00:00:00
Hello guys and gals. Me, Mudahar, and ladies and gentlemen, you know, nothing is safe. Linux isn't safe, Windows isn't safe, Mac isn't safe. And the reason I'm making this video is because I am looking at around a 12-year-old exploit that has actually been discovered. So, this guy called Rich Mirch, researcher extraordinaire here, actually found a 12-year exploit that remained unnoticed despite it being present in the code all along. Now, one of the things that I always hate is when people get this false sense of security, like, "Oh man, I use Linux. I should be safe. I use Mac. I should be safe." You know, they watch those old ads. I'm a Mac. I'm a PC. And it's always the PC that gets all the venereal diseases by connecting to the internet, which can be true. Windows is generally targeted because most people use it. But there's also people that target Mac systems. We've looked at Mac viruses on this channel, but today we're going to be looking at something Linux related that can be quite dangerous if you don't update your stuff. So, the TL;DR, if you want to be completely safe and you're on Linux, just update your system. Okay, all the updates are floating out there. But let's say that you haven't updated. How would some guy who gets access to your computer just decide to get complete and total access by going all the way from the local user to the super user?

00:01:14
Now to give you an idea of what the super user is inside Linux. Okay, there is a command known as sudo. It's not so much a command as it is an actual program. So for instance, let's say that you open up that scary spooky terminal shell and let's say that you ask, you know, what's sudo. So sudo is just a program, /usr/bin/sudo, and of course over here it's been marked for the process IDs of one. It's been marked for root. Now, this is a program that has been marked for having that root access. Just the mere act of running sudo and reading these usage prompts, it will basically be running at that super user level. So, it's kind of like when you get a program on Windows and you right-click and hit "run as administrator": you should only ever do that for a program you trust. If you just give everything arbitrary, like complete super privileges on your computer, you could land in some pretty nasty water, okay? At least security-wise.

00:02:12
So, of course, how does this actual attack work? It's actually quite interesting, as much as it is really scary. So, the guys over at Red Hat, you know, they were saying that the flaw was found in sudo. This allows a local attacker to escalate their privileges by tricking sudo. So, this is more of a logic bug than it is something memory-related, right? So basically we load an arbitrary shared library using the user-specified root directory via a chroot option. An attacker can run arbitrary commands as root on systems that support /etc/nsswitch.conf.

00:02:51
Now how do we convert this nerdspeak? Let me walk you through it. Okay, that /etc/nsswitch.conf. Yeah, most of your Linux systems definitely support it; it's a very crucial part of many Linux systems. That chroot that they're talking about, if you ever followed my Arch Linux installation videos, that should be a command that you know of. So, to give you an idea of what chroot is: change root, that's how it's named. The general idea is, you know, you basically create like a sandbox or a jailed environment that you can root into. Now, when you saw my Arch Linux installation videos, a lot of that stuff was, you know, partitioning your system, putting up a very basic installation of Linux, just enough for you to chroot into it and basically, you know, switch those root accounts, and you could modify that version of Linux that you were building and then eventually boot into it as if it was a native install. Right now the context here is this is arch-chroot, which is more of a wrapper that is specific for Arch when setting up environments correctly, of course, but regular chroot, which again is, you know, inside Linux, is more for general recovery, sandboxing, things of that nature. So again, it's not entirely the same context, but again, what you really have to know is chroot is initially meant for more like sandboxing things, like recovery, other, you know, natures.

00:04:16
So what's basically being leveraged over here is a pretty interesting attack, and thankfully, you know, the individuals behind here, Stratascale, made a really good Docker container that allows me to show you how this stuff kind of works. Now underneath Linux that nsswitch that they were talking about is a pretty integral part. So we call it the Name Service Switch. And I guess the best idea, the best way to put it is like when you're looking for information regarding passwords, users, groups, protocols, and so forth. What it does is it provides Linux a way to, you know, it tells Linux, it tells like the system where to look for that kind of information. So whether that be in your file system, whether that be with the systemd, you know, protocols, whether that be with anything, it gives you a place to look for information. Now, the thing about this is obviously the best close non-tech analog that I can provide is, I guess, it's kind of like a contact book in a way too, right? Like you know how you have people named as like "mom" or, you know, specific names, and those names have like actual nine-digit cell phone numbers, or however many digits wherever you live, attached to it. So generally speaking, you probably don't open up your phone app and enter the numbers one by one. You probably go to your contact book, tap a name, and as soon as you tap the name, that human-readable input, it then goes to the machine-readable actual cell number and just dials for you. I guess that's the closest analog that I can put it. That's about the closest way to provide. But on the deep nitty-gritty technical side for Linux, the Name Service Switch is exactly that when it comes to querying information. It just tells it where to look.

00:05:49
Now inside the CVE, the actual proof of concept they made, they provided this like code, and just to show you what's kind of going on over here, they make their own shared library, you know, relating to that actual nsswitch. Now what they're doing in this proof of concept is they're actually creating a shared object piece of code over here, and of course it's in C. So they've got a constructor coming in where, you know, it's running before the main, the startup. In this case they're changing the user ID to zero. They're changing the group ID to zero. They're changing the directory all the way to root, which is that slash. And then, of course, they're running all of this stuff. And this is what's going to happen. They're going to open a shell in this situation. But again, you can't just, you know, set your IDs to zero. You can't just set your ID to root. You have to go through a different step. And this is where they're going to build an environment that's going to trick it.

