eXploit X - 'Give Me Root' - Computerphile
The Discovery of a Linux Exploit: A Step-by-Step Guide to Full Root Control
A recent discovery has shed light on a powerful exploit that allows for full root control over a Linux machine. This exploit, which works on Linux and may also be applicable to other Unixes, can be achieved by typing in a single command.
The Command Revealed
To access the exploit, one must first enter the correct command into the system's interface. The specifics of this command are not disclosed here, but it is mentioned that it can be found on Twitter or through some online searches. Once the command has been entered, the user gains full control over the machine.
Setting Up the Linux Virtual Machine
To test the exploit, the author created a Linux virtual machine running CentOS 7. The virtual machine was set up by downloading the operating system from the official CentOS website and configuring it to run on the author's laptop. The virtual machine is now available for testing purposes.
Using the Command Line Interface
The author opted to use the command line interface to test the exploit, as it appears to work better in this environment than in the graphical user interface. By logging into the machine using a terminal application and entering the command, the user can gain full access to the system.
Exploiting the System
When attempting to change the password of the root user from its default setting, the system responds with an error message. This suggests that the exploit is working as intended, allowing the user to bypass standard security protocols. The author notes that not all Linux installations are set up in a way that makes this exploit workable.
Conclusion
The discovery of this exploit highlights the importance of vigilance when it comes to computer security. While the specifics of the command remain unknown to the general public, those interested in exploring this further may be able to find the necessary information through online research or by joining online communities such as Twitter. By taking steps to secure their systems and staying informed about potential exploits, users can reduce their risk of falling victim to unauthorized access.
"WEBVTTKind: captionsLanguage: enThere was an exploit found for—that works on Linux—and because of the way its works, you'll see when we take it apart, it'll probably work on other Unixes as well—that if you type this one command in,then what you end up doing is getting full root controlof the machine just by typing in this one command.I should say that it doesn't work on all Linuxinstallations, it has to be set up in the right way,but a lot of the major ones are set up like that.So yeah, if you can remember thecommand or can find it on Twitter,you can type this in and get fullaccess to control the machine.I think the best place to start is if I show it.So let me just start up the laptop.I've got a Linux virtual machine.It's running CentOS 7.I've just literally gone and downloaded this off theCentOS website and we can now see what's going.You could type it in from insidethe graphical user interface.I've found it works slightly betterif you switch to a command line.So I've logged in here to the machine and I'm justsitting at the command line in the standard place,and if I try and, say, change the passwordof root to something else, it'll say:\"Only root can specify a user name\";I'm not logged in with any sort of special permissions,but if I type in this commandthat's been tweeted and so on:cd /etc; Xorg -fp \"root\" -logfile shadow :1; suRight, so if we hit this...Boom! It goes off and sets a fewthings up, the screen goes black,but if I switch back to my otherone, if I type su again...It's logged me in as root, and of course, I can nowchange the password on root without any problems.How does this actually work?Well let's sort of break down this command,because actually it's made of three commands;the semi-colons in the thing thatwe're running actually just say,\"execute this command, followedby this one, followed by this one.\"So the first part of it, cd /etc. Now anyonewho's used any Linux will know what that does.It moves into the directory /etc, and if welook in there, there's a whole load of files in there,and that's a standard Unix directory.Inside there, you've got the configuration filesthat tell you how to mount the filesystems,how to start up the individual programs and things.Also what you have in there are the password fileand something called the shadow password file,which contain details of user's usernamesand passwords, what their user identifiers are,what their home directory is, and so on.So you've got those files in there.So that's the first command.Let's have a look at the last commandnext, so we'll come back to the middle one.So the last command is su. The sucommand basically says, \"go superuser.\"So the su command will log you in, in thesame session, as a superuser—as root, basically.Now, normally, that would ask you for a password,but as we saw here, after you've done thisexploit, it doesn't ask you for a password.So what's going on?What's the middle one?So we've got Xorg, and then wecall it with various commands.So we have -fp, and then we give it root: and thenvarious bits and pieces that I'm not going to write out,and then we have -logfile shadow :1.We're running the program Xorg. Xorg is theprogram that draws everything on the screen,handles the graphics card andthings under Unix-/Linux-type machines.Often this will run as root sothat it can control the hardware.I think there are ways you can have it not run asroot, but by default, often it will be running as root.Now, sometimes, you need to beable to start that as a non-root user,so there's a special way it's setup that we'll look at in a minutewhich enables us to run it as a normal userbut still let that program have access as root.Normally, doing this on its own would not let us getroot, because we don't know the password, normally,but after we've executed this command,this Xorg command, then we can get root.So what's going on here? Well, twothings we need to see what's happening on.First of all—certainly on this versionof Linux, not necessarily on all of them—this program is set up with what's calledthe \"SUID bit\", or the \"set UID bit\" set on it.So if we actually have a look at the program,which is in /usr/bin/Xorg, we cansee that when we look at the program,it has this s-flag on it in the listof attributes that it's got there.It's read/write and it's got thes-flag. This means \"set UID\".All that means is that when that program is run,it runs it as the user ID that theprogram is owned by on the disk,rather than by the current-user-that-started-it's ID.So this program then will run as root,and normally you'd want that to happen.That in itself isn't an