Probably the simplest exploit to carry out against Linux systems is to look for unprotected NetBIOS shares. Weak Samba configurations are often very revealing. For example, file shares created for the sake of convenience can end up coming back to haunt you. I've seen Samba-based Linux shares that provided anyone and everyone on the network with access to sensitive files containing patient health records, and network diagrams with detailed information (e.g., passwords for accessing network infrastructure systems, source code, etc.).
This attack is simple to carry out. All someone needs to do is to be logged into the network as a standard Windows user (i.e. no admin privileges), run a network share finder tool such as what's available in GFI LANguard, and then run a text search tool such as FileLocator Pro. As I have mentioned before, it's really simple for anyone on the network to gain access to sensitive documents they otherwise should not have access to -- and no one may ever know about it.
A related attack is one against poorly-configured FTP servers that allow anonymous connections or have accounts with weak or nonexistent passwords. A sample exploit is shown here:
In this situation anonymous FTP provided access to a configuration file that happened to have the password for a financial management database hard-coded into it. You know where things can go from there.
Another Samba exploit can lead to remote user enumeration. When a Linux system's Samba configuration allows for guest (i.e. null session) access, vulnerability scanners such as Nessus and QualysGuard can enumerate the system to glean user names. In most instances an attacker can use these user names in subsequent password-cracking attacks against Linux accounts. In many cases, you can also use a Web vulnerability scanner such as WebInspect or Acunetix Web vulnerability scanner to glean Linux user accounts via an unsecured Apache installation that doesn't have the UserDir Disabled directive in the httpd.conf file.
On the topic of passwords, I've recently seen some situations where CGI applications running on Linux-based Web servers were not filtering input properly and were allowing local file inclusions in the HTTP queries such as what's shown in Figure 2.
In this particular situation, the Web application returned the Linux passwd file revealing hundreds of user accounts. The passwords were masked but this still facilitated simpler password cracking of the system since all of the user accounts were known. This type of attack could lead to exposure of other sensitive Linux OS and data files as well.
Finally, I'd be remiss if I didn't cover the issue of missing patches. It's arguably one of the mostly easily-exploited weaknesses with the most detrimental outcome. This applies to both the OS and third-party software (Note: I talk about what to watch for with third-party software in this tip). In situations such as this, it's merely a matter of minutes before an attacker connected to the internal network can use a free tool such as Metasploit to gain command prompt access with full privileges on the system as shown in Figure 3.
Again, in most situations no one would ever know about such an attack – that is until it was too late.
As you can see some of these vulnerabilities are not specific to the Linux kernel itself, but they're still exploitable and create problems for Linux systems. When testing for Linux vulnerabilities, don't forget to look at your Linux systems from every possible angle. Just because something can't be exploited from the outside doesn't mean it can't be abused by a "trusted" person with valid login credentials. Furthermore, take the findings of automated scanning tools with a grain of salt because not every weakness they report on will be a risk in your environment. Filtering what matters from the rest of the noise will only come with experience so jump in and get your hands dirty!
ABOUT THE AUTHOR: Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.
This was first published in April 2009