1

Hacking Exposed 7Network Security Secrets & Solutions

Chapter 5 Hacking UNIX

2

Hacking UNIX

• The quest for root• Remote access• Local access• After hacking root

3

The Quest for Root

• Two levels of access in UNIX: root and user• Vulnerability mapping

– Map attributes (listening services, versions of running servers) to potential security holes

– Vulnerability info: Bugtraq, Open Source Vulnerability Database, Common Vulnerability and Exposures Database

– Use public exploit codes or write their own– Use automated vulnerability scanning tools – nessus

• Script kiddies – uneducated attackers– Skip vulnerability mapping– Use UNIX exploit against Windows systems – useless!

4

Remote Access vs. Local Access

• Remote access: gaining access via network (a listening service)

• Local access: having an actual command shell or login to system – privilege escalation attacks– Escalating local privilege to root

• From remote to local– Remotely exploit a vulnerability in a listening service and then

gain local shell access• Reference: Hacking Exposed Linux, 3rd edition, 2008

– Teach a man to fish and feed him for life vs. feed him for a day

5

Remote Access

• Four primary ways– Exploit a listening service– Route through a UNIX system• Source-routing to circumvent a UNIX firewall

– User-initiated remote execution• Done by browser, mail reader, app, etc.

– Promiscuous-mode attacks• A carefully crafted packet to hack your sniffer or driver

6

Brute-Force Password Guessing Attacks• Services that can be brute-forced

– telnet, FTP, rlogin/rsh, SSH, SNMP, LDAP, POP/IMAP, HTTP/HTTPS, CVS/SVN, Postgres, MySQL, Oracle

• Enumeration a list of user accounts– Finger, rusers, sendmail, etc.

• “Smoking Joe” account– ID and password are identical

• Automated tools: THC Hydra, Medusa• Brute-force countermeasures

– Strong password policy– One-time password– Public key authentication– Tools: cracklib (password composition tool), Secure Remote Password

(authentication with key exchange), OpenSSH (with encryption and authentication), pam_passwdqc (password strength check), pam_lockout (account lockout)

7

Data-Driven AttacksBuffer Overflow Attacks

• Data-driven attacks – Sending data to an active service causing unintended or

undesirable results• Buffer overflow attacks– Placing more data into a buffer than was previously

allocated• strcpy(), strcat(), springf()

– VRFY command of sendmail• sendmail SUID to root• egg in VRFY to overflow the return address on the stack

– assembly code that run /bin/sh with root privilege– System-dependent on OS and CPU

– Reference: Aleph One, “Smashing the stack for fun and profit,” Phrack Magazine, Issue 49, 1996, phrack.org.

8

Data-Driven AttacksBuffer Overflow Attack Countermeasures

• Secure coding practices– Enable Stack Smashing Protector (SSP) by gcc, validate user-modifiable inputs,

use more secure routines, reduce the amount of code run with root privilege, etc.

• Test and audit each program• Disable unused or dangerous services

– Disable these services– Access control with TCP wrappers (tcpd), xinetd, iptables, ipf

• Stack execution protection– Supported in Solaris– Supported in Linux with two kernel patches: Exec Shield, GRSecurity– Not bullet-proof: distributing code that exploits a buffer overflow condition– Heap-based overflow: overrunning dynamically allocated memory

• Address Space Layout Randomization (ASLR)– Randomized process address space each time a process is created– Crashed (denial of service) vs. exploited (remote code execution)

9

Data-Driven AttacksReturn-to-libc Attacks

• Return into standard C library (libc) vs. return to code placed on stack

• Overflow the return address to a new location in existing executable code in the libc

• Bypass stack execution prevention• Return oriented programming (ROP)– Short code sequences (gadgets) chained together

• Countermeasures– Remove gadgets during compilation, detection of

memory violation, etc.

10

Data-Driven AttacksFormat String Attacks

• Formatted output by printf() and sprintf()• Pass carefully crafted text strings containing formatting

directives to cause the target host to execute arbitrary commands

• When more formatting directives than supplied arguments– Subsequent data on the stack will be used as the supplied

arguments• When a formatting directive is a user-supplied string

– Display successive words on the stack• Countermeasures

– Same as buffer overflow attacks– Gcc warning at printf()

11

Data-Driven AttacksInput Validation Attacks

• The server does not properly parse input before passing it to further processing

• Telnet daemon passes syntactically incorrect input to the login program– Attacker could bypass authentication without being

prompted for a password– Detailed in Chapter 10

• Countermeasures– Black list validation (not recommended, cannot

protect against new data attacks) vs. white list validation (recommended)

12

Data-Driven AttacksInteger Overflow and Integer Sign Attacks

• Wrapping– Assigning the signed data type a value of 60,000: -5536

• Overflow when assigning the length of a large user-supplied integer to a data type that is too small