exploit,that's what you want to happen.There's lots of programs thatwork like that, you want that to do it,but it means that, because that program isrunning as root, because of the way it's set up,it has access to files that thenormal user wouldn't have access to.For example, the ones in /etcthat set up the password file.If we break this command down a bit further,we've got two parts of this command.We'll come back to this one in a second,but the first one is relatively simple.It's just setting up the log fileto be output to the file shadow,which, of course, will be in the directory /etcbecause we've already moved in to that directory.So all that's telling it is, \"when youwrite a log file telling me what's happening,\"so you can track down any configuration errors if youwant to see what's— if things aren't working properly,it's gonna be called shadow in the current directory.Now, /etc/shadow is one of the files whichstores the password data for Linux and other Unixes.There's actually two—originally, it was /etc/passwd,and that stored things, and that was world-readable,so you could actually read the hashedversions of people's passwords—watch Mike's video on whatpassword hashing is up here.So that wasn't a good idea.So what they did is they sort of kept thepassword file, took the hashes out of it,and put the hashes in a copy ofthe password file called shadow,which \"shadowed\" the password files, hence the name.So that was only accessed by root, whichmeant that when you needed to check a password,the root stuff could access it and do that, and so on.So we're overwriting that file, shadow, withthe log file. So, okay, well, why does that help us?Well, we get to the first part of the command,which is this one here, which is setting the font path.So we're setting the font path—which is what the -fp flag does—to have this string, \"root:, blah, blah, blah\". So why does setting the font path,coupled with setting— logging into theshadow file, enable us to grab root access?Well, let's have a look at the log filethat was created when we ran the exploit.What we see is all the X logginginformation as it's started up,telling you what version it is, whatoperating system we're running on, build IDs,various information about what's happening and so on.So then we get down to this line here at the bottomwhich is telling us what we've set the font path to,and it happily outputs every singleline that we set the font path to.Now, what have we set the font path to?We've set it to the \"root:, blah, blah, blah\", and so on,and the interesting thing about that is—One: it's been copied out on a lineon its own in the new shadow file—okay, some spaces at the beginning,but that's not a problem—but the format of that line we'vewritten is the exact format requiredto tell the operating system thepassword for root and all its details,but in this case, the password would normallybe between the first two colons, and that's blank;there's no hash there.So when you run su, the program— theoperating system looks at the shadow password file,says, \"there's no password there! I'll let you log in,\"and so you've got this wonderfully clever, almostold-school exploit. There's quite a few like this.There was one in Emacs back in the '80s, which Clifford Stoll documented in his book, The Cuckoo's Egg,and various others where you could do similar things.You could have programs thathad access to write as root,could copy files into the right place and then give youroot access when perhaps you weren't meant to have it,and exactly the same thing has happened here.We're allowed to run Xorg, because wewant to display things on the screen,and sometimes you'll have the machineset up so the users start it when they need it,rather than it starting up in that environment.So running it would be okay, but having the\"set UID\" bit set is what you need in those cases,but coupled with the fact that we can writeout arbitrary data in the font path into the file,coupled with the fact that we can then log that into theshadow file, which we normally wouldn't have access to,we can change the password for root,or any other user we'd want to,and then log in as that user without any issue.Now, of course, the problemis that as soon as you do this,you've overwritten the shadow passwordfile with, basically, junk and lines,so you'd probably want to be able to revert things back.Whether you can do that is an interesting question.Hopefully, it's made a backup of the file;shadow.old looks like it might be a thing.So yeah, there's a backup that we could then move back into place and hide it if we wanted to,but we've now managed to get root access. Once we've got that, we can set up our own user, raise our privileges,and then we've got full control of the machine.The person that discovered it probably sort of thought,\"well, actually, okay, I can log into different places,I can write the log file into various different places,\"and you think, \"well, okay, if I canwrite the log file into different places,\"can I use that as a sort of way to getthe data I want into the right place?\"So that's what you try and do, you say,\"I can write this file here,\"but, of course, as we saw, the format is very different,you've got all those squarebrackets at the beginning of lines,and so you couldn't just use itto, say, overwrite a program file.So, some of the other ones we've looked at,and they were just to overwrite a standardprogram file and get an exploit that way,and so you look at what options you've got,and you think, \"okay, well this font path thingwill print out the list of all the font paths,\"so if you've got more than one font path, you'dsee them all on separate lines, one after the other.\"Okay, I can use that, because you canthen write out a font path which isn't a path,\"but is actually the data youneed for the shadow password file,\"and suddenly, you've got your exploit that works.Now the reason this actually happened,the reason this has been there—and apparently it's been in the code fortwo years before someone discovered it—there used to be a check on the log filecommand and the module path command—there's another slight way you can exploit this as well—that would check whether you wererunning with elevated privileges, i.e. as root.If you were, it wouldn't letyou use the -logfile command.It also wouldn't let you change the module path,which is another slight way you can exploit this as well.You could put some arbitrary codeand get that into the system as well,and when they were refactoring thecode, then they— for some reason,that bit of the check didn't get put back in, and so on.So the fix would be dead simple, you just put that bitof code back in, so I think patches will be available,but the quickest way to fix this is—if you do—is to remove the \"set UID\" bit from Xorg.\n"