eXploit X : "Give Me Root" - Computerphile

Computerphile · Intermediate ·📰 AI News & Updates ·7y ago

Key Takeaways

The video demonstrates the eXploit X vulnerability, which allows an attacker to gain root access on Linux systems using a specific command, and explains how the exploit works by manipulating the Unix directory and password file.

Full Transcript

there was an export you found for the works on Linux and because of the way it works you'll see when we take it apart it'll probably work on other unixes as well but if you type this one command in then what you end up doing is getting full root control of the machine just by typing in this one command I should say it doesn't work on all Linux installations it has to be set up in the right way but a lot of the major ones are set up like that so yeah if you can remember the command or you can find it on Twitter you can type this in and get full access to control the machine I think the best place to start is if I show it so let me just start up the laptop I've got a Linux virtual machine it's running Centos 7 I've just literally gone and downloaded this off Centos website and we can now see what's going you could type it in from inside the graphic user interface I found it works slightly better if you switch to a command line so I've logged in here to the machine and I'm just sitting at the command line in the standard place and if I try and say change password of root just something else it'll say only root can specify a username I'm not logged in with any sort of special permissions but if I type in this command that's been tweeted and so on CD slash Etc X org minus FP quote root minus log file Shadow okay the one semicolon Su all right so if we hit this boom it goes off and sets a few things up the screen goes black but if I switch back to my other one if I type Su again it's logged me in as roots and of course I can now change the password on root without any problems how does this actually work well let's sort of break down this command because actually it's made of three commands the semicolons in the thing that we're running actually just say execute this command followed by this one followed by this one so the first part of it CD slash Etc now anyone who's used any Linux will know what that does it moves into the directory slash Etc if we look in there there's a whole load of files in there and that's the standard Unix directory inside there you've got configuration files that tell you how to mount the file systems how to start up the individual programs as things also what you have in there are the password file and something called The Shadow password file which contain details of users usernames and passwords what their user identifiers are what the home directory is and so on so you've got those files in there so that's the First Command let's have a look at the last command next so we'll come back to the middle one so the last command is s u the Su command basically says go super user so the SQ command will log you in instead of in the same session as a super user as root basically now normally that would ask you for a password but as we saw here after you've done this exploit it doesn't ask you for a password so what's going on what's the middle one so we've got X org and then we call it with various commands so we have minus FP and then we give it root colon and then various bits and pieces which I'm not going to write out and then we have minus log file Shadow colon one we're running the program xor xorg is the program that draws everything on the screen handles the graphics card and things under Unix Linux type machines often this will run as root so that you can control the hardware I think there are ways you can have it not run as root but by default often it will be running as root now sometimes you need to be able to start that as a non-root user so there's a special way it's set up that we'll look at in a minute which enables us to run it as a normal user but still let that program have access as root normally doing this on its own would not let us get root because we haven't don't know the password normally but after we've executed this command this Excel command then we can get root so what's going on here well two things we need to see what's happening on first of all on certainly on this version of Linux not necessarily all of them this program is set up with What's called the sewage bit or the set you would bit um so if we actually have a look at the program which is in user bin xorg we can see that when we look at the program it has this s flag on it in the list of attributes that it's got there it's read write and it's got the yes flag this means it's secured all that means is that when that program's run it runs it as the user ID that the program is owned by on the disk rather than by the current user that started its ID so this program then will run as root and normally you'd want that to happen that in itself isn't an exploit that's what you want to happen there's lots of programs that work like that you want that to do it but it means that because that program is running as root because of the way it's set up it has access to files that the normal user wouldn't have access to for example slash the ones and slash Etc that set up the password file if we break this command down a bit further we've got two parts of this command we'll come back to this one in a second but the first one is relatively simple it's just setting up the log file to be output of the file Shadow which of course will be in the directory slash Etc because we've already moved into that directory so all that's telling it is when you write a log file telling you what's happening so you can track down any configuration errors if you want to see what's if things aren't working properly it's going to be called shadow in the current directory now slash Etc Shadow is one of the files which stores the password data for Linux and other unix's there's actually two originally it was Slash Etc slash password and that sort of things and that was