[ubuntu-hardened] CONFIG_DEVKMEM option and checksec.sh script: Syntax error, root user.

Tyler Hicks tyhicks at canonical.com
Mon Aug 29 16:04:53 UTC 2016


On 08/29/2016 10:31 AM, daniel curtis wrote:
> 
> Hello
> 
> Probably all of you know 'checksec'[1] - a bash script to check/list
> the status of various Linux kernel protection mechanisms and the
> properties of executables such as RELRO, NoExecute (NX), Stack Canaries,
> ASLR and PIE etc. It was originally written by Tobias Klein.
> 
> A couple of days ago I decided to run 'checksec' 1.5 ver., on one of my
> testing machines with 12.04 LTS Release. And something strange happened.
> As we know by default, the root account password is locked in Ubuntu,
> right? This means that the user cannot log in as root or use the su(1)
> command etc.
> 
> So, I used the 'chmod +x' command to make the script executable and ran
> 'checksec' with the '--kernel' flag (for testing purposes). Here's the result:
> 
> user at test[~]$ ./checksec.sh --kernel
> user at test[~]$ sudo ./checksec.sh --kernel
> root at test[~]$
> 
> Wait, I've become a root user? How is it possible? There is a 'Syntax
> error:' when exiting:
> 
> root at test[~]$ exit
> exit
> ./checksec.sh: 232: ./checksec.sh: Syntax error: "(" unexpected
> (expecting "fi")
> 
> It all happened when there was '/bin/bash' at the beginning instead of
> '#!/bin/bash'. I made a mistake. But is it possible to become a
> root user in such a situation? It seems that line 232 is responsible for
> checking PaX support etc. (see script: # first check for PaX support).
> 
> Everything seems to work okay after adding '#!/bin/bash' to the script.
> However, checking - for example - '/bin/ls' there is similar syntax error:
> 
> user at test[~]$ sudo ./checksec.sh --file /bin/ls
> ./checksec.sh: 232: ./checksec.sh: Syntax error: "(" unexpected
> (expecting "fi")
> 
> But it does not apply to my question about becoming a root user on a
> system where this account is locked. What do you think about this? Is
> this normal or not? Could a lack of '#!/bin/bash' provide root access?

The root account is locked in the sense that you cannot directly log in
as root. However, you can use sudo to raise your privileges in order to
carry out system administration activities.

In your case, you had a script that incorrectly started with `/bin/bash`
instead of `#!/bin/bash`. If you ran that script with `sudo bash
<SCRIPT>` then it is effectively the same as running `sudo /bin/bash`.
Try it. You'll get a root shell if your user is part of the sudo group
and you enter your password correctly.

> One more thing: there is information about CONFIG_DEVKMEM, which is
> set to "n" (according to wiki) on Security/Feature wiki page[2], right?
> So why is this option not set in the 12.04 LTS Release? I'm just asking...
> 
> [~]$ grep CONFIG_DEVKMEM /boot/config-3.2.0-109-generic-pae
> # CONFIG_DEVKMEM is not set

That comment saying that CONFIG_DEVKMEM is not set is the equivalent of
CONFIG_DEVKMEM=n. This is a quirk of the kernel config file.

Tyler

> 
> Best regards.
> _____________
> [1] http://www.trapkit.de/tools/checksec.html,
> https://github.com/slimm609/checksec.sh
> [2] https://wiki.ubuntu.com/Security/Features#dev-kmem
> 
> 
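
Added example, not part of the original thread: a small shell helper that reads a kernel config file the way the reply describes, treating `# CONFIG_X is not set` as `n`, and separating that from a symbol that does not appear in the file at all. The function names `kconfig_state` and `kconfig_audit` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Kconfig symbol in a kernel config file.
# kconfig_state and kconfig_audit are hypothetical helper names.

# Print y, m, n, a literal value, or "absent" for symbol $1 in file $2.
kconfig_state() {
    sym=$1 file=$2
    # Disabled symbols are written as a comment, not as SYMBOL=n.
    if grep -qx "# ${sym} is not set" "$file"; then
        echo n
        return 0
    fi
    # Anchor on "SYMBOL=" so CONFIG_DEVMEM does not match CONFIG_DEVMEM_X.
    line=$(grep "^${sym}=" "$file" | head -n 1)
    [ -n "$line" ] || { echo absent; return 0; }
    echo "${line#*=}"
}

# Compare "SYMBOL=expected" pairs against the file; return 1 on any mismatch.
kconfig_audit() {
    file=$1; shift
    rc=0
    for pair in "$@"; do
        sym=${pair%%=*} want=${pair#*=}
        got=$(kconfig_state "$sym" "$file")
        if [ "$got" = "$want" ]; then
            echo "ok   $sym=$got"
        else
            echo "FAIL $sym=$got (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not taken from a real /boot/config-* file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# CONFIG_DEVKMEM is not set
CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
EOF

kconfig_audit "$SAMPLE" CONFIG_DEVKMEM=n CONFIG_STRICT_DEVMEM=y
```

An `absent` result means the symbol is not in the file in either form, so it should be reviewed rather than read as disabled.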

