Posted on

Dirty Pipe vulnerability for beginners

Hello aspiring Ethical Hackers. In this article, we will explain you about the Dirty Pipe vulnerability and how it can be exploited to get root privileges. Considered to be more prevalent than the Dirty Cow vulnerability and more simpler to exploit, the Dirty Pipe vulnerability affects Linux kernels since 5.8. To make it worse, this vulnerability affects even Android as its OS is based on Linux. Dubbed as CVE-2022-0847, this vulnerability is fixed in kernel versions 5.16.11, 5.15.25 and 5.10.102.

To understand the Dirty Pipe vulnerability, readers need to understand a few concepts in Linux.

Pipe : A pipe is a data channel that is used for uni-directional inter-process communication in Linux.

Memory Page : Whenever some data is written to a pipe, a page is allocated to it. A page is ring of a struct pipe buffer implemented by the Linux kernel. The first write to any pipe is allocated a page which is over 4 kB worth of data. If the latest data written to a pipe does not fill the page completely, the following data written will be appended to the same page instead of being allocated a new page.

For example, let’s say 2Kb of data is written to a pipe for which a page is allocated. When the subsequent 1KB of data is written to a pipe, this 1KB of data is appended to the same page instead of being allocated a new page. Anonymous Pipe Buffers work like this.

Page Cache : Memory pages are handled by kernel subsystem called page cache. Whenever any file is read or being written, the data is put into the page cache. This is done to avoid accessing disk for any subsequent reads and writes. This data in the page cache remains for some time until the kernel decides it needs that space for a better purpose. A page cache becomes “dirty” when the data inside the cache has altered from what is on the disk. This is where the name of the vulnerability comes from.

Pipe Flag : The status and permissions for the data in the pipe are specified by Pipe Flags. For DirtyPipe vulnerability, a flag named PIPE_BUF_FLAG_CAN_MERGE plays an important role by specifying that the data buffer inside the pipe can be merged.

System Calls : System Calls or syscalls are methods that can send requests to the kernel from the user space (the portion of memory containing unprivileged processes run by a user). System Call is the fundamental interface between an application and Linux Kernel.

Splice() : Splice is a syscall that was introduced since Linux 2.6.16 that can move data between pipes and file descriptors without user space (the portion of memory containing unprivileged processes run by a user) interaction.

Now, since you have been explained the basic concepts that make this vulnerability work, let’s get into the vulnerability itself.

Whenever any data is copied from a file into the pipe using splice() function, the kernel will first load the data into the page cache as already explained above. Then kernel will create a struct pipe_buffer inside the page cache. However unlike anonymous pipe buffers, any additional data written to the pipe must not be appended to such a page because the page is owned by the page cache, not by the pipe.

Since the page cache is run by kernel (high privileges), any user with low privileges can exploit this vulnerability to take an action requiring high privileges. Enough theory. Let’s get into practical exploitation. We are going to try this on Debian 11 with kernel 5.10.0.

Dirty Pipe 1 1024x104

I will try to get a root shell by exploiting this vulnerability. For this, I will download a exploit as shown below.

Dirty Pipe 2 1024x283

I compile the exploit which is a C script.

Dirty Pipe 3 1024x78
Dirty Pipe 4 1024x105

Then I execute the exploit as shown below. This will create a new user named “rootz” with root privileges.

dirty pipe

Once you get the message saying “It Worked”, the exploitation is successful. All I have to do is login as the new user (rootz) as shown below.

Dirty Pipe 6 1024x103

Voila, I have a root shell. The exploitation is successful.

Posted on

PwnKit : Explained with POC

Hello aspiring ethical hackers. In this article, you will learn how to use PwnKit to elevate privileges on a Linux system. But first things first. What exactly is polkit?

Polkit is a component that controls system-wide privileges in Unix-like operating systems. Put simply, it provides an organized way for non-privileged processes in Linux to communicate with privileged processes. Known earlier as PolicyKit, it’s name was changed to polkit since version 0.105 which was released in April 2012 to emphasize the rewritten component and changed API.

In Linux, you use SUDO to usually execute commands with privileges of a root user. However, it can also be done with polkit by using command pkexec. But the fact is SUDO is more preferred as it is more easily configurable.

