Transcript Hacking Exposed 7 Network Security Secrets & Solutions

Hacking Exposed 7
Network Security Secrets & Solutions
Chapter 5 Hacking UNIX
1
Hacking UNIX
•
•
•
•
The quest for root
Remote access
Local access
After hacking root
2
The Quest for Root
• Two levels of access in UNIX: root and user
• Vulnerability mapping
– Map attributes (listening services, versions of running servers)
to potential security holes
– Vulnerability info: Bugtraq, Open Source Vulnerability
Database, Common Vulnerability and Exposures Database
– Use public exploit codes or write their own
– Use automated vulnerability scanning tools – nessus
• Script kiddies – uneducated attackers
– Skip vulnerability mapping
– Use UNIX exploit against Windows systems – useless!
3
Remote Access vs. Local Access
• Remote access: gaining access via network (a listening
service)
• Local access: having an actual command shell or login to
system – privilege escalation attacks
– Escalating local privilege to root
• From remote to local
– Remotely exploit a vulnerability in a listening service and
then gain local shell access
• Reference: Hacking Exposed Linux, 3rd edition, 2008
– Teach a man to fish and feed him or life vs. feed him for a
day
4
Remote Access
• Four primary ways
– Exploit a listening service
– Route through a UNIX system
• Source-routing to circumvent a UNIX firewall
– User-initiated remote execution
• Done by browser, mail reader, app, etc.
– Promiscuous-mode attacks
• A carefully crafted packet to hack your sniffer or driver
5
Brute-Force Password Guessing Attacks
• Services that can be brute-forced
– telnet, FTP, rlogin/rsh, SSH, SNMP, LDAP, POP/IMAP, HTTP/HTTPS,
CVS/SVN, Postgres, MySQL, Oracle
• Enumeration  a list of user accounts
– Finger, rusers, sendmail, etc.
• “Smoking Joe” account
– ID and password are identical
• Automated tools: THC Hydra, Medusa
• Brute-force countermeasures
–
–
–
–
Strong password policy
One-time password
Public key authentication
Tools: cracklib (password composition tool), Secure Remote
Password (authentication with key exchange), OpenSSH (with
encryption and authentication), pam_passwdqc (password
strength check), pam_lockout (account lockout)
6
Data-Driven Attacks
Buffer Overflow Attacks
• Data-driven attacks
– Sending data to an active service causing unintended
or undesirable results
• Buffer overflow attacks
– Placing more data into a buffer than was previously
allocated
• strcpy(), strcat(), springf()
– VRFY command of sendmail
• sendmail SUID to root
• egg in VRFY to overflow the return address on the stack
– assembly code that run /bin/sh with root privilege
– System-dependent on OS and CPU
– Reference: Aleph One, “Smashing the stack for fun
and profit,” Phrack Magazine, Issue 49, 1996,
phrack.org.
7
Data-Driven Attacks
Buffer Overflow Attack Countermeasures
• Secure coding practices
– Enable Stack Smashing Protector (SSP) by gcc, validate user-modifiable
inputs, use more secure routines, reduce the amount of code run with
root privilege, etc.
• Test and audit each program
• Disable unused or dangerous services
– Disable these services
– Access control with TCP wrappers (tcpd), xinetd, iptables, ipf
• Stack execution protection
– Supported in Solaris
– Supported in Linux with two kernel patches: Exec Shield, GRSecurity
– Not bullet-proof: distributing code that exploits a buffer overflow
condition
– Heap-based overflow: overrunning dynamically allocated memory
• Address Space Layout Randomization (ASLR)
– Randomized process address space each time a process is created
– Crashed (denial of service) vs. exploited (remote code execution)
8
Data-Driven Attacks
Return-to-libc Attacks
• Return into standard C library (libc) vs. return
to code placed on stack
• Overflow the return address to a new location
in existing executable code in the libc
• Bypass stack execution prevention
• Return oriented programming (ROP)
– Short code sequences (gadgets) chained together
• Countermeasures
– Remove gadgets during compilation, detection of
memory violation, etc.
