Someone I have know for a while was aware of my growing interest in information security and I had warned them a while ago that their network was probably vulnerable to attack because I had seen some web services that were not password protected running out of their home public IP address.
I saw them over the Christmas/new year period and they gave me permission to try and penetrate their network, specifically they challenged me to change the root password on their unRAID server.
I started off by firing up my Backtrack 5r3 VM and updating everything before registering Nessus and performing a scan of his public IP address.
Nessus didn’t find anything that was listed as critical, but it did show me that we had ssh running on port 22 and it also showed me all other ports that were open and had web servers running on them. I checked them all out and I found on various ports; the default Lion server webpage, SABNZBd, SickBeard, Transmission, and the unRAID server.
The website served by the unRAID server was asking for a username and password using basic access authentication. That was no use so I started looking into the other services. Not only were the operating interfaces unsecured, but their configuration sections were also open to anyone. I saw that SABNZBd was running as “admin” and that it had an option of running scripts when a download had completed. The method was to point SABNZBd to a folder containing scripts, start a download and then choose what script to run on completion. I knew I could download a file using SABNZBd or Transmission to any directory that the admin user had write permissions to, but I didn’t know at this stage how to make it executable.
I saw in SABNZBd’s preferences that I could specify the permissions (in octal format) of files and folders that were downloaded, so I ran SABNZBd on my machine, created a binary post on a newsgroup containing a script that was basically a reverse shell and tested a download to my machine with SABNZBd set to mark everything at 777. It created a folder with 777 permissions, but the file was only 555. Presumably this was for security reasons – damn!
At this point I was wishing that his machine was running Windows not OSX because SABNZBd on Windows only requires that a scripts file extension is in the PATHEXT environment variable. That would have been much easier than getting a file marked as executable.
I had to find another way of making an executable script on that machine. How could I get that machine to run my commands without having an executable script set… The web server or course. I created my single line PHP shell again (mentioned in a previous post) and set Transmission to download files to the Lion web server default folder, created a torrent containing my php script and downloaded the torrent to the server using transmission. I tested it, with the command whoami, and it worked. I was in, but I was only the user _www.
What could I do as _www? Not much, but I was able to create a reverse shell using netcat and take a look around the system. I couldn’t access admin’s files yet, but of course I could write to /tmp. If I could write to /tmp, I could create a script and mark it as executable by everyone. Then I could get SABNZBd to run it! I started thinking about making a script that would create a reverse shell, then it dawned on me: create a public/private key pair and add it to /Users/admin/.ssh/authorized_keys.
I uploaded my public key using my php shell script, and then created an executable script in /tmp that appended my key to authorized_keys.
I started a new SABNZBd download (I decided to just download something that was small, free and released under the CC license) so as no to upset anyone. Obviously I now set my script to run. All went well and I could now ssh into the machine as the admin user without a password.
At this point I cleaned up everything I had downloaded and just left my key in place so I could log in. I took a look around, but I couldn’t see anything to do with the unRAID server, so I thought I should report how far I had got.
They were surprised, and while I didn’t get into the unRAID server, I had gotten a lot further than they thought anyone would be able to. As a result of this, they have since enabled logins on all their web services and removed my public key, but they still do have some vulnerabilities, like ssh running on a default port and allowing password authentication (ripe for brute forcing). They are a lot safer than they were, but it may well be worth me going back and having another go at some point in the future.
A lot of the methods that I have used in this test were inspired by the challenges I have been working through in hackthissite.org and exploit-excercises.com and I’m very grateful to them for making the challenges.
I’m tempted to try and create a VM with this vulnerable setup and release it. I would have to check the licences, but I think most of it could be done using open source solutions (linux, apache, sabnzbd, transmission)
I didn’t believe those skills from hackthissite/nebula could be of any use, but you proved me wrong! Nice job man, I love this article. Just one consideration for you: how about creating RSS feed for your website? 🙂
Thanks for the comment. To be honest I didn’t think I would update this blog often enough that anyone would want to subscribe to an RSS feed, but if you’d like I can probably set that up?
Well, I would like to subscibe to your blog. Frequency of updates doesn’t matter, at least you won’t spam my RSS reader 😉 But of course, that depends on you, I never set up RSS feed before so I have no idea how much trouble it is.
Done, check the top of the column on the right just under the beans!
I think I love you! Thank you very much 😀
hi Graeme, very interesting article. i wonder if you know – is it possible to password-protect the transmission webgui under UNRAID?
I’m not sure as I don’t have an UnRAID box myself, but I can’t see why not. I know someone who uses UnRAID and probably also uses transmission so I can ask them if you’d like?
Update: Oh – this person used both, though transmission wasn’t running on his UnRAID sever. I’ll ask them if they moved transmission over to the UnRAID
Hey. Just wondering — what about sniffing the UnRAID credentials? You said that it’s running over basic access authentication, which is only base64 encoded. Maybe that interface is running over HTTPS, but you now have root so you can get the certificate for that, start sniffing traffic, and then have your friend log into UnRAID. You could even sabotage UnRAID to force him to login and fix it if asking him to log in is not realistic.
That’s a great idea, nice one. Unfortunately he’s tightened up his security and removed most of the attack surface that I used, so I’d have to start all over.