Solaris 10 x86 in VirtualBox InfoSec exercise ( CVE-2019-2832)

One good lesson I have learned over the years from the  InfoSec perspective, is to be able to perform the boring things every UNIX admin knows by heart and is their daily routine. That is a full A-Z installation and setup of the environment and patching. (Yes – patching – lets put it this way .. Patch Management crash-course for Solaris 10 with pkgsrc bootstrap and OS installation  basics)

It used to be difficult in the past to master all the various architectures simply because HW was hard to get, was expensive ..  nowadays I believe things are much easier thanks to Virtualisation technology (Qemu, VirtualBox, VMWare, AlphaVM, simh)

This time we will look at the last true Solaris (Solaris 10) which died with Oracle ending the regular support on Jan-2018.  We will use the x86 port and run the x86_64 version of it in Oracle VirtualBox on Linux x86_64 (Im using Mint 19.1)

So lets get started and install Solaris 10 in VirtualBox on Linux – here is what we will use and need (Assume we have some Linux distribution setup already)

networking.sh 

#Setup tap and bridge 
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0
#ifconfig eth0 10.0.2.1 up 
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 vboxnet0 
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
#iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

Make sure we have the uml-utilities and bridge-utils for the above to work (note the commented out eth0 entry – this is only used if you wish to connect the emulation to a physical network and made available to other devices there)

# apt-get install uml-utilities bridge-utils

Also an important note here for the vboxnet0 interface is only available on my system only after VirtualBox starts, so please bear that in mind after reboot and running the networking.sh script

So lets get going.  Installing Solaris 10 in VirtualBox is really simple. We will use for the new VM creation the Oracle Solaris 10 10/09 and later (64bit) template available in VirtualBox.  For network we will be using  Host-only-Adapter  and vboxnet0   For the disk we will set minimum of 30 GB because of /usr/pkgsrc

We will be using ZFS filesystem so choose the Grub entry with ZFS kernel support. Here is the network configuration I will be using for the Solaris10 VM

And following DNS entries (if you have your own, use your own DNS)

We will install everything from the Solaris 10 DVD ISO, setup your root password etc…  Once the installer finishes shut down the system, remove the Solaris 10 DVD ISO from the VM and boot the new disk.   Wait for a while in the console (do not yet login) for the X11 to come up. I love CDE, so I have switched the default desktop to CDE

After logging in as root (security !!) do not register to Oracle (we don’t need this since we will pkgsrc bootstrap anyways.

Next we download the 2017 October CPU patch for Solaris10 x86_64 and install it (This is the last Solaris10 CPU from Oracle, unless one has the extended support ..)

On our Linux host do the following

$ mkdir -p SOL10/patch
$ cd SOL10/patch
$ wget ftp://ftp.deu.edu.tr/pub/Solaris/patch/x86/10_x86_Recommended.zip
$ unzip 10_x86_Recommended.zip
$ mkisofs -iso-level 3 -J -joliet-long -rock -input-charset utf-8 -o patch.iso 10_x86_Recommended/

Next we add this new patch.iso to our VirtualBox CDROM and reboot to single-user mode (for CPU patching on Solaris its a good idea)

Actually this is how I got into a single user mode when I ran from CDE dtterm

# shutdown -g 0

Once in Single User mode in Solaris10, mount the ISO with the Oct2017 CPU

# mount -r -F hsfs /dev/dsk/c0t1d0s0/ /cdrom/cdrom
# cd /cdrom/cdrom

Now we will run the patchset

# ./installpatchset --s10patchset

Lets prepare some tea or coffee now – this will take some time (Again this could be a good exercise to all InfoSec people to actually try and do some patching of Solaris, instead of just hacking everything .. ) Once the patching process is finished, reboot.

We check the kernel version to see if the patch applied, great we are running the October 2017 kernel so this should keep those pesky NSA hackers out with the Ebbisland and Extremeparr exploits right ? (What about Raptor’s  https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintname_intel.c ) Nice CDE local privilege escallation exploit ? – we will get to this later on..)

# uname -a
SunOS solaris10 5.10 Generic_150401-55 i86pc i386 i86pc

Now lets double-check if  GCC compiler  is installed and install if its not.  Mount the Solaris 10 installation DVD iso in VirtualBox once again and Solaris will automount the ISO in the OS.

# cd /cdrom/sol_10_811_x86/Solaris_10/Product
# pkgadd -d . SUNWgcc (answer y)

We verify the install and that we have a working GCC compiler (3.4.3 from 2010)

# /usr/sfw/bin/gcc -v

OK now we should be ready to prepare for pkgsrc bootstrap. Lets download the Q2-2019 stable snapshot first.

# cd /usr
# ftp ftp.netbsd.org (login as anonymous or ftp)
ftp> pass
ftp> cd pub/pkgsrc/pkgsrc-2019Q2
ftp> get pgsrc.tar.gz
ftp> quit
# gunzip pkgsrc.tar.gz
# tar -xvf pkgsrc.tar
# rm pkgsrc.tar

Once the tarball is extracted we can setup the bootstrap environment accordingly
https://wiki.netbsd.org/pkgsrc/how_to_use_pkgsrc_on_solaris/
Do not run the bootstrap with the shipped bash shell in Solaris use the default sh !