So how is this polkit exploited to elevate privileges on a Linux system. A memory corruption vulnerability PwnKit (CVE-2021-4034) was discovered in the pkexec command (which is installed on all major Linux distributions). The vulnerability is present in polkit since the original release of 2009.

The vulnerable targets include but may not be limited to Red Hat 8, Fedora 21, Debian Testing ‘Bullseye” and Ubuntu 20.04. Most of the systems would have now received patches but any OS with no updates should still be vulnerable.

The version of polkit installed can be checked as shown below.

Polkit 1

We are testing it on Debian Testing 11.2 (BullsEye). There is another command apart from “pkexec” to interact with polkit from the command line. It is “dbus-send”. It is a general purpose tool used mainly for testing but installed by default on systems that use D-Bus. For example, on a Linux system, D-Bus can be used to create a new user named “hackercool” as shown below.

dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:hackercool string:”blackhat Account” int32:1

This is as simple as that. This command will manually send a dbus message to the accounts daemon to create a new user named “hackercool” with a description of “blackhat Account” and will make the new user a member of SUDO group (as we set the int32:1 flag). Then all that’s left is setting the password to the newly created user.

But before we do any of this, we need to check the time taken to run the above command? This can be done by prepending the time command to the above command as shown below.

Polkit 4

It takes almost 7 seconds to execute this command. But wait, why do we need to check the time taken to execute this command? Because we have to kill it at the correct time. Once again why we need to kill it? Well, here’s the answer.

When you run the above command (without time) and terminate it after some time and then polkit asks dbus-daemon for the connection, dbus-daemon correctly returns an error. Here’s where polkit goes wrong. Instead of rejecting the request it treats the request as it came from root process and viola we have an authentication bypass.

However, the timing of the vulnerability is very difficult to detect. Hence we need to kill the command after over half time. Why? it seems polkit asks d-bus daemon for the terminated connection multiple times on different codepaths. Almost all the codepaths handle it correctly except one. We are looking for this one codepath. So if we terminate the command early, privilege escalation may not work correctly.

I hope everything is explained. Now, let’s get into practical exploitation. So what I want to do is run the same command as we ran above to create a new user named “hackercool” but this time killing the process after 5 seconds. As the command takes 7 seconds to complete, I have chosen to terminate this command after 5 seconds. i.e almost more than half time.

Polkit 5

As you can see in the image below, a new user named “hackercool” is created and added into SUDO group.

Polkit 8

Now, all we have to do is create a password for this user. Note that we have to create a SHA-512 hash. This can be done using OPenssl. Once the hash is created use the dbus-send command once again but this time to create the password for this newly created user. This can be done as shown below.

dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'<SHA-512 HAsh’ string:’Ask the pentester’ & sleep 5s; kill $!

pwnkit

It’s done. Let’s login as the new user.

Polkit 9
Polkit 10

As you can see, we successfully elevated privileges on a target system by creating a new user. To learn Real World Ethical Hacking, Please subscribe to our Monthly Magazine.

Posted on

SetUID privilege escalation in Linux

Hello, aspiring Ethical Hackers. In this article, you will learn how to perform SetUID privilege escalation in Linux. In our previous article, we have exploited cron jobs to change SetUID bit of an executable. What exactly is a SetUID bit?

SETUID stands for Set User ID on execution. This allows a user with low privileges to run a command with higher privileges. The difference between SUDO and SETUID is that in SUDO you can execute a command only if the root user can do it.

With the concept of SETUID understood, let’s see how binaries with SETUID bit set can be found. One way to find them is by using find command as shown below.

setuid privilege escalation


Here are some examples of gaining root privileges by exploiting programs with SETUID bit set.

1. bash

Emp116

2. csh

Emp117

3. env

Emp117 1

4. nice

Emp119

5. node

Emp120

6. setarch

Emp121

7. stdbuf

Emp122

8. strace

Emp123

9. taskset

Emp124

10. tclsh

Emp125

11. time

Emp126

12. timeout

Emp127

13. unshared

Emp128

14. xargs

Emp129

15. php

Emp130

16. expect

Emp131

17. find

Emp132

18. python

Emp133

19. flock

Emp134

20. gdb

Emp135

21. ionice

Emp136

22. logsave

Emp137

23. make

Emp138

These are some examples of linux privilege escalation by exploiting SETUID bit.

