We recently had a client who couldn’t sudo to become root. They received an error indicating that the “/etc/sudoers” file was corrupt. Being security minded people, they’d prevented the root user from logging in via SSH – which is a good idea by the way. Their only options were to restore from backups, log in at the console as the root user or hack it!
Not wanting to wait, one of our security technicians decided to try a few hacks and see what he could do. Long story short, he succeeded in elevating his user account to root without a working sudo. And he did so in about 5 minutes.
Here’s how he did it. The exploit is known as “Dirty Cow” and, in the words of Wikipedia:
Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation bug, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.
The “Dirty Cow” exploit gets you part way there but you still have to deal with SELinux. SELinux “IS” enabled, right?! If not, call the technician responsible and ask why SELinux was disabled in the first place. Then fire him or her. SELinux is all that stands in the way of this exploit working (on a Redhat-like system) as far as I could tell.
So you have to put SELinux into permissive mode before you can actually become root. You can “appear” to be root without touching SELinux but SELinux will stop you from doing some things until you disable it. And by disable I mean putting it into permissive mode. Don’t disable it fully.
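From the defender's side, the step described above is worth watching for: the Dirty Cow write itself leaves no trace in the system log, but switching SELinux to permissive does, because the kernel emits a MAC_STATUS audit record whenever the enforcing mode changes. The following is an added example, not code from the original post, that flags such records in audit log lines and checks the persistent mode in /etc/selinux/config; the log lines and config text are constructed samples.

```python
import re

# Audit record written when the SELinux enforcing mode is toggled at runtime
# (what `setenforce 0` does). Field layout follows the Linux audit format;
# only the fields we need are captured.
MAC_STATUS_RE = re.compile(
    r"type=MAC_STATUS msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):"
    r".*?enforcing=(?P<enforcing>\d) old_enforcing=(?P<old>\d)"
    r".*?auid=(?P<auid>\d+)"
)

# auid of 4294967295 (-1 unsigned) means "no login session", e.g. a boot-time change
UNSET_AUID = 4294967295


def find_permissive_switches(lines):
    """Return one dict per record where SELinux went from enforcing to permissive."""
    hits = []
    for line in lines:
        m = MAC_STATUS_RE.search(line)
        if m and m.group("old") == "1" and m.group("enforcing") == "0":
            auid = int(m.group("auid"))
            hits.append({"ts": float(m.group("ts")),
                         "auid": None if auid == UNSET_AUID else auid})
    return hits


def persistent_mode(config_text):
    """Parse /etc/selinux/config text; return the SELINUX= value (lowercased) or None."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.upper().startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    return None


# Constructed sample data: one enforcing->permissive switch by the user with auid 1000,
# one switch back, and one unrelated record.
SAMPLE_AUDIT = [
    "type=MAC_STATUS msg=audit(1478034423.173:345): enforcing=0 old_enforcing=1 auid=1000 ses=2",
    "type=MAC_STATUS msg=audit(1478034500.001:346): enforcing=1 old_enforcing=0 auid=1000 ses=2",
    "type=USER_LOGIN msg=audit(1478034510.500:347): pid=2201 uid=0 auid=1000 ses=2 msg='op=login'",
]
SAMPLE_CONFIG = "# This file controls the state of SELinux on the system.\nSELINUX=enforcing\nSELINUXTYPE=targeted\n"

if __name__ == "__main__":
    for hit in find_permissive_switches(SAMPLE_AUDIT):
        print(f"SELinux set to permissive at {hit['ts']} by auid={hit['auid']}")
    print("persistent mode:", persistent_mode(SAMPLE_CONFIG))
```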
Another important note is that the technician who succeeded in this hack had a local account on that target system.