• Countermeasures– Same as buffer overflow attacks– Check signed and unsigned comparison or arithmetic

routines, loop control for(), variables to hold lengths of user-input data

13

Data-Driven AttacksDangling Pointer Attacks

• A dangling pointer, stray pointer– A pointer points to an invalid memory address– Errors occur long after it was created: difficult to debug– Exploited if the memory contains malicious code supplied by a

user• When

– An object is freed but the reference to it is not reassigned and later used

– A local object is popped from the stack when the function returns but a reference to it is still maintained

• Countermeasures– Garbage collection and bounds checking

14

I Want My Shell• Interactive shell access– telnet, rlogin, SSH

• Execute commands without interactive login– RSH, SSH, Rexec

• Exploit server vulnerability execute commands on the target server interactive shell access

• Figure 5.1: UNIX-based Web server, with an input validation attack vulnerability, behind a firewall allowing only HTTP (port 80) and HTTPS (port 443)

15

I Want My ShellReverse Telnet and Back Channels

• Exploit awstats (input validation attack) vulnerability to perform command execution such as cat /etc/passwd– Embed the command in the URL– Interactive shell access by a back channel from the

target server to the attacker system– Back channel: reverse telnet or nc• telnet or nc from the server, nc listener on the attacker

system

16

Common Types of Remote Attacks• FTP

– Anonymous access + world-writable directory– Many reported vulnerabilities– Setup nc listener on the client exploit the server nc calls back

• Sendmail– Even more vulnerabilities

• Remote Procedure Call• NFS• X Insecurities• DNS• SSH• OpenSSL• Apache

17

Local AccessPassword Composition Vulnerabilities

• Gain local access via remote vulnerability– Root access or user access

• Gain user access first, then escalate to root• Password composition vulnerability

– Password cracking ~ automated dictionary attack– Compare /etc/passwd (or /etc/shadow, /etc/master.passwd) with

encrypted/hashed (and salted) words from dictionary• Salted to (1) ensure two users having the same passwords will not generate

the same password hash, (2) mitigate pre-computed rainbow tables• Encryption/hashing algorithms: DES, Extended DES, MD5, etc.

– John the Ripper (JTR)• 2400 rules to permutated words, most encryption/hash algorithms• Default wordlist and extensive wordlists

– /etc/passwd: $1$Upe/smFP$xNjpYzOvsZCgOFKLWmbgR/ (Modular Crypt Format: $algorithm$salt$encrypted hash/)

18

Local AccessLocal Buffer Overflow

• An unsuspecting user runs unrar 3.9.3 to open a specially crafted rar file local stack-based buffer overflow

• Jump to a specific memory address and run /bin/sh

• Local buffer overflow countermeasures– Secure coding practices– Non-executable stack– Disable the SUID bit on a file that does not require

SUID permissions

19

Local AccessSymbolic Link

• Symbolic link: a file, created by ln, that points to a different file

• OpenSolaris installs Xscreensaver 5.01 with setuid bit set: symbolic vulnerability used to view other files not owned by the user– Xscreensaver reads user configurations from .xscreensaver– If .xscreensaver is a symlink to another file

• Allow us to read any files on the file system

• Symlink countermeasures– Perform sanity checks on existing files, remove SUID bit from

as many files as possible

20

Local AccessRace Conditions

• Abuse a program/process performing a privileged operation

• pkexec suffers from a race condition where the effective uid of the process can be set to 0 by invoking a setuid-root (SUID) program in the parent process

• Common race conditions by signal handling– wu-ftp v2.4 signal-handling vulnerability

• SIGPIPE at connection close, SIGURG at out-of-band signaling• Data connection close SIGPIPE to server server raises to

root (uid = 0) for housekeeping attackers creates SIGURG to server interrupt the server to jump back to server’s main loop with root privileges

21

Local AccessCore File Manipulation & Shared Libraries

• Core dump with sensitive info stored in memory– Password hashes– Countermeasures: ulimit to turn off core dump

• Shared libraries– Attackers modify a shared library or provide an alternate

shared library via an environment variable could gain root access

– When in.telnetd executes /bin/login (SUID root binary) to authenticate the user• the system’s dynamic linker loads the modified library (pointed to by

the modified LD_PRELOAD) and overwrites the normal library call with root privileges

– Countermeasures: Dynamic linker should ignore LD_PRELOAD for SUID root binaries

22

Local AccessKernel Flaws

• UNIX kernel: file/directory permissions, escalation and relinguishment of privileges from SUID binaries, signal handling, etc.