World readable so you could actually read the hashed versions of people's passwords watch Mike's video on what password hacking is up here so that wasn't a good idea so what they did was they sort of kept the password file took the hashes out of it and put the hashes in a copy of the password file called Shadow which shadowed the password file hence the name so that was only accessed by root which meant that when you needed to check a password the root stuff could access it and do that and so on so we're overwriting that file Shadow with the log file so okay well why does that help us well we get to the first part of the command which is this one here which is setting the font path so we're setting the font path which is what the minus FP flag does to have this string root colon blah blah blah blah blah so why does setting the font path how about we're setting logging into the shadow file enable us to grab root access well let's have a look at the log file that was created when we ran the exploit what we see is all the X logging information as it started up telling you what version it is what operating system we're running on build IDs various information about what's happening and so on so then we get down to this line here at the bottom which is telling us what we've set the font path to and it happily outputs every single line that we set the font path to now what if we set the font path to we set it to the root colon blah blah blah blah and so on and the interesting thing about that is one has been copied out on a line on its own in the new Shadow file okay some spaces at the beginning but that's not a problem but the format of that line we've written is the exact format required to tell the operating system the password for root and all its details but in this case the password would normally be between the first two colons and that's blank there's no hash there so when you run Su the program the operating system looks at the pass Shadow password file says there's no password there I'll let you log in and so you've got this wonderfully clever it almost old school exploit explodes there's quite a few like this there was one in Emax back in the 80s which um Clifford stole documented in his book The Cuckoo's egg and various others where you could do similar things you could have programs that had access to writer's root could copy files into the right place and then give you at route access where perhaps you weren't meant to have it and exactly the same things happen here we're allowed to run xorg because we want to display things on the screen and sometimes you'll have the machine set up so the users start it when they need it rather than starting up in that environment so running it would be okay but having the set uid bit set is what you need in those cases but coupled with the fact that we can write out arbitrary data in the font path um into the file comfortably the fact we can then log that into the shadow file which we wouldn't normally have access to we can change the password for root or any other user we'd want to and then log in as that user without any issue now of course the problem is is that as soon as you do this you've overwritten the shadow password file with basically junk and our line so you'd probably want to be able to revert things back whether you can do that is an interesting um question hopefully it's made a backup of the file shadow.old looks like it might be a thing so yeah there's a backup that we could then move back into place and hide it if we wanted to but we've now managed to to get root access once we've got that we can set up our own user raise our Privileges and then we've got full control of the machine the person that discovered it probably sort of thought well actually okay I can log into different places I can write the log file into various different places and you think well okay if I can write the log file into different places can I use that as a sort of um way to get the data I want into the right place so that's what you're trying to do so I can write this file in here but of course as we saw the format is very different you've got all those square brackets at the beginning of lines and so you couldn't just use it to say overwriter a program file so some of the other ones we've looked at um enabled us to override a standard program file and get an export that way and so you look at what options you've got and you think okay well this this font path thing will print out the list of all the font pass if you've got more than one font path you'd see them all on separate lines one after the other okay I can use that because you can then write out a font path which isn't a path but it's actually the data you need for the shadow password file and suddenly you've got your exploit that works now the reason this actually happened the reason this has been there and apparently it's been in the code for two years before someone discovered it there used to be a check on the log file command and the module path command there's another site where you can export this as well that would check whether you're running with elevated privileges IES root if you were it wouldn't let you use the log file command it also wouldn't let you change the module path which is another slight way you can export this as well you could put some arbitrary code and get that into the system as well and when they were refractor in the code then they for some reason that bit of the check didn't get put back in and so on so the things will be dead simple you just put that bit of code back in so I think patches will be available but the the quickest way to fix this is if you do is to remove the um set UE boot from xorb today we're going to talk a bit about how you actually write a hash function to do this how do we take something that essentially isn't random with a very known structure and turn it into something that looks like nonsense such that we can use it now there'll be people raising a few eyebrows I'm using sha one as an example to do this but actually there's fairly reasonable

