Warchall got rooted
Global Rank: 253
Totalscore: 87267
Posts: 1636
Thanks: 1338
UpVotes: 886
Registered: 16y 64d
Last Seen: 7h 9m
The User is Offline
Warchall got rooted
May 09, 2012 - 11:54:37 (11y 347d)
May 09, 2012 - 11:54:37 (11y 347d)
Yesterday i got an unexpected PM from one of the users, g00bER.
It only consists of a single line with a kind note
Of course i did a cat /root/g00ber_was_here_too ... and here is the contents:
This file nicely explains how he did it.
Many thanks from my side for playing nice and fair, and showing me my noobish mistakes on the challenge cronjobs.
Very well done!
gizmore
It only consists of a single line with a kind note
Quote from g00bER
You might want to check /root/g00ber_was_here_too on warchall.net ;-)
Of course i did a cat /root/g00ber_was_here_too ... and here is the contents:
GeSHi`ed Plaintext code for g00ber_was_here_too
1 2 3 4 56 7 8 9 1011 12 13 14 1516 17 18 19 2021 22 23 24 2526 27 28 29 3031 | Hey roots, This is another root... g00r00t, originally known as g00bER! :-) Getting the root-level access in a wargame is a nice cherry on the top of the cake and the most rewarding one... and it wasn't any different in this case. Now, how did I do that? The magic trick was a race condition on the level5 daemon (probably applicable to level6 too; didn't really try): - It creates a file in user's homedir and changes the ownership and permissions for the file to that user. - Ding, that smells like a race condition -- you can replace the file by a (hard)link to some sensitive file between its creation and the permissions/ownership modification. - A suitable file could be /etc/passwd -- owning that one sounds like owning the machine; which is what I did; adding a new root-equivalent account. A crude "proof of concept" code can be found in /home/user/g00ber/level/5; it's not perfect since it doesn't wait for the access rights to be set (to the weird value) before trying the race -- this widens the window, but has the adverse effect of putting weird permissions on /etc/passwd. How to prevent it from happening in the future? - It might be better to use fchmod/fchown (you know which file you're modifying at that time; since it's the same one you've been writing to) rather than chmod/chown. Of course, the file creation should be done in O_EXCL | O_CREAT mode. - Also, having the user-writable files on one partition and the "important stuff" on another one helps with preventing hardlink-based attacks quite well. - Probably the safest option is to create the "solution" files in a different place -- one that the user doesn't have write access to. All the modifications should be back to their original state (i.e. ownership of /etc/passwd restored, g00r00t account removed); I'm sorry if I forgot something. Also, there are a few ways of circumventing the sudosh thingy: ... removed ... removed ... removed ... removed Okay, enough babbling for now -- if you want to discuss this hack or anything else, feel free to PM me. g00bER, 2012-05-08, 01:30 GMT |
This file nicely explains how he did it.
Many thanks from my side for playing nice and fair, and showing me my noobish mistakes on the challenge cronjobs.
Very well done!
gizmore
The geeks shall inherit the properties and methods of object earth.
Last edited by gizmore - May 09, 2012 - 12:00:07
tunelko, quangntenemy, TheHiveMind, Z, balicocat, Ge0, samuraiblanco, arraez, jcquinterov, hophuocthinh, alfamen2, burhanudinn123, Ben_Dover, stephanduran89, braddie0, JanLitwin17, SwolloW, dangarbri have subscribed to this thread and receive emails on new posts.
1 people are watching the thread at the moment.
This thread has been viewed 3256 times.
1 people are watching the thread at the moment.
This thread has been viewed 3256 times.