Gentoo Forums
Breaking into root from standard user via SSH
Techbart
n00b
Joined: 24 Jun 2014
Posts: 23
Location: Sweden

Posted: Sun Jun 29, 2014 8:20 am    Post subject: Breaking into root from standard user via SSH

I have a bit of an odd question to ask. Is it possible for a user who has been created with useradd to somehow gain access to root tty via SSH? I only ask because last night I added a user through SSH using VX Connect Bot on my Android, logged out as root, then logged the new user in so they could change their password. I can't be 100% sure if my memory serves me correctly, but when I checked my phone again I noticed root was logged in, but I only remember logging in the new user before handing it to them for setting up their password, and have no memory of logging in as root again afterwards.

I know this sounds a bit vague, but I'm driving myself crazy wondering if either the person I handed my phone to was some kind of evil genius who could log into root from a freshly created account with no special permissions, or if I had simply forgotten that I'd logged back into root later. Any thoughts on the matter would be greatly appreciated.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 43764
Location: 56N 3W

Posted: Sun Jun 29, 2014 8:26 am

Techbart,

Yes, it's possible, even trivial. Your ssh user could root your phone the same way you did.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Techbart
n00b
Joined: 24 Jun 2014
Posts: 23
Location: Sweden

Posted: Sun Jun 29, 2014 9:18 pm

Ah, sorry, I should have been a bit more clear in my description. What I meant was that they seemed to be able to gain root to my Gentoo box via an SSH session from my Android phone, after I had logged out root for setting up their account, and logging in their newly-made account so they could change their own password. I'm wondering if it's somehow possible to gain access to root via SSH to my Gentoo box from a standard user account, also on the Gentoo box.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 43764
Location: 56N 3W

Posted: Mon Jun 30, 2014 4:42 pm

Techbart,

That depends on your install. I had it done to me. The intruder removed /etc, so it didn't go undetected for long.
It needs a locally exploitable privilege escalation bug in your install and the attacker needs to be willing and know how to exploit it.

Look at the suspect user's .bash_history.
If .bash_history is blank, then it's been deliberately removed ... be suspicious.
It might hold some evidence of what the user was doing.
_________________
Regards,

NeddySeagoon

Techbart
n00b
Joined: 24 Jun 2014
Posts: 23
Location: Sweden

Posted: Mon Jun 30, 2014 10:15 pm

Hmm, it's seeming more like it was a case of bad memory on my part by the sound of it. My Gentoo install was done following the Handbook, and I also installed sudo after, adding only my user account to the list. The only other thing that has been done after finishing a full Gentoo install using the latest x64 image (which was checksummed from official source), was to install samba, Oracle Java and a Minecraft server on top of that. The guy I handed my phone to for setting up his password had it for no more than 5 minutes, so unless he knew ahead of time of an exploit that could be done using an Android phone that was SSHd into my Gentoo box, it's probably unlikely that he'd managed to get to my root, and that I'd simply forgotten that I'd logged root myself after he'd finished with the phone.

Coincidentally enough, the first thing I tried was to look through the bash history for all accounts, but I'd also forgotten to set up his user account with a /home folder, so there was no bash history I could find there. I'm just putting it down to a night of terrible memory on my part and sloppy account management, but it was driving me crazy not knowing :p. Either way, thanks for helping to clear my paranoia on that one :)
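
The .bash_history check suggested earlier in the thread, including the case from the last post where the account has no home directory, can be scripted as below. This is an added example, not code from any poster; the function name `audit_history`, the state labels, the optional root-prefix argument and the UID threshold of 1000 are assumptions of this sketch.

```shell
# Added example: classify the shell-history state of every login-capable account.
# Usage: audit_history [passwd_file] [root_prefix]
#   root_prefix (assumed helper argument) lets the check run against a mounted
#   disk image or a constructed test tree instead of the live system.
audit_history() (
    passwd_file="${1:-/etc/passwd}"
    prefix="${2:-}"
    while IFS=: read -r user _pw uid _gid _gecos home shell; do
        # Skip comment or malformed lines with a non-numeric UID.
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        # Only accounts that can obtain an interactive shell matter here.
        case "$shell" in ''|*/nologin|*/false) continue ;; esac
        # root plus regular users; 1000 is an assumed UID_MIN, adjust to login.defs.
        [ "$uid" -eq 0 ] || [ "$uid" -ge 1000 ] || continue
        hist="$prefix$home/.bash_history"
        if [ ! -d "$prefix$home" ]; then
            state="NO_HOME"    # e.g. useradd without -m: bash had nowhere to write
        elif [ -L "$hist" ]; then
            state="SYMLINK"    # history redirected elsewhere, nothing recorded here
        elif [ ! -e "$hist" ]; then
            state="MISSING"    # no shell exited cleanly yet, or the file was deleted
        elif [ ! -s "$hist" ]; then
            state="EMPTY"      # zero bytes: the "blank" case, treat as suspicious
        else
            state="PRESENT"
        fi
        printf '%s %s\n' "$user" "$state"
    done < "$passwd_file"
)

# Live system:   audit_history
# Mounted image: audit_history /mnt/img/etc/passwd /mnt/img
```

A PRESENT result is weak evidence on its own, because the file is owned and writable by the user it describes. The login records shown by `last` are the better cross-check for when root actually logged in.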