OHTS ASSIGNMENT
A.G.Malanga Mishad Vishwajith Thilakarathna.
IT16035836
BSc (Hons) in Information Technology Specializing in Cyber Security
Department of Information Technology
Sri Lanka Institute of Information Technology
Sri Lanka
MAY 2020
Brief description of vulnerability
DEMONSTRATION OF EXPLOITING THE VULNERABILITY
Figure 1: the command to check the sudo version
Figure 2: checking the passwd file: command
Figure 3: shows the password file
Figure 7: user will get a password
Figure 9: accessing sudo's file
Figure 11: ID command user privilege denied
Figure 12: sudo command user privilege denied
Figure 14: exploiting vulnerability
Sudo, short for "superuser do", is a program for UNIX and Linux systems that gives a user the permissions needed to run commands and scripts as the root user of the system, and it logs every command together with its arguments. A sudo system administrator can:
- Give users permission to run root-level commands on the system
- Control which commands a user can run on each host
- Review the commands run by users through the log
- Control how long a user may keep entering commands after authenticating, through the use of timestamp files
The sudoers file, located at /etc/sudoers, controls which sudo privileges each user holds, including elevated privileges. The best and safest way to edit it is with the visudo command, which opens the file in the vi editor and saves it when editing is done. visudo also places a file lock on the sudoers file so that no other user can edit it at the same time, and once editing is finished it parses the file for simple syntax errors before installing it [2]
- Download an Ubuntu 16.04 image from a trusted website; a commonly used source is osboxes.org [3]
- Install VirtualBox from its website
- Open VirtualBox and add a new machine
- Give your virtual machine a name
- Set the file path to the downloaded image
- Set the type to Linux
- Set the version to match the downloaded image, whether 64-bit or 32-bit
- Set the RAM size and create the machine
- Release date: 14th October 2019
- CVE ID: CVE-2019-14287
- Affected Versions: sudo versions prior to 1.8.28
- https://www.sudo.ws/alerts/minus_1_uid.html
Even when the sudoers file explicitly prevents a user from running commands as root, this security bypass vulnerability allows that user on an affected Linux system to execute commands as root.
A user whose Runas specification contains the ALL keyword is permitted to run the listed commands as any user on the system, and it is this kind of entry that the bypass affects.
The vulnerability allows such a user to specify the target user ID as -1, or as the unsigned equivalent of -1, 4294967295. Sudo treats either value as user ID 0, so the commands and tools run as root. The two forms of the command are:
sudo -u#-1 /usr/bin/id
sudo -u#4294967295 /usr/bin/id
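The following Python script is an added defensive example and is not part of the original assignment: it parses the output of sudo --version against the fixed release 1.8.28, flags sudoers Runas specifications of the (ALL, !root) form that this bypass affects, and scans sudo log entries for a target user given as #-1 or #4294967295. The sudoers entries and log entries are constructed samples, and the layout of the log lines is an assumption about sudo's syslog format.

```python
"""Added defensive checks for CVE-2019-14287 (sudo Runas bypass via uid -1)."""
import re
FIXED_VERSION = (1, 8, 28)  # first sudo release that closes the bypass

# Constructed samples, not taken from the lab machine described in the report.
SAMPLE_VERSION = "Sudo version 1.8.16\nSudoers policy plugin version 1.8.16\n"
SAMPLE_SUDOERS = """# constructed sudoers sample
root ALL=(ALL:ALL) ALL
ohtsassignment ALL=(ALL, !root) /usr/bin/id
osboxes ALL=(ALL:ALL) ALL
"""
# Assumed layout of sudo's syslog lines; the entries themselves are constructed.
SAMPLE_LOG = """sudo: ohtsassignment : TTY=pts/0 ; PWD=/home/ohtsassignment ; USER=#-1 ; COMMAND=/usr/bin/id
sudo: osboxes : TTY=pts/1 ; PWD=/home/osboxes ; USER=root ; COMMAND=/usr/bin/apt update
sudo: ohtsassignment : TTY=pts/0 ; PWD=/home/ohtsassignment ; USER=#4294967295 ; COMMAND=/usr/bin/id
"""

def parse_version(version_output):
    """Return (major, minor, patch) parsed from the 'Sudo version X.Y.Z' line."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no sudo version string found")
    return tuple(int(part) for part in m.groups())

def is_vulnerable_version(version_output):
    """True when the reported release predates the fixed version 1.8.28."""
    return parse_version(version_output) < FIXED_VERSION

def risky_runas_specs(sudoers_text):
    """Return entries whose Runas list pairs ALL with a '!' exclusion, e.g. (ALL, !root)."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.search(r"\(([^)]*)\)", line)
        if m:
            runas = [p.strip() for p in m.group(1).split(",")]
            if "ALL" in runas and any(p.startswith("!") for p in runas):
                hits.append(line)
    return hits

def suspicious_sudo_log_lines(log_text):
    """Flag entries where the target user was given as #-1 or its unsigned form."""
    pattern = re.compile(r"USER=#(?:-1|4294967295)\b")
    return [line for line in log_text.splitlines() if pattern.search(line)]

if __name__ == "__main__":
    print(is_vulnerable_version(SAMPLE_VERSION), risky_runas_specs(SAMPLE_SUDOERS))
    print(suspicious_sudo_log_lines(SAMPLE_LOG))
```

Updating sudo to 1.8.28 or later removes the bypass; the Runas and log checks are useful for confirming which entries were exposed and whether the bypass was attempted on an unpatched host.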
Figure 1: the command to check the sudo version
- This demonstrates the command used to check the installed sudo version.
- The installed version is 1.8.16, which is within the affected range.
Figure 2: checking the passwd file: command
- Linux systems keep user account information in a separate file. The command to view it is cat /etc/passwd. In this file the password field contains only the letter x, because the actual password is not stored here.
Figure 3: shows the password file
Figure 4: hash file
- The hash values of the passwords for those users are stored in the shadow file.
Figure 5: hash values
- This shows the hash value of the password belonging to the user called "osboxes".
Figure 6: making a new user
- To make the attack demonstration easier, I will be making a new user.
- s /bin/bash ohtsassignment
Figure 7: user will get a password
Figure 8: user ID checking
- When the passwd file is checked again, we can see that the new user's ID is one higher than the previous account's. Linux uses two ranges when assigning user IDs: system users receive IDs greater than 0 and less than 1000, and regular user accounts receive IDs greater than 1000. The user ID of root is always 0.
Figure 9: accessing sudo's file
- We are now going to open the sudoers file. The command used is shown in the figure.
Figure 10: user privileges
- Inside the sudoers file you can find the user privileges, that is, the commands each user is and is not allowed to run.
Figure 11: ID command user privilege denied
- The privilege of the new user ohtsassignment to execute the id command as root will be removed.
Figure 12: sudo command user privilege denied
- It is now demonstrated that when the user ohtsassignment runs the command through sudo, it is denied.
Figure 13: root user ID
- The user ID of the user ohtsassignment is 10001, and the user ID of root is zero. Even if the user explicitly names root as the target and tries to run the id command, it is denied.
Figure 14: exploiting vulnerability
- I will now exploit this vulnerability. Using user ID -1 bypasses the restriction and grants the denied privileges; accordingly, the commands that were denied to user ohtsassignment can be run by specifying the user ID as -1.