CVE-2013-1763 – Gaining Root access from Ubuntu 12.10 Guest Account

[Image: Ubuntu Root Shell from Guest]

A Linux local privilege escalation vulnerability made public last week allows a standard or guest account to obtain a root-level shell.

Last week an exploit was revealed that affected Linux Kernel versions 3.3 through 3.8. Successful use of the exploit allows the attacker to gain root level access on Linux machines.

I tried the attack on an Ubuntu 12.10 virtual machine and was able to escalate the “Guest” user to root.

[Image: Guest ID]

As you can see from the image above, I am logged into Ubuntu 12.10 as the security-limited “Guest” account. This account is enabled by default with no password.

Running the exploit creates a Root level shell:

[Image: Switch to Root]

Running the “id” command now returns the user ID (uid) 0, or root.

But do we really have root? Let’s try to add a user from this escalated terminal and one from a guest terminal:

[Image: Add User]

The guest shell on the right failed, but as you can see it worked on our escalated shell.

This is a known issue and Ubuntu has released a Security Bulletin regarding it. Even better, they have already supplied a patch that fixes the vulnerability. All you need to do is run Ubuntu updates and the fix will automatically be installed.

It is imperative that you update your Linux systems immediately, especially if you allow public guest access.
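To decide which machines to update first, the following added example (not part of the original post) triages an inventory of `uname -r` strings against the 3.3 through 3.8 range quoted above and notes whether the LightDM guest session is still offered. The host names, sample release strings and the idea of collecting `lightdm.conf` text per host are assumptions; because distributions backport fixes without changing the kernel series, a match only means the host needs its updates confirmed.

```python
import re

# Upstream range quoted in the article: kernels 3.3 through 3.8.
AFFECTED_MIN, AFFECTED_MAX = (3, 3), (3, 8)

def kernel_series(release):
    """Return (major, minor) from a `uname -r` string, or None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)", release.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def in_affected_range(release):
    # Tuples compare numerically, so 3.10 is correctly newer than 3.8
    # (a plain string comparison would get this wrong).
    series = kernel_series(release)
    return series is not None and AFFECTED_MIN <= series <= AFFECTED_MAX

def guest_session_enabled(lightdm_conf_text):
    """Ubuntu's LightDM offers a guest session unless allow-guest=false is set."""
    enabled = True
    for line in lightdm_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # ignore comments
        m = re.fullmatch(r"allow-guest\s*=\s*(\S+)", line)
        if m:
            enabled = m.group(1).lower() != "false"   # last setting wins
    return enabled

def triage(inventory):
    """inventory: {host: (uname -r output, lightdm.conf text)} -> findings."""
    findings = []
    for host, (release, conf) in sorted(inventory.items()):
        if in_affected_range(release):
            exposure = "guest-session" if guest_session_enabled(conf) else "local-users"
            findings.append((host, release, exposure))
    return findings

# Constructed sample inventory (hypothetical hosts and release strings).
INVENTORY = {
    "kiosk-01": ("3.5.0-17-generic", "[SeatDefaults]\nuser-session=ubuntu\n"),
    "lab-02": ("3.5.0-17-generic", "[SeatDefaults]\nallow-guest=false\n"),
    "build-03": ("3.2.0-38-generic", ""),
    "dev-04": ("3.10.0-1-amd64", ""),
}

if __name__ == "__main__":
    for host, release, exposure in triage(INVENTORY):
        print(f"{host}: kernel {release} is in the 3.3-3.8 series, "
              f"exposure={exposure}; confirm system updates are installed")
```

Hosts reported with `guest-session` exposure are the ones where an unauthenticated walk-up user could reach the vulnerable kernel, so they go to the front of the update queue.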

Big Brother, Google and Drones – Could Drone Strikes be coming to a Neighborhood near You?

[Image: Map of Domestic Drone Authorizations in US from the EFF]

We have more ways to connect to the internet than ever before. People are sharing information and thoughts on social media sites at a skyrocketing pace. And governments all around the world want access to it. Now the Obama administration wants the option to perform drone strikes in the US.

The question, as far-fetched as it once may have seemed, is: could Googling or tweeting the wrong information lead to a drone strike?

The thought that Big Brother is watching you is no longer a myth held by 40-year-olds wearing tin foil hats and living in their parents’ basement. Countries the world over have moved to block, filter or try to gain access to their citizens’ internet use. And the US is no exception.

Just this week, Google released information stating that the FBI is “secretly spying” on some of its users. Well, kind of. Though they could not give out the exact number of times the FBI requested information about their users’ Google use, for national security reasons, they could give out a range.

From 2009-2012 Google was asked to reveal information on 0-999 users on anywhere from 1,000-2,999 accounts.

[Image: Google NSL Requests]

The range is on purpose, according to Richard Salgado, a Google legal director: “You’ll notice that we’re reporting numerical ranges rather than exact numbers. This is to address concerns raised by the FBI, Justice Department and other agencies that releasing exact numbers might reveal information about investigations. We plan to update these figures annually.”

(Google’s Policy on Government Data Requests can be found here)

And it is not just Google. Multiple US government agencies want the ability to search your social media sites as well, as an FBI Request For Information states, to “quickly vet, identify and geo-locate breaking events, incidents and emerging threats.”

This is obviously an effort to crack down on terrorists that use social media sites. But many are alarmed that this is an extension of warrantless wiretapping and an ever-greater erosion of American privacy.

The problem does not stop there. This week, a letter from U.S. Attorney General Eric Holder stated that the US could use drone strikes on US soil against US citizens!

Well, under extraordinary circumstances of course:

The Obama administration believes it could technically use military force to kill an American on U.S. soil in an “extraordinary circumstance” but has “no intention of doing so.”

So who gets to decide that the situation is extraordinary?

And US citizens being executed without warning or trial sounds a bit, well, un-American. Sen. Rand Paul, R-Ky., thought so too, as he and a group of fellow Senators from both parties performed a 13 hour filibuster last night challenging the President’s authority to kill Americans with drones.

“My legs hurt. My feet hurt. Everything hurts right now,” Paul told Fox News shortly after stepping off the Senate floor, saying he believes “we did the best that we could.”

“I would be surprised if we didn’t hear back from the White House,” Paul said. 

So could an American be typing away on a social media site, safely in his suburban American home, and without warning be taken out by a drone strike?

One would have to think it is at least a possibility.

If the situation is extraordinary that is…

Chinese attacks on America and a Cyber Who Dunnit

[Image: Fingerprints and Magnifying Glass]

Recently Mandiant released a very good and in-depth look at the flood of Chinese cyber attacks against US military and technology sites, which of course China immediately refuted, claiming that it was America that was attacking them.

Who is right, and could we even tell for sure?

According to the Mandiant report, China’s secret Unit 61398 works out of a 12 story building in Shanghai and has stolen Terabytes of information from over 140 different targets. But China fired right back, claiming that the US was responsible for the majority of 144,000 hacking attempts a month that hit their military sites.

Nations the world over are reporting hacking attacks originating in China. US tech and military secrets are being pilfered at an alarming rate by hackers. It has even gotten to the point that some nations are warning about physical strikes in response to cyber attacks.

But with the ease of anonymity on the web, who would they strike?

From analysis of recently submitted malware samples from a single entity, you can see an alarming trend. Several of the malware samples included almost identical code; they were obviously written by the same person or group. They were all targeted phishing-type attacks. Either they included malware disguised as an informational report to run, or they linked to a malicious page.

The problem was, even though the source of the attack was obviously the same group, the servers that they sent the victims to were located all over the world!

One of the malware samples included a round-robin type list of servers in multiple countries. It would try to connect out to numerous servers, one after the other until it made a connection. These were located in Europe, England and even America!

One malware sample, when executed, connected out to a Chinese site, then transferred you to a Russian site and finally to a site in Turkey! One of the malicious sites was even hosted on a high speed game server located in America.

Which country was the attacker actually located in? Which one should be bombed in retaliation?

Only a basic level of analysis was performed, but without hacking into the malware servers (which would be illegal) there is really not much more a civilian could do at that point.

Sure, they could report the individual malware site to get it shut down, but then the attacker simply moves to another server and continues the attack.
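Since individual servers are replaced as fast as they are taken down, a defender gets more mileage from spotting the connect-until-one-answers behaviour described above than from tracking addresses. The following is an added example, not part of the original post: it scans an egress log for a host that fails against several distinct destinations in quick succession and then succeeds against another. The log format, host names, thresholds and sample lines are all constructed, and the addresses come from documentation ranges.

```python
from collections import defaultdict

# Constructed sample egress log: epoch_seconds src_host dst_ip result
SAMPLE_LOG = """\
1000 ws-17 198.51.100.10 fail
1002 ws-17 203.0.113.25 fail
1003 ws-22 192.0.2.80 ok
1005 ws-17 192.0.2.44 fail
1007 ws-17 198.51.100.77 ok
1300 ws-22 192.0.2.80 ok
1400 ws-31 203.0.113.9 fail
1900 ws-31 203.0.113.9 ok
"""

def parse(log_text):
    """Yield (ts, src, dst, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2], parts[3]

def find_fallback_chains(log_text, min_failed=3, window=60):
    """Return [(src, [failed destinations], answering destination)].

    A hit is min_failed or more distinct destinations that failed within
    `window` seconds, followed by a success to a different destination.
    """
    per_src = defaultdict(list)
    for ts, src, dst, result in sorted(parse(log_text)):
        per_src[src].append((ts, dst, result))

    hits = []
    for src, events in sorted(per_src.items()):
        failed = []  # (ts, dst) for the current run of recent failures
        for ts, dst, result in events:
            # Forget failures that are older than the time window.
            failed = [(t, d) for t, d in failed if ts - t <= window]
            if result == "fail":
                failed.append((ts, dst))
                continue
            # A success ends the run; count distinct failed destinations.
            distinct = list(dict.fromkeys(d for _, d in failed if d != dst))
            if len(distinct) >= min_failed:
                hits.append((src, distinct, dst))
            failed = []
    return hits

if __name__ == "__main__":
    for src, tried, winner in find_fallback_chains(SAMPLE_LOG):
        print(f"{src}: {len(tried)} failed destinations, then connected to {winner}")
```

A single retry against one slow server (`ws-31` in the sample) is not flagged; only the walk through several different destinations is.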

Law Enforcement officials would need to work together with the server hosting provider to attempt to back track it from that point to see who is logging into these servers to download the data. And if the hackers are using a program like TOR, that bounces traffic through several countries to retrieve the pilfered data, the job of finding the source attacker is even more difficult.

As you can see, tracking down cyber espionage is not a simple game of Clue. It can be a long and arduous task involving several agencies and multiple countries.

A true Cyber Who Dunnit…