TIS Hack
In January 2004 Cees-Bart Breunesse and Martijn Oostdijk were invited to perform a black box penetration test of the ISIS+/TIS/Kiss concern system hosted by the university's computer center UCI.
The ISIS+ system contains the address information of all students and keeps track of the courses they have followed and the grades they have been assigned. Recently, students have been allowed to access their personal information through the web, which led to some concerns about the security of the system.
The challenge was twofold:
- Given a student account, try to discover sensitive data (address information or grades) about other students (breach of confidentiality).
- Given a student account, try to change the grades of that student (breach of integrity).
Both are important security aspects of the system.
Of course we accepted the challenge...
We quickly discovered that the system was implemented as an Oracle database and application server running on IBM AIX UNIX machines. Since neither of us was particularly knowledgeable about Oracle products, and time was very limited, we decided to concentrate on operating-system-level security.
In the end, it turned out that the weak point was a Solaris machine that was set up to allow students to host their personal web pages. To log in to this machine, students use the same login/password combination as for the ISIS+/TIS/Kiss system.
Strategy
We roughly followed this strategy to try to gain access to the different UCI UNIX machines:
1. Gain as much information as possible about the target machine and its users.
2. Get a normal user account on the target machine (or on a machine close to the target).
3. Obtain administrator rights by exploiting a local bug in a suid binary.
4. Get the passwd file (or rather, the shadow file) and apply a dictionary-based cracker like John the Ripper to find users with easy passwords.
5. Try the cracked user/password combinations on other machines, then go back to step 1.
Results
- We gained root access on several UNIX machines. Hopping from machine to machine was possible because some of the administrators used the same (guessable) password on multiple machines. We ended up with a normal user account on a machine that was very close to the machine running the database. Unfortunately, we lacked the resources to actually gain access to the database machine.
- We found unnecessary suid binaries on many of these systems. Some of the local root exploits (especially the ones that worked on the Solaris machines) were found by browsing the various vulnerability announcement lists. These worked out of the box (and made us feel like script kiddies). Some other exploits were discovered especially for this project by Cees-Bart.
- Of the 20,000 student accounts in the password file, 5,000 had a password that John the Ripper could guess within a week (using a couple of 1GHz PCs). Many of these passwords were chosen to be very similar to the account name (the student number) or to the student's real name. Many were words from the standard dictionaries.
- Some of our early portscans were discovered, leading to a CERT incident report.
Apparently the procedures for handling incidents are in place.
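The password finding above (passwords derived from the student number, from the student's real name, or taken from a dictionary) can be turned into a proactive check that rejects such passwords at the moment they are set, rather than discovering them afterwards with a cracker. The following Python is an added example and not part of the original write-up or the UCI systems; the account names, real names, candidate passwords and the tiny word list are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Constructed stand-in for a word list; a real audit would load the same
# dictionaries a cracker uses (e.g. John the Ripper's wordlists) from disk.
DICTIONARY = {"password", "welcome", "student", "secret"}


def _normalize(s: str) -> str:
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def weak_password_reasons(password: str, account_name: str, real_name: str,
                          dictionary=DICTIONARY, min_len: int = 8) -> List[str]:
    """Report the weaknesses the audit found most often: a password derived from
    the account name (student number), containing part of the real name, or a
    plain dictionary word. An empty list means none of these checks fired."""
    reasons = []
    p = _normalize(password)
    if len(password) < min_len:
        reasons.append("too short")
    acct = _normalize(account_name)
    # Require a few characters before testing containment, so that a very
    # short password does not trivially match as a substring of the account.
    if acct and len(p) >= 4 and (acct in p or p in acct):
        reasons.append("derived from account name")
    for part in real_name.split():
        n = _normalize(part)
        if len(n) >= 3 and n in p:
            reasons.append(f"contains name part '{part}'")
    # Strip digits so that 'welcome1' is still caught as 'welcome'.
    if re.sub(r"\d", "", p) in dictionary:
        reasons.append("dictionary word")
    return reasons


def audit(records: Iterable[Tuple[str, str, str]]) -> Tuple[int, int]:
    """records: (account_name, real_name, candidate_password). Returns (weak, total)."""
    weak = total = 0
    for account, name, candidate in records:
        total += 1
        if weak_password_reasons(candidate, account, name):
            weak += 1
    return weak, total


# Constructed sample: one hypothetical student account and four candidates.
SAMPLE = [
    ("s0123456", "Jan Jansen", "s0123456"),        # equals the student number
    ("s0123456", "Jan Jansen", "jansen99"),        # surname plus digits
    ("s0123456", "Jan Jansen", "welcome1"),        # dictionary word
    ("s0123456", "Jan Jansen", "Tr0ub4dor&3xyz"),  # passes these checks
]
```

Running `audit(SAMPLE)` flags three of the four candidates; the same function can be wired into the password-change path so the account and ISIS+ credentials it is shared with never receive such a value.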