May 29, 2008

Do you know how easy it is to pwn an Ubuntu box?

Maybe I'm not being 100% fair here. This is a quick and easy trick that I stumbled on yesterday while screwing around with my test Ubuntu server at work. In order to do this, one must have physical access to the machine. Like any piece of equipment, if you have physical access to the box, you can pwn the box.

The thing about Ubuntu is that, if you leave things at their default values, it is just as easy to own as a Windows machine. The reason is that since the root account isn't enabled by default, and users sudo their way around, they sometimes forget that the root account is still there and is all-powerful. All someone has to do to log in as root, change passwords, create new users, or anything else they want to do (they are root, after all) is reboot, press Esc when GRUB pops up, then boot into recovery mode.

[Image: Ubuntu recovery]

Once in recovery you can select to drop to a root shell prompt:

[Image: Ubuntu recovery root]

Since root isn't activated by default, guess what... root has no password! When you select this option you are automatically logged in as root!

Sure, but what if you don't know any Linux command line? Then what? No problem, you can run startx from the root shell, and now you are running X as root, and can continue pwning the machine.

What is a quick way to fix this, you may ask? Well, I first thought that if you give root a password by typing the following in a console:

sudo passwd root

it would fix it, but when I tried it I didn't get prompted when I went into recovery. I suppose a quick fix would be to back up your /boot/grub/menu.lst file, then comment out the recovery mode boot option. For example:

title Ubuntu hardy (development branch), kernel 2.6.24-8-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-8-generic root=UUID=062c96e8-709f-4f60-bb64-6779bc4ea1f8 ro single
initrd /boot/initrd.img-2.6.24-8-generic

would become:

#title Ubuntu hardy (development branch), kernel 2.6.24-8-generic (recovery mode)
#root (hd0,0)
#kernel /boot/vmlinuz-2.6.24-8-generic root=UUID=062c96e8-709f-4f60-bb64-6779bc4ea1f8 ro single
#initrd /boot/initrd.img-2.6.24-8-generic

This isn't a perfect fix though, as anyone with a live CD could boot from it and uncomment the entry in your menu.lst file, but it is better than nothing, and certainly better than a sharp stick in the eye.
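
The same edit can be scripted so that every recovery-mode stanza is caught, not just the one you spot by eye. The sketch below is an added example, not part of the original post: the function names and the normal-boot stanza (with its `quiet splash` options) are constructed for illustration, and it assumes a GRUB legacy menu.lst where a stanza runs from a `title` line to the next blank line or `title`.

```shell
#!/bin/sh
# Added example (not from the original post): comment out every GRUB legacy
# stanza whose kernel line boots with "single", as the post does by hand.

# Constructed sample menu.lst: one normal stanza plus the post's recovery stanza.
sample_menu_lst() {
    cat <<'EOF'
title Ubuntu hardy (development branch), kernel 2.6.24-8-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-8-generic root=UUID=062c96e8-709f-4f60-bb64-6779bc4ea1f8 ro quiet splash
initrd /boot/initrd.img-2.6.24-8-generic

title Ubuntu hardy (development branch), kernel 2.6.24-8-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-8-generic root=UUID=062c96e8-709f-4f60-bb64-6779bc4ea1f8 ro single
initrd /boot/initrd.img-2.6.24-8-generic
EOF
}

# Read a menu.lst (file argument or stdin); print it with recovery stanzas commented out.
comment_recovery_stanzas() {
    awk '
    function emit(   i, p) {           # print the buffered stanza
        p = recovery ? "#" : ""
        for (i = 1; i <= n; i++) print p buf[i]
        n = 0; recovery = 0
    }
    /^title[ \t]/ { emit(); in_stanza = 1 }
    in_stanza && /^[ \t]*$/ { emit(); in_stanza = 0; print; next }
    in_stanza {
        buf[++n] = $0
        if ($0 ~ /^[ \t]*kernel[ \t]/ && $0 ~ /[ \t]single([ \t]|$)/) recovery = 1
        next
    }
    { print }
    END { emit() }
    ' "$@"
}

# Count active (uncommented) kernel lines that still boot single-user.
count_recovery_stanzas() {
    awk '/^[ \t]*kernel[ \t]/ && /[ \t]single([ \t]|$)/ { c++ } END { print c + 0 }' "$@"
}

# Demo on the constructed sample; on a real box, back up first and work on a copy:
#   cp /boot/grub/menu.lst /boot/grub/menu.lst.bak
sample_menu_lst | comment_recovery_stanzas
```

Running `count_recovery_stanzas` on the result should print 0; a non-zero count means an uncommented single-user entry is still bootable from the GRUB menu.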

Do you have any other tips or suggestions to secure your Ubuntu box? Hit me up in the comments!
