[luau] Lilo to get root shell

Dustin Cross dusty at sandust.com
Tue Jul 2 10:21:00 PDT 2002


Just received this from the ITworld LINUX SECURITY newsletter and thought
some would find it interesting.


--- July 02, 2002
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters


Another Backdoor to Root Access
By Brian Hatch

In last week's article, I showed you how to enter single user mode at the
lilo prompt, a la:

    lilo: linux single

or

    lilo: linux 1

Both of those arguments tell init to boot into runlevel 1. If you have
sulogin set to run, then single user mode is only available if you know the
actual root password, which is a good thing. However, another method exists
for you to gain passwordless root access without using single user mode at
all.

Normally, the Linux kernel launches /sbin/init once it has finished
booting. init is responsible for starting all the programs appropriate for
your given runlevel, based on the entries in the /etc/inittab file. That's
why init is always process #1 (PID 1) when you do a 'ps'. However, we can
tell the kernel to run a different program instead of /sbin/init by using
the 'init=' option on the lilo command line:

    lilo: linux init=/bin/bash

Now the kernel will launch /bin/bash as root. Voila! A root shell, no
questions asked. You could run anything you wanted, but /bin/bash is
probably the most convenient choice.

When you boot Linux in this manner, you'll find that your root filesystem is
mounted read-only[1] (and nothing else is mounted at all). Once you're at a
shell though, fixing this is trivial:

    # fsck /
    # mount -o remount,rw /

So you can see that enabling sulogin is not sufficient to prevent someone
at the console from getting a root shell; you must create password
restrictions for your kernel definitions to prevent anyone from passing
command-line arguments to the kernel. I showed you how to do this last
week, but let's recap.

Add 'restricted' and 'password' options to the relevant /etc/lilo.conf
kernel definition[2]:

    image=/boot/vmlinuz
        label=linux
        restricted
        password=suLoginIsntSufficient
        read-only
        root=/dev/hda7

Of course, don't forget to make the lilo.conf file unreadable by local
users:

    # chmod 600 /etc/lilo.conf

And now re-run lilo when you're done:

    # lilo

If you're paranoid, then you can always make lilo.conf immutable
(unchangeable) with chattr[3]:

    # chattr +i /etc/lilo.conf

If you ever do need to make changes, then you'll need to turn off the
immutable bit first:

    # chattr -i /etc/lilo.conf
    # $EDITOR /etc/lilo.conf
    # chattr +i /etc/lilo.conf
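As an added example (not part of the article, and not a LILO tool), here is
a small POSIX shell audit that checks a lilo.conf for the protections just
described: it parses the image stanzas, reports any that neither carry nor
inherit both 'restricted' and 'password', and checks that the file mode
keeps the clear-text password away from local users and whether the
immutable bit is set. It assumes the lilo.conf syntax shown on the page
(global options first, then image= stanzas whose indented options run until
the next stanza), strips '#' comments, and runs its demo on a constructed
sample config rather than a real /etc/lilo.conf. The stat and lsattr calls
are GNU-style with a BSD stat fallback.

```shell
#!/bin/sh
# Added example, not from the article: audit a lilo.conf for the
# 'restricted'/'password' protections and the file permissions discussed
# above. Assumes the syntax shown on the page: global options first, then
# image=/other= stanzas whose options follow until the next stanza.

# Print one line per image stanza:  <label> restricted=yes|no password=yes|no
# A 'restricted' or 'password=' in the global section (before the first
# image) applies to every image, as note [2] of the article says, so it is
# treated as inherited by each stanza.
lilo_audit_images() {
    awk '
        function flush() {
            if (in_img) {
                r = (img_r || glob_r) ? "yes" : "no"
                p = (img_p || glob_p) ? "yes" : "no"
                printf "%s restricted=%s password=%s\n", label, r, p
            }
        }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == "" { next }
        /^(image|other)[ \t]*=/ {
            flush()
            in_img = 1; img_r = 0; img_p = 0
            label = $0; sub(/^(image|other)[ \t]*=[ \t]*/, "", label)  # default label
            next
        }
        /^label[ \t]*=/ {
            if (in_img) { label = $0; sub(/^label[ \t]*=[ \t]*/, "", label) }
            next
        }
        $0 == "restricted"  { if (in_img) img_r = 1; else glob_r = 1; next }
        /^password[ \t]*=/  { if (in_img) img_p = 1; else glob_p = 1; next }
        END { flush() }
    ' "$1"
}

# Labels of stanzas that still accept arbitrary kernel arguments at the
# boot prompt (so 'label init=/bin/bash' works): anything lacking either
# 'restricted' or 'password'.
lilo_weak_images() {
    lilo_audit_images "$1" |
        awk '$2 != "restricted=yes" || $3 != "password=yes" { print $1 }'
}

# The password sits in lilo.conf in clear text, so the file must not be
# group/other readable. Returns 1 when the mode allows that; the immutable
# bit is reported but not required (it only exists on ext2/ext3-style
# filesystems, and lsattr fails elsewhere).
lilo_check_file() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    status=0
    case "$mode" in
        *00) ;;
        *) echo "WARN: $1 has mode $mode, expected 600 (chmod 600 $1)"; status=1 ;;
    esac
    if command -v lsattr >/dev/null 2>&1 &&
       lsattr "$1" 2>/dev/null | awk '{ print $1 }' | grep -q i; then
        echo "OK: $1 is immutable"
    else
        echo "INFO: $1 is not immutable (chattr +i $1 on ext2/ext3)"
    fi
    return $status
}

# Demo on a constructed lilo.conf (sample input, not a real system file):
# 'linux' is protected as in the article, 'rescue' was left unprotected.
lilo_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
boot=/dev/hda
prompt
timeout=50
default=linux

image=/boot/vmlinuz
    label=linux
    restricted
    password=suLoginIsntSufficient
    read-only
    root=/dev/hda7

# no restricted/password here: 'rescue init=/bin/bash' still gives a shell
image=/boot/vmlinuz.old
    label=rescue
    read-only
    root=/dev/hda7
EOF
    chmod 644 "$tmp"            # deliberately too permissive for the demo
    lilo_audit_images "$tmp"
    echo "weak images: $(lilo_weak_images "$tmp" | tr '\n' ' ')"
    lilo_check_file "$tmp" || true
    rm -f "$tmp"
}

lilo_demo
```

Run it against the real file with `lilo_weak_images /etc/lilo.conf` and
`lilo_check_file /etc/lilo.conf` after editing; an empty list from the first
and a clean exit from the second mean every image is covered and the
password is not world-readable. Remember that this only audits the config:
the protection takes effect on the next boot only after re-running lilo.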

So, does this mean we're completely secure now? Nope, sadly not. Other ways
remain that provide root access to the machine, such as booting from
alternate devices like a floppy/CD[4] or just pulling out the disk and
mounting it on a different machine and accessing it there directly, but
we've covered the most direct and simple methods via our lilo
configurations.

NOTES

[1] You could have the kernel mount '/' read write by specifying:

        lilo: linux rw init=/bin/bash

at the lilo prompt. However, I like to fsck the drive manually and remount.
Call me paranoid.

[2] Actually, you can use restricted or password in the global section as
well, not just in an image definition. However, I like having different
passwords for each image, so I don't put 'password' in the global section.
Restricted, on the other hand, is fine if you want them all restricted.

[3] chattr only works on ext2/ext3 file systems.

[4] Most BIOSes can disable or password-protect the ability to boot off other
devices. I leave that as an exercise for the reader so we can get on to more
interesting topics again next week.

About the author(s)
-------------------
Brian Hatch is Chief Hacker at Onsight, Inc, and author of Hacking Linux
Exposed and Building Linux VPNs. Brian can be reached at
brian at hackinglinuxexposed.com.