Warchall got rooted

Yesterday I got an unexpected PM from one of the users, g00bER.

It only consists of a single line with a kind note :-)

Quote from g00bER:

You might want to check /root/g00ber_was_here_too on warchall.net ;-)


Of course I did a cat /root/g00ber_was_here_too ... and here are the contents:

Plaintext listing of g00ber_was_here_too:
 
Hey roots,
 
This is another root... g00r00t, originally known as g00bER! :-)
Getting the root-level access in a wargame is a nice cherry on the top of the cake and the most rewarding one... and it wasn't any different in this case.
 
Now, how did I do that? The magic trick was a race condition on the level5 daemon (probably applicable to level6 too; didn't really try):
- It creates a file in user's homedir and changes the ownership and permissions for the file to that user.
- Ding, that smells like a race condition -- you can replace the file by a (hard)link to some sensitive file between its creation and the permissions/ownership modification.
- A suitable file could be /etc/passwd -- owning that one sounds like owning the machine; which is what I did; adding a new root-equivalent account.
 
A crude "proof of concept" code can be found in /home/user/g00ber/level/5; it's not perfect since it doesn't wait for the access rights to be set (to the weird value) before trying the race -- this widens the window, but has the adverse effect of putting weird permissions on /etc/passwd.
 
How to prevent it from happening in the future?
- It might be better to use fchmod/fchown (you know which file you're modifying at that time; since it's the same one you've been writing to) rather than chmod/chown. Of course, the file creation should be done in O_EXCL | O_CREAT mode.
- Also, having the user-writable files on one partition and the "important stuff" on another one helps with preventing hardlink-based attacks quite well.
- Probably the safest option is to create the "solution" files in a different place -- one that the user doesn't have write access to.
 
All the modifications should be back to their original state (i.e. ownership of /etc/passwd restored, g00r00t account removed); I'm sorry if I forgot something.
 
Also, there are a few ways of circumventing the sudosh thingy:
... removed
... removed
... removed
... removed
 
Okay, enough babbling for now -- if you want to discuss this hack or anything else, feel free to PM me.
 
g00bER, 2012-05-08, 01:30 GMT
 


This file nicely explains how he did it.
Many thanks from my side for playing nice and fair, and showing me my noobish mistakes on the challenge cronjobs.

Very well done!
gizmore
The geeks shall inherit the properties and methods of object earth.
Last edited by gizmore - May 09, 2012 - 12:00:07
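As an added illustration of the bug class the file describes and of the fix it recommends (constructed here; this is neither g00bER's proof-of-concept nor the actual level daemon's code), the racy create-then-chown/chmod-by-name pattern sits beside a creator that uses O_CREAT|O_EXCL and fchown/fchmod on the descriptor it wrote to. The function names, the "result" file name and the scratch directory under /tmp are hypothetical; the demo only exercises the hardened creator on a throwaway directory owned by the caller.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed example; not the WeChall level daemon's code. */

/* The pattern the file describes: the daemon creates a result file inside a
 * directory the player can write to, then fixes ownership and mode *by name*.
 * Each of chown()/chmod() performs a fresh path lookup, so whatever inode the
 * name refers to at that instant receives the new owner and mode. */
int create_result_file_racy(const char *path, uid_t uid, gid_t gid)
{
    FILE *f = fopen(path, "w");          /* follows links, reuses existing names */
    if (f == NULL)
        return -1;
    fputs("solved\n", f);
    fclose(f);
    if (chown(path, uid, gid) != 0)      /* second lookup by name */
        return -1;
    if (chmod(path, 0640) != 0)          /* third lookup by name */
        return -1;
    return 0;
}

/* Hardened form, following the file's own advice:
 *  - O_CREAT|O_EXCL fails with EEXIST if the name already exists, whether it
 *    is a regular file, a hardlink or a symlink (O_NOFOLLOW is belt and braces);
 *  - fstat() on the descriptor confirms we hold a fresh regular file;
 *  - fchown()/fchmod() act on that descriptor, so there is no second lookup
 *    and nothing to swap underneath the daemon. */
int create_result_file_safe(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }

    static const char msg[] = "solved\n";
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)
        || fchown(fd, uid, gid) != 0
        || fchmod(fd, 0640) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Exercise the hardened creator in a scratch directory (constructed scenario).
 * Returns 0 when: the first creation succeeds, a second creation under the same
 * name is refused with EEXIST, and a dangling symlink planted under a name is
 * refused rather than written through. A non-zero value names the failed step. */
int demo_in_tmpdir(void)
{
    char dir[] = "/tmp/level5_result_XXXXXX";  /* hypothetical scratch location */
    if (mkdtemp(dir) == NULL)
        return 1;

    char path[256], planted[256];
    snprintf(path, sizeof path, "%s/result", dir);
    snprintf(planted, sizeof planted, "%s/planted", dir);

    int rc = 0;
    if (create_result_file_safe(path, getuid(), getgid()) != 0)
        rc = 2;
    else if (create_result_file_safe(path, getuid(), getgid()) != -1 || errno != EEXIST)
        rc = 3;
    else if (symlink("/nonexistent/target", planted) != 0)
        rc = 4;
    else if (create_result_file_safe(planted, getuid(), getgid()) != -1)
        rc = 5;

    unlink(planted);
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_in_tmpdir();
    printf("hardened creator checks: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Compile with `cc -Wall example.c -o example` and run it as an ordinary user; chown to one's own uid/gid is permitted, so the demo needs no privileges. The descriptor-based calls close the window the file talks about, but its last two points still stand on their own: keeping the result files out of any player-writable directory (ideally on a separate filesystem) removes the hardlink possibility entirely, and is the simpler fix to reason about.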