Hello, Khabrovites. On the eve of the start of the course “Administrator Linux. Professional “ our expert, Alexander Kolesnikov, has prepared an interesting article, which we are happy to share with you.
We also invite future students and everyone who wants to attend an open lesson on the topic “Methods and Features for Debugging Bash Shell Scripts.”
The Linux operating system has proven to the world all the power of open source projects – thanks to it, today we have the opportunity to look into the source code of a working operating system and, on its basis, assemble our own system for solving certain problems. Due to its openness, Linux was supposed to become the most secure operating system in the world, since open source allows developing and improving subsystems for protecting against attacks on the operating system and improving the operating system itself. Indeed, at the moment there are a large number of community-created protections: today it is simply not so easy to exploit buffer overflow vulnerabilities to gain elevated privileges in the same way as 20 years ago. Nevertheless, today you can find exploits in the public domain that can elevate user privileges even on the latest versions of the kernel. Let’s take a look at how it works and why it happens in this article. We’ll go through the main components of exploits and see how some of them work.
All information provided has been collected for informational purposes only.
Let us choose a general term by which we will denote what is exploit – an algorithm that disrupts the normal functioning of the operating system, namely, access control mechanisms. We also introduce the concept vulnerabilities Is a software imperfection that can be exploited by the exploit algorithm. Without vulnerability, an exploit cannot exist.
Let’s introduce a classification of exploits. The basic division of exploits into subgroups for any operating system begins at the architecture level. Operating systems today include at least 2 levels of privileges that they use for their work. Below is a figure that illustrates the separation of privileges. Picture taken from here…
The picture very clearly shows that the operating system has a Kernel Space level, usually this is the most privileged mode, this is where what we call the operating system is. And the second level is User Space: this is where the usual applications and services that we use every day are launched.
Historically, vulnerabilities can be found for each of the above levels, for which an exploit can be created, but exploits for each of the levels have their own limitations.
At the user level, any exploit that affects the application will have exactly the same privileges that the user who launched the affected application used. Therefore, this type of exploit allows full control over the OS only if the application is launched by the system administrator. In contrast to the user level, kernel levelif it contains vulnerable code, it can immediately give the ability to manage the operating system with maximum privileges. Below we will focus on investigating these exploits.
Let us present a small statistics on the disclosure of vulnerabilities for the Linux kernel of the Debian, SUSE, Ubuntu, Arch Linux distributions of the last 4 years.
Data taken from here… The picture does not claim to be complete, but it shows that there are a lot of vulnerabilities, and even today there is plenty to choose from for building an exploit. Let’s try to describe what an exploit is.
Any exploit for any level of the operating system today consists of parts that must be implemented in its code:
1) Setting the required memory display
2) Creating the necessary objects in the OS
3) Bypassing OS protection mechanisms for the vulnerability used
Calling the vulnerable part of the software.
1) To open access to the OS
2) To change the OS configuration
3) To disable the OS
By following all the points above, you can write a workable exploit. Let’s take a few exploits from past years for research and try to find out if we can find any patterns or borrowings that are used to violate access control in the Linux operating system. As objects of research, let’s take exploits that exploit the following vulnerabilities with CVE identifiers:
CVE-2020-8835 RIt applies to the Linux kernel from version 5.5.0. Vulnerability is in technology implementation
ebpf… The technology was developed to enable the user to create custom handlers to filter network traffic. The main component for performing filtering is a virtual machine with its own set of commands. The code that is executed by the virtual machine lives in the kernel: a bug in this code gives the attacker the ability to work with memory with maximum privileges. In the case of the described vulnerability, the problem was that 32-bit instruction processing operations were not processed correctly, and the virtual machine could write and read data in the kernel’s RAM.
How the exploit author exploits this vulnerability and what payload is being executed will be discussed further.
The next part of the code is responsible for this stage.
Line 394 – create an object in memory that will store the command data for
ebpf… Line 400 loads code into memory that will be executed in the virtual machine and will violate the conditions for processing 32-bit commands. Memory preparation is over, the following lines will create a socket object, which will ensure that the loaded commands are called for
bpf… After that, the stage of invoking the vulnerability will begin.
Calling vulnerable code
Calling the vulnerable code, or rather, working with the commands of the virtual machine, is carried out from lines 423 to 441. The main task of this code is to get the base address of the structure that is in memory, in this case it is the heap of the process. Once these commands are executed, the exploit will be able to detect data in memory that the operating system uses to control access control. In Linux operating system, this data is stored in the structure
The payload of this exploit is that after it is executed, you can start a process with user rights.
root… To do this, the exploit code modifies the fields of the Linux kernel structure –
cred this is the structure that goes into the structure
taskstruct… Structure source code
cred can be found here…
Actions to modify fields
struct cred can be seen on the lines
472,473,474… That is, this action clears the value
uid, gid, sgid the process being created. From the OS point of view, this is setting the identifier values that are usually used
root… The method is very similar to the one used to attack the Windows operating system.
You can protect yourself without updating the OS if you make the following changes to the config:
sudo sysctl kernel.unprivilegedbpfdisabled=1
CVE-2020-27194 – again vulnerability in
ebpf… Available for kernel versions 5.8. *. The creators of this technology joke that
The exploit designed to exploit the described vulnerability performs the same operations as the CVE-2020-8835 exploit. The exploit algorithm is as follows:
Load code with processing 64-bit operations into memory
Create a socket and send data to invoke commands
Find the address of a structure in memory
taskstructby executing commands in a virtual machine
uid,gid,sgidand start an interactive shell.
The author wrote the source code with new features and additional functions. We invite the reader to take a look at the code for himself. The above stages of the exploit operation will not let you get confused.
Protection against this vulnerability without using the update is the same:
sudo sysctl kernel.unprivilegedbpf_disabled=1
What’s the bottom line?
Based on the two exploits that were discussed in the article, it can be assumed that privilege escalation in modern Linux is no longer the dark magic of programming, but a completely debugged boilerplate process that includes the reuse of functions and objects in RAM. In this case, you do not even need to write base-independent (shellcode) code that will perform most of the actions. It is easy enough to change the IDs that are used to assign privileges to users.
Learn more about the course “Administrator Linux. Professional “.
Register for an open lesson “Methods and Features for Debugging Bash Shell Scripts.”
Linux Experiments LAB
How to trust the operating system again. Search for traces of compromise. Analysis of malware
Bypassing terminal restrictions