CVE-2013-1763 – Gaining Root access from Ubuntu 12.10 Guest Account

Ubuntu Root Shell from Guest

A Linux local privilege escalation vulnerability made public last week allows a Root level shell from a standard or guest account.

Last week an exploit was revealed that affected Linux Kernel versions 3.3 through 3.8. Successful use of the exploit allows the attacker to gain root level access on Linux machines.

I tried the attack on an Ubuntu 12.10 virtual machine and was able to escalate the “Guest” user to root.

Guest ID

As you can see from the image above I am logged into Ubuntu 12.10 as the security limited “Guest” account. This account is enabled by default with no password.

Running the exploit creates a Root level shell:

Switch to Root

Running the “id” command now returns the user ID (uid) 0, or root.

But do we really have root? Let’s try to add a user from this escalated terminal and one from a guest terminal:

Add User

The guest shell on the right failed, but as you can see it worked on our escalated shell.

This is a known issue and Ubuntu has released a Security Bulletin regarding it. Even better they have already supplied a patch to fix the exploit. All you need to do is run Ubuntu updates and the fix will automatically be installed.

It is imperative that you update your Linux systems immediately, especially if you allow public guest access.


An Eleven Character Linux Denial of Service Attack & How to Defend Against it

Sometimes it is the oddest, harmless looking things that could cause problems. I can’t think of anything more innocuous looking than the following Linux shell command:

But DO NOT run this on a Linux system, or chances are that you will perform a Denial of Service attack on your own machine! You may have to hard reset your system to get it back and you COULD LOSE DATA!

This is not new, I have seen this floating around, and it looked interesting. It was referenced in a 2007 post that said it didn’t work anymore because most modern OS’s are configured to protect against it. So of course I just HAD to try it.

I booted up my Ubuntu 12.04 system, opened a command shell, entered the command and…

It locked dead!

Okay just what is this command???

FORK BOMB PROCESS ATTACK

Meet the “Fork Bomb”. Basically all it does is instruct Linux to open processes – over and over again for an almost infinite number of times. Your RAM and CPU usage rises until the system no longer responds to input.

Let’s see what it does to an Ubuntu 12.04 system.

Here is an Ubuntu 12.04 System Monitor screenshot of a system before I ran the Fork Bomb:

The CPU and Memory usage are steady.

Now once the Fork Bomb is started:

Notice the significant increase in CPU and RAM usage. It even doubled the CPU usage on the virtual host, taking it from 8% to 17% while the attack was running.

I lost all control of the Ubuntu system. Even the keyboard lights were unresponsive. Supposedly some operating systems will recover if left alone long enough. But I waited a while and I never got control back.

(Okay, for all those out there claiming that it was just a Virtual Machine, I tried it on a stand alone Ubuntu 12.04 system with the same results. Okay, there was a quarter second pause before I lost control of the machine!)

DEFENDING AGAINST THE ATTACK

This is very easy to defend against. All you need to do is set limits on the number of processes that a user can open. These can be set per user, per group or globally. And you can set this one of two ways.

You can use the ulimit command for an instant change that only lasts until the user logs off, or make the change permanent by editing the /etc/security/limits.conf file.

To use the ulimit command simply type “ulimit -u” with the number of processes that you want users to be allowed to run. ulimit is a shell builtin rather than a program, so it is typed directly into the shell you want to limit and cannot be run through sudo; the limit applies to that shell and everything started from it. So to set the limit to 512 just type:

ulimit -u 512

Does this work? Absolutely – after running ulimit, the fork bomb is effectively throttled:

As you can see from the screenshot above, there is very little increase in RAM usage and the CPU usage is much more tolerable. And more importantly, I had full control of the system.

You can also change the /etc/security/limits.conf file to make the change permanent. Full instructions can be found on AskUbuntu.com, but basically just add the following line to the config file:

*    hard    nproc    512

The “*” means apply the change to everyone (root is not covered by “*” and needs its own entry), “hard” means it is a hard limit, a ceiling the user cannot raise, and “nproc 512” locks the number of processes to 512.

You need to adjust the number of processes to a number that would be the best setting for your system. 512 seemed to work great on mine. Don’t set the number too low, or you may have other “denial of service” type issues, lol.
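As an added example (not from the original post), the script below reads a limits.conf-format file and reports which hard nproc limit applies to a given user, following the precedence in limits.conf(5): a user entry beats an @group entry, which beats “*”, and neither “*” nor @group entries apply to root. The sample file, the user names and the group “build” are constructed, and group membership is passed in by the caller rather than looked up.

```shell
#!/bin/sh
# Added example: which hard nproc limit does a limits.conf-format file give a user?
# Precedence per limits.conf(5): user entry > @group entry > "*".
# "*" and @group entries are not applied to root.

# nproc_hard_limit FILE USER [GROUPS]   GROUPS: space-separated, supplied by caller
# Prints the limit value, or "none" when no entry applies.
nproc_hard_limit() {
    awk -v user="$2" -v groups="$3" '
        BEGIN { n = split(groups, g, " ")
                for (i = 1; i <= n; i++) ingrp["@" g[i]] = 1
                best = 0; val = "none" }
        { sub(/#.*/, "") }                    # drop comments
        NF < 4 || $3 != "nproc" { next }      # keep only nproc rules
        $2 != "hard" && $2 != "-" { next }    # "-" sets soft and hard together
        {
            rank = 0
            if ($1 == user) rank = 3
            else if (user != "root" && ($1 in ingrp)) rank = 2
            else if (user != "root" && $1 == "*") rank = 1
            # Assumption of this example: at equal rank the later line wins.
            if (rank > 0 && rank >= best) { best = rank; val = $4 }
        }
        END { print val }
    ' "$1"
}

# check_fork_limit FILE USER [GROUPS]: 0 if a finite hard limit applies, else 1.
check_fork_limit() {
    limit=$(nproc_hard_limit "$1" "$2" "$3")
    case "$limit" in
        none|unlimited|infinity|-1) echo "$2: no process cap ($limit)"; return 1 ;;
        *) echo "$2: hard nproc limit $limit"; return 0 ;;
    esac
}

# Constructed sample; on a real host pass /etc/security/limits.conf instead.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*        hard  nproc  512
@build   -     nproc  4096       # hypothetical group
alice    hard  nproc  unlimited
EOF
for u in guest alice root; do check_fork_limit "$SAMPLE" "$u" || true; done
check_fork_limit "$SAMPLE" ci build
rm -f "$SAMPLE"
```

With the sample file, guest is capped at 512 by the wildcard, while alice and root come back uncapped: alice because her own entry overrides the wildcard, root because the wildcard never applies to it.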

Oh, and for all the Mac Fanboys out there, this command didn’t seem to have any effect when run on a newer Mac. Okay, my friend ran it and it ate up 24 Gb of RAM, but seeing as he had 64Gb of RAM on the system, it just laughed the attack off.

Even running it on a Mac with 24Gb of RAM had no discernible effect, other than getting a screen full of “Bash Fork: Resource Temporarily Unavailable” error messages like above. Looks like Macs have process limits enabled by default. (Thanks Command_Prompt and Bill!)

This should be obvious, but for the record, you should never run this command on systems that you do not own… Or put it in someone’s startup script.

But knowing how to limit a user’s ability to run processes is very important and throttling them on Linux systems where it is not done by default could curtail some problems before they surface.

Practice Linux Penetration Testing Skills with Metasploitable

Okay, you have been reading up on computer security, and even played around with Backtrack some. You have been gaining some penetration testing skills, but now you want to try them out. What do you do?

There are several sites that exist that allow you to (legally) test your abilities, but why not try them out on Metasploit’s own Metasploitable?

Metasploitable is a VMware Ubuntu 8.04 image that is purposefully left with several vulnerabilities so you can check out your mad skills. Okay, before I get a bunch of e-mails about this, yes Ubuntu (Linux) has vulnerabilities. That is why you need to update your Linux software just as you would your Windows boxes.

Metasploitable is running several services that have not been patched and it is a non-persistent image (changes are not saved) so you can play to your heart’s content and if you really mess up, just re-boot and the Ubuntu image will be restored to original.

The best way to become a good penetration tester is to practice. And Metasploitable is a good Linux platform to play with. I will not go into too much depth (there are plenty of Metasploitable tutorials out there already) but in my next post (Metasploitable – Gaining Root on a Vulnerable Linux System) I will show you how to get root access on the image using Backtrack 5R2.

Metasploitable – Check it out!

Linux Mint to take Linux Crown from Ubuntu?

Linux Mint is now the 4th most used home operating system in existence. But can it unseat Ubuntu as the top Linux OS?

Ubuntu, currently number 3 (behind Windows and Mac) in the home OS theater, has received some stiff competition from Linux Mint. Distrowatch shows that Linux Mint has been the most popular Linux distribution over the last year, and their Linux Mint page has had about 2.5 times more visitors than Ubuntu’s page. Though Distrowatch claims that their stats are for entertainment purposes only, Linux Mint is definitely on the rise.

Add to that long-time Ubuntu users’ dislike of the Unity desktop, now the main GUI by default, and several issues with upgrading to 11.10, and you can see why some people are starting to look elsewhere.

Linux Mint may be an attractive alternative to many users. The install is familiar, it looks like Ubuntu, acts like Ubuntu and most importantly, it comes with the classic Gnome interface – not Unity.

With reports that it is very stable, I couldn’t resist anymore and decided to give it a whirl.

The installation was almost completely identical to Ubuntu’s. And once it is up and running, it looks just like Ubuntu with the classic gnome interface installed. Just a quick glance around and I fell in love very quickly.

First I liked the way it notifies you of available updates:

Also, looking through the menu, I found that it comes with the Firewall graphical user interface installed. You have to install it yourself in Ubuntu:

Just surfing around I felt very at home and familiar with the Gnome interface and the Ubuntu feel.

Okay, what didn’t I like about Linux Mint?

The color scheme! There is just something about green on gray that just turns me off. But a quick theme download and background change and things looked much better:

Linux Mint 12, check it out!