Friday, 27 January 2017

The first step

Hello and welcome,

This blog is about the journey towards my first 0-day which, let's be honest, can never happen, but I'm sure we'll learn a lot of things along the way :)
The journey should only be considered complete when the following conditions are met:
  • Privilege escalation or code execution
  • Involves shellcoding
  • Bypass of exploit mitigations

Intro

First things first. Setup.

So, some weeks ago, I had some problems when setting up Ubuntu 16.04 on a laptop which, by then, I really needed to have up and running as quickly as possible. The easiest way would have been:

  • Reinstalling
  • Changing to another Linux distro
  • Asking for a new laptop with preshipped Ubuntu

So for the first post, instead of talking about anything related to exploiting, I will start with a little story that will help you overcome all the barriers that Ubuntu 16.04 and Dell set on users who want to use their OS of choice. And before we start:

Takeaways for you, the reader

  • How to install Ubuntu 16.04 with encryption on a laptop with an SSD (NVMe)
  • Know about some Ubuntu bugs that haven't got a fix
  • Know about some Ubuntu bugs that have a fix
  • How to run the latest VMware Player on newer kernels (4.9.5)

Here we go!

First days - Installing Ubuntu 16.04 with encryption

I was given a Dell XPS 15 shipped with Windows 10 Home. As a PC gamer I am used to having Windows and making heavy use of virtualization programs to run Linux on top of it.
But since there wasn't an easy way to set up BitLocker on Windows 10 Home and I wasn't going to play any games on this laptop, I decided to get rid of the preshipped OS and install Ubuntu on it.
So, I set the BIOS legacy boot option, insert the live Ubuntu USB, select installation, format the drive as ext4, choose encryption and... BANG! Ubuntu's standard installation won't select the right NVMe partition to write the bootloader to; it tries to write it to "/dev/nvme", which is not a real partition, hence we face our first problem.

PROBLEM:
If we choose the standard installation with full disk encryption, the wizard won't let us choose which partition to write the bootloader to; but if we choose the alternative installation, where we can choose where the bootloader goes, it won't let us choose full disk encryption.


NVMe, UGH!

SOLUTION:
After playing around with the Ubuntu installer wizard I managed to choose the right partition to write the bootloader to and choose full disk encryption as well:
  1. Boot into the Live Ubuntu USB
  2. Get boot-repair
  3. Run boot-repair and set the "boot flag" on the partition you want the bootloader written to (in my case "/dev/nvme0n1p1")
  4. Run the installer wizard
  5. Select the alternative installation
  6. Change the partition that the boot is going to be written to
  7. Go back in the wizard and select the standard installation with full disk encryption
  8. ???
  9. Profit!

But rest not, for tragedies are about to come...

The laptop hangs up

After a day of using the laptop, and in the middle of something important (for this I have to say: thank programmers for the invention of auto-saving), the whole system freezes. Nothing works. The mouse, keyboard, graphics... everything is stuck. Not even REISUB works.
After some time searching on Google and forums I stumble upon this bug, which has been around since 2013, yet nobody has come up with any solution.
Some people said they got it fixed by updating the kernel, so I updated the kernel to the next version (I had 4.4 at that time, so 4.5 it is).
Nothing. Same problem, plus I can't control the brightness of the screen anymore. Anything else?
Of course, keep reading!
Now I can't type the password to decrypt the disk. Although the "splash" screen is showing, there's a prompt in the top left of the screen where everything I type shows up, but it doesn't seem to be a proper shell nor the password input for decryption.
Then I rebooted, and GRUB appeared the way it does if you hold Shift at boot; there, it did let me choose "Ubuntu" or "Advanced options". I select "Ubuntu" and suddenly a new prompt to decrypt the disk appears.
More Googling aaaaand... it seems that, again, it's a known bug, and I found someone else who had the same problem but, in my case, I didn't install any new graphics drivers.

PROBLEM:
What the hell is happening? Seriously? Everything hangs from time to time, and sometimes when Ubuntu boots with kernel 4.5 the graphics card seems to run very slowly. The only thing we can think of is updating the kernel and BIOS.

FIX:
Upgrading to kernel 4.9.0 did it for me, but since I wanted to know how far I could go, I upgraded to kernel 4.9.4 and also updated the BIOS, 'cause, why not.
If you are looking to update the BIOS of your Dell XPS laptop, please refer to this link: Dell BIOS Update

No more hangs anymore! Oh wait...

So far so good, but when trying to install VMware its kernel modules just wouldn't compile; plus, you need GCC 6.2.0. So...

PROBLEM:
The latest VMware modules will not compile on newer kernels (4.9.5). The kernel developers replaced the separate write and force arguments of get_user_pages (the signature introduced in 4.6) with a single gup_flags bitmask in 4.9, so the calls in the VMware sources no longer match the prototype.

(dirty) FIX:
The fix can be found here but, since the formatting there is not that good, I will paste it here for ease of copy-pasting, for you, the reader:

Extract and edit
tar -xf /usr/lib/vmware/modules/source/vmmon.tar
vi vmmon-only/linux/hostif.c
 
In vmmon-only/linux/hostif.c around line 1162, change:
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
    retval = get_user_pages((unsigned long)uvAddr, numPages, 0, 0, ppages, NULL);
#else
    retval = get_user_pages(current, current->mm, (unsigned long)uvAddr,
    numPages, 0, 0, ppages, NULL);
#endif
to:
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
    /* 4.9+: write and force became one gup_flags argument; both were 0 here, so flags stay 0 */
    retval = get_user_pages((unsigned long)uvAddr, numPages, 0, ppages, NULL);
#else
    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
        retval = get_user_pages((unsigned long)uvAddr, numPages, 0, 0, ppages, NULL);
    #else
        retval = get_user_pages(current, current->mm, (unsigned long)uvAddr,
                    numPages, 0, 0, ppages, NULL);
    #endif
#endif
Now "re-tar", extract the next file and edit:
sudo tar -cf /usr/lib/vmware/modules/source/vmmon.tar vmmon-only/
tar -xf /usr/lib/vmware/modules/source/vmnet.tar
vi vmnet-only/userif.c
In vmnet-only/userif.c, around line 113, change:
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
    retval = get_user_pages(addr, 1, 1, 0, &page, NULL);
#else
    retval = get_user_pages(current, current->mm, addr,
                1, 1, 0, &page, NULL);
#endif
to:
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
    /* 4.9+: the old write=1 is expressed as FOLL_WRITE in gup_flags (force=0 adds nothing) */
    retval = get_user_pages(addr, 1, FOLL_WRITE, &page, NULL);
#else
    #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
        retval = get_user_pages(addr, 1, 1, 0, &page, NULL);
    #else
        retval = get_user_pages(current, current->mm, addr,
                    1, 1, 0, &page, NULL);
    #endif
#endif
Now re-tar and run the VMware installer, feed it the right path for GCC 6.2.0 and you're done!
sudo tar -cf /usr/lib/vmware/modules/source/vmnet.tar vmnet-only/
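The two edits above are easy to get wrong by hand (the nesting, and remembering that write=1 turns into FOLL_WRITE), so here is an added example that scripts the whole extract/patch/re-tar procedure; it is not VMware's code nor something from the original post. It assumes the layout the post shows: the tarballs at their absolute paths under /usr/lib/vmware/modules/source, and each KERNEL_VERSION(4, 6, 0) guard followed on the very next line by a single-line get_user_pages() call with the 4.6 signature (start, nr, write, force, pages, vmas). The flag mapping it applies is the kernel's own 4.9 change (write=1 becomes FOLL_WRITE, force=1 becomes FOLL_FORCE); the sample userif.c block at the bottom is constructed from the snippet above so the script can be exercised without a VMware tree.

```shell
#!/bin/sh
# Added example (not VMware's code, not the post author's): pre-flight kernel check plus
# an automated version of the hostif.c / userif.c get_user_pages() edit.
# Assumes: absolute tarball paths; a KERNEL_VERSION(4, 6, 0) guard directly followed by a
# one-line get_user_pages(start, nr, write, force, pages, vmas) call (4.6 signature).

# needs_gup_patch VERSION  (e.g. "$(uname -r)") -> 0 when the kernel is 4.9 or newer
needs_gup_patch() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 9 ]; then return 0; fi
    return 1
}

# gup_form FILE -> "4.9" if FILE already has the 4.9 guard, "4.6" if only the 4.6 one, else "old"
gup_form() {
    if grep -q 'KERNEL_VERSION(4, 9, 0)' "$1" 2>/dev/null; then echo 4.9
    elif grep -q 'KERNEL_VERSION(4, 6, 0)' "$1" 2>/dev/null; then echo 4.6
    else echo old
    fi
}

# awk program: wrap each guarded 4.6-style call in a 4.9 guard, exactly as the post does
GUP_AWK='
# gup49(line): rewrite f(start, nr, write, force, pages, vmas) into f(start, nr, gup_flags, pages, vmas)
function gup49(line,    pre, body, a, n, flags) {
    pre = line;  sub(/get_user_pages\(.*$/, "", pre)
    body = line; sub(/^.*get_user_pages\(/, "", body); sub(/\);[ \t]*$/, "", body)
    n = split(body, a, /,[ \t]*/)
    if (n != 6) return line                      # not the 4.6 shape: leave it untouched
    flags = ""
    if (a[3] != "0") flags = "FOLL_WRITE"        # write=1  -> FOLL_WRITE
    if (a[4] != "0") flags = (flags == "" ? "FOLL_FORCE" : (flags " | FOLL_FORCE"))
    if (flags == "") flags = "0"
    return pre "get_user_pages(" a[1] ", " a[2] ", " flags ", " a[5] ", " a[6] ");"
}
depth == 0 && /^[ \t]*#if LINUX_VERSION_CODE >= KERNEL_VERSION\(4, 6, 0\)/ {
    guard = $0
    if ((getline call) <= 0) { print guard; exit }
    if (call !~ /get_user_pages\(/) { print guard; print call; next }
    print "#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)"
    print gup49(call)
    print "#else"
    print guard
    print call
    depth = 1
    next
}
depth > 0 && /^[ \t]*#if/    { depth++ }
depth > 0 && /^[ \t]*#endif/ { depth--; if (depth == 0) { print; print "#endif"; next } }
{ print }
'

# patch_gup_file FILE -> 0 when FILE ends up with the 4.9 guard (already patched counts), 1 otherwise
patch_gup_file() {
    case "$(gup_form "$1")" in
        4.9) echo "$1: already carries the 4.9 guard" >&2; return 0 ;;
        old) echo "$1: no KERNEL_VERSION(4, 6, 0) guard found" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    awk "$GUP_AWK" "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file mode for the re-tar
    rm -f "$tmp"
    [ "$(gup_form "$1")" = 4.9 ]
}

# patch_module_tarball TARBALL SUBDIR FILE -> extract, patch SUBDIR/FILE, keep TARBALL.orig, re-tar
#   e.g. patch_module_tarball /usr/lib/vmware/modules/source/vmnet.tar vmnet-only userif.c
patch_module_tarball() {
    work=$(mktemp -d) || return 1
    ( cd "$work" && tar -xf "$1" ) || return 1
    if ! patch_gup_file "$work/$2/$3"; then rm -rf "$work"; return 1; fi
    cp "$1" "$1.orig"                                    # untouched module source, for rollback
    ( cd "$work" && tar -cf "$1" "$2"/ ) || return 1
    rm -rf "$work"
}

# Constructed sample (not a real VMware tree): the userif.c block as shown above, pre-patch.
write_sample_userif() {
    cat > "$1" <<'EOF'
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
    retval = get_user_pages(addr, 1, 1, 0, &page, NULL);
#else
    retval = get_user_pages(current, current->mm, addr,
                1, 1, 0, &page, NULL);
#endif
EOF
}
```

Run it as root (the tarballs live under /usr/lib/vmware), first `needs_gup_patch "$(uname -r)"` to confirm the patch is even needed, then `patch_module_tarball` once per tarball (vmmon.tar with vmmon-only linux/hostif.c, vmnet.tar with vmnet-only userif.c) before running the VMware installer as described above. Re-running on an already patched tree is a no-op, and the `.orig` copy lets you roll back if a later VMware update ships its own fix.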
Woo! That's it. That's how I got it all set up... But I, in the end, won't keep Ubuntu. Still haven't made my mind up on which Linux distribution to choose or whether to keep Windows 10 (WinAFL maybe?)

Next post

Stay tuned! More to come! Some fuzzing and analyzing crashes found while doing so.

Happy learning!