hackerfantastic.x, May 1, 22 tweets
Lennart Poettering intends to replace "sudo" with systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact "systemd-run" (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new "root" process.
This isn't the only bug of course, it's not possible on Linux to read the environment of a root owned process but as systemd creates a service in the system slice, you can query D-BUS and learn sensitive information passed to the process env, such as API keys or other secrets.
I have only spent a little bit of time digging through the new implementation, I do not see how it is "safer" or more "secure" than existing SUID "sudo" or "su" implementations. It certainly seems to add additional attack surface to Linux as every sudo command is a service.
The exploit above works by hijacking the master end of the pty from the process which is communicating with the root process, it uses "reptyr" - a tool for doing these attacks which were common on UNIX in the 90's. This is just a quick demo to highlight that replacing sudo ends poorly.
@DPA168 @pid_eins I'm not bothering to weaponize this exploit as I'm using it to point out that systemd is undoing decades of UNIX philosophy and security engineering. Linux is not UNIX but it becomes less UNIX-like every day under systemd.
@edu4rdshl @skid9000 Understand the actual bug and then you'll understand the example exploit more easily. It's not the only way to do it but as I don't work for systemd and find the maintainer to be an ass, I'm not giving this further time. Use it if you want, I won't use distros that adopt it.
@ProgrammerDude @pid_eins I fully understand it's returning the properties in the .service file that *every* command run under their "sudo" replacement will create.
"systemd-run --pipe" will reuse your user owned pty with the root process and "systemd-run --pty" will create a new root-owned one, but the root terminal is still accessible through the local user pty. Ptrace used for PoC only to hijack the tty fully. tty/sys gid are not required.
@pid_eins Similarly if you don't understand that a subsystem like ptrace is frequently used by Linux users and just one quick method to reparent a process between tty's to demo a PoC, then I have little further to discuss with you. All future exploits of mine in systemd will be private.
@pid_eins It's also supported behavior in "gdb" with "set inferior-tty" to reparent processes during debugging. Using systemd-run as a sudo replacement enables processes with same-pty elevation as an auth bypass, similarly when debugging is enabled on Linux (common) bypass is from any tty.
@pid_eins You do not need "tty" group to exploit this issue at all, just execution in the same user context that requested elevation via systemd.
@halfline I've no time to debate this with every person on the Internet further, I've shared what I consider to be the issue with two different methods of exploiting it that a new "sudo" which is "safe" and "secure" should take into account. Beyond that, I'm done giving free time to systemd
@halfline This isn't re-writing .bashrc or hijacking the user's execution environment, it is a child process obtaining elevated permissions when they do not have authorization for them (the vulnerability). Address the vulnerability, or don't, your choice.
@halfdebate @halfline "You've explained a vulnerability, but I am not going to acknowledge that vulnerability, because other vulnerabilities like keyloggers exist" - that's you. That's how you sound. Try, "thanks for sharing about this flaw, we should find ways to address it".
@halfline As an aside, the YAMA ptrace specifically was created to prevent risks between same-user debugging and was touted by systemd as being a protection here. I posted that wasn't the case and showed other ways. I don't appreciate my time being wasted further with this.
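Two of the conditions the thread keeps returning to, whether Yama restricts same-uid ptrace and whether a root process is sharing a pty owned by an unprivileged user, are things a defender can audit on a host. The script below is an added example written for this page; it is not the author's ptypwn.c or reptyr, it does not reproduce the PoC, and its heuristic and the sample records are constructed here. It reads the kernel's documented ptrace_scope sysctl and walks /proc to list root-owned processes whose controlling terminal device is owned by a non-root uid.

```python
# Added defensive audit (example code, not from the thread): report the Yama
# ptrace_scope setting and any root process attached to a user-owned tty.
import os
from typing import Dict, Iterable, List, Optional

# Meaning of /proc/sys/kernel/yama/ptrace_scope values, per the kernel's
# Yama documentation (Documentation/admin-guide/LSM/Yama.rst).
PTRACE_SCOPE_MEANING = {
    0: "classic: any process may ptrace another process of the same uid",
    1: "restricted: only descendants (or a PR_SET_PTRACER target) may be traced",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attach is disabled until reboot",
}


def interpret_ptrace_scope(value: int) -> str:
    """Map a ptrace_scope value to a one-line explanation."""
    return PTRACE_SCOPE_MEANING.get(value, f"unknown value {value}")


def read_ptrace_scope(path: str = "/proc/sys/kernel/yama/ptrace_scope") -> Optional[int]:
    """Return the live ptrace_scope, or None if Yama is absent (or not Linux)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def tty_device_path(major: int, minor: int) -> Optional[str]:
    """Translate a controlling-terminal device number into its /dev path.

    Major 4 is the virtual consoles (/dev/ttyN); majors 136-143 are Unix98
    pseudo-terminal slaves with 256 minors per major (/dev/pts/N).  Anything
    else, including 0 (no controlling terminal), yields None."""
    if major == 4:
        return f"/dev/tty{minor}"
    if 136 <= major <= 143:
        return f"/dev/pts/{(major - 136) * 256 + minor}"
    return None


def suspicious_tty_attachment(proc_uid: int, tty_uid: Optional[int]) -> bool:
    """True for a root process whose controlling terminal belongs to a non-root user."""
    return proc_uid == 0 and tty_uid is not None and tty_uid != 0


def flag_records(records: Iterable[Dict]) -> List[Dict]:
    """Filter process records down to the root-on-user-tty cases."""
    return [r for r in records if suspicious_tty_attachment(r["uid"], r["tty_uid"])]


def scan_proc(proc_root: str = "/proc") -> List[Dict]:
    """Collect pid, real uid, controlling tty and tty owner for every process.

    /proc/<pid>/status and /proc/<pid>/stat are world-readable, and stat() on
    a /dev/pts node works for any user, so no privilege is needed."""
    records = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/status") as fh:
                uid = next(int(line.split()[1]) for line in fh if line.startswith("Uid:"))
            with open(f"{proc_root}/{pid}/stat") as fh:
                # Fields after the parenthesised comm: state ppid pgrp session tty_nr ...
                fields = fh.read().rsplit(")", 1)[1].split()
            tty_nr = int(fields[4])
        except (OSError, StopIteration, IndexError, ValueError):
            continue  # process exited mid-scan or unreadable
        tty = tty_device_path(os.major(tty_nr), os.minor(tty_nr))
        tty_uid = None
        if tty is not None:
            try:
                tty_uid = os.stat(tty).st_uid
            except OSError:
                pass
        records.append({"pid": pid, "uid": uid, "tty": tty, "tty_uid": tty_uid})
    return records


# Constructed sample records (not real process data) showing the three cases.
SAMPLE_RECORDS = [
    {"pid": 4242, "uid": 0, "tty": "/dev/pts/3", "tty_uid": 1000},   # root shell on user pty
    {"pid": 1, "uid": 0, "tty": None, "tty_uid": None},              # daemon, no tty
    {"pid": 777, "uid": 1000, "tty": "/dev/pts/3", "tty_uid": 1000},  # user's own shell
]

if __name__ == "__main__":
    scope = read_ptrace_scope()
    print("yama ptrace_scope:", scope,
          interpret_ptrace_scope(scope) if scope is not None else "(Yama not available)")
    for r in flag_records(scan_proc()):
        print(f"pid {r['pid']} runs as root but its controlling tty {r['tty']} "
              f"is owned by uid {r['tty_uid']}")
```

Run as a normal user it prints an inventory rather than a verdict: a root shell started with sudo or su is attached to the caller's pty too, so every hit needs triage against what that session is expected to be. The ptrace_scope line is the part that matters for the same-uid reparenting the thread describes; a value of 0 means any process of the user can attach to any other process of that user.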
@halfline You also haven't even asked me how ptypwn.c works which is how I know you are disingenuous in our discussion - you just incorrectly assume that no boundary was being crossed yet it clearly shows a child process without controlling terminal taking over and using the root program.
@jspaleta @halfline Everything else can be found on my timeline including several lengthy discussions with ArchLinux security maintainer. The systemd project maintainer's only contribution to the discussion was insults and I really don't feel like giving more of my time away for free.
@Gabbymua4 There is also the matter of user confusion, a "sudo" replacement does not respect the "sudoers" file or rights previously placed on sudo, instead it uses policy-kit enforcement which adds users by default to this new sudo without explicit consent.
@apstrusus84 @two_d @artem_zin Some of the people commenting on these topics have been alive less time than you and I have been auditing and building systems, the fact that this new ethos is particularly prevalent amongst younger generations is telling. Systemd is an abomination, full of unnecessary bloat.
@two_d @apstrusus84 @artem_zin Oh sorry you wanted my prior work, here are 4 of them, though I used libc to target "su" in 2 of them - there's others I didn't release yet -

Feel free to read.
github.com/hackerhouse-op…
github.com/hackerhouse-op…
github.com/hackerhouse-op…
github.com/hackerhouse-op…
github.com/hackerhouse-op…
@two_d @apstrusus84 @artem_zin It's actually extremely interesting to me that a Microsoft developer is the one driving these changes in the Linux eco-system, considering the history lessons that could be learned looking at their own commercial design decisions here.
More from @hackerfantastic

Jun 25
Buy a stingray device for intercepting cellular traffic, only $100k on eBay 😂 ebay.com/itm/4049333960…
That eBay seller must have gotten his hands on some liquidated government-backed monitoring equipment. This is old equipment but a bargain at $600 - frequency counter, AOR wide-band receiver and numerous antennas for wireless signal detection and monitoring. Used to cost $1000's
131? What a coincidence I have the same combination on my luggage.... :P
Jun 11
Someone left a "secure" Russian phablet on the back of a bus in Salisbury, England. It was running Aurora OS, a so-called "trustphone" device for use by Russian Government and corporations... here are the flash ROM dumps for 4.0.2.249, 4.0.2.82 and 3.2.1.65. mega.nz/file/V3tgEAKJ#…
When generating "secure random" passwords in "SecretKeeper", it's important to always seed random number generator qsrand() with the current time. That way you can easily recover your passwords for sensitive Russian environments in case you were ever logged out of them....
Nobody knew how the devices worked, conveniently the owner also left a briefcase with design notes, architecture, documentation, implementation, marketing material and internal Zoom demos about "trusted" devices too! We'd all have been lost without those. mega.nz/file/0r9D0Z5K#…
Jan 2
Stinger is a Vault7 privilege escalation module from "Fine Dining", the only information is that it is a "UAC bypass that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator" - the video shows my implementation.
I started with only the information above, and tried to work out what this UAC bypass could be. It turns out you can read the process token of an auto-elevated binary (even on Win 11!), ShellExecuteEx returns process handle to high integrity process and you can access its token.
Token hijacking is a lot of fun and it turns out reading a high IL token from a UAC restricted proc was the easy part - I was able to duplicate the token without issue and then elevate the thread, even on Windows 11. As pictured - left, low privileged and on right, my high privileged thread.
Dec 30, 2023
This is more likely work of an intelligence agency, not an APT. APT is contractor service organized or reporting to the intelligence agencies of a nation-state or an OCG and does not have the same level of bureaucracy with payload delivery. The selective targeting gives it away.
I do not consider GCHQ or NSA TAO as APT in the traditional sense, they are vastly superior threat when compared to contractor hired by say the FSB to steal western secrets through drive-by downloads. There is cross-over but one is a wide industry threat, the other very specific.
As an industry doing simulated breaches, cyber-enabled intellectual property theft or financially motivated crimes, our strategies and assessment programs are designed to simulate and detect adversary behavior from threats that you are most likely to face in your industry.
Dec 22, 2023
Here is an example of the CIA's Marble Framework being used in a simple project to obfuscate and de-obfuscate strings. I used AI to re-create missing library and components needed to use the framework in Visual Studio projects, usually handled inside CIA with "EDG Project Wizard"
This shows the complete workflow that an analyst would use when creating malware at the CIA using Marble for string obfuscation. An attacker could essentially now follow leaked wiki instructions to obfuscate their strings in runtimes they create. More: wikileaks.org/ciav7p1/cms/pa…
The leaked framework supports 106 obfuscation methods known as "marbles", with some being generic C based and others C++ based, it introduces three data-types CARBLE, WARBLE and BARBLE for char, wchar and byte respectively. It can be controlled by header defines.
Mar 30, 2023
The "EU Digital Green Certificates (DGC)" which was implemented to curb freedom of movement unless individuals gave over medical decisions to their government, against all of our human rights - is leaking the Health Authority of Bulgaria's private keys since 2021. #NoGreenPass
The above private key could be used to authenticate to the "on-boarding gateway" and falsify health records as authentic & valid from Bulgaria, additionally as it allowed authentication it could've been used to exploit Log4Shell (post-authentication) which was patched last year.
How did I get the private key you wonder? It was trivial, I reconstructed it from their Github history when private key elliptic curve variables were committed in error, then deleted. By recovering these variables from the project git history, I was able to regenerate the key.