Posted on

Linux Privilege Escalation : Cron Jobs

Hello aspiring Ethical hackers. In this article you will learn how to exploit Cron jobs for Linux Privilege Escalation. If you are familiar with Windows Task Scheduler you will readily understand what cron is. Yes, it is used to schedule jobs or commands in Linux.
For example you have a Linux server and want to clean cache regularly once a day. You can do this manually everyday or schedule a job to do this daily without your intervention. Here’s where cron jobs assist you. You can assign a job in cron. Sometimes these jobs are assigned with root privileges and these can be exploited to gain root privileges. Let’s see it practically.

For this article, we have a target on which we already gained a shell. Then I ran the PE.sh privilege escalation script on the target to find ways to elevate privileges on the target.

As I scroll down the output of our PE.sh file, we can see our target has some cron jobs set.

linux privilege escalation with cron jobs
Emp106i
Emp107

As you can see in the above images, we can set cron jobs monthly, daily or hourly. But our job here is to not schedule cron jobs. It is to exploit them. As we scroll down further, we can see the format of a cron job.

Emp108

In the above image, you can see the exact format of a cron job. It is minutes first, hours, day of month, month and day of week. We can see a cron job named /opt/new_year.sh that is scheduled to run at the 00:00 time of first day of the first month of every year. That is the occasion of New Year.

But what does * * * * * mean? It means these cron jobs are scheduled to run every minute of every hour of every day of the week (i.e daily) , every month. That typically means these jobs run each and every minute. The important thing to notice here is that all these jobs are running as user “root”.

Let’s manipulate one the these scripts, let’s say /opt/my_script.sh. We have a SETUID bit set on “dash” shell, one of the shells installed on the target system.(We will see in a short while what SETUID is). This can be seen in the image below.

Emp111

We are editing the my_script.sh file with a command “chmod u-s /bin/dash”. This will remove the SETUID bit. Wait for one minute and check the /bin/dash command.

Emp112

The SETUID bit is removed. Not just that, we can add new users on the target system as shown below.

Emp114

That’s how cron jobs can be exploited for linux privilege escalation.

Posted on

PrintNightmare, Privilege Escalation in Powershell

PrintNightmare is a critical vulnerability affecting the Microsoft Windows operating systems. The recently disclosed vulnerability is present in the print spooler service of Microsoft Windows. The printer spooler service is used for printing services and is turned on by default. The versions of Windows vulnerable to PrintNightmare include Windows 7 to Windows 10 and windows Server 2008 to the latest version of Windows Servers.

The PrintNightmare vulnerability has two variants : one is enabling remote code execution (CVE-2021-34527) and the other privilege escalation (CVE-2021-1675). In this article, readers will see a demonstration of exploiting the privilege escalation vulnerability in PrintNightmare.
For this demonstration, we will use Windows 10 version 1809. The Powershell Script we used in this demo can be downloaded from Github.

In this scenario, imagine I already have access to the target machine as a user with low privileges. Let me demonstrate it to you. The first thing I need to confirm is whether the printer spooler service is running on the target system or not. This can be done using powershell command “Get-Service -Name “spooler”“.

PNm Powershell Lpe 1

The print spooler service is running. Now I can exploit it. Before that let me show you that I am a user with limited privileges i.e as “user 1” with very limited privileges.

PNm Powershell Lpe 3
PNm Powershell Lpe 4

Next, I already downloaded the Powershell script I need to exploit the Printnightmare vulnerability .So I moved to the Downloads folder where the Powershell script is saved. Once I am inside that folder, I run the command

Import-Module .\ <script Name>“as shown below.

PNm Powershell Lpe 5

Once the Powershell module is imported, I can execute the script with command
Invoke-Nightmare -NewUser “<username to create >” -NewPassword <password for that new user> DriverName “PrintMe”
This command will create a new user with administrator privileges.

How to exploit printnightmare

In the image above, you can see the existence of new user named “hacker” which I created. Now, let’s check the privileges of this user.

PNm Powershell Lpe 7

As readers can see, the new user I created belongs to the local administrators group. I reboot the system and try to login as that user.

PNm Powershell Lpe 9 1024x576
PNm Powershell Lpe 10

The exploitation is successful.