Apr 11, 2011

--- UNIX Attacks ---

In this article I am going to discuss how to attack a Unix-based system using LOCAL and REMOTE attacks.

Unix Local Attacks

What does it mean?

When you are trying to gain root on a file server, one method to start with is to gain at least limited access on the system. There are a large number of exploits to "exploit the root", but many require that you already have an account on the box. Here is an example:

  • Gain access to server www.saurav.com via the guest account

  • The server is running an older version of Linux

  • Look around on Bugtraq or some other place with exploit code, and find an exploit for one of the outdated or unpatched programs or subsystems.

  • Compile it and run it to become root

How do the exploits work?

There are several different attack techniques you can use from a local account and the handy exploit you are running. Here are a few common ones with simple explanations:

If excessive permissions exist on certain directories and files, these can lead to gaining higher levels of access. For example, if /dev/kmem is writable, it is possible to rewrite your UID to match root's. Another example would be a .rhosts file whose read/write permissions allow anyone to write to it. Yet another example would be a script launched at startup, from cron, or respawned. If this script is editable, you could add commands that run with the same privileges as whoever started the script (for startup rc files, this would be root).
Sometimes you will find scripts (shell or otherwise) that perform certain tasks and run as root. If such a script is writable by your ID, you can edit it and run it. For example, we once found a shutdown script world writable. By adding a few lines at the beginning of the script it was possible to have the script create a root shell in /tmp.
Buffer Overflow
Buffer overflows are typically used to spawn root shells from a process running as root. A buffer overflow can occur when a program has a buffer for user-supplied data and the length of that data is not checked before the program acts upon it. See the next question for more details.
Race Conditions
A race condition is when a program briefly opens a small window of vulnerability that can be abused. For example, a program that alters a sensitive file might use a temporary backup copy of the file during its alteration. If the permissions on that temporary file allow it to be edited, it might be possible to alter it before the program finishes its editing process.
Poor Temp Files
Many programs create temporary files while they run. If a program runs as root and is not careful about where it puts its temp files and what permissions those temp files have, it might be possible to use links (symbolic or hard) to make the program create root-owned files.

Unix Remote Attacks

What are remote attacks?

A remote hack is when you attack a server you are not logged into. Usually this is done from another server, although in some cases you can do it from your PC (it depends on your OS).

Remote hacks come in different ways. Usually exploiting an existing service running on the victim server is the goal. Exporting an NFS mount read/write to anyone might not be a bad thing in itself, but if you can NFS-mount directories containing .rhosts files, then it can be a very bad thing. Also, certain running daemons might be subject to buffer overflows remotely, allowing someone in a remote location to run arbitrary commands on the victim server.

Here is an example:

  1. You are root on a host named saurav.
  2. You discover that the host victim is exporting /home2/old read/writable to the world.
  3. You also discover, by fingering various accounts, that user fred's home directory is /home2/old/fred and he hasn't logged in for months.
  4. Quickly, you create a fred account on saurav.
  5. Now you mount /home2/old and create an .rhosts file to establish trust with saurav.
  6. After you become fred on saurav, you rlogin to the victim as fred.
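Both misconfigurations this article relies on, the world-writable root-run script in the local section and the NFS export that is read/write to every host in the remote example, are easy to audit for. The following is an added example (not code from the original post) with two defender-side checks: the /etc/exports content and the directory tree are constructed samples, and the host name "saurav" is illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): two defender-side audit checks for the
# misconfigurations described above. Sample data is constructed; "saurav" is illustrative.
# Constructed /etc/exports. The first two entries export read/write to every host:
# an empty client field (the classic " (rw)" typo) and the wildcard "*".
EXPORTS_SAMPLE='/home2/old      (rw,sync)
/home2/old2     *(rw)
/srv/pub        *(ro)
/home/fred      saurav(rw,no_root_squash)
# comment line
/export/data    10.0.0.0/24(rw,sync)'
# Print every path exported rw with no host restriction (client "" or "*").
find_world_rw_exports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF < 2 { next }            # path only: exportfs defaults to ro
        {
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                if (match($i, /\(.*\)$/)) {
                    host = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                if ((host == "" || host == "*") && ("," opts ",") ~ /,rw,/)
                    print $1
            }
        }'
}
# Build a constructed tree with one world-writable rc script (the shutdown-script
# case above), one correctly permissioned script, and a 0600 .rhosts.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/init.d" "$d/home/fred"
    printf '#!/bin/sh\necho stopping\n' > "$d/init.d/shutdown"
    chmod 777 "$d/init.d/shutdown"          # the defect: anyone can edit it
    printf '#!/bin/sh\n' > "$d/init.d/ok"
    chmod 755 "$d/init.d/ok"
    printf 'saurav fred\n' > "$d/home/fred/.rhosts"
    chmod 600 "$d/home/fred/.rhosts"
    printf '%s' "$d"
}
# Print regular files under a tree that any user can modify (other-write bit set).
find_world_writable() {
    find "$1" -type f -perm -002 -print
}
# Usage: run both checks against the constructed samples.
find_world_rw_exports "$EXPORTS_SAMPLE"
tree=$(make_sample_tree); find_world_writable "$tree"; rm -rf "$tree"
```

On a real host, point find_world_rw_exports at the contents of /etc/exports and find_world_writable at /etc/init.d, /etc/cron.d and home directories; the fix is to restrict exports to named hosts or networks and to strip the other-write bit from anything root executes.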

References: Wikipedia, nmrc

Happy Hacking
