Linux Setuid Vulnerabilities Explained (Sudo CVE-2021-3156)

Captions
Hi YouTube. So back in February this year there was a critical vulnerability in the sudo Linux command, which I created a public proof of concept for. A few weeks later I gave a talk to my security club about the vulnerability: what is security access control, what is setuid and how that works, and how I exploited the vulnerability using a time-of-check/time-of-use race condition. So please enjoy the video.

So, when you run something in Windows as admin, you're going to get this kind of prompt, the UAC prompt: "Do you want to allow Notepad to make changes to your device?" Do you guys see that? Okay, cool. The reason you have this is because normally, when you're running as your normal user, all the programs and commands that you run are run as an unprivileged user. That means even if you're in the Administrators group (like I'm an admin, my user account on my laptop is an admin user), all the programs and stuff that I run normally are not run as admin; they're run at a low privilege level, because that limits the kind of damage you can do to your own computer if you make a mistake. Let's say I accidentally press Ctrl+A in my C drive because I'm careless, and I press Delete. Normally, if I was an admin, that would just wipe out my file system, but as a low privileged user that's probably just going to fail right away. It's going to be like, "Hey, you're not an admin, you can't delete all the files in the root file system."

To illustrate: if I open a command prompt (okay, that's really small font) and type whoami, it's going to tell me I am pc user, so this is not an admin. On the other hand, I can actually whip out an escalated shell: if I open Process Hacker and do "run as"... this is what the escalation does under the hood, essentially. And now I can see I'm NT AUTHORITY\SYSTEM,
right. So that would be an example of escalation on Windows. That's an example most people would be familiar with. When, for example, you have a program that's like "hey, you need to run this program as admin or it's not going to work," that's because it's probably doing some operations that require administrator-level privileges on your computer. Some examples of stuff that might need that are like updating software. If you go to C:\Program Files and look at the security tab, who is this owned by? It's owned by TrustedInstaller. So normally, if I'm a normal user, I can't just go in here and be like "hey lmao, make a new file" or whatever; if I want to make a new folder, it's going to have to go through this escalation. You see: "you need to provide administrator permission to delete this folder." If I wasn't admin on my laptop, I wouldn't be able to delete stuff in Program Files. Obviously that makes sense, because Program Files is like a global thing; these programs are shared by everyone that's using this laptop. For me it's a single-user system, but if you imagine you have a workstation that has maybe three users sharing it, you don't want one guy to go in there and delete Google Chrome or something, or, even worse, you don't want someone to go in there and backdoor Google Chrome to log everyone's passwords. So that's an example of why certain files need to have different permissions. Obviously this is very basic stuff they teach you in your very first information security class. Now we're up to speed on basically how permissions on contemporary operating systems work. For example, this is my desktop in my home directory; this is my personal desktop, so obviously I have permission to write stuff here. Does this make sense to everyone? Now I'm going to talk about... okay, I guess just one
more example to drive the point home. If I open Notepad, I cannot go and edit, say, C:\Windows\System32\drivers\etc\hosts; I can't edit my hosts file normally. If I try to save it, it's not going to work. But if I run Notepad as admin, then I can save my hosts file.

Okay, so on Linux. I'm SSH'd into a Linux box right now; this is an Ubuntu box, a pretty typical Linux. The way Ubuntu does permissions is very similar to Windows, actually. Or not totally similar, but conceptually, at a very high level, it's the same kind of idea I just showed you earlier. For example, if I drop to an unprivileged user, now whoami says I'm just an unprivileged user and I'm not an admin. If I try to list the contents of the root user's home directory, those are obviously private because they belong to a different user. That's an example of one thing I can't do as a non-privileged user: root owns this folder, so that means root can read this but nobody else can; there are no permissions for everyone else. Another thing I cannot do as an unprivileged user is look at other people's passwords. I can't show the password file, because the passwords are private; that's secure data. You see that it does not have read permissions for me, whereas if I make, let's say, a file for myself, it does have read permissions for me and it's also owned by me. So this password file, called the shadow file, is owned by root and not by me, so obviously I cannot read it, and if I make a file for myself I do have permissions and I can read it. Does that make sense? So this is how permissions translate to Linux.

Another example is critical system utilities, like maybe ls, because ls is just a program on this computer; ls is the command that lists the files in a directory. So if I find out where /bin/ls is, okay, the program is running off of this file. Whoops. It would be pretty bad if, as an
unprivileged user, I could just, you know, backdoor this ls. So obviously if I try to modify this file, it's going to be like "permission denied." Likewise, there's also a file on Linux, ls -l /etc/passwd; this is the file that stores the user data. This is like all the entries of who is a user, what is their user ID, and what permissions do they have. So this file is very system-critical. As a normal user, if I try to edit this file, and let's say I just try to add a new user, it's going to say it's unwritable and permission denied. So I think I've driven the point home. I know you guys aren't stupid; these are just examples of how permissions work.

You remember from earlier when I tried to run Notepad as admin, it's going to give me "do you want to do the thing" or whatever, and since I'm an admin user it's not going to ask me for my password on my laptop, but if I was not an admin user it's going to ask me for my password. Similarly on Linux, if I try to do some operations as admin, the way that's done in Linux is to use sudo, which stands for "superuser do": you do the thing as the superuser. Okay, here it's not even giving me the password prompt, because I'm not even an administrative user, so it's going to reject me right away; it's not going to let me do the thing. On other systems, if I try to become root, it's going to ask me for a password. So that's an example of what sudo does. Essentially it's like temporarily switching to administrative mode, basically running something as admin. Does that make sense? So that's what sudo does. That's why sudo is so important: it's essentially a gateway to become the administrative user to perform some kind of task; it's basically letting you run something as admin. So if you found some kind of flaw in sudo which let you do whatever you want as admin with no kind of proper access control, that would totally bypass all the permissions and access control
in the system. How do you guys think sudo works? Because if I am an admin user... I guess I'm just going to add myself to sudoers real fast. I think it's usermod -a -G. Okay, yeah, usermod -a -G wheel... I mean, okay. Okay, yeah, so now I should have the sudo privilege. Oh, okay, or maybe not. I mean, maybe I'm just stupid. Oh, that's right, I need to re-log. Okay, there we go. Now I'm an administrative user, because I have the sudo privilege; I'm in the sudo group, which is like the admin group. What I did earlier is usermod -a -G sudo meme, which is "modify my user meme to add myself to the group sudo." If you're wondering how I memorize all these commands, it's because I have no life.

So now that I'm a sudo user, or administrative user, on Linux, if I try to do sudo, it's going to let me do the thing. I can do sudo ls, I can do sudo whoami, and you see now when I run whoami as root, I am root. Or sudo id, stuff like that. So that's how sudo works: it basically temporarily switches your user to root to run a command. When you do sudo... my user ID normally is 1001, which is not a privileged user, but if I do sudo id, it's going to temporarily switch me to root and then run the command that I give it. So if I do sudo ls /etc/passwd or /etc/shadow, or maybe sudo cat /etc/shadow, it's going to actually let me read that file, whereas if I do that normally I'm not going to have the privilege to do it, because shadow is owned by root, and since I'm temporarily switching to root, that means I have the privilege to read that file because it's owned by root. So you can think of sudo as basically like running as admin, and if I do sudo su, that's like running a command prompt as admin; you get a whole shell as root.

Now I have a question for the chat: how do you guys think sudo actually works? Because to become an admin, how do
you escalate privileges? It seems pretty simple to drop privileges: if you're a root user, you just log in as a low privileged user. But how come, as a low privileged user, you are able to mysteriously become an admin? If you think about it, that seems kind of strange, isn't it? Because if any unprivileged user can become an admin, that's obviously no good. So then how does the system know who can become admin, and also when are these checks performed? Because if we think about it, for example, the configuration for who is an admin is partially in /etc/sudoers, but a low privileged user can't even read that file. The database of who has admin privileges is stored in a privileged file. So to switch to admin mode you obviously have to check whether you're an admin in this sudoers file, but how can a low privileged user make that check before they switch to admin mode? So there seems to be some kind of chicken-and-egg problem.

To illustrate, I will use MS Paint, my favorite program. The chicken-and-egg problem here is: sudoers is owned by root, so we can't read it, but we need to read it before we become admin so we can check if we're authorized or not. So there's this loop here, basically, because this problem causes this problem. So there needs to be some kind of way to break this dependency chain. The first problem is it's not owned by us, so we can't read it; the second problem is we need to read it to become admin. The way that Linux breaks this loop is that it has the concept of SUID, or the setuid bit. I'll show you how sudo works. sudo is just another command on the computer, so which sudo... it's running off this file on the file system. Oh wow, it's red. Red means scary. So the way this works is, if you'll notice, there's this s bit in the permissions field,
whereas all the other files don't have that. So this s bit is very special. This s stands for setuid. sudo is very important; that's why it gets the SUID bit. setuid is essentially how they break this loop I was talking about earlier. The way that SUID works is that when you run sudo, it actually doesn't perform any checks at all; it just directly elevates you to UID 0, which is root. Any program that's marked SUID (this SUID bit right here) will immediately switch to the user ID of whoever owns that file. So when I run sudo, because this sudo file on the hard drive is owned by root, the system is going to immediately switch me to UID 0, which equals root, without any checks at all yet. So that's very dangerous, right? Does that make sense to everyone?

Now I'm an unprivileged user; I'm daemon, UID 2, which is not privileged. If I run sudo su, now sudo is running, and if I do a process list for all the processes on this system and grep for the sudo process, you can see that sudo is actually running as root already, before even authenticating me. I haven't even put in the password yet, but this process is already running as root, even though I started it as a low privileged user and I didn't authenticate anything yet. Does that make sense? And I'm going to fail the password prompt, and it's going to give me three tries and waste my time, and it just drops and doesn't let me authenticate. So it's technically okay to switch to root immediately, because the idea is that we trust this sudo program to be, you know, correct and not vulnerable and not hackable and not bypassable. We're basically trusting this sudo program to not have any backdoors in it, or any bypasses in it that let us get past the authentication. We're basically trusting this sudo binary to be a
gatekeeper of the system. Does that make sense? So essentially we have this world which is like unprivileged, and then we have this privileged world, which is root. And then there's going to be a big gate, and maybe the gate has some spires on it, and then there's a security guard. The security guard is Mr. sudo. That's the deal. So I am meme, my user is 1001, and this is root. Does this make sense? To get through this gate we have to pass through the sudo program, and we trust sudo to do his job. We hope that we cannot just walk around him; we have to go through Mr. sudo to become root when we're doing this setuid. Oh, and Mr. sudo, he has the setuid. So we're basically trusting sudo to not screw up and let us just walk around him. If we could do something like this and just go around him, that'd be very bad, because then that would let us escalate privileges on the system for free. So we're basically trusting sudo to not screw up.

setuid is used on Linux basically whenever you need to let an unprivileged user do something that is normally privileged, but in a way that you think is safe and contained, essentially like it can't possibly go tits up, because if it goes tits up, then that would be very bad. Another example of a setuid binary, and this might be surprising to you: do you guys know what ping is? You ping IP addresses, ping a website to see if it's up. So obviously any user can just ping something, because it's just ping; what can you do with that? Okay, so on a lot of systems ping is actually a SUID
binary, because to use ping you have to use these things called raw sockets, which are normally not available to low privileged users. But ping is just ping, so we trust ping to not screw up and let the user do something super violent and aggressive, you know, something that can be used to exploit the system. So that's why /bin/ping is SUID; we basically trust ping to not screw up and not let the user exploit the system using it.

Now, an example of a SUID screw-up: nano is just a text editor. I can open files, I can save files, I can write files. A big screw-up is if I take nano (where is nano?) and I just make a copy of it. I don't know, let's just put it... I'll just call it lol. So now I have this copy of nano in this lol, owned by root. It says nano, it says text editor; there's no screw-up yet. A big screw-up is if I add the SUID bit to lol, and it's owned by root. So imagine if I am a low privileged user like, okay, I'm daemon, and now guess what: now I can just run lol, and now we have a text editor that's running as root, and I can do whatever I want. So now there's just a text editor running as root with root privileges. For example, I can just open /etc/passwd, and you notice it didn't say "not writable." Now I can just add a user here; let's just say I'm going to change my user ID to zero and become root. That is free real estate. So that was a big screw-up, because nano is something that lets users do a whole lot of stuff, and one of those things is escalate privileges on the system. So that's very bad. Now if I do this... okay, it's giving me a hard time... now I'm root, even though I'm running as daemon. So that's pretty not great. Oh, I'm going to undo that change. But that's an example of a setuid screw-up. So you can see how SUID binaries need to be very trustworthy and not screw up. Do you guys see how that works? So what happened earlier is now we
have, maybe, like, when we made nano SUID, that was a big screw-up; it's like, ah, there's a big hole in the gate. Got him. So that's why we cannot make SUID binaries that are vulnerable. But if there is a vulnerability in a SUID program, to me as an attacker (my hat, my shirt even says HackerOne on it), as an attacker I'm like, ah, that's free real estate. I can just do the SUID screw-up and we can become root even though we shouldn't be. Okay, and I should probably remove myself from that group. Is it in /etc/group? Yeah, okay, easy clap. Okay, so I'm no longer an administrative user.

So I'm going to show you what tonight's lecture is actually about. All of that up to now is the setup for what is SUID, what are privileges, and all that. Now we're going to get to the really juicy part. Oh, and by the way, the setuid screw-up I told you about: if you're an attacker, and you do, for example, audit systems and penetration testing, when you land a shell on a box, when you get your first little shitty shell on the box and you're some low privileged user like maybe www-data or apache or something like that, you're like, wow, it would be really great if I could become root on this box. One thing you can do is look on the system for a big SUID screw-up. You can run a command to basically find all the SUID binaries, and then you can go through each of them and be like, oh wow, this one should not be SUID; I can use this to escalate privileges on the system. And a lot of times, for some reason, people just screw it up, and there's this SUID binary chilling around that really shouldn't be SUID, and then you can use that to escalate. This happens all the time. And another thing that happens is, let's say you're doing a pen test and you land a shell on the box, and one thing that's really funny is
when you notice somebody else has put a bad binary there, for whatever reason, as like a backdoor. For example, if I wanted to make a backdoor, this is how I would make a backdoor: I would just go to /bin and I would just take maybe sh or ash or bash, and I can just do chmod +s bash, and then every shell on the system is now setuid. That's one way you can make a backdoor. A really funny thing is when you get a shell on a system and you realize somebody else has already been there before, some other attacker has already hacked this system, and you just find their backdoor chilling around; you just find their SUID backdoors chilling there. That's really funny.

So we trust Mr. sudo here to not screw up and not make the system insecure. So we obviously need to make it so that even if we are very rude to Mr. sudo, Mr. sudo should not be vulnerable to the attack. Mr. sudo needs to be very good at defending himself. You cannot have, you know, a buffer overflow or something like a command injection; that's very bad, we cannot have that. So from Mr. sudo we expect very high reliability. We do not want him to crash, we do not want him to buffer overflow, we don't want him to segfault.

But recently, about two weeks ago, there was a new disclosure from Qualys about the fact that sudo does have a big vulnerability in it. We can crash sudo; we can even buffer overflow sudo. I'll show you that right now. Watch this; it's as simple as this. So I'm an unprivileged user. Now watch this, this is the trick: I'm going to run sudo with some fancy arguments. This is not so bad. Now watch what happens if I do this and add a bunch of A's. It's about to get really spicy with a bunch of A's. Uh, okay, oh, that's right, it needs to be sudoedit. sudoedit is like sudo's cousin, you can think of it like that. sudoedit actually is just a link to sudo, but with a
different name. So anyway, we can run sudoedit with a big A, and uh oh, we got "double free or corruption." So we just did memory corruption on sudo. That is very bad. Also, I can show you the big A at the end and it will have a different crash, I think. Okay, yeah, and depending on how many A's we give it, it will exhibit different types of crashes. So this is very interesting. I thought Mr. sudo was not supposed to mess up like this. So depending on how many A's we give it... that's really interesting. And maybe I put the A's here; I'm very curious, I wonder what will happen if I make the big A's.

If you read the advisory, essentially what's happening is the code for parsing the command line arguments to sudo, which are specified by an untrusted, unprivileged user, the code for parsing the parameters essentially has a bug in it. They have an off-by-one error that leads to a buffer overflow. What that means is the program is only allocating this much space in memory for the arguments, but then you can smash it and go way past the end of the buffer and just overwrite whatever is next to it in memory with whatever you want. That is very cool. If there is, let's say, a data structure containing whether you're authorized or not, you can smash that with "oh yes, I am authorized." If there's a function pointer, you could smash that with a function pointer that gives you a shell. And if there is, you know, a file name there, maybe you can smash that file name to point to some file that you control and do some very interesting memes with that. Does that make sense to everyone, why buffer overflow memory corruption is very dangerous? When you have memory corruption, it basically means that the program has no more guarantees anymore, because you can basically just manipulate the memory
in whatever way is convenient for the attacker to do whatever you need to do. Does that make sense? Okay, so how the attack works is essentially like this. Smash that like button, yeah; don't forget to like and subscribe, ring the bell, all notifications on. So how this vulnerability works is that this trailing semicolon is what causes the bug, so we always need that to be there. The number of A's before the semicolon, or just the arguments in total, controls the size of the buffer that we are going to overflow. So if I allocate like this, it's going to make enough space for the -s and the A's and the backslash, so it's going to allocate a buffer of size... one, two, three, four... it's going to allocate a buffer of size seven, which gets rounded up to sixteen. But yeah, that's just details. It's going to allocate a buffer of whatever size based on how big the arguments are, and all the stuff in the environment that comes before the sudo, that is all the stuff that will get overflowed past the end of the buffer. So this is the size of our arguments, and this is the size of the environment variables that we can use to overflow that buffer. So this is all the stuff that we're smashing. A lot of times you just give a big number of A's and the program crashes. Well, that used to be more the case, like maybe 10 or 15 years ago, and then people really started getting their act together, but this still happens from time to time, and in critical programs like sudo too. So that's very funny, very cool.

Another reason I wanted to show this exploit is because it's shameless self-promotion: I actually wrote one of the proof of concepts for this vulnerability as soon as it came out, which is very fun, because nobody has patched it yet. Basically very few people have patched this, because it came out two weeks ago and nobody updates their system still. So that's pretty funny. So a lot of
boxes are still vulnerable to this. I'll show you the exploit for it. One of the ways you can exploit this is essentially you overwrite a file name, and that file name is the file name for a file that sudo creates every time you run sudo. Normally it's supposed to go to some standard, expected location, but if you overwrite that file name with something bad, then you can just make sudo create whatever file as root, which is very interesting. So I'll show you that. I just compiled my exploit. Okay, yeah, so if I run my exploit... I just have to do this: I'm going to back up my passwd file, because I'm going to mess it up using the exploit. So what I'm going to do is I'll run the exploit first, just to show the very obvious effect. Okay, now I got sudo, I did the memory corruption, I smashed a file name that was chilling in sudo's memory and replaced it with "lmao big chungus" and then a bunch of garbage. So if you'll notice, all these directories are actually created as root. Can I stop this? Okay, yeah, so all these directories... okay, not all of them are created as root, but some of them are created as root, which is very, very interesting, because I should not be able to create files and directories as root, as an unprivileged user, obviously. Because if I can create stuff as root, then I could probably overwrite some very important file. Does that make sense? Or at the very least, I can make some files that you can't delete, because they're owned by root. So obviously sudo should not be making directories called "lmao big chungus." What actually goes on is that it's going to write a file with the name of the current user, and it's going to write some stuff to that file. What it writes to it is not really important; all you have to know is that it's controllable by
us. We can control what gets written to that file using our memory corruption. So it's going to write to a file called "lmao big chungus," and inside that directory it's going to make a file called meme, because my current user is meme, and it's going to write some stuff that we control into that file. That's pretty cool and all, but how can I use this, you know, to really do some bad stuff? What we're going to do is basically make a link to the passwd file on the system; that's the file that has the list of all the users and their details and their user IDs. So we're going to just make a link to the passwd file, and we're going to try to trick sudo into writing the stuff that we control into this passwd file, and we can just put whatever we want in there, and then that will let us essentially make new users or give ourselves a user ID equal to zero. So that's the game plan: we're going to trick sudo into writing some stuff that we control, to make ourselves admin by writing into this very important file. We use the symlink because it always writes this file name, and it does not like it if we try to write to /etc/passwd directly. That's just one of the things for the attack that has to work.

Also, it's like a race condition; it's like a time-based thing. We're trying to do the thing right as sudo does it, to basically pull the rug out from under sudo as it's doing its thing. sudo doesn't like to write to stuff that is not owned by root, because that's like, oh, it's not safe. So what we're going to do is... it's first going to do the check. This is called a time-of-check/time-of-use vulnerability, by the way. TOCTOU stands for time of check versus time of use. So sudo tries its very, very best not to screw up, because it tries to be very secure; it tries its very best,
but it does have a mistake in it. This is another mistake, apart from the memory corruption; this is the second mistake that we're going to leverage in sudo. First, sudo is going to check if the file, the timestamp file, the one we're overwriting, is owned by root, and it's like, if not root, fail; but if root, write. So in theory this is secure, because as an unprivileged user I cannot make this link to the passwd file, the very important file. I cannot make the link, because this link is owned by me and it does not like that. So if we're just doing this normally, first our attacker is going to make the bad link. (A link, by the way, is just like a shortcut: whenever you reference that file, it references the destination file. If I ls it... if I just cat that, okay, it's wasting my time; if I cat that, it's going to give me whatever is in the destination file. It's basically like a shortcut.) So we're going to make the bad link, and then sudo will be like, "this file is not owned by root, so we're just going to fail and not do the write." So then we cannot exploit it. But what if we do something like this? What if we do it right as soon as it's making that check? We're going to let sudo check the thing first; it's like, ah, it doesn't exist, okay, okay. And then, before it can write, now we make the bad link. Now we make the bad link, right, to the passwd file.

And actually TOCTOU is a very important concept in security. TOCTOU happens in all kinds of applications, not just sudo, not even just C programs, not even just Linux programs; it happens all over the place. It happens in the Linux kernel, it happens in the Windows kernel, it happens in web applications. Basically, any time that you have this
anti-pattern, the attacker can just slip in here after the check happens, the check to make sure the bad thing's not going on, and just do the bad thing after the check but before the use. So that's why it's very important: the solution to TOCTOU is you have to do this all atomically, meaning you do the check and the write in the same atomic operation, so there's no way for the attacker to jam in there and do the thing. But normally that's very tricky and very hard to do, so that's why you see TOCTOU happen all over the place, because doing it atomically is just like a lot of work. Like, why do it properly if I can just, you know, make the TOCTOU vulnerability? Like, okay, I'm not paid to make this secure, like, come on, right? So TOCTOU is something that happens all over the place, and we're going to be using this TOCTOU mistake, this TOCTOU bug in sudo, to do our bad attack. So our first mistake was the heap overflow; the second mistake is TOCTOU. Granted, this second TOCTOU is not normally a big deal if it wasn't for the heap overflow, but it's still a weakness that we can leverage either way, right?

So that's why we have to try like a bajillion times. Each of these folders is me running, is the exploit running sudo one time. The reason we have to try a bajillion times is because we have no idea when it's going to do the check, so we're basically going to run sudo and just wait a little bit and hope that we get the timing right. Does that make sense? So in the exploit code you can actually see that I wait for 10 milliseconds, or 10,000 microseconds. What I do is I run sudo in the background, okay, I run sudo in the background, and I wait for 10 milliseconds and I just hope that we got the timing right, and then we try to make the bad link. Does that make sense? Do you see how this is going on in the code? We're going to run sudo in the background with fork, we're going to fork the
background, we're going to run sudo, and we're going to wait for 10 milliseconds, because maybe it'll just work, maybe that is just the right time. On some systems it might be 20 milliseconds, on some systems it might be 5 milliseconds, depends how fast the computer is. That's pretty funny, the exploit is not reliable. But anyways, we just hope that after 10 milliseconds, okay, maybe 10 milliseconds later it's past the check but it didn't do the write yet, so we wait 10 milliseconds and then we make the bad link. Okay, so does everyone see what's going on here now? Okay, obviously it's not reliable, because, you know, waiting for 10 milliseconds is kind of... because, you know, somebody might have run a process and now there's more CPU load, and the CPU is like "ah, there's more work", so processes run a little bit slower because there's more processes running. So it's kind of not reliable, it's kind of luck-based, but if you just run it like a bajillion times, at least one of those times has to succeed, right? So that's the big idea: we're going to run it a bajillion times and try to get our race condition to succeed. This is called a race condition because you're racing two tasks, right: you have one exploit guy running this way, and then you have sudo running at the same time, so it's a race: see, oh, can we get there first? And race conditions are just so fun to exploit. As an exploit developer I just love writing race condition exploits, because I just love it when I have no idea whether my timing is wrong or my exploit is wrong. It's so much fun to write race condition exploits.

Okay, so first I need to clean up all this [...] that the previous attempt left behind, but now I'm just going to run the exploit and hopefully it'll work. Okay, let's do the thang, let's see if it works. I hope
it works. It should work. Ah, "target file has a bruh moment", success! Okay, so do you guys remember what /etc/passwd looks like before? This is what /etc/passwd looks like before, okay. Now let's look at what /etc/passwd looks like after. So this is after our target file /etc/passwd had a bruh moment. Ah, there is some [...] here, that's just, you know, some random memory from the process that we leaked, no way around that, and then there's the contents that we specified. So this is all the [...] that we control, we told it to write some bad [...] in here, and look at this: "I am meme". Normally, what was the old password like? The old password was meme with user ID 1001, which is not root, but now our password is a bunch of the normal password and then the meme, which is my user, with user ID 0, okay, user ID 0, so now we're root, right, and then some [...] at the end too. So if I run bash again and I do meme with ID 0, poggers, and I can even edit a privileged file. And now I'm going to un-fuck-up my system because that is not cool.

So yeah, that is how the exploit works. I just walked you through a real-world exploit that is, you know, still possible on a lot of systems; like, I would say probably at least 50 percent of systems do not have this patch. So, uh, yeah, not saying... uh, you know, use this knowledge ethically, I'm not responsible for whatever stupid [...] you get yourself into, but yeah, that's pretty poggers. Okay, you can escalate from unprivileged user to a privileged user using this exploit on Ubuntu 18.0 for 24.04. There's, you know, proof of concepts for this exploit on GitHub: you just literally download the exploit, you compile it, you run it, you just get root. It's very cool, it's very pog, it's very poggers, PogChamp.

Okay, answering questions. "So is the goal to have the bad link made at the exact time it takes to check the sudo?" Yes, exactly right, because sudo is going to make sure the bad link does not exist, but if we make the thing right
after it does the check but before it actually uses that file name, then that's gucci. Does this make sense? So we're basically racing it to make sure that happens at the exact right time, because, right, think about what happens if it happens too early. Let's say we make the bad link too early; then it's going to be like "oh well, it exists and it's not owned by root, so we're going to fail". So that's what happens if we make it too early: if we make it too early it's going to not satisfy this check and it gets angry, it's going to fail, okay. And then let's say we make the bad link too late. If we make the bad link too late, it's going to write the [...] before it even uses our link, because it's not even there, we didn't make it yet. So that's what happens if we make our bad link too late. If we make it just right, then it will bypass the check but also be used by the write.

"How to heap overflow?" Uh, okay, okay, let me tell you about explaining this bug. This is so piece of [...]. I did this for three days; I worked on this bug for like 10 hours a day for three days. I skipped all my lectures and all my homework too. So heap overflows are insanely, you know, tricky to exploit, they're very, very hard to explain. What I did was, remember how earlier I was just making a random number of A's? So first of all I wrote a program to automate trying out different numbers of A's. It's like, oh, if I make 100, 850 A's here and, you know, 30 A's there, what will happen? Okay, what if I use B's instead of A's? Okay, so I made a fuzzer to basically automate that, and I would take the crash dumps from sudo, called core files, and it would load them into a debugger, GDB, and would parse those core files to see where it crashed and what the backtrace was. And then I went through all those crash logs to see which crashes are interesting: oh, this crashes in a very, you know, very interesting location, it's a very interesting place for it to crash, very, very interesting spot for it to crash, because I overrode some
very juicy reducer data, right. So I basically went through all those and, uh, it didn't work, I didn't find any interesting crash logs. Then on the fourth day I was just trying random [...] out, and I did find this one, and I was like "oh, PogChamp, I can use this", and then we use that, and that's the PoC. So basically I just tried random [...] until it worked. Uh, this happens all the time actually, it's called fuzzing. It's actually a big field of research in security right now: you just try random [...] and see if it crashes in a bad way, or see if it crashes in general. Yeah, that is called fuzzing. You should just try random [...], just try random [...]. So in summary, we basically went to Mr. Sudo and we just, you know, kicked the [...] out of him, we just kicked the [...] out of him, and then we got the privilege. That's basically what happened. Okay, so that's the end of the lecture. Yeah, thanks for coming.
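The check-then-use window the talk describes, as an added example that is not from the talk and not sudo's own source: a small C program of my own that puts the racy pattern (inspect the path, then open the path) beside the atomic form (open with O_NOFOLLOW, then fstat the descriptor you actually got). The names open_owned_racy, open_owned_atomic, run_demo and the in_window hook are hypothetical; the hook stands in for whatever another process manages to do between check and use, so the window can be shown deterministically instead of by sleeping and hoping. The scratch files under /tmp are constructed, "ts" plays the timestamp file, "sensitive" plays /etc/passwd, and the current user's uid stands in for root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use (TOCTOU) pattern: inspect the path, then open the path.
   `in_window` is a hypothetical hook standing in for what another process
   does between the two steps; it exists only so the demo is deterministic. */
int open_owned_racy(const char *path, uid_t owner,
                    void (*in_window)(void *), void *arg) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;                       /* time of check */
    if (!S_ISREG(st.st_mode) || st.st_uid != owner) return -1;  /* "not owned by root? fail" */
    if (in_window) in_window(arg);                              /* the race window */
    return open(path, O_WRONLY | O_APPEND);                     /* time of use: path resolved again */
}

/* Hardened pattern: open first, then inspect what was actually opened.
   O_NOFOLLOW makes open() fail (ELOOP) if the final component is a symlink,
   and fstat() examines the open file description itself, so the object that
   was checked is exactly the object that gets written. */
int open_owned_atomic(const char *path, uid_t owner) {
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scratch layout: "ts" plays the timestamp file, "sensitive"
   plays /etc/passwd, and "link" is a symlink to "sensitive" waiting beside them. */
struct scratch { char dir[64]; char ts[128]; char sensitive[128]; char link[128]; };

static int write_file(const char *p, const char *s) {
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n < 0 ? -1 : 0;
}

static int scratch_init(struct scratch *s) {
    strcpy(s->dir, "/tmp/toctou-demo-XXXXXX");
    if (!mkdtemp(s->dir)) return -1;
    snprintf(s->ts, sizeof s->ts, "%s/ts", s->dir);
    snprintf(s->sensitive, sizeof s->sensitive, "%s/sensitive", s->dir);
    snprintf(s->link, sizeof s->link, "%s/link", s->dir);
    if (write_file(s->ts, "") != 0 || write_file(s->sensitive, "original\n") != 0) return -1;
    return symlink(s->sensitive, s->link);
}

/* What lands inside the window: rename() atomically swaps the symlink over
   the timestamp path, so "ts" now resolves to "sensitive". */
static void swap_in_symlink(void *arg) {
    struct scratch *s = arg;
    if (rename(s->link, s->ts) != 0) perror("rename");
}

/* 1 if fd refers to the same inode as path, else 0. */
static int fd_is_file(int fd, const char *path) {
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0) return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Runs both variants against the same swap. Returns -1 on setup failure,
   otherwise a bitmask: bit 0 = racy variant ended up writing into "sensitive",
   bit 1 = atomic variant refused the symlinked path. A correct run gives 3. */
int run_demo(void) {
    struct scratch s;
    if (scratch_init(&s) != 0) return -1;
    uid_t me = getuid();
    int result = 0;

    int fd = open_owned_racy(s.ts, me, swap_in_symlink, &s);
    if (fd >= 0) {
        if (fd_is_file(fd, s.sensitive)) result |= 1;
        ssize_t w = write(fd, "tampered\n", 9);   /* lands in "sensitive", not "ts" */
        (void)w;
        close(fd);
    }

    /* The symlink is still sitting at the timestamp path. */
    int fd2 = open_owned_atomic(s.ts, me);
    if (fd2 < 0) result |= 2; else close(fd2);

    unlink(s.ts); unlink(s.sensitive); unlink(s.link); rmdir(s.dir);
    return result;
}

int main(void) {
    int r = run_demo();
    if (r < 0) { perror("setup"); return 1; }
    printf("check-then-use wrote through the symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("open-then-fstat refused the symlink:      %s\n", (r & 2) ? "yes" : "no");
    return 0;
}
```

The point the demo makes is the one the talk makes in words: lstat() on a path and open() on the same path are two separate lookups, and anything that changes the directory entry between them wins. Opening first and then fstat()-ing the descriptor collapses check and use onto one object, and O_NOFOLLOW closes the specific symlink trick; that is the shape of fix a defender looks for when auditing privileged code that writes under directories other users can reach.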
Info
Channel: BasteG0d69
Views: 5,496
Id: 9DQ9zfRtrV8
Length: 44min 16sec (2656 seconds)
Published: Thu Jun 10 2021