9
Data-Driven Attacks
Format String Attacks
• Formatted output by printf() and sprintf()
• Pass carefully crafted text strings containing formatting
directives to cause the target host to execute arbitrary
commands
• When more formatting directives than supplied
arguments
– Subsequent data on the stack will be used as the supplied
arguments
• When a formatting directive is a user-supplied string
– Display successive words on the stack
• Countermeasures
– Same as buffer overflow attacks
– Gcc warning at printf()
10
Data-Driven Attacks
Input Validation Attacks
• The server does not properly parse input before
passing it to further processing
• Telnet daemon passes syntactically incorrect
input to the login program
– Attacker could bypass authentication without being
prompted for a password
– Detailed in Chapter 10
• Countermeasures
– Black list validation (not recommended, cannot
protect against new data attacks) vs. white list
validation (recommended)
11
Data-Driven Attacks
Integer Overflow and Integer Sign Attacks
• Wrapping
– Assigning the signed data type a value of 60,000: 5536
• Overflow when assigning the length of a large
user-supplied integer to a data type that is too
small
• Countermeasures
– Same as buffer overflow attacks
– Check signed and unsigned comparison or arithmetic
routines, loop control for(), variables to hold lengths
of user-input data
12
Data-Driven Attacks
Dangling Pointer Attacks
• A dangling pointer, stray pointer
– A pointer points to an invalid memory address
– Errors occur long after it was created: difficult to debug
– Exploited if the memory contains malicious code supplied
by a user
• When
– An object is freed but the reference to it is not reassigned
and later used
– A local object is popped from the stack when the function
returns but a reference to it is still maintained
• Countermeasures
– Garbage collection and bounds checking
13
I Want My Shell
• Interactive shell access
– telnet, rlogin, SSH
• Execute commands without interactive login
– RSH, SSH, Rexec
• Exploit server vulnerability  execute commands
on the target server  interactive shell access
• Figure 5.1: UNIX-based Web server, with an input
validation attack vulnerability, behind a firewall
allowing only HTTP (port 80) and HTTPS (port 443)
14
I Want My Shell
Reverse Telnet and Back Channels
• Exploit awstats (input validation attack)
vulnerability to perform command execution
such as cat /etc/passwd
– Embed the command in the URL
– Interactive shell access by a back channel from the
target server to the attacker system
– Back channel: reverse telnet or nc
• telnet or nc from the server, nc listener on the attacker
system
15
Common Types of Remote Attacks
• FTP
– Anonymous access + world-writable directory
– Many reported vulnerabilities
– Setup nc listener on the client  exploit the server  nc calls back
• Sendmail
– Even more vulnerabilities
•
•
•
•
•
•
•
Remote Procedure Call
NFS
X Insecurities
DNS
SSH
OpenSSL
Apache
16
Local Access
Password Composition Vulnerabilities
• Gain local access via remote vulnerability
– Root access or user access
• Gain user access first, then escalate to root
• Password composition vulnerability
– Password cracking ~ automated dictionary attack
– Compare /etc/passwd (or /etc/shadow, /etc/master.passwd)
with encrypted/hashed (and salted) words from dictionary
• Salted to (1) ensure two users having the same passwords will not
generate the same password hash, (2) mitigate pre-computed
rainbow tables
• Encryption/hashing algorithms: DES, Extended DES, MD5, etc.
