Privilege Escalation via fail2ban

fail2ban is a great IDPS tool: not only can it detect attacks, it can also block the offending IP addresses using Linux iptables.

Working
Although fail2ban can be used for services like HTTP, SMTP, IMAP etc., most sys-admins use it to protect the SSH service. The fail2ban daemon reads the log files and, if a malicious pattern is detected (e.g. multiple failed login attempts), it executes a command that blocks the IP for a certain period of time, or maybe forever.

Demo
In this article, I am using fail2ban version 0.11.2 and my base operating system is Kali Linux 2020.4. I have configured fail2ban with the default settings and it is enabled only for the SSH service.

[Screenshot: SSH jail running]

[Screenshot: f2b running and f2b's version]

Next, I tried to SSH into the Kali box (with f2b running) but gave wrong passwords, which eventually triggered f2b to block my IP.

[Screenshot: giving a wrong SSH password]

We can see that the IP 192.168.10.7 has been added to our iptables rules.

[Screenshot: iptables rules]

If we save the iptables rules to a file and read them, we can see that it blocked the IP using the multiport configuration.

[Screenshot: iptables rules saved to a file]

So, what is this multiport? If we go to our fail2ban directory, which in my case is /etc/fail2ban, there is an action.d folder inside it which holds the different types of configuration rules (actions) that can be applied to block an IP.

[Screenshot: action.d folder]

If we look closely at the iptables-multiport.conf file, there are two directives of interest: actionban and actionunban. fail2ban runs these commands as root whenever it bans or unbans an IP, so if we have write access to this file, we can add our own malicious command there and escalate our privileges.

Let's try giving 777 permissions (anyone can read, write and execute the file) to /etc/shadow, which holds the hashed passwords of all users. Just to be on the safe side, I have copied this file to the /dev/shm directory; you don't need to copy it to /dev/shm.

[Screenshot: original permissions]

Adding the new malicious command to the iptables-multiport.conf file.

Now, if we make some failed SSH attempts, fail2ban will not only block the IP but also give 777 permissions to /dev/shm/shadow.

[Screenshot: modified permissions]

A malicious person can now replace the hash of root or of another privileged user with their own password hash and escalate easily.

Or they could add a reverse shell, or set the SUID bit on a binary. The sky is the limit!

Countermeasures
Don't give everyone write permissions to the /etc/fail2ban/action.d folder (or to the files inside it): since fail2ban executes the actionban/actionunban commands as root, anyone who can edit those files can run commands as root.
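To make that countermeasure checkable, here is a small audit script. It is an added example and not code from the original post or from the fail2ban project. It assumes a POSIX sh, an ls(1) whose long listing starts with "mode links owner group", and that actions live in the article's path /etc/fail2ban/action.d (the first argument overrides it; the second, the expected owner, is only there so the script can be exercised on a scratch directory). It flags any action.d directory or .conf file that is not root-owned or is group/world-writable, and it lists the actionban/actionunban lines so an admin can see what fail2ban will actually execute on a ban.

```shell
#!/bin/sh
# Added audit helper for the countermeasure above (not code from the original
# post): nobody but root should be able to edit the commands fail2ban runs
# as root when it bans or unbans an address.
# Assumptions: POSIX sh; ls -ld prints "<mode> <links> <owner> <group> ...";
# the default path is the article's /etc/fail2ban/action.d.

# audit_f2b_actions DIR [OWNER]
# Checks DIR and every *.conf inside it: each must be owned by OWNER
# (default root) and must not be writable by group or others.
# Prints one WARN line per finding.
# Returns 0 when clean, 1 when there is at least one finding, 2 if DIR is missing.
audit_f2b_actions() {
    dir="${1:-/etc/fail2ban/action.d}"
    expected="${2:-root}"
    rc=0
    [ -d "$dir" ] || { echo "ERR: $dir is not a directory"; return 2; }
    for path in "$dir" "$dir"/*.conf; do
        [ -e "$path" ] || continue   # unmatched glob stays literal; skip it
        # ls -ld prints: <mode> <links> <owner> <group> ...; keep mode and owner
        set -- $(ls -ld "$path")
        mode="$1"
        owner="$3"
        if [ "$owner" != "$expected" ]; then
            echo "WARN: $path owned by $owner, expected $expected"
            rc=1
        fi
        # In a mode string like "drwxrwxrwx", character 6 is the group write
        # bit and character 9 is the world write bit.
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "WARN: $path is group- or world-writable ($mode)"
            rc=1
        fi
    done
    return "$rc"
}

# list_action_commands DIR
# Prints every actionban/actionunban line (prefixed with its file name) so
# the admin can review what fail2ban will execute on a ban; anything beyond
# the expected iptables/nftables invocation deserves a closer look.
# Only the first line of each value is shown; fail2ban also allows indented
# continuation lines, which should be reviewed in the file itself.
list_action_commands() {
    dir="${1:-/etc/fail2ban/action.d}"
    grep -H -E '^[[:space:]]*action(ban|unban)[[:space:]]*=' "$dir"/*.conf 2>/dev/null
}

# Usage: sh f2b_audit.sh [/etc/fail2ban/action.d]
if [ "$#" -gt 0 ]; then
    audit_f2b_actions "$1"
    list_action_commands "$1"
fi
```

Run it as root (or any user who can read action.d) and treat any WARN line as a finding to fix with chown root:root and chmod 644 on the files (755 on the directory). The same check applies to /etc/fail2ban/jail.d and /etc/fail2ban/filter.d, since a writable jail or filter can point fail2ban at an attacker-controlled action just as well.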

3 thoughts on “Privilege Escalation via fail2ban”

  1. Thank you for sharing this article. I was practising pentesting with OffSec Proving Grounds and there is a machine which has fail2ban, and I have rw in /etc/fail2ban/action.d. I am not familiar with fail2ban, and hence had tried to modify a few conf files… but none of them triggered the bash command, until I read your blog… :D
