
How to practice the configuration, patching and exploitation of Solaris 10 x86 vulnerabilities in VirtualBox

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains in detail how to practice the configuration, patching and exploitation of Solaris 10 x86 vulnerabilities in VirtualBox. The content is of high quality, so the editor shares it for your reference. I hope you will have a good understanding of the relevant knowledge after reading it.

You will learn how to practice configuration, patching and exploitation of Solaris 10 x86 vulnerabilities in VirtualBox. In fact, this is quite a routine thing for someone like me who has worked in information security for many years, especially if you are also a UNIX system administrator.

In the past it was difficult to get hands-on with every architecture, because the hardware was rare and very expensive. Now, with the spread of virtualization technology (Qemu, VirtualBox, VMWare, AlphaVM, simh), all of this is becoming easy.

Solaris (Solaris 10)

Solaris is a computer operating system developed by Sun Microsystems. Updates to Solaris 10 were officially stopped in January 2018.

We will use the x86 port and run the x86_64 version of it in Oracle VirtualBox on Linux x86_64 (I'm using Mint 19.1).

Next, let's start installing Solaris 10 in VirtualBox on Linux. Here is what we are going to use (assuming the Linux distribution has already been set up with the basics):

Linux x86_64 (Linux Mint 19.1)

VirtualBox 6.0.10 (https://www.virtualbox.org/wiki/Linux_Downloads)

Solaris 10 x86 (ftp://ftp.deu.edu.tr/pub/Solaris/iso/Solaris-10,8_11/sol-10-u10-ga2-x86-dvd.iso)

Solaris 10 x86 Oct-2017-CPU (ftp://ftp.deu.edu.tr/pub/Solaris/patch/x86/10_x86_Recommended.zip)

Networking.sh (a custom script for setting up the host-only network adapter)

Networking.sh

# Setup tap and bridge
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0
#ifconfig eth0 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0 vboxnet0
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
#iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE

Please make sure that you have installed the uml-utilities and bridge-utils packages and that they work properly. (Note: the eth0 lines are commented out here; enable them only if you want to connect the emulated network to the physical network and make it reachable from other devices.)

# apt-get install uml-utilities bridge-utils

One important note about the vboxnet0 interface: on my system it only exists after VirtualBox has been started. So after a reboot, start VirtualBox first and only then run the networking.sh script.

Now, let's get started! Installing Solaris 10 in VirtualBox is very simple. We create a new virtual machine using the "Oracle Solaris 10 10/09 and later (64-bit)" template available in VirtualBox. For the network, we use a Host-only Adapter attached to vboxnet0. For the disk, we allocate no less than 30 GB of storage (needed because of /usr/pkgsrc).

We will use the ZFS file system, so choose the Grub entry with ZFS kernel support. The following is the network configuration I will use for Solaris10 VM.

And follow the following DNS entry (if you have your own DNS, you can also use your own DNS)

We install everything from the Solaris 10 DVD ISO, set the root password, and so on. Once the installer has finished and shut down the system, remove the Solaris 10 DVD ISO from the VM and boot from the new disk. Wait a while at the console (do not log in yet) for X11 to appear. I like CDE, so I change the default desktop to CDE.

Do not register with Oracle after logging in as root (we don't need to, because we will bootstrap pkgsrc).

Next, we download the October 2017 CPU patch for Solaris 10 x86_64 and install it (this is the last Solaris 10 CPU from Oracle unless you have extended support).

Do the following on our Linux host:

$ mkdir -p SOL10/patch
$ cd SOL10/patch
$ wget ftp://ftp.deu.edu.tr/pub/Solaris/patch/x86/10_x86_Recommended.zip
$ unzip 10_x86_Recommended.zip
$ mkisofs -iso-level 3 -J -joliet-long -rock -input-charset utf-8 -o patch.iso 10_x86_Recommended/

Next, we attach this new patch.iso to the VirtualBox CD-ROM and reboot into single-user mode (this is a good idea for CPU patching on Solaris).

This is how I entered single-user mode from a CDE dtterm:

# shutdown -g 0

Once in single-user mode on Solaris 10, mount the ISO containing the Oct-2017 CPU:

# mount -r -F hsfs /dev/dsk/c0t1d0s0 /cdrom/cdrom
# cd /cdrom/cdrom

Now we run the patch set:

# ./installpatchset --s10patchset

You can relax by making a cup of coffee or tea now, because it may take you a while to wait. After the repair process is complete, restart.

Let's check the kernel version to see whether the patch has been applied. As you can see, we are now running the October 2017 kernel. Two years ago, two tools developed by the NSA specifically to attack Solaris systems, "EXTREMEPARR" and "EBBISLAND", were disclosed. A logged-in user can use them to escalate to root privileges, and root access can also be obtained remotely over the network. These two tools work against Solaris versions 6 to 10 on x86 and SPARC, and version 11 is not immune either. The exploit code can be obtained here. The CDE local privilege escalation exploit is what we will discuss later.

# uname -a
SunOS solaris10 5.10 Generic_150401-55 i86pc i386 i86pc
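A small check for the step above, added here as an example and not part of the original article: it parses the kernel field of a uname line, extracts the Generic_<patch>-<revision> level, and compares it against a required minimum. The sample uname line is constructed from the output shown above; the "150401-55 means the Oct-2017 CPU level" mapping is taken from the article, and the assumption that a higher kernel patch id always means a newer kernel update is mine.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a Solaris 10 x86
# uname line reports at least a required Generic_<patch>-<rev> kernel level.
# Sample line constructed from the article's own uname output.
SAMPLE_UNAME="SunOS solaris10 5.10 Generic_150401-55 i86pc i386 i86pc"

# kernel_patch_level "<uname -a line>" -> prints e.g. "150401-55"
kernel_patch_level() {
    # field 4 of uname -a is the kernel version string, e.g. Generic_150401-55
    set -- $1
    printf '%s\n' "$4" | sed 's/^Generic_//'
}

# patch_level_ok "<patch>-<rev>" "<min_patch>-<min_rev>"
# exit 0 if the level is at or above the minimum, 1 if older, 2 if unparsable
patch_level_ok() {
    case $1 in [0-9]*-[0-9]*) ;; *) return 2 ;; esac
    have_patch=${1%-*}; have_rev=${1#*-}
    min_patch=${2%-*};  min_rev=${2#*-}
    # assumption: a higher kernel patch id is always a newer kernel update
    if [ "$have_patch" -gt "$min_patch" ]; then return 0; fi
    if [ "$have_patch" -eq "$min_patch" ] && [ "$have_rev" -ge "$min_rev" ]; then
        return 0
    fi
    return 1
}

# check_host ["<uname -a line>"] -> report against the Oct-2017 CPU level;
# on the Solaris guest call it as: check_host "$(uname -a)"
check_host() {
    level=$(kernel_patch_level "${1:-$SAMPLE_UNAME}")
    if patch_level_ok "$level" "150401-55"; then
        echo "kernel $level: Oct-2017 CPU level or later"
        return 0
    fi
    echo "kernel $level: older than Oct-2017 CPU or unrecognised, patch needed"
    return 1
}
```

Run it with no argument to exercise the sample line, or pass "$(uname -a)" on the guest; a non-zero exit means the kernel is below the expected level.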

Now, let's check whether the GCC compiler is installed, and install it if not. Attach the Solaris 10 installation DVD ISO to the VirtualBox CD-ROM again; Solaris will mount it automatically.

# cd /cdrom/sol_10_811_x86/Solaris_10/Product
# pkgadd -d . SUNWgcc  (answer y)

To verify the installation, confirm that there is a working GCC compiler (version 3.4.3):

# /usr/sfw/bin/gcc -v

Now, we should prepare for pkgsrc bootstrap. Let's download the Q2-2019 stable snapshot first.

# cd /usr
# ftp ftp.netbsd.org  (log in as anonymous or ftp)
ftp> pass
ftp> cd pub/pkgsrc/pkgsrc-2019Q2
ftp> get pkgsrc.tar.gz
ftp> quit
# gunzip pkgsrc.tar.gz
# tar -xvf pkgsrc.tar
# rm pkgsrc.tar

Once the tarball is extracted, we can set up the bootstrap environment accordingly

https://wiki.netbsd.org/pkgsrc/how_to_use_pkgsrc_on_solaris/

Do not run bootstrap with the included bash shell in Solaris, use the default sh!

# cd /usr/pkgsrc/bootstrap
# env CFLAGS=-O2 CC=/usr/sfw/bin/gcc ./bootstrap

If all goes well, we should see a hint of success status (it took about 5 minutes on Core i5 Panasonic CF-53).

Before we can build anything, we need to set some options in /usr/pkg/etc/mk.conf:

CC=/usr/sfw/bin/gcc    # needed to get the newer GCC compiled; we will change it later
X11_TYPE=modular
PKG_DEVELOPER=yes
PKG_DEFAULT_OPTIONS+=freetype truetype mmx subpixel official-mozilla-branding
FETCH_USING=fetch

In addition, there are some other things we need to prepare before we start compiling GCC6.

Now we can use the native bash:

# bash

Let's set an extra binary path for shell (you can add it to your configuration file later)

# export PATH=/usr/sbin:/usr/bin:/usr/dt/bin:/usr/ucb:/usr/ccs/bin:/usr/sfw/bin

Clean the digest work directory and install it:

# cd /usr/pkgsrc/pkgtools/digest
# rm -rf work
# /usr/pkg/bin/bmake install clean clean-depends

If you are building with PKG_DEVELOPER=yes in mk.conf, build perl first, because otherwise package creation fails with the error "perl interpreter for Trace.pm not existing". For the perl build itself, temporarily set PKG_DEVELOPER=no in /usr/pkg/etc/mk.conf.

# cd / usr/pkgsrc/lang/perl5# / usr/pkg/bin/bmake install clean clean-depends

Once the perl build is complete, we can set it back to PKG_DEVELOPER = yes in mk.conf and continue building.

Now we finally switch to GCC 6!

# cd / usr/pkgsrc/lang/gcc6# / usr/pkg/bin/bmake install clean clean-depends

Once we have compiled GCC6, we must set / usr/pkg/etc/mk.conf to use the new CC and CXX variables, as follows:

CC=/usr/pkg/gcc6/bin/gcc
CXX=/usr/pkg/gcc6/bin/g++

P.S. I'll keep this section open and add additional comments when building the pkgsrc package on Solaris10. You can see more details here.

Now we add /usr/pkg/bin:/usr/pkg/sbin:/usr/pkg/gcc6/bin to our PATH, because we have a new working compiler.

# export PATH=/usr/sbin:/usr/bin:/usr/dt/bin:/usr/ccs/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/pkg/gcc6/bin
# ln -s /usr/ccs/bin/ar /usr/bin/ar
# ln -s /usr/ccs/bin/ranlib /usr/bin/ranlib

INFOSEC section - test some 0days on Solaris! CVE-2019-2832

We can use the new GCC 6 or the older GCC 3; both work fine. In this case I'm using the native gcc 3.4.3, which saves a lot of time for those who want to skip the gcc6 compilation step.

We will now create a standard user and set the password

# useradd -m -d /export/home/user -s /usr/bin/bash user
# passwd user

Then define some new .profile variables so that we can use /usr/pkg when logged in as user (or via # su - user).

Once logged in as user, we can download and build Raptor's (https://twitter.com/0xdea) dtprintinfo exploit. On the Linux host, download the exploit code from https://raw.githubusercontent.com/0xdea/exploits/master/solaris/raptor_dtprintname_intel.c and upload it to the Solaris 10 VM via FTP.

$ wget https://raw.githubusercontent.com/0xdea/exploits/master/solaris/raptor_dtprintname_intel.c
$ ftp 10.0.2.12
Name (10.0.2.12:user): user
331 Password required for user.
Password:
ftp> put raptor_dtprintname_intel.c

On the Solaris 10 VM, we compile the code as user and run it from a DT session.

$ /usr/sfw/bin/gcc raptor_dtprintname_intel.c -o raptor_dtprintname_intel -Wall
$ ./raptor_dtprintname_intel 10.0.2.12:0.0

However, this fails with an error that the Xlib connection to 10.0.2.12:0.0 was rejected by the server (the default behaviour after installation). X11 access for remote hosts is authorized or forbidden as root with xhost:

# xhost +           (allow everyone to connect to X11; not a good idea)
# xhost -           (forbid everyone who is not explicitly authorized)
# xhost + 10.0.2.12 (better in our case, so that only the trusted host can connect to X11)

Let's run the exploit code again, and this time it will work:)

So now we can fix the CDE privilege escalation issue from the exploited root shell, even without an official patch from Oracle (if you are lucky enough to have Oracle extended support, you can apply the July-2019 CPU patch the same way we applied the earlier one).

All you need to do is remove the setuid bit from the /usr/dt/bin/dtprintinfo binary.

# chmod -s /usr/dt/bin/dtprintinfo

This time the exploit clearly no longer works, because the issue has been patched.
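To make the mitigation above repeatable and verifiable, here is an added shell example (not from the original article) that generalises the single chmod -s: it lists every setuid binary under a directory such as /usr/dt/bin, strips the setuid and setgid bits from a named file, and confirms the bits are really gone. The directory and file names are parameters; /usr/dt/bin/dtprintinfo from the article is the intended target, but the functions work on any path.

```shell
#!/bin/sh
# Added example (not from the original article): audit a directory tree for
# setuid binaries and remove the bit from a chosen one, verifying the result.
# Usage on the guest (assumed, as root):
#   audit_setuid /usr/dt/bin; drop_setuid /usr/dt/bin/dtprintinfo

# list_setuid DIR -> print every regular file under DIR with the setuid bit set
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# is_setuid FILE -> exit 0 if FILE currently has the setuid bit
is_setuid() {
    [ -u "$1" ]
}

# drop_setuid FILE -> clear setuid and setgid bits, then confirm they are gone
drop_setuid() {
    chmod u-s,g-s "$1" || return 1
    if [ -u "$1" ] || [ -g "$1" ]; then
        echo "failed to clear setuid/setgid on $1" >&2
        return 1
    fi
    return 0
}

# audit_setuid DIR -> print the setuid files found; exit 1 if there are any,
# so the function can be used as a check in a hardening script
audit_setuid() {
    files=$(list_setuid "$1")
    if [ -z "$files" ]; then
        echo "no setuid files under $1"
        return 0
    fi
    echo "setuid files under $1:"
    printf '%s\n' "$files"
    return 1
}
```

Run audit_setuid before and after drop_setuid: the first call should list dtprintinfo and exit 1, the second should report no setuid files and exit 0. Keep in mind that other CDE binaries legitimately need setuid, so audit output is a review list, not a list of things to strip blindly.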

That is all on how to practice the configuration, patching and exploitation of Solaris 10 x86 vulnerabilities in VirtualBox. I hope the above content is helpful and teaches you something new. If you found the article good, please share it so more people can see it.


© 2024 shulou.com SLNews company. All rights reserved.
