Wednesday, December 7, 2011

Ubuntu Server Exploit (Local Privilege Escalation)

Today we're gonna talk about an "old" vulnerability discovered by Dan Rosenberg in the linux kernel. This bug affect versions previous than 2.6.38 and permit to an user with low privileges to gain root access.

Link to exploit: Linux Kernel<= 2.6.37 Local Privilege Escalation
 

The text below is taked from exploit description.
* This exploit leverages three vulnerabilities to get root, all of which were
 * discovered by Nelson Elhage:
 *
 * CVE-2010-4258
 * -------------
 * This is the interesting one, and the reason I wrote this exploit.  If a
 * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
 * word will be written to a user-specified pointer when that thread exits.
 * This write is done using put_user(), which ensures the provided destination
 * resides in valid userspace by invoking access_ok().  However, Nelson
 * discovered that when the kernel performs an address limit override via
 * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
 * etc.), this override is not reverted before calling put_user() in the exit
 * path, allowing a user to write a NULL word to an arbitrary kernel address.
 * Note that this issue requires an additional vulnerability to trigger.
 *
 * CVE-2010-3849
 * -------------
 * This is a NULL pointer dereference in the Econet protocol.  By itself, it's
 * fairly benign as a local denial-of-service.  It's a perfect candidate to
 * trigger the above issue, since it's reachable via sock_no_sendpage(), which
 * subsequently calls sendmsg under KERNEL_DS.
 *
 * CVE-2010-3850
 * -------------
 * I wouldn't be able to reach the NULL pointer dereference and trigger the
 * OOPS if users weren't able to assign Econet addresses to arbitrary
 * interfaces due to a missing capabilities check.

VIDEO EXAMPLE
Scenario:
- Victim: awesomeforum.dot (with ubuntu server 10.04 kernel 2.6.32 )
- Attacker: 192.168.2.13 (with backbox 2)

This forum has installed the lastest version of phpBB3 cms so there is no way to take advantage of some flaws.

To start we check the name of the forum administrator and if we are lucky will be the same for the ssh account. This time we are lucky and after a simple bruteforce attack with hydra we got john's password.

After the successfull attack we login and we try to see if the kernel version is vulnerable and if there is gcc (by default all linux distribution has it ). Now it's time to upload the exploit throught sftp and execute it. After got the root account we can inject javascript code in some phpbb3 files to spread malware as few months ago has happened to mysql.com or just install a rootkit.