Original Description

One line of code can get root access on many Linux systems. Dr Steve Bagley demos the exploit. More info from The Register (updated link): https://bit.ly/2AAQnRT On the subject of the 'censored' part, we fully appreciate that anyone can find out what that code is, but we're demoing & explaining it, not giving a resource for those who want to do it. If anyone wants to know the code simply look in the comments! hth -Sean SHA: Secure Hashing Algorithm https://www.youtube.com/watch?v=DMtFhACPnTY Hardware Hacking: https://www.youtube.com/watch?v=eOPLQxGNmHA https://www.facebook.com/computerphile https://twitter.com/computer_phile This video was filmed and edited by Sean Riley. Computer Science at the University of Nottingham: https://bit.ly/nottscomputer Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from Computerphile · Computerphile · 0 of 60

← Previous Next →
1 Follow the Cookie Trail - Computerphile
Follow the Cookie Trail - Computerphile
Computerphile
2 EXTRA BITS - Follow the Cookie Trail - Computerphile
EXTRA BITS - Follow the Cookie Trail - Computerphile
Computerphile
3 Musical Floppy Drives - Computerphile
Musical Floppy Drives - Computerphile
Computerphile
4 The Hair Algorithm - Computerphile
The Hair Algorithm - Computerphile
Computerphile
5 Getting Sorted & Big O Notation - Computerphile
Getting Sorted & Big O Notation - Computerphile
Computerphile
6 Quick Sort - Computerphile
Quick Sort - Computerphile
Computerphile
7 Hyper History and Cyber War - Computerphile
Hyper History and Cyber War - Computerphile
Computerphile
8 Entropy in Compression - Computerphile
Entropy in Compression - Computerphile
Computerphile
9 Original Elite on the BBC B - Computerphile
Original Elite on the BBC B - Computerphile
Computerphile
10 IP Addresses and the Internet - Computerphile
IP Addresses and the Internet - Computerphile
Computerphile
11 A Career in Video Games - Computerphile
A Career in Video Games - Computerphile
Computerphile
12 Error Detection and Flipping the Bits - Computerphile
Error Detection and Flipping the Bits - Computerphile
Computerphile
13 Programming BASIC and Sorting - Computerphile
Programming BASIC and Sorting - Computerphile
Computerphile
14 Birthplace of the World Wide Web - Computerphile
Birthplace of the World Wide Web - Computerphile
Computerphile
15 Punch Card Programming - Computerphile
Punch Card Programming - Computerphile
Computerphile
16 Programming Paradigms - Computerphile
Programming Paradigms - Computerphile
Computerphile
17 CERN Computing Centre (and mouse farm) - Computerphile
CERN Computing Centre (and mouse farm) - Computerphile
Computerphile
18 Error Correction - Computerphile
Error Correction - Computerphile
Computerphile
19 Home-Made Code - Computerphile
Home-Made Code - Computerphile
Computerphile
20 Security of Data on Disk - Computerphile
Security of Data on Disk - Computerphile
Computerphile
21 Gesture Controls - Computerphile
Gesture Controls - Computerphile
Computerphile
22 How Intelligent is Artificial Intelligence? - Computerphile
How Intelligent is Artificial Intelligence? - Computerphile
Computerphile
23 Encryption and Security Agencies - Computerphile
Encryption and Security Agencies - Computerphile
Computerphile
24 Virtual Machines Power the Cloud - Computerphile
Virtual Machines Power the Cloud - Computerphile
Computerphile
25 Hacking Websites with SQL Injection - Computerphile
Hacking Websites with SQL Injection - Computerphile
Computerphile
26 How Huffman Trees Work - Computerphile
How Huffman Trees Work - Computerphile
Computerphile
27 Cracking Websites with Cross Site Scripting - Computerphile
Cracking Websites with Cross Site Scripting - Computerphile
Computerphile
28 Cloud Computing (Cloudy with a Chance of Pizza) - Computerphile
Cloud Computing (Cloudy with a Chance of Pizza) - Computerphile
Computerphile
29 Texting Cabbage with a Recorder - Computerphile
Texting Cabbage with a Recorder - Computerphile
Computerphile
30 Hashing Algorithms and Security - Computerphile
Hashing Algorithms and Security - Computerphile
Computerphile
31 How YouTube Works - Computerphile
How YouTube Works - Computerphile
Computerphile
32 How NOT to Store Passwords! - Computerphile