• Linux 2.6.39– Does not adequately verify permissions when

writing to /proc/<pid>/mem• Countermeasures: Kernel patch

23

Local AccessSystem Misconfiguration: File/Directory Permissions (1/2)

• Sources of misconfiguration in permissions: SUID root files, world-writable files, device I/O

• SUID files– Most attacks abuse a process running SUID binaries– Many programs are unnecessarily run with SUID– find: to find all SUID and SGID files

• DOS: users advised to run a non-SUID copy, restrict by configuring /etc/dosemu.users

– Countermeasures• Remove SUID/SGID bit from binaries• Consult man page, user documentation, HOWTOs, and try on a test

system• Security-enhanced Linux (SELinux): prevent an exploit from doing

anything its parent process cannot do

24

Local AccessSystem Misconfiguration: File/Directory Permissions (2/2)

• World-writable files– System initialization files, system configuration files,

user startup files– World-writable startup scripts executed with root

privileges attackers overwrites startup scripts so as to create an SUID shell in /tmp the next time the system is restarted

– find: to find world-writable files– Countermeasures

• Check initialization, configuration, startup files• /dev might need to be world-writable• Use extended file attributes to protect files

25

After Hacking Root

• Hoovering all files for info, loading up sniffers to capture telnet, ftp, POP, SNMP passwords, attacking yet another victim

• Uploading a customized rootkit• Rootkits (specific platform type and version)– Trojans: altered versions of login, netstat, ps, passwd, su,

telnet, ftp, ifconfig, ls, ssh, find, du, sync, reboot, halt, shutdown, etc.

– Backdoors– Interface sniffers– System log cleaners

26

Trojans• “Trojanize” any commands– Log username and password to a file

• Special trojan: create a backdoor into your system by running a TCP listener that waits for clients to connect– Rathole: backdoor client – rat, backdoor server – hole

• Countermeasures– Detect binary modifications – not just file size and date

• Cryptographic checksum: Tripwire, AIDE• Built-in MD5 checksum: RPM (Red Hat Package Manager)

– Identify known rootkits• chkrootkit, rkhunter

– Compromise detected rebuild, not restore, your system

27

Sniffers• Network eavesdropping on compromised hosts

– Strike at every system that sends traffic to me• Promiscuous mode for adaptor cards• Popular sniffers: Dsniff, Wireshark, tcpdump, Snoop• Countermeasures

– Migrate to switched networks: common now• arpredirect, part of dsniff, to redirect

– Detect sniffers• Host-based: Check Promiscuous Mode (cpm); Check processes and

files by ps, lsof, grep• Network-based: Anti-Sniff, sniffdet

– Encryption• SSH, OpenSSH, and FreeSWAN (IPsec and IKE)

28

Log Cleaning• Logclean-ng– Login log: /etc/syslog.conf, – /var/log: cron, mailog, messages, spooler, auth, wtmp,

xferlog, etc.– Commands: .bash_history– History of shell: disable by unset– Modification time: touch– Intercept log to remote server: ptrace() in badattachK log

cleaner to control syslogd• Countermeasures– Log to a medium difficult to modify

• A file system with append-only flag

– Log to a secure log host

29

Kernel Rootkits• Modify kernel to fool all system programs without modifying them• Might not compile on latest kernel versions• Kernel rootkits as a kernel module: loadable kernel module (LKM)

– Abused to intercept and modify system calls• Modify system call table: knark• Modify system call handler with its own system call table: enyelkm

– Intercept and modify interrupts• Modify Interrupt Descriptor Table (IDT) or interrupt handler: kad

– Intercept and modify Virtual File System (VFS): adore-ng• Raw memory access to inject (if LKM disabled)

– /dev/kmem: SucKIT (~enyelkm), Mood-NT– /dev/mem: phalanx

• Countermeasures– Carbonite: uncovers process status in task_struct– LIDS (Linux Intrusion Detection System): a kernel patch to seal kernel from

modification– Disable LKM– St. Michael: an LKM to detect LKM backdoor– Rootkit recovery: Helix to perform forensic work

30

Summary• Additional resources– Solaris 10 Security– Practical Solaris Security– Solaris Security Toolkit– AIX Security Redbook– OpenBSD Security– Security-Enhanced Linux– CERT UNIX Configuration Guidelines– SANS Top 25 Vulnerabilities– Secure Programming for Linux and Unix HOWTO

31

Homework #3 Ch4 & Ch5 (Total: 210)Due: 5/19 (Mon) in printed hardcopy

(format: problem, solution with explanation, screen dumps)

1. (60 points) Use Cain to crack passwords on “your” Windows system with the following three different methods supported by Cain.

1) Brute-force cracking2) Dictionary cracking3) Rainbow cracking

2. (30 points) Use John the Ripper (JTR) to crack passwords on “your” Linux system.3. (40 points) Use Metaexploit to exploit a known vulnerability on a server of your

choice and on a browser of your choice, respectively.4. (20 points) After you gain the access of a target host, show how you could install a

backdoor program and make it accessible with netcat. You can listen on your host to wait for the backdoor to connect over.

5. (20 points) Compare the vulnerability information that you can collect from three sources: Bugtraq, Open Source Vulnerability Database, Common Vulnerability and Exposures Database. Draw a table to compare them in several features.

6. (20 points) Use find to search the SUID, SGID, and world-writable files on your Linux system.

7. (20 points) Use Logclean-ng to clean the logs created during one login session on your Linux system.