AOH :: P25-05.TXT

Unix Cracking Tips




                                ==Phrack Inc.==

                     Volume Three, Issue 25, File 5 of 11

       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
        <><><><>                                            <><><><>
        <><><>                Unix Cracking Tips              <><><>
        <><>                                                    <><>
        <>                     by Dark OverLord                   <>
        <><>                                                    <><>
        <><><>                  March 17, 1989                <><><>
        <><><><>                                            <><><><>
       <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>


The purpose of this file is to present tips for budding Unix hackers.  The
audience this is aimed at are those that are experienced at working with basic
Unix, but not in the cracking aspects.

Most of the following material is based on actual experience with BSD boxes
(with some help from my friends).  Many of the bugs here may not apply to your
system; your mileage will vary.


When Cracking A System Remember --

     o ALWAYS cover your tracks
     o Don't get caught
     o Don't get malicious
     o Get off as soon as possible
     o Keep a bottle of "Wild Turkey" near the terminal
(IMPORTANT!)


About Logging:  Remember that many systems use paper terminals so that if a
warning message goes to the console, you can't erase it.

Hint:  If you know that you are going to be ringing a few bells, you may wish
       to send a bunch of bogus messages to the console so it runs out of paper
       before the important messages get there.


After you gain superuser privileges and you wish to stay root, here are
a few suggestions for installing backdoors:

- Disable checks for superuser in the kernel
- Install new system calls
- Patch a system binary to contain a backdoor
- Leave /dev/mem readable


An ancient method of extracting data from anything is to sort through its
trash.  The same applies to Unix and newly allocated data.
One trick is to look for old data in newly allocated data (eg: Allocate a
large amount of memory and search through it for old [useful?] data).  Given
enough time and an intelligent search algorithms, you could find quite a bit of
information including people's passwords and other private stuff like
mail, et al.


If the device "/dev/kmem" is readable, you should be able to write a quick C
program that intercepts the I/O to other terminals and catch other people's
password etc.

If the device "/dev/kmem" is writeable, it is possible to change your userid by
editing the user structure.


A Common Trick:  When looking to gain more system privileges, one of the first
things to investigate are other users' .rhost files since these can be used to
grant access to other accounts without the use of a password.  See the Unix
manual entry for rlogin for more information.


Another thing to look for are writeable .profile, .cshrc or .logins (to name a
few).  It these are left writeable, it is all too easy to install a Trojan
horse.


Look for readable .netrc files since these files may contain passwords to other
accounts.


If the man command is setuid, it might be possible to get a shell by typing
"!/bin/csh" from within the pager.


Some types of terminals can be "instructed" to issue commands using various
escape sequences.  This makes it possible to mail someone a "letter bomb" that
(when read) will send commands to the user's shell.


It is possible to mail commands to a system.  This is a feature of the
debugging mode of Unix's sendmail.  This trick was made fairly public through
its use by the Internet Worm.  The way it is done is by connecting to the SMTP
socket/port and turning on the debug mode.  The recipient that is mailed to is
"| sed '1,/$/d' | /bin/sh ; exit 0" and then the commands for the shell are
placed in the body of the letter/data section.


Under Unix it is trivial to forge mail.  The easiest way this is done is by
connecting to the SMTP port and pretending to be a foreign mailer program.


Some systems will crash if you issue the command "eval `\!\!`" from within the
C shell (/bin/csh).


When searching for data, do not forget to look for possible un-mounted file
systems.  [eg:  Look for disk partitions that are unaccounted for.]


Other things to try are illegal system calls and system calls with
illegal (strange?) arguments.  A good example is the fchown system call
under 4.3-Tahoe Release from Berkeley.  If you give it a negative
number for the group argument it grants permission for you to change
the ownership of any file.  Another example (on many systems) is the
"access" system call used by many, many programs.  Its problem is that
is only checks permissions on the requested file and neglects to check
the permissions of links and directories that lead to the file.  I have
seen some systems that allow any user to use the chroot system call;
this is VERY foolish since all I have to do in construct my own
sub-environment (with my own configuration files) and execute certain
commands from within it.


Yet another thing to look for are system structures stored in user accessible
memory.  These structures can be modified to suit your purposes.


Look for sloppy permission/ownership on system directories and on system
configuration files.  These can allow you to modify and/or control many aspects
of system behavior.  Here are a few files to look out for:
"/etc/rc",
"/etc/passwd", "/etc/group", "/etc/profile",
"/usr/lib/crontab" or
"/usr/spool/cron/crontabs/*".

Hint:  AT&T 3b1 systems are notorious for this problem.


If the system you are hacking has readable system logfiles and it logs failed
login attempts, a possible leak might be if a user had accidentally typed their
password at the login prompt.  You should scan through these logs looking to
strange and nonexistent account names and use these as the password for users
that logged in around that time (the command "last" will list the login time of
users).


Check to see if the system has source code on-line.  There is nothing more
useful then having system source code on-line for browsing.
Look for source code (normally found in the directory /usr/src) and scan it
for programming errors (or download it so you spend less time on the
system).


Look for other people's back doors.  If you can find any, they can make your
life a bit easier.


Check to see if the system has a good auditing system.  If so, run it since it
may find a few security problems for you.


Look for setuid shell scripts that may be on the system.  There is no
way way to secure a setuid shell script under the current release of
BSDish Unixes in the current market.  The command "find / -perm -6000 -ls"
will print out all setuid and setgid files on a system.  Look
through this list for setuid shell scripts.  One way in defeating a
setuid script is to make a link named "-i" to the file, then execute
the link.  Another way is to send it a signal at the right moment
during its start up.  The simplest way do this is to write a quick C program tha
   t sets a block on the signal, then sends
itself the signal, and then execs a setuid script. (Note: The signal
will not be processed because of the block, thus leaving it for the
setuid script).   Either of these bugs should give you an interactive
shell running as the userid of the setuid script.