How NOT to Store Passwords! - Computerphile
Computerphile
33 A New Golden Age of Video Games - Computerphile
A New Golden Age of Video Games - Computerphile
Computerphile
34 A Universe of Triangles - Computerphile
A Universe of Triangles - Computerphile
Computerphile
35 Cross Site Request Forgery - Computerphile
Cross Site Request Forgery - Computerphile
Computerphile
36 The True Power of the Matrix (Transformations in Graphics) - Computerphile
The True Power of the Matrix (Transformations in Graphics) - Computerphile
Computerphile
37 The Great 202 Jailbreak - Computerphile
The Great 202 Jailbreak - Computerphile
Computerphile
38 EXTRA BITS - Printing and Typesetting History - Computerphile
EXTRA BITS - Printing and Typesetting History - Computerphile
Computerphile
39 Triangles to Pixels - Computerphile
Triangles to Pixels - Computerphile
Computerphile
40 The Problem with Time & Timezones - Computerphile
The Problem with Time & Timezones - Computerphile
Computerphile
41 The Visibility Problem - Computerphile
The Visibility Problem - Computerphile
Computerphile
42 Lights and Shadows in Graphics - Computerphile
Lights and Shadows in Graphics - Computerphile
Computerphile
43 The Penguin Barcode - Computerphile
The Penguin Barcode - Computerphile
Computerphile
44 Typesetters in the '80s - Computerphile
Typesetters in the '80s - Computerphile
Computerphile
45 The Font Magicians - Computerphile
The Font Magicians - Computerphile
Computerphile
46 The Little Mac with the Big Bite - Computerphile
The Little Mac with the Big Bite - Computerphile
Computerphile
47 EXTRA BITS - More on the Original Mac at 30 - Computerphile
EXTRA BITS - More on the Original Mac at 30 - Computerphile
Computerphile
48 XP to Ubuntu with an 8yr old Hacktop - Computerphile
XP to Ubuntu with an 8yr old Hacktop - Computerphile
Computerphile
49 EXTRA BITS - Hacktop Real-Time Boot Comparison - Computerphile
EXTRA BITS - Hacktop Real-Time Boot Comparison - Computerphile
Computerphile
50 EXTRA BITS - Making a Bootable USB in Linux - Computerphile
EXTRA BITS - Making a Bootable USB in Linux - Computerphile
Computerphile
51 EXTRA BITS - Installing Ubuntu Permanently - Computerphile
EXTRA BITS - Installing Ubuntu Permanently - Computerphile
Computerphile
52 The Dawn of Desktop Publishing - Computerphile
The Dawn of Desktop Publishing - Computerphile
Computerphile
53 What is Bootstrapping? - Computerphile
What is Bootstrapping? - Computerphile
Computerphile
54 Reverse Polish Notation and The Stack - Computerphile
Reverse Polish Notation and The Stack - Computerphile
Computerphile
55 Home-Made Z80 Retro Computer - Computerphile
Home-Made Z80 Retro Computer - Computerphile
Computerphile
56 Should Everybody Learn to Code? - Computerphile
Should Everybody Learn to Code? - Computerphile
Computerphile
57 Programming in PostScript - Computerphile
Programming in PostScript - Computerphile
Computerphile
58 Heartbleed, Running the Code - Computerphile
Heartbleed, Running the Code - Computerphile
Computerphile
59 YouTube's Secret Algorithm - Computerphile
YouTube's Secret Algorithm - Computerphile
Computerphile
60 YouTube Search & Discovery - Computerphile
YouTube Search & Discovery - Computerphile
Computerphile

The video explains the eXploit X vulnerability, which allows an attacker to gain root access on Linux systems, and demonstrates how to execute the exploit using a specific command. The exploit works by manipulating the Unix directory and password file, and can be fixed by removing um set UE boot from xorb.

Key Takeaways
  1. Execute the command `cd /etc/X11/xorg -fp root -log file Shadow : 1 ; su` to gain root access
  2. Switch to the command line to execute the command
  3. Type `su` to switch to the root user
  4. Manipulate the Unix directory and the password file to gain access to the root user
  5. Run the exploit command
  6. Set the font path to 'root:...'
  7. Observe the output of the log file
💡 The eXploit X vulnerability allows an attacker to gain root access on Linux systems by manipulating the Unix directory and password file, and can be fixed by removing um set UE boot from xorb.

Related Reads

Up next
How to Handle the AI Shift
Matt Tutorials
Watch →