# cd /usr/pkgrc/bootstrap
# env CFLAGS=-O2 CC=/usr/sfw/bin/gcc ./bootstrap

If all goes well we should get the nice success status printed after a while (took 5 minutes for me on Core i5 Panasonic CF-53)

Before we build anything we need to set some options in /usr/pkg/etc/mk.conf

CC= /usr/sfw/bin/gcc !! (this is needed to get newer GCC compiled, we will change it later)
X11_TYPE= modular
PKG_DEVELOPER=yes
PKG_DEFAULT_OPTONS+=freetype truetype mmx subpixel official-mozilla-branding
FETCH_USING=fetch

Also we must prepare a couple of other things before we start compiling GCC6  …
We can use the native bash now (which makes thing a little easier)

# bash

Lets set additional binary paths to our shell (you can add this to your profile later on)

# export PATH=/usr/sbin:/usr/bin:/usr/dt/bin:/usr/ucb:/usr/ccs/bin:/usr/sfw/bin

Cleanup digest working directory and install it

# cd /usr/pkgsrc/pkgtools/digest
# rm -rf .work
# /usr/pkg/bin/bmake install clean clean-depends

And build perl first since there is an error during package creation  “perl interpreter for Trace.pm not existing”  if we compile with PKG_DEVELOPER=yes in mk.conf  , so for perl we will change this to no as -> PKG_DEVELOPER=no in /usr/pkg/etc/mk.conf

# cd /usr/pkgsrc/lang/perl5
# /usr/pkg/bin/bmake install clean clean-depends

Then once perl builds we can set it back to PKG_DEVELOPER=yes in mk.conf  and continue the build.

We now finally move on to GCC 6 !

# cd /usr/pkgsrc/lang/gcc6
# /usr/pkg/bin/bmake install clean clean-depends

Once we have GCC6 compiled we must set the /usr/pkg/etc/mk.conf to use the new CC and CXX variables as follows:

CC=    /usr/pkg/gcc6/bin/gcc
CXX=   /usr/pkg/gcc6/bin/g++

P.S  I will keep this part open, and add additional notes as I build pkgsrc packages on Solaris10, you can check further details here https://astr0baby.wordpress.com/2019/07/29/pkgsrc-2019q2-on-solaris-10-x86/

Now is a good time to add /usr/pkg/bin:/usr/pkg/sbin/usr/pkg/gcc6/bin/ to our path since we have a new working compiler

# export PATH=/usr/sbin:/usr/bin:/usr/dt/bin:/usr/ccs/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/pkg/gcc6/bin
# ln -s /usr/ccs/bin/ar /usr/bin/ar
# ln -s /usr/ccs/bin/ranlib /usr/bin/ranlib

INFOSEC  part  – testing some 0days on Solaris ! CVE-2019-2832

We can use the shiny new GCC6 or the rusty old GCC3, both work either way, I have used in this example the native gcc 3.4.3 for those that want to skip the gcc6 compilation step (it takes considerable amount of time)

We will create our standard user now and set password

# useradd -m -d /export/home/user user -s /usr/bin/bash
# passwd user

And define some new .profile variables so that we can use the /usr/pkg goodies  , login as user (or # su – user)

Once we are logged in as user, lets download and build Raptor’s https://twitter.com/0xdea dtprintinfo exploit. On the Linux host download the the exploit code from here https://raw.githubusercontent.com/0xdea/exploits/master/solaris/raptor_dtprintname_intel.c  and FTP upload to the Solaris 10 VM

$ wget https://raw.githubusercontent.com/0xdea/exploits/master/solaris/raptor_dtprintname_intel.c
$ ftp 10.0.2.12 
user Name (10.0.2.12:user): user
331 Password required for user.
Password:
ftp> put raptor_dtprintname_intel.c

On the Solaris 10 VM we compile the code under user in the DT session and run.

$ /usr/sfw/bin/gcc raptor_dtprintname_intel.c -o raptor_dtprintname_intel -Wall 
$ ./raptor_dtprintinfo_intel 10.0.2.12:0

But we get na error that Xlib: connection to 10.0.2.12:0.0 was refused by the server (default behaviour after install) so lets allow all connections to the X shall we ? (security !!)  Run below as root to grant/disable X11 connections from remote hosts

# xhost +    (this is to allow all to connect to X11; not a good idea) 
# xhost -    (forbid all who are not authorized) 
# xhost +10.0.2.12 (in our case this would be better, so only trusted hosts can connect to X11)

As user lets re-run the exploit code again, it works this time :)

So now we can fix the above CDE privilege escallation from the exploited root shell, even if we do not have the official patch from Oracle (If you are lucky and have access to extended user support from Oracle then you can apply the July-2019-CPU patch just like we did earlier)  because after-all this is UNIX and there are many ways to get things done there

All that is needed is to remove (S)etuid bit from the /usr/dt/bin/dtprintinfo binary

# chmod -s /usr/dt/bin/dtprintinfo

This time obviously the exploit does not work, because the setuid bit it gone

If interested about the above bug, you can read more about it here https://lab.mediaservice.net/advisory/2019-01-cde-dtprintinfo.txt

So here we have learned a few thing right ? I hope you have enjoyed going throgh this just as I have enjoyed writing it and setting it up.

 

About astr0baby

Please run Adblock or similar... we have been told to do so since Carl Sagan wrote the Contact .
Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

2 Responses to Solaris 10 x86 in VirtualBox InfoSec exercise ( CVE-2019-2832)

  1. Pingback: Solaris 10 x86 in VirtualBox InfoSec exercise ( CVE-2019-2832) – Astr0baby’s not so random thoughts _____ rand() % 100; – The Library 6.0

  2. Pingback: 在Virtualbox中练习Solaris 10 x86漏洞的配置修补与利用 – NEWS.ALL

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.