Exploiting a Linux Environment, a.k.a. How to Perform Privilege Escalation via a USB Drive. Federico De Meo (@mister_ade), Enrico Scapin (@springb0X)

Uploaded by: enrico-scapin

Posted on 19-Jun-2015


TRANSCRIPT

1. Exploiting a Linux Environment, a.k.a. How to perform Privilege Escalation via a USB Drive (Federico De Meo @mister_ade, Enrico Scapin @springb0X)

2. Our Masters...

3. How to Run Code via USB
- gconf setting, media automount: /apps/nautilus/preferences/media_automount = TRUE
- Nautilus window opening by default: /apps/nautilus/preferences/media_automount_open

4. Thumbnails and DVI format
- Gnome supports the generation of thumbnail images by an external application
- evince-thumbnailer generates the thumbnails of DVI files
- thumbnailers: gconf-editor /desktop/gnome/thumbnailers/application@x-dvi
- DVI files: binary description of the document's visual layout: preamble, one or more pages, postamble
- They rely on external files to typeset the fonts
- PK font file: a character code (cc) for each character definition, with some dimensional fields: w, h, x, y

5. evince-thumbnailer
evince-thumbnailer -s 128 file:///media/usbName/fileName.dvi /tmp/.gnome_desktop_thumbnail.XXXXXX

6. How the Exploit Works
- Python code to generate DVI files referencing two malicious fonts (CVE-2010-2640)
- The first one causes the overwrite of ptr->info.lookup
- The second one is executed instead of being looked up!
- Building a malicious font:
  - cc value ~ [-236, -239]
  - cc = (font->chars - &ptr->info.lookup) / sizeof(DviFontChar)
  - pad value
  - system address: part of /lib/libpthread-2.12.1.so, libc

7. Fix
- The fix simply consists in a check before the reading of the x, y, w, h values
- Security mechanisms in Ubuntu: AppArmor, Address Space Layout Randomization (ASLR)

8. How to Become Root
A rootkit which exploits 3 vulnerabilities in the Linux kernel:
a) A failure to revert an address limit override due to an OOPS (CVE-2010-4258).
b) A local Denial of Service in the Econet protocol which causes a kernel OOPS (CVE-2010-3849, CVE-2010-3850).

9. How they work
a) When an OOPS occurs, the kernel attempts:
- to clean up the process resources
- to kill it by calling the do_exit function
...but it is still running in Kernel Mode!
do_exit can write a NULL word in a user space location: the CLONE_CHILD_CLEARTID flag set in the clone system call
10. Execution Flow
1. Resolving two addresses of the Econet protocol.
2. Calculating the address of the system call to overwrite.
3. Calculating the resulting address of the overwrite.
4. Copying the privilege escalation function to the previous address.
5. Invoking clone, which executes the function that triggers the NULL pointer dereference.
6. Termination of the thread, which overrides the system call address calculated at point 2.
7. Invoking this system call, which will now run the privilege escalation function.

11. Resolving addresses
- econet_ops (struct): information related to a socket network access protocol
- econet_ioctl (pointer): refers to the function's address to be used as Input/Output Control

12. Address to overwrite
1. econet_ioctl has to be overwritten
2. It will point to a controlled memory region
3. target refers to the address to be overwritten
4. ...while landing is the address after the overwrite

13. The Privilege Escalation Function
- It is copied in memory so that, after the overwrite, it will be executed
- A Heap Spray attack is performed to facilitate the exploit

14. The Clone System Call
- Creates a new process (similar to fork)
- If the CLONE_CHILD_CLEARTID flag is used, a NULL word will be written to a user-specified pointer when it exits
- The kernel checks if it can write to that pointer by a simple compare against a boundary

15. Writing in Kernel Space
- An OOPS causes a process to exit
- The kernel kills it by invoking do_exit
- However, do_exit does not revert a previous address limit override
- The use of CLONE_CHILD_CLEARTID will then cause a NULL write also in an arbitrary Kernel Space location

16. The Trigger Function
- An OOPS in KERNEL_DS is needed to terminate the cloned process
- Two bugs in the Econet protocol are used:
  1. Missing capability check
  2. NULL pointer dereference in econet_sendmsg

17. Getting Root
- At this point econet_ioctl is overwritten and points to our previously placed trampoline function
- Invoking ioctl on the Econet socket will now run the trampoline instead
18. The trampoline
- The trampoline function is copied directly into memory
- Which means it has to be written in machine code
- ...and it simply executes another function

19. ...one last effort: Get Root!
- The trampoline refers to the getroot function
- ...which changes the process capabilities

20. Got Root!

21. Fix
The fixes consist in the addition of checks or resets:
- (CVE-2010-4258): set_fs(USER_DS) reset
- (CVE-2010-3849): CAP_NET_ADMIN check
- (CVE-2010-3850): NULL pointer check

22. Combining
As the rootkit is executed, any kind of malicious action could be performed:
- opening a root terminal;
- installing a remote or local backdoor in order to leave the access to the machine open;
- adding a keylogger in order to capture important information typed by the user;
- accessing restricted areas in order to steal users' private documents;
- executing other code which will lead the system into an unwanted state;
- ...or whatever else the attacker may want to do.

23. Don't worry... the end!
What we have learnt:
- Dynamic analysis with the GDB tool
- Deeper knowledge of the GNU/Linux environment
- Kernel system calls
- Security mechanisms: ASLR, AppArmor
- USB driver management
If you are looking for a smart project... look here: http://www.vulnfactory.org/exploits/
ANY QUESTION??
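The character-code check that slide 7 describes as the fix for CVE-2010-2640, as an added example that is not evince's code: a minimal model of a PK font table whose lookup pointer sits just before the per-character array, and a loader that validates cc before it stores the w, h, x, y fields. The 6-byte record layout, the type names and the pk_* function names are assumptions made for this example, not the real PK encoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PK_MAX_CHARS 256
#define PK_REC_LEN 6   /* constructed record: int16 cc (big-endian), uint8 w, uint8 h, int8 x, int8 y */

typedef struct {
    int defined;
    int32_t w, h, x, y;                 /* the dimensional fields of a glyph definition */
} DviFontChar;

typedef struct {
    void (*lookup)(void);               /* function pointer that sits just before chars[] */
    DviFontChar chars[PK_MAX_CHARS];
} DviFont;

static void dummy_lookup(void) {}

/* Initialises an empty font whose lookup pointer is known, so a later
   check can tell whether loading touched it. */
void pk_font_init(DviFont *font)
{
    memset(font, 0, sizeof *font);
    font->lookup = dummy_lookup;
}

/* Loads glyph records from buf. Returns the number of glyphs stored, or -1
   at the first record whose cc is outside [0, PK_MAX_CHARS). Without this
   check a negative cc indexes before chars[], i.e. into `lookup`. */
int pk_load_chars(DviFont *font, const uint8_t *buf, size_t len)
{
    int stored = 0;
    for (size_t off = 0; off + PK_REC_LEN <= len; off += PK_REC_LEN) {
        int cc = (int16_t)(((uint16_t)buf[off] << 8) | buf[off + 1]);
        if (cc < 0 || cc >= PK_MAX_CHARS)
            return -1;                      /* reject before reading w, h, x, y into the table */
        DviFontChar *ch = &font->chars[cc];
        ch->w = buf[off + 2];
        ch->h = buf[off + 3];
        ch->x = (int8_t)buf[off + 4];
        ch->y = (int8_t)buf[off + 5];
        ch->defined = 1;
        stored++;
    }
    return stored;
}

/* Returns 1 if the lookup pointer is still the one set by pk_font_init. */
int pk_lookup_intact(const DviFont *font)
{
    return font->lookup == dummy_lookup;
}
```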
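The boundary compare of slides 14 and 15 and the set_fs(USER_DS) reset listed on slide 21, as an added user-space model that is not kernel code: addresses are plain integers and nothing is dereferenced. The USER_DS and KERNEL_DS values, the struct layout and the model_* function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint64_t addr_t;
#define USER_DS   ((addr_t)0x00007fffffffffffULL)   /* constructed top of "user space" */
#define KERNEL_DS ((addr_t)~0ULL)                   /* override: every address passes */

struct task {
    addr_t addr_limit;          /* current access boundary, as set by set_fs() */
    addr_t clear_child_tid;     /* pointer registered via CLONE_CHILD_CLEARTID */
    int    null_word_writes;    /* NULL writes the model would have performed */
};

/* Model of the kernel's boundary compare: a write is allowed only below the limit. */
static int model_access_ok(const struct task *t, addr_t p)
{
    return p <= t->addr_limit;
}

/* Model of the exit path. With fixed == 1 the limit is restored to USER_DS
   before the CLEARTID write, as the CVE-2010-4258 fix does. Returns 1 if the
   NULL write to clear_child_tid was permitted, 0 if the check refused it. */
int model_do_exit(struct task *t, int fixed)
{
    if (fixed)
        t->addr_limit = USER_DS;            /* the set_fs(USER_DS) reset */
    if (t->clear_child_tid == 0)
        return 0;                           /* no tid pointer registered */
    if (!model_access_ok(t, t->clear_child_tid))
        return 0;                           /* boundary compare rejects the target */
    t->null_word_writes++;                  /* the NULL word write would happen here */
    return 1;
}

/* A task that OOPSed while its limit was still raised to KERNEL_DS. */
struct task model_oopsed_task(addr_t tidptr)
{
    struct task t = { KERNEL_DS, tidptr, 0 };
    return t;
}
```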