One good lesson I have learned over the years from the InfoSec perspective is to be able to perform the boring things every UNIX admin knows by heart and does as a daily routine: a full A-Z installation and setup of the environment, and patching. (Yes, patching. Let's put it this way: a Patch Management crash course for Solaris 10, with pkgsrc bootstrap and OS installation basics.)
It used to be difficult in the past to master all the various architectures simply because the hardware was hard to get and expensive. Nowadays I believe things are much easier thanks to virtualisation technology (Qemu, VirtualBox, VMWare, AlphaVM, simh).
This time we will look at the last true Solaris (Solaris 10), which died when Oracle ended regular support in January 2018. We will use the x86 port and run the x86_64 version of it in Oracle VirtualBox on Linux x86_64 (I'm using Mint 19.1).
So let's get started and install Solaris 10 in VirtualBox on Linux. Here is what we will use and need (assuming we already have some Linux distribution set up):
- Linux x86_64 (Linux Mint 19.1)
- VirtualBox (6.0.10 – https://www.virtualbox.org/wiki/Linux_Downloads )
- Solaris 10 x86 ( ftp://ftp.deu.edu.tr/pub/Solaris/iso/Solaris-10,8_11/sol-10-u10-ga2-x86-dvd.iso)
- Solaris 10 x86 Oct-2017-CPU ( ftp://ftp.deu.edu.tr/pub/Solaris/patch/x86/10_x86_Recommended.zip )
- networking.sh (Custom script for setting up Host-Only-Adapter networking)
networking.sh
#Setup tap and bridge
# create the tap device owned by the unprivileged user (needs uml-utilities)
tunctl -t tap0 -u user
ifconfig tap0 up
# create the bridge and disable the forwarding delay (needs bridge-utils)
brctl addbr br0
brctl setfd br0 0
# only needed if the VM should be reachable from a physical network
#ifconfig eth0 10.0.2.1 up
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
# attach the tap and the VirtualBox host-only interface to the bridge
brctl addif br0 tap0 vboxnet0
ifconfig tap0 0.0.0.0
# route the VM traffic out through the wireless uplink
sysctl net.ipv4.ip_forward=1
#iptables -A FORWARD --in-interface eth0 -j ACCEPT
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE
Make sure we have uml-utilities and bridge-utils installed for the above to work (note the commented-out eth0 entry: it is only used if you wish to connect the emulation to a physical network and make it available to other devices there).
# apt-get install uml-utilities bridge-utils
Also an important note here: on my system the vboxnet0 interface is only available after VirtualBox has started, so bear that in mind after a reboot, before running the networking.sh script.
So let's get going. Installing Solaris 10 in VirtualBox is really simple. For the new VM we will use the "Oracle Solaris 10 10/09 and later (64bit)" template available in VirtualBox. For the network we will use a Host-only Adapter on vboxnet0. For the disk we will set a minimum of 30 GB because of /usr/pkgsrc.
We will be using the ZFS filesystem, so choose the Grub entry with ZFS kernel support. Here is the network configuration I will be using for the Solaris 10 VM.
And the following DNS entries (if you have your own, use your own DNS).
We will install everything from the Solaris 10 DVD ISO, set up the root password etc… Once the installer finishes, shut down the system, remove the Solaris 10 DVD ISO from the VM and boot from the new disk. Wait for a while in the console (do not log in yet) for X11 to come up. I love CDE, so I have switched the default desktop to CDE.
After logging in as root (security !!) do not register with Oracle (we don't need this since we will bootstrap pkgsrc anyway).
Next we download the October 2017 CPU patch for Solaris 10 x86_64 and install it (this is the last Solaris 10 CPU from Oracle, unless one has extended support ..).
On our Linux host do the following
$ mkdir -p SOL10/patch
$ cd SOL10/patch
$ wget ftp://ftp.deu.edu.tr/pub/Solaris/patch/x86/10_x86_Recommended.zip
$ unzip 10_x86_Recommended.zip
$ mkisofs -iso-level 3 -J -joliet-long -rock -input-charset utf-8 -o patch.iso 10_x86_Recommended/
Next we attach this new patch.iso to our VirtualBox CD-ROM and reboot into single-user mode (for CPU patching on Solaris this is a good idea).
Actually this is how I got into single-user mode when I ran it from a CDE dtterm:
# shutdown -g 0
Once in single-user mode in Solaris 10, mount the ISO with the October 2017 CPU (the device path is the CD-ROM slice, with no trailing slash):
# mount -r -F hsfs /dev/dsk/c0t1d0s0 /cdrom/cdrom
# cd /cdrom/cdrom
Now we will run the patchset
# ./installpatchset --s10patchset
Let's prepare some tea or coffee now; this will take some time. (Again, this could be a good exercise for all InfoSec people: actually try to do some patching of Solaris instead of just hacking everything ..) Once the patching process is finished, reboot.
We check the kernel version to see if the patch applied. Great, we are running the October 2017 kernel, so this should keep those pesky NSA hackers with the Ebbisland and Extremeparr exploits out, right? (What about Raptor's https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintname_intel.c, a nice CDE local privilege escalation exploit? We will get to this later on..)
# uname -a
SunOS solaris10 5.10 Generic_150401-55 i86pc i386 i86pc
Now let's double-check whether the GCC compiler is installed, and install it if it's not. Mount the Solaris 10 installation DVD ISO in VirtualBox once again; Solaris will automount the ISO in the OS.
# cd /cdrom/sol_10_811_x86/Solaris_10/Product
# pkgadd -d . SUNWgcc (answer y)
We verify the install and that we have a working GCC compiler (3.4.3 from 2010)
# /usr/sfw/bin/gcc -v
OK, now we should be ready to prepare for the pkgsrc bootstrap. Let's download the 2019Q2 stable snapshot first (note that Solaris tar cannot unpack gzip directly, hence the separate gunzip step).
# cd /usr
# ftp ftp.netbsd.org (login as anonymous or ftp)
ftp> pass
ftp> cd pub/pkgsrc/pkgsrc-2019Q2
ftp> get pkgsrc.tar.gz
ftp> quit
# gunzip pkgsrc.tar.gz
# tar -xvf pkgsrc.tar
# rm pkgsrc.tar
Once the tarball is extracted we can setup the bootstrap environment accordingly
https://wiki.netbsd.org/pkgsrc/how_to_use_pkgsrc_on_solaris/
Do not run the bootstrap with the bash shell shipped with Solaris; use the default sh!
# cd /usr/pkgsrc/bootstrap
# env CFLAGS=-O2 CC=/usr/sfw/bin/gcc ./bootstrap
If all goes well we should get the nice success status printed after a while (it took 5 minutes for me on a Core i5 Panasonic CF-53).
Before we build anything we need to set some options in /usr/pkg/etc/mk.conf:
# the native gcc is needed to get a newer GCC compiled; we will change this later
CC= /usr/sfw/bin/gcc
X11_TYPE= modular
PKG_DEVELOPER=yes
PKG_DEFAULT_OPTIONS+=freetype truetype mmx subpixel official-mozilla-branding
FETCH_USING=fetch
Also we must prepare a couple of other things before we start compiling GCC6 …
We can use the native bash now (which makes things a little easier).
# bash
Let's set additional binary paths in our shell (you can add this to your profile later on):
# export PATH=/usr/sbin:/usr/bin:/usr/dt/bin:/usr/ucb:/usr/ccs/bin:/usr/sfw/bin
Clean up the digest work directory and install it:
# cd /usr/pkgsrc/pkgtools/digest
# rm -rf .work
# /usr/pkg/bin/bmake install clean clean-depends
Then build perl first. With PKG_DEVELOPER=yes in mk.conf there is an error during package creation ("perl interpreter for Trace.pm not existing"), so for perl we change this to PKG_DEVELOPER=no in /usr/pkg/etc/mk.conf.
# cd /usr/pkgsrc/lang/perl5
# /usr/pkg/bin/bmake install clean clean-depends
Then once perl builds we can set it back to PKG_DEVELOPER=yes in mk.conf and continue the build.
We now finally move on to GCC 6 !
# cd /usr/pkgsrc/lang/gcc6
# /usr/pkg/bin/bmake install clean clean-depends
Once we have GCC6 compiled we must set the /usr/pkg/etc/mk.conf to use the new CC and CXX variables as follows:
CC= /usr/pkg/gcc6/bin/gcc
CXX= /usr/pkg/gcc6/bin/g++
P.S I will keep this part open, and add additional notes as I build pkgsrc packages on Solaris10, you can check further details here https://astr0baby.wordpress.com/2019/07/29/pkgsrc-2019q2-on-solaris-10-x86/
Now is a good time to add /usr/pkg/bin:/usr/pkg/sbin:/usr/pkg/gcc6/bin to our PATH since we have a new working compiler, and to make the native ar and ranlib visible in /usr/bin:
# export PATH=/usr/sbin:/usr/bin:/usr/dt/bin:/usr/ccs/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/pkg/gcc6/bin
# ln -s /usr/ccs/bin/ar /usr/bin/ar
# ln -s /usr/ccs/bin/ranlib /usr/bin/ranlib
INFOSEC part – testing some 0days on Solaris ! CVE-2019-2832
We can use the shiny new GCC 6 or the rusty old GCC 3; both work either way. In this example I have used the native gcc 3.4.3, for those who want to skip the GCC 6 compilation step (it takes a considerable amount of time).
We will create our standard user now and set a password:
# useradd -m -d /export/home/user -s /usr/bin/bash user
# passwd user
And define some new .profile variables so that we can use the /usr/pkg goodies, then log in as user (or # su - user).
Once we are logged in as user, let's download and build Raptor's (https://twitter.com/0xdea) dtprintinfo exploit. On the Linux host, download the exploit code from https://raw.githubusercontent.com/0xdea/exploits/master/solaris/raptor_dtprintname_intel.c and upload it to the Solaris 10 VM via FTP:
$ wget https://raw.githubusercontent.com/0xdea/exploits/master/solaris/raptor_dtprintname_intel.c
$ ftp 10.0.2.12
Name (10.0.2.12:user): user
331 Password required for user.
Password:
ftp> put raptor_dtprintname_intel.c
ftp> quit
On the Solaris 10 VM we compile the code as user in the DT session and run it (the binary name must match what gcc produced):
$ /usr/sfw/bin/gcc raptor_dtprintname_intel.c -o raptor_dtprintname_intel -Wall
$ ./raptor_dtprintname_intel 10.0.2.12:0
But we get an error, "Xlib: connection to 10.0.2.12:0.0 was refused by the server" (the default behaviour after install), so let's allow all connections to the X server, shall we? (security !!) Run the following as root to grant or revoke X11 connections from remote hosts:
# xhost + (this allows everyone to connect to X11; not a good idea)
# xhost - (forbid everyone who is not authorized)
# xhost +10.0.2.12 (in our case this would be better, so only trusted hosts can connect to X11)
As user let's re-run the exploit code; it works this time :)
So now we can fix the above CDE privilege escalation from the exploited root shell, even though we do not have the official patch from Oracle (if you are lucky and have access to extended support from Oracle, you can apply the July 2019 CPU patch just like we did earlier), because after all this is UNIX and there are many ways to get things done there.
All that is needed is to remove the setuid bit from the /usr/dt/bin/dtprintinfo binary:
# chmod -s /usr/dt/bin/dtprintinfo
This time, obviously, the exploit does not work, because the setuid bit is gone.
If interested about the above bug, you can read more about it here https://lab.mediaservice.net/advisory/2019-01-cde-dtprintinfo.txt
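To verify the fix above in a repeatable way, here is an added audit script (my own example, not code from the original post or from Raptor): it lists setuid/setgid binaries under a directory, strips the setuid bit from dtprintinfo exactly as the chmod -s above does, and checks that the bit is really gone. The paths are assumptions; on the Solaris 10 VM run it with /usr/dt/bin as the argument, and with no argument it builds a constructed demo tree.

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory for setuid/setgid
# binaries, strip the setuid bit from one of them (the dtprintinfo fix above) and
# verify the result. Paths are assumptions: on the Solaris 10 VM run it as
# "sh audit_setuid.sh /usr/dt/bin"; with no argument it uses a constructed demo tree.

# Print setuid or setgid regular files under $1, one path per line, sorted.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Return 0 if $1 has the setuid bit (owner-execute column of ls -l is 's' or 'S').
has_setuid() {
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Apply the mitigation from the post (chmod -s) and confirm the bit is really gone.
strip_setuid() {
    chmod u-s,g-s "$1" && ! has_setuid "$1"
}

# Constructed stand-in for /usr/dt/bin: three empty "binaries", two of them setuid.
demo_setup() {
    d=$(mktemp -d) || return 1
    for b in dtprintinfo dtsession dtterm; do
        : > "$d/$b" && chmod 755 "$d/$b"
    done
    chmod u+s "$d/dtprintinfo" "$d/dtsession"
    echo "$d"
}

# Stand-alone run: audit, fix dtprintinfo, audit again.
if [ $# -eq 0 ]; then DT_BIN=$(demo_setup); DEMO=$DT_BIN; else DT_BIN=$1; DEMO=; fi
echo "setuid/setgid files under $DT_BIN before the fix:"
list_setuid "$DT_BIN"
if strip_setuid "$DT_BIN/dtprintinfo"; then
    echo "dtprintinfo: setuid bit removed"
else
    echo "dtprintinfo: could not remove setuid bit (missing file or not root?)" >&2
fi
echo "after the fix:"
list_setuid "$DT_BIN"
if [ -n "$DEMO" ]; then rm -rf "$DEMO"; fi
```

Run it before and after applying the fix on the real system to keep a record of which CDE binaries are still setuid, since dtsession and friends remain setuid root after this change.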
So here we have learned a few things, right? I hope you have enjoyed going through this just as much as I have enjoyed writing it and setting it up.