If you are familiar with programming with assemblers/dissemblers, you can look
for bugs and/or modify existing software to suit your needs since most
installations do not strip debugging symbols from system binaries and leave the
executables readable.  There is an enormous amount of hacking information that
can be learned this way.


Under UNIX-V7 & 4.1BSD, programs that were setgid were only a security problem
because if you were able to get them to dump a core file, the core would be
owned by you and setgid to the groupid of the program that generated it.  Since
you owned this file, you could copy a shell of a command script into it and
have it run as the groupid of the file.  This will allow you access to to any
file that is owned by the group.


If the system you are hacking supports bidirectional modems, it is possible to
use them for stealing passwords.  This can be done by using tip to connect to
the modem and then waiting for a user to call.  When a user calls in, you
simply answer the phone and simulate the login process.  Once the user has
surrendered their password, you simulate line noise and hang up.


The Unix login program (the program that prompts you for the account name and
password) is tricky in the way that the error message for bad accounts and bad
passwords are the same.  This is to stop account/password guessing.  I guess it
works if your only access to a system is either a terminal line or a modem
connection.  If you have access through a LAN you can check account names with
the finger command.  This neat little Unix goodie will give you all sorts of
information about people's accounts.  If the finger utility is turned off,
there is another way through a program called ftp.  The ftp (File Transfer
Program) command can be used to confirm the existence of a user account/bad
password selection.  I have also noted that the ftp command does not do as much
logging, thus repeated bad password guesses not logged as much via ftp.
[See next section also.]


If the Unix system you wish to crack is networked via UUCP or TCP/IP, it should
be fairly simple to extract the password file from the remote system using the
ftp utility.  Once you have a copy of the password file, you can simply back
away from the system (thus reducing the chances of getting caught!).


See Phrack Inc. Issue 22, File 6 -- "Yet Another File On Hacking Unix by
>Unknown User<" for a slow but effective password grinder.


Another network based attack involves tapping in on the LAN (Local Area
Network) and listening for people's passwords since most systems transmit them
in clear text.


On systems that disable account logins after N number of bad logins, it is
sometimes useful to use the feature to lock out staff members from logging in
thus giving you [the cracker] more time to clean up after yourself and escape.


Here are a few bugs in the su (set userid) command that may come in handy:

The first was that the "-c" option did not check to see if the user being su'ed
to had a valid shell.  The "-c" option is used to instruct the su command to
run another command instead of a shell [eg:  "su davis -c foobar" tells su to
run foobar instead of davis's default shell].  This comes in handy with
accounts like "sync::0:1::/:/bin/sync" because you can execute any arbitrary
command [eg: su sync -c /bin/csh].

Another bug in the su command exists in some System V ports where if su was
unable to open the password file ("etc/passwd"), it would grant root access
(without checking the reason for the failure).  I guess the programming can
tell that something is wrong and grants access so someone can fix things.  The
security problem occurs when when su is executed with a full file descriptor
table; this will force su to fail its open request on the password file.


Some Unix system's mkdir (MaKe DIRectory) command can be subverted into aiding
you in gaining root.  This is done by exploiting a race condition that can
occur between processes.  The following command script will eventually cause
the error to occur and cause the password file to be owned by you:

    while : ; do
        nice -10 (mkdir a;rm -fr a) &
        (rm -fr a; ln /etc/passwd a) &
    done

The race condition happens when the "ln" command runs while the mkdir command
is in the middle of running.  This works because the mkdir does its job by
doing the two system calls:  mknod and then chown.  If the now inode (allocated
by mknod) is replaced with a link to the password file before the chown system
call is made, then the password file is "chown"ed instead.  To become root from
here, all you have to do is add a new entry into the password file.


The print command ("lpr" or "lp") has an option to delete a file after it is
printed.  This option will work (print & delete the file) even if you do not
own the file.


The mail command has the option to save your mail after you read to another
file.  Some versions of this command will save (append) your mail to a file
after it is read.  A bug exists where the mail program does not check to see if
you have write permission to the file you are saving the mail to, thus allowing
you to (for example) add new accounts to the password file.


A quick word on the crypt command (and vi -x since it uses the crypt command):
The algorithm used is not hard to break (it takes about twenty minutes to
decrypt a file with the right tools).  See the "Bell Systems Technical
journal," Vol. 63, 8, part 2 for more information.


If the UUCP configuration files are readable [default on many systems], you can
obtain the login names, passwords, and phone numbers to all of the mail links
to and from the system you are hacking.  With the use of the a public domain
program, "uupc", you can make the connections yourself and intercept and/or
filter all incoming mail.

There are so many ways to crack Unix just through UUCP that I am not going to
expand and list the many ways and their permutations.  Instead, I am going to
save them for an article to be done at some random time in the future.


If you are hacking on a system that supports sharable memory you may be able to
access these memory segments.  On Sun systems, there is a command called ipcs.
This command lists available sharable memory segments.  If this command does
not exist (nor has a equivalent command available), you may have to either
write one or use blind exploration.  Once you have identified these segments,
you can gain control to the data contained therein and/or other programs
utilizing the data contained within.


If you are caught:  Grasp the bottle of "Wild Turkey" (the one near your
terminal) and drink it.

===============================================================

AOH Site layout & design copyright © 2006 AOH