War Stories: Unix Security
This article is Part 8 in a 12-Part Series.
- Part 1 - War Stories: Loops that Permanently Broke the Network
- Part 2 - War Stories: Switches Lying about Duplex Mismatches
- Part 3 - War Stories: Check Point Meltdown
- Part 4 - War Stories: Dual-Vendor Firewall Strategy
- Part 5 - War Stories: Proxy ARP Auto-Configuration
- Part 6 - War Stories: Gratuitous ARP and VRRP
- Part 7 - War Stories: Cursed VLANs
- Part 8 - This Article
- Part 9 - War Stories: ITIL Process vs Practice
- Part 10 - War Stories: Closing out Projects
- Part 11 - War Stories: Backup NICs, DNS and AD
- Part 12 - War Stories: Always Check Your Inputs
A different kind of war story this time: Unix security blunders. Old-school Unix-types will mutter about how much more secure Unix systems are than Windows, but that glosses over a lot. In a former life I worked as an HP-UX sysadmin, and I saw some shocking default configurations. I liked HP-UX - so much better laid out than Solaris - but it was very insecure by default. Here’s a few things I’ve come across:
Gaining Root
We’d lost the root password for a test HP-UX server. We had user access, but not root. The server was located in a different DC, and we didn’t really feel like going and plugging in a console cable to reset the root password. So we started looking around at how we might get access. After a while I found these two things:
- root’s home directory was
/- this was the default on HP-UX - The Remote Login service was running
And now for the kicker:
1
2
hpux lhill$ ls -ld /
drwxrwxrwx 30 root wheel 1020 1 Nov 13:57 /
Put those together, and you can see it’s easy to gain root. All we needed to do was create /.rhosts, and add whatever we wanted. We set it up to allow root login from another server, and bingo - remote access as root. Saved a trip out to the DC.
World-writable directories in $PATH
Another classic mistake was the permissions for /usr/local/bin:
1
2
hpux lhill$ ls -ld /usr/local/bin
drwxrwxrwx 30 root wheel 1020 1 Nov 13:57 /usr/local/bin
Can you see the problem here? Yup - any user can add executable they like to /usr/local/bin, and then you just need to trick someone into running it. A classic typo is to run mroe instead of more - so what would happen if we put a script called mroe into /usr/local/bin? We could put whatever commands we wanted in there.
1
2
3
4
5
6
7
8
#!/bin/sh
if [ $(whoami) -eq "root" ]
then
# Do_bad_stuff
fi
echo
echo "-sh: $0: command not found" >&2
exit 127
The malicious commands might involve creating a new user, with UID 0. Now all we have to do is wait for an admin to make a typo, and we’ve got root access.
Chargen vs Echo
HP-UX shipped with both chargen and echo enabled by default. One service that responds to connections with a random character, the other one echoes back whatever it receives. So think about what happens if you fake a packet with a source of chargen and a destination of echo? Fun times. Lucky that one’s easy to see with an IPS. Sure, things aren’t perfect with other Operating Systems. But next time someone starts going on about how great Unix security is, just remember that it wasn’t always true.