Complete.Org: Mailing Lists: Archives: discussion: June 2002:
[aclug-L] FW: Boot Access is Root Access

[aclug-L] FW: Boot Access is Root Access

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]

To:	"Aclug Discussion" <discussion@xxxxxxxxx>
Subject:	[aclug-L] FW: Boot Access is Root Access
From:	"Dale W Hodge" <dwh@xxxxxxxxxxxxxxxx>
Date:	Tue, 18 Jun 2002 09:11:04 -0500
Reply-to:	discussion@xxxxxxxxx

-----Original Message-----
From: Linux_Security@xxxxxxxxxxxxxxx
[mailto:Linux_Security@xxxxxxxxxxxxxxx] 
Sent: Tuesday, June 18, 2002 2:33 AM



LINUX SECURITY --- June 18, 2002
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
____________________________________________________________________

HIGHLIGHTS

* Mistakes happen. More importantly though, how do you access your 
  machine to clean up after they happen? Yet even more importantly, can 
  you stop unauthorized users from exploiting these same techniques? 
____________________________________________________________________

Boot Access is Root Access
By Brian Hatch

Ever accidentally lose the ability to become root on your own system?
Perhaps you accidentally changed root's shell to /bin/bish because of a
typo when adding that new user. Perhaps you simply forgot what you
changed the root password to since you always use sudo. (Sudo == good --
logging in as root == bad.) Or maybe when trying to remove that old
/etc.bak directory you hit a space instead of dot. Whoops.

When these mistakes happen, it's nice to know that you have options to
get on your machine as root to clean up your mess and I'll show you some
of them. When you see how easy they are, you may make the logical (and
disturbing realization) that even unauthorized folks can use these same
techniques to take over your machine.

All the methods I'm going to talk about here are possible if an attacker
has physical access to your machine. With physical access, the baddie
has some pretty impressive power. I usually just call this the 'Boot
access is Root access' effect.

When your Linux box boots, it generally goes through several stages.
First the BIOS [1] gives you a chance to hit F8, F5, or whatever other
fun key combo it likes to let you mess with things. It'll probably
initialize some hardware, and you'll get a nice text splash screen or
two. Eventually, you get to the Lilo prompt. [2]

Most likely you've never spent time at the Lilo (Linux loader) prompt,
since it will boot Linux automatically if you don't press a key right
away. However, this is your opportunity to tell Linux how it should
boot. Say your default kernel is called 'linux' in lilo.conf, but you
have an older kernel, say 2.2.15 named linux.old. All a malicious hacker
needs do at the console is type:

   linux.old

at the lilo prompt and the older kernel will boot.

Since 2.2.15 has several instant ways for a normal user to become root,
the attacker can simply log in (this assumes they have an account, or
method of obtaining one) and they'll have root access in seconds.

To prevent someone at the console from booting an alternate kernel you
have several options:

Comment out the Alternate Kernel Definitions from /etc/lilo.conf
The definition starts with 'image=' and goes until the next 'image='
line (or end of file). For example to make our linux.old kernel
unavailable, you'd find the kernel definition, which would look like
this:

    image=/boot/vmlinuz-2.2.15
        label=linux.old
        read-only
        root=/dev/hda7

Comment these out by putting a '#' at the beginning of the line. When
you're done editing the file, run lilo to make the changes:

    # lilo
    Added linux *
    Added openbsd
    #

Make sure that you don't see 'linux.old' as one of the entries.
Whichever is marked with a '*' is the default kernel, the one that will
launch if you don't explicitly specify one.

Password Protect the Other Kernel Definitions
You simply add a 'password' line to the configuration, such as this:

    image=/boot/vmlinuz-2.2.15
        label=linux.old
        password=TalkAboutAnOldKernel
        read-only
        root=/dev/hda7

When attempting to boot the linux.old kernel, lilo will require the
password you specify in lilo.conf. I only suggest you do this with old
kernels that could be useful at some time and which are hopefully not
known to have instant root bugs. All completely unneeded kernels should
be removed from lilo.conf, and from your hard drive for that matter.

Again, make sure to re-run lilo when finished.


Next Week: Single User Mode


[1] Yes, I'm being PC centric. Forgive me, fellow non-x86 users.
[2] Now I must apologize to all non-lilo users -- I can't win.
    Other boot loaders have similar security precautions: RTFM.

About the author(s)
-------------------
Brian Hatch is Chief Hacker at Onsight, Inc. and author of "Hacking 
Linux Exposed" and "Building Linux VPNs".  During the writing of "HLE", 
he once had twelve kernels installed and running on his test system at 
one time, using both User Mode Linux and VMWare.  He hopes never to 
have that many again.  Brian can be reached at 
brian@xxxxxxxxxxxxxxxxxxxxxxx.
____________________________________________________________________

ADDITIONAL RESOURCES

An in-depth look at LILO
http://itw.itworld.com/GoNow/a14724a60152a76028222a6

Linux lilo vulnerabilities
http://itw.itworld.com/GoNow/a14724a60152a76028222a1

LIDS and Mandatory Access Control (MAC) on Linux
http://itw.itworld.com/GoNow/a14724a60152a76028222a2

Hacking into Linux (NEWBIE SERIES)
http://itw.itworld.com/GoNow/a14724a60152a76028222a5
____________________________________________________________________

ITWORLD.COM NEWSLETTER ARCHIVE

Index of Linux Security
http://itw.itworld.com/GoNow/a14724a60152a76028222a7

Investigating Processes, Part 1
http://itw.itworld.com/GoNow/a14724a60152a76028222a3

Our Continuing /proc and lsof Investigation
http://itw.itworld.com/GoNow/a14724a60152a76028222a4
___________________________________________________________________

CUSTOMER SERVICE

SUBSCRIBE/UNSUBSCRIBE:
- Go to: http://www.itworld.com/newsletters
- Click on "View my newsletters" to log in and manage your account
- To subscribe, check the box next to the newsletter
- To unsubscribe, uncheck the box next to the newsletter 
- When finished, click submit

Questions? Please e-mail customer service at: mailto:support@xxxxxxxxxxx
_____________________________________________________________________

CONTACTS

* Editorial: Andrew Santosusso, Newsletter Editor, 
  andrew_santosusso@xxxxxxxxxxx
* Advertising: Clare O'Brien, Vice President of Sales, 
  clare_obrien@xxxxxxxxxxx
* Career Corner: Janis Crowley, Vice President/General Manager, IDG 
  Recruitment Solutions, janis_crowley@xxxxxxxxxxxxx
* Other inquiries: Jodie Naze, Senior Product Marketing Manager, 
  jodie_naze@xxxxxxxxxxx

_____________________________________________________________________

PRIVACY POLICY

ITworld.com has been TRUSTe certified 
http://www.itworld.com/Privacy/

Copyright 2002 ITworld.com, Inc., All Rights Reserved.
http://www.itworld.com






-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi

[Prev in Thread]

Current Thread

[Next in Thread]

[aclug-L] FW: Boot Access is Root Access, Dale W Hodge <=

Prev by Date: [aclug-L] Hi from Pisa
Next by Date: [aclug-L] International Slashdot MEETUP Day
Previous by thread: [aclug-L] FW: Gaming the System with Python
Next by thread: [aclug-L] International Slashdot MEETUP Day
Index(es):
- Date
- Thread