View Issue Details

ID: 0008687
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2024-04-08 23:31
Reporter: Lynx
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0008687: The root prompt is accessible from the EC2 serial console
Description

Summary

The Kali Linux AMI ami-08ff8eb7758eb14ec, available on the AWS Marketplace, has a vulnerability that enables operation with root privileges without the need for authentication. With only limited IAM permissions, an attacker can access the Kali root prompt. This vulnerability might enable users with minimal privileges on the operating system, like monitoring operators, to acquire root privileges via the serial console.

Steps to reproduce

  1. Choose the following AMI from the AWS Marketplace and launch an instance as the victim.
    • Install all options with the default settings tailored to your environment.

AMI name: kali-last-snapshot-amd64-2023.4.0-804fcc46-63fc-4eb6-85a1-50e66d6c7215
AMI ID: ami-08ff8eb7758eb14ec

Kali Linux
By Kali
Version: Kali Linux 2023.4

  2. Grant permissions to IAM users.

The IAM user who is performing the operation needs to have the permission to connect to the EC2 serial console. Please grant the following permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEC2SerialConsole",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:GetSerialConsoleAccessStatus",
                "ec2:EnableSerialConsoleAccess",
                "ec2:DisableSerialConsoleAccess",
                "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
                "ec2-instance-connect:SendSSHPublicKey"
            ],
            "Resource": "*"
        }
    ]
}
  3. Operations in the AWS Management Console
  • Choose the target instance.
  • Navigate to [Actions] > [Monitor and troubleshoot] > [EC2 serial console]
  • Click on "Connect" in the displayed screen to establish a connection to ttyS0.
  • After the screen has loaded, press the Enter key. The root@kali:~# prompt will be displayed.

Root cause analysis

The following entry is located in /etc/systemd/system/[email protected]/autologin.conf.

[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin root -o '-p -f -- \\u' --keep-baud 115200,38400,9600 --noclear %I $TERM

Recommendation to fix

I recommend fixing /etc/systemd/system/[email protected]/autologin.conf as follows:

[Service]
ExecStart=
ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 --noclear %I $TERM
Attached Files

Activities

Lynx

2024-03-23 06:09

reporter   ~0019065

Last edited: 2024-03-23 06:09

Some corrections:

[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin root -o '-p -f -- \\u' --keep-baud 115200,38400,9600 --noclear %I $TERM

[Service]
ExecStart=
ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 --noclear %I $TERM
Lynx

2024-03-23 06:26

reporter   ~0019066

Last edited: 2024-03-23 06:32

The IAM user who is performing the operation needs to have the permission to connect to the EC2 serial console. Please grant the following permissions.

see IAM.png

After the screen has loaded, press the Enter key. The root@kali:~# prompt will be displayed.

see AWS-kali-SerialConsole.png:

Additional recommendations

  • A similar entry is found in /etc/systemd/system/[email protected]/autologin.conf. It is advisable to make corrections here too.
  • In the /etc/sudoers.d/90-cloud-init-users file, the entry is set to kali ALL=(ALL:ALL) NOPASSWD:ALL, which may indicate the file was unintentionally left behind. This configuration allows sudo commands to execute without a password. If the file's presence is intentional, changing the entry to kali ALL=(ALL:ALL) ALL would enhance security.

Consideration

  • Installing Kali Linux on Hyper-V with kali-linux-2023.4-installer-amd64.iso did not result in any files containing the --autologin root directive under /etc/systemd/system/. Furthermore, automatic login was not executed at startup. This issue does not stem from the installation media but is likely a flaw in the AWS AMI creation process.

  • Automatic login through the EC2 serial console was not permitted for either Ubuntu 22.04.4 LTS or Amazon Linux 2023 (see AWS-Ubuntu22.04.4 LTS.png and AWS-AL2023.png). This phenomenon appears to be specific to the Kali Linux AMI offered on AWS.

IAM.png (23,975 bytes)
AWS-kali-SerialConsole.png (27,516 bytes)
AWS-Ubuntu22.04.4 LTS.jpg (2,292 bytes)
AWS-AL2023.png (8,623 bytes)
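Added example, not part of the report or of Kali's own tooling: POSIX sh helpers that audit a systemd directory for getty drop-ins passing --autologin to agetty, rewrite them to the form recommended in the description, and check for the NOPASSWD:ALL sudoers entry from the additional recommendations above. The sample tree written by make_sample_dropins (the serial-getty@ttyS0 and getty@tty1 drop-in directory names and the 90-cloud-init-users file) is constructed for illustration.

```shell
#!/bin/sh
# Hypothetical audit/remediation helpers for the getty autologin drop-ins and the
# cloud-init sudoers entry described in this report. Not Kali's own tooling.

# make_sample_dropins DIR: constructed sample tree mirroring the report, for testing.
make_sample_dropins() {
    mkdir -p "$1/serial-getty@ttyS0.service.d" "$1/getty@tty1.service.d"
    cat > "$1/serial-getty@ttyS0.service.d/autologin.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin root -o '-p -f -- \\u' --keep-baud 115200,38400,9600 --noclear %I $TERM
EOF
    cat > "$1/getty@tty1.service.d/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM
EOF
    printf 'kali ALL=(ALL:ALL) NOPASSWD:ALL\n' > "$1/90-cloud-init-users"
}

# find_autologin_dropins DIR: print each *.conf under DIR/*.service.d whose effective
# ExecStart= line passes --autologin to agetty; exit 0 if any found, 1 otherwise.
find_autologin_dropins() {
    dir="${1:-/etc/systemd/system}"; found=1
    for f in "$dir"/*.service.d/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*ExecStart=.*agetty.*--autologin' "$f"; then
            echo "$f"; found=0
        fi
    done
    return $found
}

# harden_autologin_dropin FILE: drop "--autologin <user>" and the "-f" login flag that
# skips password authentication, leaving the form the report recommends.
harden_autologin_dropin() {
    sed -E -e 's/[[:space:]]+--autologin[[:space:]]+[^[:space:]]+//' \
           -e "s/(-o ['\"]-p) -f /\\1 /" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_nopasswd_sudoers FILE: exit 0 if FILE grants NOPASSWD:ALL, 1 otherwise.
check_nopasswd_sudoers() {
    grep -Eq '^[^#]*NOPASSWD:[[:space:]]*ALL' "$1"
}

# require_password_sudoers FILE: turn "NOPASSWD:ALL" into "ALL" as the report suggests.
require_password_sudoers() {
    sed -E 's/NOPASSWD:[[:space:]]*//' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
```

On a live instance, run find_autologin_dropins /etc/systemd/system to list affected drop-ins, and run systemctl daemon-reload after hardening so the rewritten ExecStart= takes effect.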
dominik.borkowski

2024-04-08 12:41

reporter   ~0019115

I would argue this is a feature, not a bug. In fact, we often use it for ease of debugging. Access to serial console on AWS means you are in full control over the system: you can gain access easily via other means, including feeding appropriate user-data settings, and so on.

Lynx

2024-04-08 13:08

reporter   ~0019116

There is no dispute that access to the OS from the Serial Console is a feature. However, being able to access the root prompt without requiring authentication is a different issue.

dominik.borkowski

2024-04-08 14:26

reporter   ~0019117

I was referring to the fact that the console does not require password as a feature. We find it useful. If Kali developers deem necessary to change this behavior, I'd ask for it to be announced, along with instructions on how to revert it to the original behavior for the benefit of other folks who rely on it.

Lynx

2024-04-08 23:31

reporter   ~0019119

Unfortunately, in the context of security, convenience and security are incomparable. When a user prompt appears, simply authenticating suffices. Moreover, as a fundamental feature of Linux, you're probably aware that customizing --autologin for your instance is possible, right? If you prefer that environment, you can customize it that way.

Issue History

Date Modified Username Field Change
2024-03-23 05:21 Lynx New Issue
2024-03-23 05:21 Lynx File Added: kali linux on AWS serial console issue.pdf
2024-03-23 06:09 Lynx Note Added: 0019065
2024-03-23 06:09 Lynx Note Edited: 0019065
2024-03-23 06:26 Lynx Note Added: 0019066
2024-03-23 06:26 Lynx File Added: IAM.png
2024-03-23 06:26 Lynx File Added: AWS-kali-SerialConsole.png
2024-03-23 06:26 Lynx File Added: AWS-Ubuntu22.04.4 LTS.jpg
2024-03-23 06:26 Lynx File Added: AWS-AL2023.png
2024-03-23 06:28 Lynx Note Edited: 0019066
2024-03-23 06:32 Lynx Note Edited: 0019066
2024-04-08 12:41 dominik.borkowski Note Added: 0019115
2024-04-08 13:08 Lynx Note Added: 0019116
2024-04-08 14:26 dominik.borkowski Note Added: 0019117
2024-04-08 23:31 Lynx Note Added: 0019119