From bbda3b39371193b2e1882601ff0fa89caa60f571 Mon Sep 17 00:00:00 2001 From: Astronand Date: Wed, 11 Mar 2026 08:52:41 -0400 Subject: [PATCH 1/3] fixed elevate VULN --- .../lib/modules/hyperion/40_auth.kmod | 8 ++++---- Src/hysh/bin/passwd | 4 ++-- Src/hysh/bin/su | 20 ++++++++++++------- Src/hysh/bin/sudo | 2 +- manifest.lua | 18 +++++++++-------- 5 files changed, 30 insertions(+), 22 deletions(-) diff --git a/Src/Hyperion-kernel/lib/modules/hyperion/40_auth.kmod b/Src/Hyperion-kernel/lib/modules/hyperion/40_auth.kmod index 821a64d..9551ee1 100644 --- a/Src/Hyperion-kernel/lib/modules/hyperion/40_auth.kmod +++ b/Src/Hyperion-kernel/lib/modules/hyperion/40_auth.kmod @@ -236,12 +236,12 @@ local function nextUID() return max + 1 end -function auth.login(username, password) - if type(username) ~= "string" or type(password) ~= "string" then +function auth.login(uid, password) + if type(uid) ~= "number" or type(password) ~= "string" then return nil, "Authentication failure" end - local entry = getPasswdByUsername(username) + local entry = getPasswdByUID(uid) if not entry then -- timing attack resistance hashPassword(password, "aaaaaaaaaaaaaaaa") @@ -619,4 +619,4 @@ if kernel.syscalls then kernel.syscalls["setshell"] = auth.setShell kernel.syscalls["sethomedir"] = auth.setHomedir kernel.syscalls["setgid"] = auth.setGID -end +end \ No newline at end of file diff --git a/Src/hysh/bin/passwd b/Src/hysh/bin/passwd index 7f263a1..5b3a3a0 100644 --- a/Src/hysh/bin/passwd +++ b/Src/hysh/bin/passwd @@ -9,7 +9,7 @@ local currentUid = syscall.getuid() local targetUid if targetName then - targetUid = syscall.getuid(targetName) + targetUid = syscall.getuid() if not targetUid then print("passwd: user '" .. targetName .. "' does not exist") syscall.exit(1); return 
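Review bot: The kernel side of this fix changes only `auth.login`: the eight changed lines the diffstat reports for 40_auth.kmod are the three signature and lookup lines here plus the trailing `end`, and nothing removes or guards the `elevate` syscall that the subject line calls vulnerable. Unless it is disabled in a file outside this series, any program can still call it directly; only the bundled `passwd`, `su` and `sudo` stopped using it. Closing it at the enforcement point means unregistering it from the syscall table or making the handler fail unconditionally, with a comment such as `-- elevate is disabled: it always fails; use login(uid, password)`. `auth.login` continues past the end of this hunk.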
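Review bot: `targetUid = syscall.getuid()` drops the `targetName` argument, so `targetUid` is always the caller's own uid and the `if not targetUid then` "does not exist" branch right below it can no longer trigger. `passwd <name>` would then act on the invoking user rather than the named one, which for a root caller probably means changing root's own password instead of the target's. The `su` script in this same patch resolves names with `syscall.getuidbyname`, so the line should presumably read `targetUid = syscall.getuidbyname(targetName)`. The `if targetName then` block continues outside the hunk.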
@@ -36,7 +36,7 @@ if currentUid ~= 0 then if #cur > 0 then cur=cur:sub(1,-2); syscall.write(1,"\b \b") end else cur=cur..ch; syscall.write(1,"*") end end - local ok, err = syscall.elevate(targetName, cur) + local ok, err = syscall.login(targetUid, cur) if not ok then sleep(1) print("passwd: authentication failure") diff --git a/Src/hysh/bin/su b/Src/hysh/bin/su index 5405b39..393c1ce 100644 --- a/Src/hysh/bin/su +++ b/Src/hysh/bin/su @@ -1,7 +1,12 @@ --:Minify:-- -local targetUser = ({ ... })[1] or "root" +local targetUser = ({ ... })[1] local currentUid = syscall.getuid() -local targetUid = syscall.getuidbyname(targetUser) +local targetUid +if targetUser then + targetUid = syscall.getuidbyname(targetUser) +else + targetUid = 0 +end if not targetUid then print("su: user '" .. targetUser .. "' does not exist") @@ -25,20 +30,21 @@ if currentUid ~= 0 then end end - local ok, err = syscall.elevate(targetUser, pw) + local ok, err = syscall.login(targetUid, pw) if not ok then sleep(1) print("su: Authentication failure") syscall.exit(1) return end +else + syscall.setuid(targetUid) end -syscall.setuid(targetUid) - local pwent = syscall.getpasswd(targetUid) local shell = (pwent and pwent.shell) or "/bin/hysh" local homedir = (pwent and pwent.homedir) or "/" +local username= (pwent and pwent.username)or "Unknown" local ok_cd, err_cd = pcall(syscall.chdir, homedir) if not ok_cd then @@ -46,11 +52,11 @@ if not ok_cd then syscall.chdir(homedir) end syscall.setEnviron("HOME", homedir) -syscall.setEnviron("USER", targetUser) +syscall.setEnviron("USER", username) syscall.setEnviron("SHELL", shell) local ok, err = pcall(syscall.exec, shell) if not ok then print("su: cannot exec shell '" .. shell .. "': " .. tostring(err)) syscall.exit(1) -end +end \ No newline at end of file diff --git a/Src/hysh/bin/sudo b/Src/hysh/bin/sudo index 6fc29eb..8c4e5d9 100644 --- a/Src/hysh/bin/sudo +++ b/Src/hysh/bin/sudo 
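Review bot: `syscall.login(targetUid, cur)` is used here only to check the current password, but the kernel hunks in this series show `auth.login` also assigning task credentials (`_task.egid = ...`) and writing an `AUTH: login` log entry on success. Every password change by a non-root user would therefore appear in the log as a login and would switch the process's ids as a side effect, which makes the audit trail harder to read. If a verify-only call is not available, the line deserves a comment such as `-- login() verifies the password and also switches this task's ids to targetUid`. The enclosing `if currentUid ~= 0 then` block starts and ends outside the hunk.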
@@ -55,7 +55,7 @@ if currentUid ~= 0 then end end - local ok, err = syscall.elevate("root", pw) + local ok, err = syscall.login(0, pw) if not ok then sleep(1) print("sudo: Authentication failure") diff --git a/manifest.lua b/manifest.lua index f6c8716..14edcf0 100644 --- a/manifest.lua +++ b/manifest.lua @@ -3,6 +3,8 @@ --- @diagnostic disable: duplicate-set-field syscall={} +--- @alias userinfo {username:string,homedir:string,shell:string,uid:number,gid:number} + --- Sets home directory of User with corresponding uid to homedir --- @param uid integer --- @param homedir string @@ -164,7 +166,7 @@ syscall.setpassword=function(uid, newPassword) end --- Set environment variable --- @param key string ---- @param value string +--- @param value any --- @return boolean syscall.setEnviron=function(key, value) end @@ -197,7 +199,7 @@ syscall.exit=function(code) end --- Get environment variable --- @param key string ---- @return string|nil +--- @return any syscall.getEnviron=function(key) end --- Continue a stopped task @@ -337,7 +339,7 @@ syscall.remove=function(path) end --- @return string|nil syscall.type=function(path) end ---- Elevate to another user with password +--- Elevate to root with password (Disabled due to VULN) --- @param targetUsername string --- @param password string --- @return boolean @@ -374,11 +376,11 @@ syscall.setusername=function(uid, newUsername) end --- @return integer syscall.geteuid=function() end ---- Login user ---- @param username string +--- Login as user +--- @param uid integer --- @param password string --- @return boolean -syscall.login=function(username, password) end +syscall.login=function(uid, password) end --- Get system hostname --- @return string 
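Review bot: `syscall.login(0, pw)` checks `pw` against uid 0, so anyone allowed to use sudo has to know root's password, and the `AUTH: login` record written by `auth.login` names only the target uid, not the invoking user. No per-user authorization check is visible in this hunk, although one may exist earlier in the script. If this is the intended design, a comment on the line such as `-- su-style: authenticates with root's password, no per-user policy` would make it explicit, and logging `currentUid` before the call would keep elevation attributable. The enclosing `if currentUid ~= 0 then` block starts and ends outside the hunk.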
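Review bot: The new summary `Elevate to root with password (Disabled due to VULN)` sits above an unchanged `--- @param targetUsername string` and `--- @return boolean`, so the stub for `syscall.elevate` still describes a working call that accepts any user name. Adding `--- @deprecated` under the summary lets the language server flag remaining callers, and the text should state what a caller now gets back once the kernel side confirms it. None of the kernel hunks in this patch shows the syscall being disabled, so the wording is worth checking against the implementation.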
@@ -514,9 +516,9 @@ syscall.access=function(path, mode) end --- Ignore current signal syscall.sigignore=function() end ---- Get user password hash +--- Get user information --- @param uid integer ---- @return string|nil +--- @return userinfo|nil syscall.getpasswd=function(uid) end --- Get OS version From a5e86243688c76be48e01f4973838ad9eaa7fe08 Mon Sep 17 00:00:00 2001 From: Astronand Date: Wed, 11 Mar 2026 08:54:47 -0400 Subject: [PATCH 2/3] forgot to edit login --- Src/hysh/bin/login | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Src/hysh/bin/login b/Src/hysh/bin/login index 50c3a2e..d570ca4 100644 --- a/Src/hysh/bin/login +++ b/Src/hysh/bin/login @@ -130,8 +130,9 @@ local function doLogin() syscall.write(1, "Password: ") local password = readLine("*") - - local ok, err = syscall.login(username, password) + local uid = syscall.getuidbyname(username) + + local ok, err = syscall.login(uid, password) if ok then local uid = syscall.getuid() local pwent = syscall.getpasswd(uid) From 677b2cccecc387695d78fce39853515de4752707 Mon Sep 17 00:00:00 2001 From: Astronand Date: Wed, 11 Mar 2026 10:37:13 -0400 Subject: [PATCH 3/3] user login fixed --- Src/Hyperion-kernel/lib/modules/hyperion/40_auth.kmod | 3 +-- Src/Hyperion-kernel/lib/modules/hyperion/92_setup.kmod | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/Src/Hyperion-kernel/lib/modules/hyperion/40_auth.kmod b/Src/Hyperion-kernel/lib/modules/hyperion/40_auth.kmod index 9551ee1..3c11560 100644 --- a/Src/Hyperion-kernel/lib/modules/hyperion/40_auth.kmod +++ b/Src/Hyperion-kernel/lib/modules/hyperion/40_auth.kmod @@ -248,7 +248,6 @@ function auth.login(uid, password) return nil, "Authentication failure" end - local uid = tonumber(entry[1]) local sEntry = getShadowByUID(uid) if not sEntry then hashPassword(password, "aaaaaaaaaaaaaaaa") 
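Review bot: When `username` is unknown, `syscall.getuidbyname(username)` presumably returns nil, and `auth.login` (first patch) then returns from its `type(uid) ~= "number"` check before reaching the `hashPassword(password, "aaaaaaaaaaaaaaaa")` dummy that its `not entry` branch runs for timing resistance. Unknown names would fail measurably faster than known ones, which tells a caller which accounts exist. Either run the dummy hash in that early-return path inside `auth.login`, or pass a value that misses the lookup, for example `local ok, err = syscall.login(uid or -1, password)` (assuming no account has uid -1). The new `local uid` is also shadowed by `local uid = syscall.getuid()` inside `if ok then`; a distinct name such as `targetUid` would read more clearly. `doLogin` starts and ends outside the hunk.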
@@ -273,7 +272,7 @@ function auth.login(uid, password) _task.egid = tonumber(entry[2]) or uid end - kernel.log("AUTH: login uid=" .. tostring(uid) .. " (" .. username .. ")") + kernel.log("AUTH: login uid=" .. tostring(uid) .. " (" .. getPasswdByUID(uid)[3] .. ")") return true end diff --git a/Src/Hyperion-kernel/lib/modules/hyperion/92_setup.kmod b/Src/Hyperion-kernel/lib/modules/hyperion/92_setup.kmod index 926eb32..5fcdc09 100644 --- a/Src/Hyperion-kernel/lib/modules/hyperion/92_setup.kmod +++ b/Src/Hyperion-kernel/lib/modules/hyperion/92_setup.kmod @@ -96,8 +96,8 @@ if kernel.firstBoot then {"sbin", REG, 0, 0, RWX_RX_RX}, {"tmp", REG, 0, 0, RWXRWXRWX}, {"usr", REG, 0, 0, RWX_RX_RX}, - {"var", REG, 0, 0, RWX_RX_RX}, - {"opt", REG, 0, 0, RWXRWXRWX}, + {"var", REG, 0, 0, RWXRWXRWX}, + {"opt", REG, 0, 0, RWX_RX_RX}, }) mergeMeta("/bin", {
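Review bot: `getPasswdByUID(uid)[3]` repeats a lookup whose result is already held in `entry` (the context line above reads `entry[2]`) and indexes the return value without a nil check. This line runs after `_task.egid` has been assigned, so an error raised here, from a nil result or a nil third field in the concatenation, would abort the call after credentials were already switched. `kernel.log("AUTH: login uid=" .. tostring(uid) .. " (" .. tostring(entry[3]) .. ")")` avoids both problems. The function body starts and ends outside the hunk.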
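Review bot: The `var` entry becomes world-writable (`RWXRWXRWX`) in a commit titled "user login fixed", with no comment saying which component needs it. If these fields are owner, group and mode as they appear to be, any user could create or replace files directly under that directory, including state or logs that privileged code later reads. Keeping `{"var", REG, 0, 0, RWX_RX_RX}` and granting write access only on the specific subdirectory login needs would be the narrower change. The table sits under `if kernel.firstBoot then`, so existing installations would keep the old modes either way; the block continues outside the hunk.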