– John the Ripper (JTR)
• 2400 rules to permutated words, most encryption/hash algorithms
• Default wordlist and extensive wordlists
– /etc/passwd: $1$Upe/smFP$xNjpYzOvsZCgOFKLWmbgR/
(Modular Crypt Format: $algorithm$salt$encrypted hash/)
17
Local Access
Local Buffer Overflow
• An unsuspecting user runs unrar 3.9.3 to open
a specially crafted rar file  local stack-based
buffer overflow
• Jump to a specific memory address and run
/bin/sh
• Local buffer overflow countermeasures
– Secure coding practices
– Non-executable stack
– Disable the SUID bit on a file that does not require
SUID permissions
18
Local Access
Symbolic Link
• Symbolic link: a file, created by ln, that points to a
different file
• OpenSolaris installs Xscreensaver 5.01 with setuid
bit set: symbolic vulnerability used to view other
files not owned by the user
– Xscreensaver reads user configurations
from .xscreensaver
– If .xscreensaver is a symlink to another file
• Allow us to read any files on the file system
• Symlink countermeasures
– Perform sanity checks on existing files, remove SUID
bit from as many files as possible
19
Local Access
Race Conditions
• Abuse a program/process performing a privileged
operation
• pkexec suffers from a race condition where the
effective uid of the process can be set to 0 by
invoking a setuid-root (SUID) program in the
parent process
• Common race conditions by signal handling
– wu-ftp v2.4 signal-handling vulnerability
• SIGPIPE at connection close, SIGURG at out-of-band
signaling
• Data connection close  SIGPIPE to server  server raises
to root (uid = 0) for housekeeping  attackers creates
SIGURG to server  interrupt the server to jump back to
server’s main loop with root privileges
20
Local Access
Core File Manipulation & Shared Libraries
• Core dump with sensitive info stored in memory
– Password hashes
– Countermeasures: ulimit to turn off core dump
• Shared libraries
– Attackers modify a shared library or provide an
alternate shared library via an environment variable 
could gain root access
– When in.telnetd executes /bin/login (SUID root binary)
to authenticate the user
• the system’s dynamic linker loads the modified library
(pointed to by the modified LD_PRELOAD) and overwrites the
normal library call with root privileges
– Countermeasures: Dynamic linker should ignore
LD_PRELOAD for SUID root binaries
21
Local Access
Kernel Flaws
• UNIX kernel: file/directory permissions,
escalation and relinguishment of privileges
from SUID binaries, signal handling, etc.
• Linux 2.6.39
– Does not adequately verify permissions when
writing to /proc/<pid>/mem
• Countermeasures: Kernel patch
22
Local Access
System Misconfiguration: File/Directory Permissions (1/2)
• Sources of misconfiguration in permissions: SUID
root files, world-writable files, device I/O
• SUID files
– Most attacks abuse a process running SUID binaries
– Many programs are unnecessarily run with SUID
– find: to find all SUID and SGID files
• DOS: users advised to run a non-SUID copy, restrict by
configuring /etc/dosemu.users
– Countermeasures
• Remove SUID/SGID bit from binaries
• Consult man page, user documentation, HOWTOs, and try on
a test system
• Security-enhanced Linux (SELinux): prevent an exploit from
doing anything its parent process cannot do
23
Local Access
System Misconfiguration: File/Directory Permissions (2/2)
• World-writable files
– System initialization files, system configuration files,
user startup files
– World-writable startup scripts executed with root
privileges  attackers overwrites startup scripts  so
as to create an SUID shell in /tmp the next time the
system is restarted
– find: to find world-writable files
– Countermeasures
• Check initialization, configuration, startup files
• /dev might need to be world-writable
• Use extended file attributes to protect files
24
After Hacking Root
• Hoovering all files for info, loading up sniffers to
capture telnet, ftp, POP, SNMP passwords,
attacking yet another victim
• Uploading a customized rootkit
• Rootkits (specific platform type and version)
– Trojans: altered versions of login, netstat, ps, passwd,
su, telnet, ftp, ifconfig, ls, ssh, find, du, sync, reboot,
halt, shutdown, etc.
