❖ DISTRIB_DESCRIPTION="Ubuntu 13.04"

❖ RedHat/CENT - cat /etc/redhat-release

❖ CentOS release 5 (Final)

Page 10

Exploit - Get the file on the Server

❖ Any means available

❖ curl/wget

❖ NetCat

❖ FTP

❖ SCP/SFTP

❖ SMB

❖ TFTP

❖ Copy/Paste - for source code

❖ DNS TXT Records - for source code

Page 11

Exploit - Where To Hide It?

❖ Directories starting with a '.' are hidden on the Linux filesystem

❖ /tmp/.nothinghere/exploit.c

❖ /tmp/…/exploit.c

❖ Verify you can run commands from your directory (a filesystem mounted noexec will not let you)

❖ mount

❖ /dev/vda3 on /tmp type ext4 (rw,noexec)
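A check for the noexec case on this slide, added here as an example and not part of the deck or the speaker's tooling: it parses mount(8) output (a constructed sample below, with the slide's /tmp line in it) and reports whether a given path sits on a noexec filesystem. From the defender's side the same function confirms that the /tmp and /dev/shm hardening is actually in place.

```shell
#!/bin/sh
# Constructed mount(8) output for this example; the /tmp line is the one from the slide.
MOUNT_OUTPUT='/dev/vda1 on / type ext4 (rw,relatime)
/dev/vda3 on /tmp type ext4 (rw,noexec)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
/dev/vda2 on /home type ext4 (rw,relatime)'

# mount_opts_for PATH: read mount output on stdin and print the option string of the
# mount point that is the longest prefix of PATH, i.e. the filesystem PATH lives on.
mount_opts_for() {
  awk -v p="$1" '
    { mp = $3; opts = $NF }
    # "/" covers everything; otherwise PATH must equal the mount point or start with it plus "/"
    mp == "/" || p == mp || index(p, mp "/") == 1 {
      if (length(mp) > best_len) { best_len = length(mp); best = opts }
    }
    END { print best }'
}

# exec_allowed PATH: print "noexec" if the filesystem holding PATH forbids execution, else "exec".
# Swap MOUNT_OUTPUT for "$(mount)" to audit the live host instead of the sample.
exec_allowed() {
  opts=$(printf '%s\n' "$MOUNT_OUTPUT" | mount_opts_for "$1")
  case "$opts" in
    *noexec*) echo noexec ;;
    *)        echo exec ;;
  esac
}

# Hardening view: temp-style directories should all come back "noexec". With the
# constructed sample /var/tmp comes back "exec", which is exactly the finding to raise.
for dir in /tmp /dev/shm /var/tmp; do
  printf '%s: %s\n' "$dir" "$(exec_allowed "$dir")"
done
```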

Page 12

Exploit - ID Build System

❖ gcc -v

❖ Using built-in specs.

❖ COLLECT_GCC=gcc

❖ Target: i686-linux-gnu

❖ Configured with: ../src/configure …

❖ gcc version 4.7.3 (Ubuntu/Linaro 4.7.3-1ubuntu1)

❖ python -V

❖ Python 2.4.3

Page 13

Exploit - ID Build System

❖ gcc -v

❖ -bash: gcc: command not found

❖ Common on Servers

❖ python -V

❖ -bash: /usr/bin/python: No such file or directory

❖ RARE

Page 14

Exploit - Building The Exploit

❖ Most exploits have build directions in the headers

❖ Most common method

❖ gcc exploit.c -o exploit

❖ ./exploit

Page 15

Exploit - Build Local

❖ If GCC is not present, build a VM or VPS with the exact matching kernel and OS (Ex. Ubuntu 13.10 with Kernel 3.8.0-19-generic)

❖ Once built on your local system, move the compiled exploit to your target system

❖ WARNING: This is not the preferred method and can have unexpected results… but will work in a pinch

Page 16

CVE-2009-2692 - sock_sendpage() exploit

https://www.youtube.com/watch?v=65w7ROFbdqc

Demo

Page 17

Method 2:

SetUID SetGID

Page 18

SetUID and SetGID

❖ SetUID - SET User ID upon execution

❖ SetGID - SET Group ID upon execution

❖ Allows you to run programs as another user upon execution

❖ Generally executed as an elevated privilege user (root)

Page 19

SetUID Risks

❖ Binaries run with elevated privileges can access privileged information

❖ SetUID on 'ls' will allow you to list directories you otherwise wouldn't have rights to

❖ SetUID on 'vim' will allow you to edit files you otherwise wouldn't have rights to

Page 20

SetUID Risks

❖ Buffer overflow exploits on SetUID applications will result in the attacker running code with elevated privileges

Page 21

Find SetUID

❖ ls -l /bin/ls

❖ -rwxr-xr-x 1 root root 108708 Jan 17 2013 /bin/ls

❖ dir:owner:group:world

❖ ls -al /bin/ping

❖ -rwsr-sr-x 1 root root 34780 Oct 2 2012 /bin/ping

Page 22

Find SetUID

❖ sudo find / -xdev \( -perm -4000 \) -type f -print0 -exec ls -l {} \;

❖ note: sudo is not required, you just won't be able to check directories you don't have permissions to
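An audit of the mode strings from the two previous slides, added here as an example and not part of the deck: it decodes the set-id bits from `ls -l` output (constructed lines modelled on the /bin/ls and /bin/ping entries) and lists every file carrying one, so a defender can compare the result against what the distribution actually ships. `find_setid` is the live form of the slide's find command with setgid included.

```shell
#!/bin/sh
# Constructed `ls -l` lines modelled on the slide's /bin/ls and /bin/ping output;
# the last entry is deliberately odd (setuid set, owner execute bit clear).
LISTING='-rwxr-xr-x 1 root root 108708 Jan 17 2013 /bin/ls
-rwsr-sr-x 1 root root 34780 Oct 2 2012 /bin/ping
-rwsr-xr-x 1 root root 44168 May 7 2013 /usr/bin/passwd
-rwxr-sr-x 1 root tty 19024 Mar 1 2013 /usr/bin/wall
-rwSr--r-- 1 root root 1234 Jan 1 2013 /opt/odd/broken'

# special_bits MODE: print which set-id bits a mode string carries.
# Character 4 is the owner execute slot (s = setuid + exec, S = setuid without exec);
# character 7 is the group execute slot and works the same way for setgid.
special_bits() {
  u=$(printf '%s' "$1" | cut -c4)
  g=$(printf '%s' "$1" | cut -c7)
  out=""
  case "$u" in s|S) out="setuid" ;; esac
  case "$g" in s|S) out="${out:+$out }setgid" ;; esac
  case "$1" in *S*) out="$out (set-id without exec bit)" ;; esac
  printf '%s\n' "$out"
}

# audit_listing: read `ls -l` lines on stdin and print "path owner=... bits" for every
# file that has a set-id bit; root-owned entries are the ones to review first.
audit_listing() {
  while read -r mode links owner group size mon day yr path; do
    bits=$(special_bits "$mode")
    if [ -n "$bits" ]; then
      printf '%s owner=%s %s\n' "$path" "$owner" "$bits"
    fi
  done
}

# Live version of the slide's find command, setgid included; not run by the sample below.
find_setid() {
  find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \; 2>/dev/null | audit_listing
}

printf '%s\n' "$LISTING" | audit_listing
```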

Page 23

Exploiting SetUID

❖ Use the functionality of the tool in unintended ways for elevated privileges (more on this idea later)

❖ Find an application that has a public exploit or start fuzzing on your own

❖ Command Injection

Page 24

Method 3:

Permissive SUDO

Page 25

SUDO

❖ su do

❖ note: su does not mean SuperUser, it's Substitute User

❖ Allows you to run commands as an elevated user with the user's own password rather than the root (or other privileged) password

Page 26

/etc/sudoers

❖ Config file for sudo

❖ Limits what users and groups can run what commands

❖ ex:

❖ root    ALL=(ALL:ALL) ALL

❖ %sudo   ALL=(ALL) NOPASSWD:ALL

Page 27

/etc/sudoers

❖ Can allow for very granular configurations

❖ User_Alias FULLTIMERS = millert, mikef, dowdy

❖ Host_Alias SERVERS = master, mail, www, ns

❖ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown

❖ Cmnd_Alias REBOOT = /usr/sbin/reboot

❖ FULLTIMERS ALL = NOPASSWD: ALL

❖ mikef ALL, !SERVERS = ALL

Page 28

Concerns

❖ With great power comes great responsibility

❖ sudo will allow you to shoot yourself in the foot

❖ THINK about the commands you allow via sudo

Page 29

Problems?

❖ Why are these commands an issue?

❖ vi/vim

❖ more/less/cat

❖ echo

❖ nmap
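A sudoers lint for the "THINK about the commands you allow" point, added here as an example and not part of the deck: it reads a constructed sudoers fragment (the two rules from the earlier slide plus entries for the commands this slide asks about) and flags rules that grant ALL to a non-root user or grant one of those commands. It assumes the common "user host=(runas) [NOPASSWD:] cmd, cmd" layout and skips aliases rather than expanding them.

```shell
#!/bin/sh
# Constructed sudoers fragment for this example (not from any real host).
SUDOERS='# sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL) NOPASSWD:ALL
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
alice   ALL=(root) NOPASSWD: /usr/bin/vim, /bin/less
bob     ALL=(root) /usr/bin/nmap
carol   ALL=(root) /usr/sbin/shutdown -h now
dave    ALL=(root) /bin/echo'

# The commands from the "Problems?" slide: editors and pagers can open any file or
# spawn a shell, older nmap releases had an interactive mode, cat/echo move data as root.
RISKY='vi vim more less cat echo nmap'

# lint_sudoers: read sudoers text on stdin; print one finding per rule that grants ALL
# commands to a non-root user or grants one of the RISKY commands. Comments, blank
# lines, Defaults and *_Alias definitions are skipped (assumption: no alias expansion).
lint_sudoers() {
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^Defaults' -e '_Alias' \
  | while read -r user rest; do
      spec=${rest#*=}           # drop "host="    -> "(runas) [tags] cmd, cmd"
      spec=${spec#*)}           # drop "(runas)"  -> " [tags] cmd, cmd"
      nopass=no
      case "$spec" in *NOPASSWD:*) nopass=yes ;; esac
      cmds=${spec#*NOPASSWD:}   # strip the tag if present, no-op otherwise
      printf '%s\n' "$cmds" | tr ',' '\n' | while read -r cmd args; do
        [ -n "$cmd" ] || continue
        if [ "$cmd" = ALL ] && [ "$user" != root ]; then
          echo "$user: may run ALL commands via sudo (NOPASSWD=$nopass)"
        else
          for r in $RISKY; do
            if [ "${cmd##*/}" = "$r" ]; then
              echo "$user: $cmd is a risky command to allow via sudo (NOPASSWD=$nopass)"
            fi
          done
        fi
      done
    done
}

printf '%s\n' "$SUDOERS" | lint_sudoers
```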

Page 30

Similar: http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/

Demo

Page 31

Method 4:

PATH issues

Page 32

Linux PATH

❖ An environment variable that contains the location of executables

❖ printenv

❖ PATH=/usr/local/rvm/gems/ruby-1.9.3-p448/bin:/usr/local/rvm/gems/ruby-1.9.3-p448@global/bin:/usr/local/rvm/rubies/ruby-1.9.3-p448/bin:/usr/local/rvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Page 33

Linux PATH

❖ ruby -v

❖ ruby 1.9.3p448 (2013-06-27 revision 41675) [i686-linux]

❖ which ruby

❖ /usr/local/rvm/rubies/ruby-1.9.3-p448/bin/ruby

Page 34

Linux PATH Issues

❖ What would happen if '.' was prepended to the path?

❖ Where would it look for ruby first?

❖ What if a script was calling ruby?

❖ As root…

Page 35

Attack Path Example

❖ Lazy sysadmin has '.' in his path

❖ Email and say you can't list the files in your home dir

❖ Admin logs in as root (he's lazy, remember)

❖ Make a bash script called 'ls' that sends a reverse shell and hides itself from the admin

❖ Admin goes to your home dir and runs ls

❖ Shellz
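A PATH audit for the scenario on the last two slides, added here as an example and not part of the deck: `check_path` reports every entry that lets a file dropped by an unprivileged user shadow a real command ("." and empty entries, relative entries, world-writable directories), and `sanitize_path` returns the value with the non-absolute entries removed. The PATH values are constructed; run `check_path "$PATH"` to audit the live shell.

```shell
#!/bin/sh
# Constructed PATH values for this example. LAZY_PATH is the slide's scenario:
# "." prepended to an rvm-style path, plus an empty entry, a relative entry and /tmp.
SAFE_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
LAZY_PATH='.:/usr/local/rvm/rubies/ruby-1.9.3-p448/bin:/usr/local/bin::/usr/bin:bin:/tmp'

# check_path PATHVALUE: print one finding per entry that lets a file an unprivileged
# user dropped shadow a real command. An empty entry means the same as "." to the shell,
# and an entry at the front of PATH wins over every system directory behind it.
check_path() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
    case "$entry" in
      ""|.)
        echo "current directory in PATH ('${entry:-empty entry}'): cwd is searched for commands" ;;
      /*)
        # absolute entry: only a problem if anyone can create files in it
        if [ -d "$entry" ] && [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
          echo "world-writable directory in PATH: $entry"
        fi ;;
      *)
        echo "relative entry in PATH: $entry (resolved against the cwd)" ;;
    esac
  done
}

# sanitize_path PATHVALUE: print PATHVALUE with every non-absolute entry removed, which
# fixes the "." and "" cases (a world-writable directory needs a chmod instead).
sanitize_path() {
  printf '%s\n' "$1" | tr ':' '\n' | awk '/^\// { out = out (out == "" ? "" : ":") $0 } END { print out }'
}

echo "findings for LAZY_PATH:"
check_path "$LAZY_PATH"
echo "cleaned: $(sanitize_path "$LAZY_PATH")"
```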

Page 36

ls reverse shell

Demo

Page 37

AIDE 2014

Questions? e: [email protected] t: @nullthreat