# chmod +x implant



## Phishfry (Mar 9, 2017)

Working with Mikrotek
https://wikileaks.org/ciav7p1/cms/page_44957707.html
This makes for some excellent training.


----------



## ShelLuser (Mar 10, 2017)

Phishfry said:


> So my question is can you remove chmod, chown, chroot from a base system once built out and running?(Especially like the router OS featured)


Maybe. I'd sooner focus on Jails to set up specific environments like that, this would ensure that the main system remains as is.

But quite frankly I don't see the point. FreeBSD has much better ways to secure things, through kernel space even:


```
root@macron:/boot/kernel # ls -l pf.ko
-r-xr-xr-x  1 root  wheel  275857 Mar 10 11:51 pf.ko*
root@macron:/boot/kernel # chmod o-rx pf.ko
chmod: pf.ko: Operation not permitted
root@macron:/boot/kernel # id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
root@macron:/boot/kernel # chgrp peter pf.ko
chgrp: pf.ko: Operation not permitted
root@macron:/boot/kernel #
```
See? I'm root (no tricks here) yet I can't even use chmod nor chown on this file. So there's no need to remove these utilities, I mean; if even root can't use them 

The trick is two-faced. First I used chflags(1) to apply the schg flag on these files. Schg is short for schange or simmutable ("System immutable flag"). I then raised the kern.securelevel to 1 using sysctl(8).

In this secured state these flags are now enforced. You can't change files, and you can't even remove these flags (kind of obvious: if you can't change the files then you obviously also can't change them to remove the flags; chicken & egg). Next you also have no more write access to /dev/mem, /dev/kmem nor any mounted filesystems (direct access through the /dev entry, obviously normal read/write operations still work) and kernel modules can no longer be loaded or unloaded.

The best part is that all of this is enforced in kernel space, which sits at another level than user space (which is what root directly controls). And because the security level can only be raised and not lowered there's no easy way to avoid all this.


```
root@macron:/boot/kernel # ls -lo pf*
-r-xr-xr-x  1 root  wheel  schg 275857 Mar 10 11:51 pf.ko*
-r-xr-xr-x  1 root  wheel  -    522114 Mar 10 11:51 pf.ko.symbols*
root@macron:/boot/kernel # sysctl kern.securelevel
kern.securelevel: 1
```
For more information see security(7).


----------



## Phishfry (Mar 11, 2017)

Looks like an HTTPD exploit. HTTP servers are a security problem I see. Ye old WebGUI is a leaking sieve.
https://forum.mikrotik.com/viewtopic.php?t=119255
Good to see a vendor so proactive.

Wikileaks, Where are the exploits? Show us the implants. Supposedly they are not releasing the source code.
Maybe this means they don't have it and are bluffing. The source would show an insider versus captured implants.


----------



## max21 (Mar 11, 2017)

sorry, wrong thread.


----------

