UNIX Permissions and Root Access


The majority of servers on the Internet run some flavor of UNIX. UNIX has two types of user account: the superuser (root, user ID 0), which is exempt from most of the permission checks described here, and normal users. Users can be further placed into groups to provide added flexibility in assigning permissions.

In UNIX architectures, everything is a file. Directories are files, and devices are files. You can assign three types of permissions to files:

  • Read

  • Write

  • Execute

Permissions are assigned in three parts:

  1. Permissions for the file's owner (the user who owns the file; in the example below that user is root).

  2. Permissions for the file's group.

  3. Permissions for everyone else, the "other" (or "world") class.

For example, the following output shows the permissions assigned to a file:

-rw-r--r--    1    root   root      1024    Apr  15 15:23 penfile

In this example, the file's owner (root) has read and write permissions, whereas the group and all other users have only read permission. The leading character is the file type (- for a regular file, d for a directory), and the next nine characters are the three rwx triples for owner, group, and others. Permissions are set with the chmod command as one octal digit per triple, each digit being the sum of the bit values read = 4, write = 2, and execute = 1. Figure 13-3 shows these values for the three sets of permissions.

Figure 13-3. UNIX Permissions


To set read, write, and execute permissions for the owner (root) while leaving the group and other users with read permission only, enter the following command:

# chmod 744 penfile
# ls -l penfile
-rwxr--r--    1   root   root      1024   Apr  15 15:23 penfile
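As an added example (not code from the book), the following POSIX shell functions convert between the symbolic permission string that ls -l prints and the octal mode that chmod takes. They go beyond the three rwx triples of Figure 13-3 by also handling the setuid, setgid, and sticky bits, which ls shows as s or S in the owner and group execute columns and t or T in the others column. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): convert between the symbolic permission
# string printed by `ls -l` and the octal mode taken by chmod. Beyond the
# three rwx triples in Figure 13-3 it also handles the setuid, setgid and
# sticky bits, which appear as s/S (owner, group) and t/T (others) in the
# execute column. Function names are this example's own.

# mode_to_octal PERMS
#   PERMS is the 9-character "rwxr--r--" or the 10-character "-rwxr--r--"
#   from ls -l (a trailing ACL/attribute marker as in "-rwxr--r--." is
#   ignored). Prints e.g. 744, or 4755 when a special bit is set.
mode_to_octal() {
    perm=$1
    case $perm in
        ??????????[.+@]) perm=${perm%?} ;;        # drop ACL/attribute marker
    esac
    case ${#perm} in
        10) perm=${perm#?} ;;                     # drop the file-type character
        9)  ;;
        *)  echo "mode_to_octal: expected 9 permission characters: '$1'" >&2
            return 1 ;;
    esac
    special=0                                     # setuid=4, setgid=2, sticky=1
    digits=""
    pos=0                                         # 0 owner, 1 group, 2 others
    while [ "$pos" -lt 3 ]; do
        case $pos in 0) sbit=4 ;; 1) sbit=2 ;; 2) sbit=1 ;; esac
        c1=${perm%"${perm#?}"}; perm=${perm#?}    # peel off one column at a time
        c2=${perm%"${perm#?}"}; perm=${perm#?}
        c3=${perm%"${perm#?}"}; perm=${perm#?}
        val=0
        case $c1 in r) val=4 ;; -) ;; *) echo "mode_to_octal: bad read column '$c1'" >&2; return 1 ;; esac
        case $c2 in w) val=$((val + 2)) ;; -) ;; *) echo "mode_to_octal: bad write column '$c2'" >&2; return 1 ;; esac
        case "$pos$c3" in
            ?x)       val=$((val + 1)) ;;
            0s|1s|2t) val=$((val + 1)); special=$((special + sbit)) ;;  # special bit plus x
            0S|1S|2T) special=$((special + sbit)) ;;                    # special bit without x
            ?-)       ;;
            *)        echo "mode_to_octal: bad execute column '$c3' in triple $pos" >&2; return 1 ;;
        esac
        digits="$digits$val"
        pos=$((pos + 1))
    done
    [ "$special" -eq 0 ] || digits="$special$digits"
    printf '%s\n' "$digits"
}

# octal_to_mode OCTAL
#   OCTAL is 3 or 4 octal digits (744, 0644, 4755). Prints the 9-character
#   symbolic string that ls -l would show after the file-type character.
octal_to_mode() {
    oct=$1
    case $oct in
        [0-7][0-7][0-7])      special=0 ;;
        [0-7][0-7][0-7][0-7]) special=${oct%???}; oct=${oct#?} ;;
        *) echo "octal_to_mode: expected 3 or 4 octal digits: '$1'" >&2; return 1 ;;
    esac
    out=""
    pos=0
    while [ "$pos" -lt 3 ]; do
        d=${oct%"${oct#?}"}; oct=${oct#?}
        case $pos in 0) sbit=4 ;; 1) sbit=2 ;; 2) sbit=1 ;; esac
        if [ $((special & sbit)) -ne 0 ]; then s=1; else s=0; fi
        x=$((d & 1))
        case $d in 4|5|6|7) out="${out}r" ;; *) out="${out}-" ;; esac
        case $d in 2|3|6|7) out="${out}w" ;; *) out="${out}-" ;; esac
        case "$pos$s$x" in                        # execute column: x, s/S, t/T or -
            ?01)    out="${out}x" ;;
            ?00)    out="${out}-" ;;
            [01]11) out="${out}s" ;;
            [01]10) out="${out}S" ;;
            211)    out="${out}t" ;;
            210)    out="${out}T" ;;
        esac
        pos=$((pos + 1))
    done
    printf '%s\n' "$out"
}

# Worked examples; the first two mirror the chmod 744 example in the text.
mode_to_octal rwxr--r--        # 744
octal_to_mode 744              # rwxr--r--
mode_to_octal -rwsr-xr-x       # 4755: a setuid binary owned by root runs as root
```

The special bits are what make this model matter for the rest of the chapter: a setuid binary owned by root runs with uid 0 no matter who invokes it, so `find / -perm -4000 -user root -type f 2>/dev/null` lists exactly the programs whose bugs can turn a normal user into root.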

Elevation Techniques

As a penetration tester, your goal is to obtain root access, because the root user is not bound by the file permissions that constrain normal users and can therefore read, modify, or execute anything on the system. To do this, you need an elevation technique that takes a normal user to root.

Stack Smashing Exploit

Probably the most common method of obtaining root access on a Linux-based machine is a stack-based buffer overflow, the technique popularized by Aleph One's paper "Smashing the Stack for Fun and Profit" in Volume Seven, Issue Forty-Nine of the Phrack E-zine (http://www.phrack.org/). In this paper, Aleph One shows how a normal user can overflow a buffer in a program that runs with root privileges (typically a setuid root binary) and obtain a shell running as root. In Example 13-2, his code has been compiled and named exploit. Note how the user goes from andrew to root after running the exploit code; note also that only the uid changes to 0, while the gid remains 100 (users), because the exploit changes only the user ID.

Example 13-2. Running Privilege Escalation Exploit Code
Linux:/home/pentest > whoami
andrew
Linux:/home/pentest > id
uid=500(andrew) gid=100(users) groups=100(users),14(uucp),16(dialout),17(audio),33(video)
Linux:/home/pentest > ./exploit
bash-2.05b# whoami
root
bash-2.05b# id
uid=0(root) gid=100(users) groups=100(users),14(uucp),16(dialout),17(audio),33(video)
bash-2.05b#

For more information about how this exploit works, see Chapter 14, "Understanding and Attempting Buffer Overflows."

Note

The most common method of exploiting UNIX systems and gaining root access is by using buffer overflows. For many code examples, go to http://ftp4.de.freesbie.org/pub/misc/www.rootshell.com/.


rpc.statd Exploit

The rpc.statd exploit allows an unprivileged attacker to remove and create files with root privileges on Solaris 2.x (SunOS 5.x) and Solaris 1.x (SunOS 4.1.x). It takes advantage of a vulnerability in rpc.statd, the NFS status monitor, which does not validate the information it receives from what it assumes to be rpc.lockd.

According to CERT advisory CA-96.09:

When an NFS server reboots, rpc.statd causes the previously held locks to be recovered by notifying the NFS client lock daemons to resubmit previously granted lock requests. If a lock daemon fails to secure a previously granted lock on the NFS server, it sends SIGLOST to the process that originally requested the file lock.

The vulnerability in rpc.statd is its lack of validation of the information it receives from what is presumed to be the remote rpc.lockd. Because rpc.statd normally runs as root and because it does not validate this information, rpc.statd can be made to remove or create any file that the root user can remove or create on the NFS server.

You can find code for this exploit at http://ftp4.de.freesbie.org/pub/misc/www.rootshell.com/hacking/statdx86.c.

irix-login.c

David Hedley has written code that exploits a vulnerability in the login program on IRIX machines and grants a root shell to normal users. After running his code, you are prompted for a password. If you do not type a password but instead press Enter, you are granted a root shell.

The Hedley code is available at http://ftp4.de.freesbie.org/pub/misc/www.rootshell.com/hacking/irix-login.c.

Note

Many other exploits are related to web server and database attacks. Chapter 7, "Performing Web-Server Attacks," covers web server exploits, and Chapter 8, "Performing Database Attacks," covers database attacks.


Rootkits

After you have gained root on a system, you might want to hide your files, processes, and network activity so that administrators cannot detect your presence. The common way to do this is a rootkit: a set of Trojaned replacements for the system binaries that administrators use to inspect the machine, each edited to leave the intruder's entries out of its output.

The following are two well-known rootkits for UNIX and Linux systems:

  • Linux Rootkit IV

  • Beastkit 7.0

Linux Rootkit IV

Linux Rootkit IV is a popular rootkit for Linux systems, although it is limited in that it replaces only a fixed set of system binaries, such as ps (used to view processes), crontab (used to view scheduled tasks), ifconfig (used to view interface information), and others, with Trojaned versions that omit the intruder's entries. Because administrators rely on these same commands to inspect the machine, the replacements make it difficult to detect that the system has been compromised.

For example, the Trojaned ifconfig hides the fact that a network interface is running in promiscuous mode. An interface must be in promiscuous mode to sniff traffic not addressed to the host, but you do not want the administrator to see that the card is capturing traffic. Linux Rootkit IV replaces the ifconfig that comes with Linux with a version that never reports that the card is in promiscuous mode.

Beastkit

Like Linux Rootkit IV, Beastkit replaces common files used in routine system tasks. Beastkit even replaces dir and ls, the commands used to list the contents of a directory, so that the rootkit's own files do not appear on an infected system; this makes it difficult for system administrators to detect its presence.

Beastkit is unusual in that it also installs a set of tools under /lib/ldd.so/bktools. Among them are bks, a packet sniffer, and bkscan, a SYN scanner that searches for open TCP ports.

Beastkit also installs a Trojan backdoor program called arobia that listens on port 56493. It is password-protected with the password arobia.
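The common thread in both Linux Rootkit IV and Beastkit is that the tools an administrator would reach for (ifconfig, netstat, ps, ls) are the tools that have been replaced, so a check has to consult state the rootkit's binaries do not control. The following script is an added example, not code from the book or from either rootkit; it decodes the kernel's own interface flags from /sys rather than asking ifconfig, lists listening sockets from the /proc/net/tcp table rather than asking netstat, and re-hashes binaries against a baseline taken on a known-clean host. It assumes a Linux host with sha256sum (coreutils or BusyBox); the function names and the sample socket table are this example's own, with the arobia port 56493 from the text used as the constructed listener.

```shell
#!/bin/sh
# Added example (not from the book): checks that read kernel-maintained state
# or recompute file hashes instead of trusting the ps, ifconfig, netstat and
# ls binaries that Linux Rootkit IV and Beastkit replace. Assumes a Linux
# host (/sys/class/net, /proc/net/tcp) with sha256sum from coreutils or
# BusyBox; function names and the sample data are this example's own.

IFF_PROMISC=$((0x100))    # interface flag bit, value from <linux/if.h>

# promisc_from_flags HEXFLAGS: decode the contents of /sys/class/net/<if>/flags
# (for example 0x1103) and print yes or no for the PROMISC bit. A Trojaned
# ifconfig can drop the word PROMISC from its output; it cannot alter this file.
promisc_from_flags() {
    if [ $(($1 & IFF_PROMISC)) -ne 0 ]; then echo yes; else echo no; fi
}

# listening_ports_from_proc_tcp: read /proc/net/tcp-format lines on stdin and
# print the decimal local port of every socket in TCP_LISTEN state (st == 0A).
# A Trojaned netstat can filter a backdoor such as Beastkit's arobia out of
# its listing, but the socket still has to appear in the kernel's table.
listening_ports_from_proc_tcp() {
    while read -r sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue              # also skips the header line
        echo $((0x${laddr#*:}))                   # "00000000:DCAD" -> 56493
    done
}

# sample_proc_tcp: constructed /proc/net/tcp content (not captured from a real
# host) with a listener on 56493 (the arobia port), sshd on 22 and one
# established connection that must not be reported.
sample_proc_tcp() {
    printf '%s\n' \
      '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode' \
      '   0: 00000000:DCAD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0' \
      '   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0' \
      '   2: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1'
}

# check_baseline BASELINE: BASELINE holds "sha256  path" lines written with
# `sha256sum /bin/ps /bin/ls /sbin/ifconfig ... > baseline` on a known-clean
# host and kept off the machine. Prints every path whose current hash differs
# or that is missing, and returns 1 if anything changed, 0 otherwise.
check_baseline() {
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        have=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            printf '%s: CHANGED (expected %s, got %s)\n' "$path" "$want" "${have:-missing}"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Stand-alone demo: the constructed socket table, then the live host if it
# exposes /sys/class/net (silent otherwise).
echo "listening ports in the sample table:"
sample_proc_tcp | listening_ports_from_proc_tcp
for f in /sys/class/net/*/flags; do
    [ -r "$f" ] || continue
    dev=${f%/flags}
    echo "${dev##*/} promiscuous: $(promisc_from_flags "$(cat "$f")")"
done
```

Running the promiscuous-mode check on a host whose ifconfig has been replaced shows the difference directly: ifconfig prints no PROMISC, while the flags file still has bit 0x100 set. The baseline check only helps if the hashes were recorded before the compromise and stored where the intruder cannot rewrite them, and if sha256sum itself is trusted, so run it from read-only media or a rescue system rather than from the suspect host's own /usr/bin.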



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209