Tricking Nessus SSH Authentication
Saturday 11th June, 2016 18:35 Comments: 0
She makes me nervous and makes me scared
But I feel so good if I just say the words
Su su (sudo su), just say the words
Oh, su su (sudo su), oh

With apologies to Phil Collins there, during a recent compliance check against an AIX host I had to configure Nessus to run the command "su su" to trick it into running "sudo su" in order to gain root privileges before it could successfully run its commands.

I'm not sure if this is the same issue someone else posted almost two years ago about sudo not working properly on AIX, but it seems that Nessus 6.7.0 tries to do the following when you configure it to use sudo (or su+sudo):
  1. Echo a string containing a random number.
  2. Run the actual audit command.
  3. Echo a string containing a different random number.
Unfortunately, based on looking at log files, it doesn't appear to surround all three commands with double quotes, so the shell splits the line at each semicolon. This means only the first command, echoing a random string, is run using sudo. The next two commands then run normally under the current (low privileged) user, the audit command fails, and the compliance check output fills up with errors about files not existing, for example.

An elegant way to work around this is to create a symlink to sudo. For example:

ln -s /usr/bin/sudo /home/pentester/su

Then configure Nessus to use the method "su" and configure the "su" username as "su". Enter your own password again for the "su" user's password. Instead of using the default location for the su binary, point Nessus at your symlink, e.g. "/home/pentester". When the scan runs Nessus will run "/home/pentester/su su" which causes AIX to run "/usr/bin/sudo su".

Assuming your account requires a password in order to use sudo, AIX then prompts Nessus for a password. It'll supply what it thinks is the "su" user's password (which you probably don't even know) and your password elevates you to root.
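As an added illustration (not code from the post, from Tenable or from the AIX host), the shell demo below uses a constructed stand-in for sudo that only records what it is asked to run, to show why an unquoted three-command chain elevates just the first echo, what a quoted chain would do instead, and how a symlink named "su" hands the argument "su" to the sudo binary. The temp directory, the stand-in and the echoed strings are all assumptions.

```shell
#!/bin/sh
# Constructed demo: a stand-in for /usr/bin/sudo that prints what it would run
# as an elevated command, without running anything.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FAKESUDO="$WORK/sudo"
cat > "$FAKESUDO" <<'EOF'
#!/bin/sh
# Stand-in for sudo: record the command line it was handed.
printf 'ELEVATED: %s\n' "$*"
EOF
chmod +x "$FAKESUDO"

# The behaviour described in the post: the line is not quoted as a whole, so
# the shell splits it at ';' and only the first echo reaches the wrapper.
unquoted_chain() {
    "$FAKESUDO" echo start-1234; echo audit-cmd; echo end-5678
}

# The same chain handed to the wrapper as one unit (how it should have been).
quoted_chain() {
    "$FAKESUDO" sh -c 'echo start-1234; echo audit-cmd; echo end-5678'
}

# The workaround: a symlink called "su" that resolves to the sudo binary, so
# "<dir>/su su" is really "sudo su" (here: the stand-in receives "su").
symlink_trick() {
    ln -sf "$FAKESUDO" "$WORK/su"
    "$WORK/su" su
}

# Number of commands that actually went through the wrapper.
elevated_count() {
    "$@" | grep -c '^ELEVATED:'
}

echo '--- unquoted chain (as observed) ---'; unquoted_chain
echo '--- quoted chain ---'; quoted_chain
echo '--- symlink trick ---'; symlink_trick
```

Only the first line of the unquoted chain carries the ELEVATED marker; the quoted form and the symlinked "su" both hand the whole command line to the wrapper.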

From here Nessus runs all the commands properly, and your AIX 6.1 compliance results will hopefully contain a lot more passes instead of failures.
© Robert Nicholls 2002-2024