– Backdoors
– Interface sniffers
– System log cleaners
25
Trojans
• “Trojanize” any commands
– Log username and password to a file
• Special trojan: create a backdoor into your system
by running a TCP listener that waits for clients to
connect
– Rathole: backdoor client – rat, backdoor server – hole
• Countermeasures
– Detect binary modifications – not just file size and date
• Cryptographic checksum: Tripwire, AIDE
• Built-in MD5 checksum: RPM (Red Hat Package Manager)
– Identify known rootkits
• chkrootkit, rkhunter
– Compromise detected  rebuild, not restore, your
system
26
Sniffers
• Network eavesdropping on compromised hosts
– Strike at every system that sends traffic to me
• Promiscuous mode for adaptor cards
• Popular sniffers: Dsniff, Wireshark, tcpdump, Snoop
• Countermeasures
– Migrate to switched networks: common now
• arpredirect, part of dsniff, to redirect
– Detect sniffers
• Host-based: Check Promiscuous Mode (cpm); Check processes and
files by ps, lsof, grep
• Network-based: Anti-Sniff, sniffdet
– Encryption
• SSH, OpenSSH, and FreeSWAN (IPsec and IKE)
27
Log Cleaning
• Logclean-ng
– Login log: /etc/syslog.conf,
– /var/log: cron, mailog, messages, spooler, auth, wtmp,
xferlog, etc.
– Commands: .bash_history
– History of shell: disable by unset
– Modification time: touch
– Intercept log to remote server: ptrace() in badattachK
log cleaner to control syslogd
• Countermeasures
– Log to a medium difficult to modify
• A file system with append-only flag
– Log to a secure log host
28
Kernel Rootkits
• Modify kernel to fool all system programs without modifying them
• Might not compile on latest kernel versions
• Kernel rootkits as a kernel module: loadable kernel module (LKM)
– Abused to intercept and modify system calls
• Modify system call table: knark
• Modify system call handler with its own system call table: enyelkm
– Intercept and modify interrupts
• Modify Interrupt Descriptor Table (IDT) or interrupt handler: kad
– Intercept and modify Virtual File System (VFS): adore-ng
• Raw memory access to inject (if LKM disabled)
– /dev/kmem: SucKIT (~enyelkm), Mood-NT
– /dev/mem: phalanx
• Countermeasures
– Carbonite: uncovers process status in task_struct
– LIDS (Linux Intrusion Detection System): a kernel patch to seal kernel
from modification
– Disable LKM
– St. Michael: an LKM to detect LKM backdoor
– Rootkit recovery: Helix to perform forensic work
29
Summary
• Additional resources
–
–
–
–
–
–
–
–
–
Solaris 10 Security
Practical Solaris Security
Solaris Security Toolkit
AIX Security Redbook
OpenBSD Security
Security-Enhanced Linux
CERT UNIX Configuration Guidelines
SANS Top 25 Vulnerabilities
Secure Programming for Linux and Unix HOWTO
30
Homework #3 Ch4 & Ch5 (Total: 210)
Due: 5/19 (Mon) in printed hardcopy
(format: problem, solution with explanation, screen dumps)
1.
(60 points) Use Cain to crack passwords on “your” Windows system with
the following three different methods supported by Cain.
1)
2)
3)
2.
3.
4.
5.
6.
7.
Brute-force cracking
Dictionary cracking
Rainbow cracking
(30 points) Use John the Ripper (JTR) to crack passwords on “your” Linux
system.
(40 points) Use Metaexploit to exploit a known vulnerability on a server of
your choice and on a browser of your choice, respectively.
(20%) After you gain the access of a target host, show how you could install
a backdoor program and make it accessible with netcat. You can listen on
your host to wait for the backdoor to connect over.
(20%) Compare the vulnerability information that you can collect from
three sources: Bugtraq, Open Source Vulnerability Database, Common
Vulnerability and Exposures Database. Draw a table to compare them in
several features.
(20%) Use find to search the SUID, SGID, and world-writable files on your
Linux system.
(20%) Use Logclean-ng to clean the logs created during one login session on
31
your Linux system.
Quiz #3
1.
Strategically, what are the two types of ways to gain access to a
target host?
2.
Consider a buffer overflow attack.
(a) What has been overflowed? By what from the client?
(a) Why is the thing overflowing the buffer OS and CPU dependent?
3.
In password cracking, consider dictionary and rainbow table.
(a) What is the criteria that a password has been found in a dictionary?
(b) What is the content of a rainbow table?
4.
After gaining access to a target host, you would setup a backdoor.
You can either listen on your host to wait for the backdoor to
connect over, or have the backdoor listens on the target to wait for
you to connect over. Which is better and why?
32