Linux Vulnerabilities

GNU/Linux is a free and open source operating system, combination of the Linux kernel and the GNU toolkit software collection, developed by Richard Stallman.

• Linux kernel is the core of the O.S.

• Linux distributions are variants of the same O.S.

• Typically deployed as a server O.S.

  • Linux server services and protocols can provide with an access vector that an attacker can use

Linux Exploitation

Apache - ShellShock

• CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock.

• Bash shell since v.1.3

• The Bash mistakenly exectutes trailing commands after a series of characters

• Apache web servers that run CGI or .sh scripts are also vulnerable

🗒️ Bash - *Nix shell part of the GNU project and default shell for most Linux distros.

🗒️ CGI (Commond Gateway Interface) - Apache executes arbitrary commands on the Linux system and the output displayed on the web server.

ShellShock Exploitation

1. Locate a script or input vector (legitimate Apache CGI scripts) to communicate with Bash

2. Input special characters within the HTTP headers (e.g. user-agent)

3. When CGI is executed, the web server will run it with Bash in a new process

The exploitation can be done manually and automatically.

🔬 Check the Bash - ShellShock Lab here

FTP

🗒️ FTP (File Transfer Protocol) - facilitate file sharing between a server and clients. Used for transfering files to and from a web server (e.g. CPanel or FTP credentials).

• Port: 21 (TCP) - default

• User Authentication - username & password

  • anonymous access may be configured on FTP - no credentials needed

FTP Exploitation

1. Credentials can be brute-forced on the FTP server

2. Exploit inherent vulnerability within FTP service

🔬 Check the FTP Brute force Lab here

SSH

🗒️ SSH (Secure Shell) - cryptographic remote administration protocol, tipically used for servers remote access

• Port: 22 (TCP) - default

• SSH Authentication:

  • User Authentication - username & password

  • Key based, 2 key pairs (public and private keys) - no username and password

SSH Exploitation

1. Credentials can be brute-forced on the SSH

2. With SSH legitimate credentials the attacker gain access to a full shell, with the utilized user account's privileges

🔬 Check the SSH Brute force Lab here

SAMBA

🗒️ SAMBA - network file sharing protocol, for file and peripherals sharing on a LAN. It is the Linux implementation of SMB

• Port: 445 (TCP)

• Not pre-packed, not a common running service

• User Authentication - username & password

SAMBA Exploitation

1. Credentials can be brute-forced

2. Use SMBMap or smbclient to retrieve information

🔬 Check the SAMBA Brute force Lab here

Linux Privilege Escalation

Linux Kernel Exploits

❗ Targeting Kernel can cause system crashes, data loss, kernel panics etc ❗

Linux kernel vulnerabilities can be targetted to execute arbitrary code and obtain privileged system shell.

• Kernel version and distribution is important

The Linux Privilege Exploitation process consists of:

1. Identify kernel vulnerabilities (Linux Exploit Suggester)

2. Download, compile, transfer kernel exploits onto the target system

Linux-Exploit-Suggester - a tool designed to assist in detecting security deficiencies for given Linux kernel/Linux-based machine.

• Assessing kernel exposure on publicly known exploits

• Verifying state of kernel hardening security measures

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O linux-exploit-suggester.sh

chmod +x linux-exploit-suggester.sh

./linux-exploit-suggester.sh

• Very useful to get Kernel version, possible Exploits with detailed information on the CVEs

Misconfigured Cron Jobs

🗒️ Cron - a time-based daemon/service, scheduler of applications, scripts and commands. It executed non-interactive jobs.

• Tasks scheduled in cron are called cron jobs

  • e.g. backups, o.s. upgrades, patches, scripts, commands etc

• Default cron table/configuration file is /etc/crontab

• Cron Jobs can be run as any user

Cron Jobs Privesc

• The attacker will target root's privileged Cron Jobs

• Find and identify cron jobs scheduled by the root user or the files processed by te cron job.

🔬 Check the Cron Jobs Lab here

SUID Binaries

🗒️ SUID (Set owner User ID) - is a type of special access permission given to a file. A file with SUID always executes as its the owner, regardless of the user passing the command.

• Allows unprivileged users to run scripts or binaries with root permissions, and it's limited to the execution of that specific binary.

• This is not privilege escalation, but can be used to obtain an elevated session

  • e.g. the sudo binary

• The exploitation of SUID binaries to get privesc depends on:

  • the owner of the SUID file - e.g. look for root user's SUID binaries

  • access permissions - x executable permissions are required to execute the SUID binary

🔬 Check the SUID Lab here

Linux Credential Dumping

All the Linux accounts' information is stored in the passwd file stored in /etc/ directory.

Linux has multi-user support, this can increase the overall risk of a server.

cat /etc/passwd

Passwords cannot be viewed because they are encrypted and stored in the shadow file in the /etc/ directory.

• 📌 Only root account can access shadow file

sudo cat /etc/shadow

Linux Password Hashes

The hashed password have a prefix $id value that indicates the type of hashing algorithm that is being used, e.g.:

🔬 Check the Dumping Linux Hashes Lab here