Upload File

uid=0 is deprecated: a trick unix-privesc-check doesn’t yet know

  • Home
  • Internet
  • UID=0 is deprecated: A trick unix-privesc-check doesn’t yet know
5
Portcullis Computer Security UID=0 IS DEPRECATED: A TRICK UNIX-PRIVISEC-CHECK DOESN’T KNOW YET

Upload: portcullis-computer-security

Post on 13-Apr-2017

220 views

Category:

Internet


1 download

Report

TRANSCRIPT

Page 1: UID=0 is deprecated: A trick unix-privesc-check doesn’t yet know

Portcullis Computer SecurityUID=0 IS DEPRECATED: A TRICK UNIX-PRIVISEC-CHECK DOESN’T KNOW YET

Page 2: UID=0 is deprecated: A trick unix-privesc-check doesn’t yet know

Uid=0 is deprecated: a trick unix-privisec-check doesn’t know yet

Just like Linux, the modern Solaris install doesn’t simply rely on UID/GID to determine privilege. Instead there are roles and profiles to contend with. The following is a loose explanation of how they work:

1. User = user + group + user_attr + /etc/security/auth_attr + /etc/security/auth_attr.d/*

2. 1. user = Raw privileges (PRIV_DEFAULT + !PRIV_LIMIT)2. user_attr = List of profiles (/etc/security/prof_attr + /etc/security/prof_attr.d/*)

1. prof_attr = List of authorisations (/etc/security/auth_attr + /etc/security/auth_attr.d) Additionally, /etc/security/exec_attr specifies what privs a particular

command will execute under a given profile.

Page 3: UID=0 is deprecated: A trick unix-privesc-check doesn’t yet know

The first user added will get root by virtue of this scheme. Having said that, for Solaris 11, Oracle pretty much canned this and moved to sudo instead. It’s still there though, if you look.

So today, we were looking at a Solaris 11 box which was mostly being managed via sudo. I say mostly because we found this (isolated) gem in user_attr:

It’s likely not a backdoor but it is rather odd given the beautiful /etc/sudoers.d hirearchy that also existed on the same system. This authorised them to use the solaris.smf.manage and solaris.smf.modify privileges.

This could be bad. To quote the man page, users authorised with the solaris.smf.modify privilege are:

Whilst solaris.smf.manage is:

So is it exploitable? Well, it turns out that the users with those particular authorised privileges can run the following

http://docs.oracle.com/cd/E23824_01/html/821-1474/smf-security-5.html
Page 4: UID=0 is deprecated: A trick unix-privesc-check doesn’t yet know

This, when executed, will cause the named service to have a new environment variable defined (LD_PRELOAD) which points at our malicious code (/tmp/libdoor.so) which will be loaded by the service when it is restarted. As a result, our malicious code will be run as the same user as the victim user, giving us persistent privileged access to the victim machine.Without these privileges, the same command will result in an error:

Bottom line, if you compromise a modern Solaris box, try running auths (and roles) to check what privileges may have been left behind, it may be more than you think.

Page 5: UID=0 is deprecated: A trick unix-privesc-check doesn’t yet know

Request to be added to the Portcullis Labs newsletterSign up here

https://labs.portcullis.co.uk/portcullis-labs-newsletter-sign-up/

New, changed, or deprecated features (PDF)

U NIQUE ID ENTIFICATION (UID) Unique Identification (UID) of Items

Uid Forum - Uid 201 Final 4-19-06 (1)

Deprecated List (Java Platform SE 8 )

CDA: Characterising Deprecated Android APIs

S2 AIX Privesc En

Package ‘perry’ · perry-deprecated Deprecated functions in package ’perry ... References Tukey, J.W. and McLaughlin, D.H. (1963) Less vulnerable confidence and significance

PHP 5.6 New and Deprecated Features

Intro to Meteor [Deprecated]

Command Line Interface (CLI) Migration from Deprecated to

Akash uid ppt3

this page Function set_magic_quotes_runtime() is deprecated in /home/www/957b7960f6450b59e40ca68807dc0634/web/libraries/tcpdf/tcpdf.php on line 2814 Deprecated: Function set_magic_quotes_runtime()

New, Changed, and Deprecated Features for Microsoft ... · PDF file3 NEW, CHANGED, AND DEPRECATED FEATURES FOR MICROSOFT DYNAMICS AX 2012 Table of Contents New, Changed, and Deprecated

Erlebniswelt UID (UID World Of Experience)

The PHP Security Checklist...• Deprecated features in PHP 7.0.x • Deprecated features in PHP 7.1.x • Deprecated features in PHP 7.2.x • Migrating a PHP 5 App to PHP 7 Use a

New, Changed, and Deprecated Features for Microsoft Dynamics

Uid Data Updation

Brunner, John - Oile Privesc in Sus

Polkit Authentication bypass Local Privesc vulnerability

Address: Kotak Infinity, 6th floor, Building No 21 ... · DINI UID 3b. DINI UID 3b. DINI UID 3b. DINI UID 3b. DINI UID Date: INSTRUCTIONS/CHECK LIST FOR FILLING KYC FORM A. IMPORTANT

UID - Information System

Chapter 2 ( UID)

Touch Research 1: Inspiration and History [Deprecated Revision]

UID UNIT 1

Uid brochure India

UID Basics

UID and NCEES

Touch Research 2: HCI Details [Deprecated Revision]

Uid 2009 27102009

report on uid

Mission UID

€¦Translate this pageDeprecated: Function set_magic_quotes_runtime() is deprecated in /home/lainebox/www/libraries/tcpdf/tcpdf.php on line 2814 Deprecated: Function set_magic_quotes_runtime()

Zendesk REST API v1 (deprecated)

Uid overview english

Classical sheet music gratis | Just another WordPress site...Deprecated: Function create_function() is deprecated in /home/class711/public_html/harmonia-irredentist.php on line 1