hackfaq-28.html

Posted Aug 17, 1999


tags | paper
SHA-256 | 4a734cab33c6bf368a402f4806079cef3f391b3243129928482e7cf0cd2d26f1

<!DOCTYPE  HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.6">
<TITLE>The Hack FAQ: Unix Local Attacks</TITLE>
<LINK REL="next" HREF="hackfaq-29.html">
<LINK REL="previous" HREF="hackfaq-27.html">
<LINK REL="contents" HREF="hackfaq.html#toc28">
</HEAD>
<BODY BGCOLOR="black" VLINK="gray" TEXT="white" LINK="gray" HLINK="red">
<A HREF="hackfaq-29.html">Next</A>
<A HREF="hackfaq-27.html">Previous</A>
<A HREF="hackfaq.html#toc28">Contents</A>
<HR>
<H2><A NAME="unixlocalattacks"></A> <A NAME="s28">28. Unix Local Attacks</A></H2>

<P>This section deals with attacking Unix from a local account or from the console itself.
<P>
<H2><A NAME="ss28.1">28.1 Why attack locally?</A>
</H2>

<P>When you are trying to attack and gain root on a file server, a method to start with
is to gain at least limited access on a system. There are large numbers of exploits
to "bust root" but many require you have an account on the box. Here is an example
attack scenario:
<P>
<UL>
<LI> Gain access to server lame.nmrc.org via guest account (note to idiots: this is
a non-existent example of a server).</LI>
<LI> Note that it's running an older version of Linux.</LI>
<LI> Prowl around on Bugtraq, rootshell, or some other place with exploit code, and
find an exploit for one of the outdated or unpatched programs or subsystems.</LI>
<LI> Compile and run it to become root.</LI>
<LI> Brag to all your friends and on IRC so you get caught and go to jail (this step
is optional).</LI>
</UL>
<P>
<H2><A NAME="ss28.2">28.2 How do most exploits work?</A>
</H2>

<P>There are several different attack techniques you can use from a local account and the
handy exploit you are running. Here are a few common ones with extremely simple
explanations:
<P>
<DL>
<DT><B>Misconfiguration</B><DD><P>If excessive permissions exist on certain directories and files,
these can lead to gaining higher levels of access. For example, if /dev/kmem is writable
it is possible to rewrite your UID to match root's. Another example would be a .rhosts
file whose read/write permissions allow anyone to write to it. Yet another example would
be a script launched at startup, by cron, or respawned. If this script is editable, you could
add commands that run with the same privileges as whoever started the script (for startup
rc files in particular this would be root).
<P>
<DT><B>Poor SUID</B><DD><P>Sometimes you will find scripts (shell or Perl) that perform certain tasks
and run as root. If such a script is writable by your id, you can edit it and run it. For
example, I once found a shutdown script that was world writable. By adding a few lines at the
beginning of the script it was possible to have the script create a root shell in /tmp.
<P>
<DT><B>Buffer Overflow</B><DD><P>Buffer overflows are typically used to spawn root shells from a process
running as root. A buffer overflow could occur when a program has a buffer for user-defined data
and the user-defined data's length is not checked before the program acts upon it. See the next
question for more details.
<P>
<DT><B>Race Conditions</B><DD><P>A race condition is when a program briefly creates an opportunity for evil
by opening a small window of vulnerability. For example, a program that alters a sensitive
file might use a temporary backup copy of the file during its alteration. If the permissions
on that temporary file allow it to be edited, it might be possible to alter it before the
program finishes its editing process.
<P>
<DT><B>Poor Temp Files</B><DD><P>Many programs create temporary files while they run. If a program runs
as root and is not careful about where it puts its temp files and what permissions these
temp files have, it might be possible to use links to create root-owned files.
</DL>
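<P>A defender's check for the misconfigurations listed above, added here as an example and not part of the FAQ: it classifies files by their mode bits (world-writable, SUID/SGID yet writable by group or others, .rhosts readable by anyone but its owner). The finding names and the idea of feeding it paths from find(1) are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Finding flags returned by audit_path(); several may be set at once. */
enum { WORLD_WRITABLE = 1, WRITABLE_SUID = 2, LOOSE_RHOSTS = 4 };

/* Classify one file by its mode bits. Returns a bitmask of the flags above,
 * 0 if nothing is wrong, or -1 if the path is not a regular file (symlinks
 * are not followed, so a link pointing elsewhere is not misjudged). */
int audit_path(const char *path)
{
    struct stat st;
    const char *base;
    int findings = 0;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    /* Misconfiguration: anyone can edit it. Fatal for an rc or cron script,
     * which runs its contents as whoever started it, usually root. */
    if (st.st_mode & S_IWOTH)
        findings |= WORLD_WRITABLE;
    /* Poor SUID: runs with its owner's (or group's) rights, yet group or
     * others may rewrite it before running it. */
    if ((st.st_mode & (S_ISUID | S_ISGID)) && (st.st_mode & (S_IWGRP | S_IWOTH)))
        findings |= WRITABLE_SUID;
    /* A .rhosts file should be private to its owner (mode 0600). */
    base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strcmp(base, ".rhosts") == 0 && (st.st_mode & (S_IRWXG | S_IRWXO)))
        findings |= LOOSE_RHOSTS;
    return findings;
}

/* Prints one line per flagged file. Feed it paths, e.g.
 *   find / -xdev -type f -print0 | xargs -0 ./audit
 * Exit status is 1 if anything was flagged, so it can drive a cron alert. */
int main(int argc, char **argv)
{
    int i, flagged = 0;
    for (i = 1; i < argc; i++) {
        int f = audit_path(argv[i]);
        if (f <= 0)
            continue;
        flagged++;
        printf("%s%s%s%s\n", (f & WORLD_WRITABLE) ? "WORLD_WRITABLE " : "",
               (f & WRITABLE_SUID) ? "WRITABLE_SUID " : "",
               (f & LOOSE_RHOSTS) ? "LOOSE_RHOSTS " : "", argv[i]);
    }
    return flagged ? 1 : 0;
}
```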
<P>
<H2><A NAME="ss28.3">28.3 So how does a buffer overflow work?</A>
</H2>

<P>A buffer overflow works as follows:
<PRE>
- Program eleetd has unchecked user input and is owned by root.
- Hacker creates program that sends user input greater than what eleetd's buffer for the input
will hold.
- Hacker has made sure that this data when placed upon the stack will alter the next instruction
the CPU will execute.
- Hacker runs evil program and the hacker's command, /bin/sh, runs as root, dropping the hacker
to a shell running as root.
</PRE>
<P>For example, if the buffer holds 108 bytes, the hacker creates a program that sends more than
108 bytes to that buffer. By carefully crafting the extra bytes starting at byte 109, the
hacker can make the program execute additional commands.
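<P>Added example, not from the FAQ: the unchecked copy the FAQ describes beside its hardened form, using the FAQ's 108-byte buffer. The function names and the reject-rather-than-truncate policy are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 108   /* the FAQ's example: a buffer that holds 108 bytes */

/* The defect the FAQ describes: "unchecked user input". strcpy() stops only
 * at the NUL byte, so a longer input keeps writing past the end of dst and
 * over whatever lies beyond it on the stack. Shown for contrast only; never
 * call it with input you do not control. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* The fix: check the length against the destination size before acting on
 * the data, and refuse (rather than silently truncate) anything that does
 * not fit together with its terminating NUL. Returns 0 on success, -1 if
 * the input was rejected. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);   /* n bytes plus the NUL, all within dst */
    return 0;
}

/* Walks the boundary with the FAQ's numbers: 107 bytes fit in a 108-byte
 * buffer, 108 do not (no room for the NUL), and 200 is refused outright.
 * Returns 1 if every case behaved as expected, 0 otherwise. */
int demo_boundary(void)
{
    char buf[BUFSIZE];
    char input[256];
    memset(input, 'A', sizeof input);
    input[107] = '\0';
    if (copy_checked(buf, sizeof buf, input) != 0) return 0;
    input[107] = 'A'; input[108] = '\0';
    if (copy_checked(buf, sizeof buf, input) != -1) return 0;
    input[108] = 'A'; input[200] = '\0';
    if (copy_checked(buf, sizeof buf, input) != -1) return 0;
    return 1;
}

int main(void)
{
    printf("boundary checks %s\n", demo_boundary() ? "passed" : "FAILED");
    return 0;
}
```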
<P>For more information on buffer overflows, check out Mudge's tutorial on writing them at
<A HREF="http://www.l0pht.com/advisories/bufero.html">http://www.l0pht.com/advisories/bufero.html</A>,
or read this overview in a paper called "Compromised - Buffer Overflows, from Intel to SPARC Version 8",
available from
<A HREF="http://www.l0pht.com/advisories/bufitos.pdf">http://www.l0pht.com/advisories/bufitos.pdf</A>
(Acrobat version) or
<A HREF="http://www.l0pht.com/advisories/buf.ps">http://www.l0pht.com/advisories/buf.ps</A>
(PostScript version). Another fine article appeared in Phrack 49, File 14, called "Smashing The Stack
For Fun And Profit" by Aleph One. Phrack issues can be downloaded from
<A HREF="http://www.phrack.com/">http://www.phrack.com</A>.
<P>
<P>
<HR>
<A HREF="hackfaq-29.html">Next</A>
<A HREF="hackfaq-27.html">Previous</A>
<A HREF="hackfaq.html#toc28">Contents</A>
</BODY>
</HTML>