Lucio Crusca | 21 Jul 22:43

help: I need to crack my box

Believe it or not, I have a linux box (mine, yes it's mine) I need to own...
the problem is that it physically resides a few 100km from here and someone
else has changed the root password... I can still log in as luser and I
wonder if I have a chance to become root again. It's a more or less current
debian lenny i386 with gnome. Have you got anything for me?

Thanks in advance,
Lucio.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Paul Schmehl | 22 Jul 01:21

Re: help: I need to crack my box

--On Monday, July 21, 2008 22:47:26 +0200 Lucio Crusca <lucio <at> sulweb.org> wrote:

> Believe it or not, I have a linux box (mine, yes it's mine) I need to own...
> the problem is that it physically resides a few 100km from here and someone
> else has changed the root password... I can still log in as luser and I
> wonder if I have a chance to become root again. It's a more or less current
> debian lenny i386 with gnome. Have you got anything for me?

Ask the hosting company if they have an ipkvm they can connect to the box.  If 
they do, you can reboot and go into single user mode and reset the root 
password.  I would then take down the net interfaces until you clean the box. 
Otherwise your info might be disclosed while you're working on it.

If you can't reboot it remotely, have their staff reboot it for you while 
you're logged in to the ipkvm.  Then get into single user mode and regain 
control of the box.

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

Alex Howells | 22 Jul 01:50

Re: help: I need to crack my box

2008/7/21 Lucio Crusca <lucio <at> sulweb.org>:
> Believe it or not, I have a linux box (mine, yes it's mine) I need to own...
> the problem is that it physically resides a few 100km from here and someone
> else has changed the root password... I can still log in as luser and I
> wonder if I have a chance to become root again. It's a more or less current
> debian lenny i386 with gnome. Have you got anything for me?

Probably not and I can't think anyone hiding a 0-day is going to
release it for this. Sorry.

Lucio Crusca | 22 Jul 09:35

Re: help: I need to crack my box

Alex Howells wrote:

> Probably not and I can't think anyone hiding a 0-day is going to
> release it for this. Sorry.
No 0-day needed here, Lenny does not have security updates, so all I need is
some PoC code already released in the last few months...

Paul Schmehl wrote:
> Ask the hosting company 
It's a firewalled LAN machine that had the VNC port open for a while, but
it's not hosted by a provider, my customer has it under its desk (yes, ok,
it's not really mine, but my customer doesn't even know what a computer
is). I can access it now with ssh through a tunnel, that's all I have.

Lucio.

Paul Schmehl | 22 Jul 16:09

Re: help: I need to crack my box

--On Tuesday, July 22, 2008 09:35:03 +0200 Lucio Crusca <lucio <at> sulweb.org> 
wrote:

> Alex Howells wrote:
>
>> Probably not and I can't think anyone hiding a 0-day is going to
>> release it for this. Sorry.
> No 0-day needed here, Lenny does not have security updates, so all I need is
> some PoC code already released in the last few months...
>
> Paul Schmehl wrote:
>> Ask the hosting company
> It's a firewalled LAN machine that had the VNC port open for a while, but
> it's not hosted by a provider, my customer has it under its desk (yes, ok,
> it's not really mine, but my customer doesn't even know what a computer
> is). I can access it now with ssh through a tunnel, that's all I have.
>

So call your customer up and walk him through rebooting, going into single user 
mode and changing the password.

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

Lucio Crusca | 23 Jul 08:46

Re: help: I need to crack my box

Paul Schmehl wrote:

> So call your customer up and walk him through rebooting, going into single
> user mode and changing the password.

Ahahah, I had to walk him through typing an '@' once, and it was hard
enough...

Lucio.

razi garbie | 22 Jul 09:29

Re: help: I need to crack my box

Are you sure that a 0day is even needed? Perhaps it's a rather old
kernel that's locally exploitable?
shell# uname -r
and then go google.

2008/7/22 Alex Howells <astinus <at> gentoo.org>:
> 2008/7/21 Lucio Crusca <lucio <at> sulweb.org>:
>> Believe it or not, I have a linux box (mine, yes it's mine) I need to own...
>> the problem is that it physically resides a few 100km from here and someone
>> else has changed the root password... I can still log in as luser and I
>> wonder if I have a chance to become root again. It's a more or less current
>> debian lenny i386 with gnome. Have you got anything for me?
>
> Probably not and I can't think anyone hiding a 0-day is going to
> release it for this. Sorry.
>

-- 
R. Garbie

Lucio Crusca | 22 Jul 10:51

Re: help: I need to crack my box

razi garbie wrote:

> Are you sure that a 0day is even needed? perhaps its a rather old
> kernel thats locally exploitable?
> shell# uname -r
2.6.24-1-686

> and then go google.
I tried looking for "2.6.24-1-686 exploit" and "2.6.24-1-686 poc" but I can't
find anything. Is there any PoC repository where one can browse whatever
has been released until today? If there is not, I think it's time to invent
one, noobs like me would find it very useful.

pUm | 22 Jul 11:00

Re: help: I need to crack my box

http://www.milw0rm.com/exploits/5092

2008/7/22 Lucio Crusca <lucio <at> sulweb.org>:
> razi garbie wrote:
>
>> Are you sure that a 0day is even needed? perhaps its a rather old
>> kernel thats locally exploitable?
>> shell# uname -r
> 2.6.24-1-686
>
>> and then go google.
> I tried looking for "2.6.24-1-686 exploit" and "2.6.24-1-686 poc" but I can't
> find anything. Is there any PoC repository where one can browse whatever
> has been released until today? If there is not, I think it's time to invent
> one, noobs like me would find it very useful.
>

Valdis.Kletnieks | 22 Jul 16:50

Re: help: I need to crack my box

On Tue, 22 Jul 2008 10:51:48 +0200, Lucio Crusca said:

> tried looking for "2.6.24-1-686 exploit" and "2.6.24-1-686 poc" but I can't
> find anything.

Hint - try being a bit less restrictive in the version, and remember that
usually, the posting either includes the release that the hole was introduced,
or when it was fixed.  See Brad Spengler's recent thread, which included
this text:

> To illustrate the point, in the 2.6.25.10 kernel, the following fix was 
> included with the commit message of:
> Roland McGrath (1):
>      x86_64 ptrace: fix sys32_ptrace task_struct leak

> The kernel was released with no mention of security vulnerabilities in 
> the announcement, only "assorted bugfixes".

> Put simply, it only took about an hour or so to develop a PoC for this 
> exploitable vulnerability which affects 64bit x86_64 kernels since 
> January.

Linus released 2.6.24 on Jan 24.  Do the math. ;)
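A patch-gap check of the kind razi and Valdis describe above, added here as an example and not part of the thread: it splits a Debian-style `uname -r` string such as the 2.6.24-1-686 reported earlier into upstream version, ABI number and flavour, and compares the upstream part against the release that carried a fix (the 2.6.25.10 quoted above is reused as a constructed sample). The function names are mine; the result is only a first-pass screen for patch management, because Debian backports fixes into package revisions without bumping the upstream number, and the flavour (686 versus amd64) decides whether a given bug applies at all.

```python
import re
from typing import Optional, Tuple

# Constructed sample values, taken from the thread: the running kernel's
# "uname -r" output and the upstream release that shipped a fix.
RUNNING_KERNEL = "2.6.24-1-686"
FIX_RELEASE = "2.6.25.10"

# upstream version, optional Debian ABI number, optional flavour
_RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:-(\d+))?(?:-(.+))?$")

Version = Tuple[int, ...]


def parse_uname(release: str) -> Tuple[Version, Optional[int], Optional[str]]:
    """'2.6.24-1-686' -> ((2, 6, 24), 1, '686'); '2.6.25.10' -> ((2, 6, 25, 10), None, None)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    upstream = tuple(int(part) for part in m.group(1).split("."))
    abi = int(m.group(2)) if m.group(2) else None
    return upstream, abi, m.group(3)


def older_than(a: Version, b: Version) -> bool:
    """Numeric comparison, zero-padded so that 2.6.24 compares equal to 2.6.24.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def patch_gap(running: str, fixed_in: str, introduced_in: Optional[str] = None) -> str:
    """Classify a kernel by upstream number only: 'not-yet-introduced', 'affected' or 'fixed'.

    Caveat (hypothetical helper, not a distro tool): on Debian the authoritative
    check is the package revision, e.g. `dpkg-query -W -f='${Version}'
    linux-image-$(uname -r)`, read against the distribution's own advisory,
    since backported fixes leave the upstream number unchanged.
    """
    run, _abi, _flavour = parse_uname(running)
    fix, _, _ = parse_uname(fixed_in)
    if introduced_in is not None:
        intro, _, _ = parse_uname(introduced_in)
        if older_than(run, intro):
            return "not-yet-introduced"
    return "affected" if older_than(run, fix) else "fixed"


if __name__ == "__main__":
    print(RUNNING_KERNEL, "->", patch_gap(RUNNING_KERNEL, FIX_RELEASE, "2.6.24"))
```

The flavour field is returned but deliberately not used in the verdict: whether a bug described as x86_64-only applies to a 686 kernel is a judgement the advisory text has to supply.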

the.soylent | 22 Jul 19:42

Re: help: I need to crack my box

Hi,
I think you should reinstall that box!
When "someone" gets root on it, it is more likely he/she also installed
some sort of rootkit. In case he/she has done something illegal,
you should also make an image of the whole disk before reinstalling.

/soylent