00:06:39
So now, these next four lines are pretty important. What's basically happening over here is line one. We're making directories, two directories, woot/etc and libnss, which is where we're going to be storing these malcrafted files. So the next is where we're echoing a password into a new file we make called woot/etc/nsswitch.conf. Now remember a normal nsswitch.conf will ask you to query things like your file systems. But here the attacker is making the system query woot1337. So now when sudo runs with those, you know, root privileges as it's given, it will load up woot1337, the shared object in that libnss folder, from my understanding, and this is where again the real sauce starts to happen. So what'll happen is the system's real group will be copied into the chroot, as the third line shows. And then the last is, of course, the compilation of the C code that was written above into that woot1337 shared object. So now when you go underneath it where it's echoing woot, right, that's sudo -R woot woot. What that'll effectively do is it will, you know, get sudo to chroot into the woot directory. And then the next woot in this situation should basically just be the command. And again what's happening is once you're inside, sudo runs in this controlled chrooted environment, that nsswitch.conf points to the attacker code, you know, in that password query that it's providing, and of course the malicious shared object is then loaded, and of course the exploit runs, you're set as user root, and a shell is spawned. And now I get to show this running in a provided Docker container that these researchers have given.

00:08:21
Now to show you how this works in action, they provided a Docker container which is basically just like a standard Ubuntu installation alongside the affected versions of the sudo program. Right? So again the only thing in here is that chwoot.sh file, that script. So if we just run this, ladies and gentlemen, what you have to look for is the word "pwn". Right? So we're currently in the user. Now if we hit enter, woo, all of a sudden we're now in that root directory, ladies and gentlemen. We have now gotten those super duper elevated privileges. So if I exit, you can see that all I can see is all this stuff right here. Now if I go back into the root directory, what you can do over here is you can in fact nuke your entire system.

00:09:04
Now what can you do as a super user? Well, you could run really dangerous commands, ladies and gentlemen. Now that you have access to the whole file system, you could theoretically go out of your way and run a command known as sudo rm -rf --no-preserve-root /. Slap that enter. Oh. Oh, wait. Did we nuke it? Oh yeah. Oh yeah. Again, I don't think I entered this entirely right over here. But again, just to give you a visual understanding, if you ran this command underneath most modern Linux distributions, you can basically nuke your entire installation. You can just delete everything. Okay? You know, much like the old days of deleting System32, which isn't super duper possible these days, just because Microsoft has a lot more permissions in place to prevent people from doing something so utterly stupid. Linux is just like, "Hey, buddy, it's okay. If you want to get rid of everything, you can." Now, the reason why I showed you this command is it should present you the understanding, visually, that giving any program access like this to your computer, well, they can just do about anything. If they can delete your whole goddamn file system, who knows what else they can do. And really, that's why you have to be careful anytime you super user or like sudo or run something as an administrator, and you give something really privileged access to your system, you're basically letting it have unfettered access to your files and god knows what else.

00:10:32
Now, again, this was a pretty serious, serious, serious exploit that apparently existed in Linux for over 10 years. And the reason why I'm showing it to you is because, A, thankfully it's been dealt with. There's been a lot of patches that have come out. Chances are if you're on Linux, whatever distribution out there, you've probably received an amazing sudo patch and you probably don't have to worry about this. But if you're somebody that's administering systems, and if you're somebody that is not actively updating your stuff, then you probably should understand that this is a pretty common vector of attack. That sudo program, just sudo in general, has always been a very popular form to attack. You know, for over a decade at this point, well over a decade now.

00:11:14
Before any of you guys go in the audience, "But Muda, what about those Mac guys? Are they unsafe? They also have stuff like sudo and chroot." And while you're right that does exist underneath Macs, the reality is the big key contention here was nsswitch. And since that doesn't exist underneath Linux, at least in a similar capacity, and because underneath, or sorry, that doesn't exist under Mac, and also underneath Mac there's things like System Integrity Protection. So, generally speaking, unless you really unsecured your Mac, which is not a real use case, these exploits wouldn't really be attacking a Mac user, right? Again, you really have to go out of your way to make things really unsafe on your MacBook product. Otherwise, you'll pretty much be fine, okay, for the most part, right? Again, totally different circumstances, different security parameters there. This is very much a Lunix thing.

00:12:11
And there's been many other ways that sudo has been attacked, but this is one of those ways where I think just demonstrating how easy it was to go from an account that had no privileges all of a sudden to an account that had every single privilege in the book can be very dangerous. And again, if you don't update, if you don't keep things, you know, always on the up and up, then chances are you're always opening up a back door some other way for people to get in. If somebody got access to your computer and let's say it wasn't encrypted, they just were able to log into a local account. Well, they can escalate themselves even higher and do whatever they wanted. If you ran even just a program that was able to leverage this exploit locally and it gained access to super-privileged parts of your system, they can start to do whatever they want from it. They can run other pieces of program. They can open up network. They can do whatever it is that you can conceive with this level of access. So yeah, if you want to be safe, just update your system. But hopefully you saw some cool stuff today. Hopefully you had a laugh. Hopefully you learned interesting ways to nuke your system, if you ever felt like it. But ladies and gentlemen, I found this to be particularly entertaining to me. If you like what you saw, please like, comment, and subscribe. Dislike if you dislike it. I am out.