Hacking Exposed 7 Network Security Secrets Solutions Chapter

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 5 Hacking UNIX 1

Hacking UNIX • • The quest for root Remote access Local access After hacking root 2

The Quest for Root • Two levels of access in UNIX: root and user • Vulnerability mapping – Map attributes (listening services, versions of running servers) to potential security holes – Vulnerability info: Bugtraq, Open Source Vulnerability Database, Common Vulnerability and Exposures Database – Use public exploit codes or write their own – Use automated vulnerability scanning tools – nessus • Script kiddies – uneducated attackers – Skip vulnerability mapping – Use UNIX exploit against Windows systems – useless! 3

Remote Access vs. Local Access • Remote access: gaining access via network (a listening service) • Local access: having an actual command shell or login to system – privilege escalation attacks – Escalating local privilege to root • From remote to local – Remotely exploit a vulnerability in a listening service and then gain local shell access • Reference: Hacking Exposed Linux, 3 rd edition, 2008 – Teach a man to fish and feed him or life vs. feed him for a day 4

Remote Access • Four primary ways – Exploit a listening service – Route through a UNIX system • Source-routing to circumvent a UNIX firewall – User-initiated remote execution • Done by browser, mail reader, app, etc. – Promiscuous-mode attacks • A carefully crafted packet to hack your sniffer or driver 5

Brute-Force Password Guessing Attacks • Services that can be brute-forced – telnet, FTP, rlogin/rsh, SSH, SNMP, LDAP, POP/IMAP, HTTP/HTTPS, CVS/SVN, Postgres, My. SQL, Oracle • Enumeration a list of user accounts – Finger, rusers, sendmail, etc. • “Smoking Joe” account – ID and password are identical • Automated tools: THC Hydra, Medusa • Brute-force countermeasures – – Strong password policy One-time password Public key authentication Tools: cracklib (password composition tool), Secure Remote Password (authentication with key exchange), Open. SSH (with encryption and authentication), pam_passwdqc (password strength check), pam_lockout (account lockout) 6

Data-Driven Attacks Buffer Overflow Attacks • Data-driven attacks – Sending data to an active service causing unintended or undesirable results • Buffer overflow attacks – Placing more data into a buffer than was previously allocated • strcpy(), strcat(), springf() – VRFY command of sendmail • sendmail SUID to root • egg in VRFY to overflow the return address on the stack – assembly code that run /bin/sh with root privilege – System-dependent on OS and CPU – Reference: Aleph One, “Smashing the stack for fun and profit, ” Phrack Magazine, Issue 49, 1996, phrack. org. 7

Data-Driven Attacks Buffer Overflow Attack Countermeasures • Secure coding practices – Enable Stack Smashing Protector (SSP) by gcc, validate user-modifiable inputs, use more secure routines, reduce the amount of code run with root privilege, etc. • Test and audit each program • Disable unused or dangerous services – Disable these services – Access control with TCP wrappers (tcpd), xinetd, iptables, ipf • Stack execution protection – Supported in Solaris – Supported in Linux with two kernel patches: Exec Shield, GRSecurity – Not bullet-proof: distributing code that exploits a buffer overflow condition – Heap-based overflow: overrunning dynamically allocated memory • Address Space Layout Randomization (ASLR) – Randomized process address space each time a process is created – Crashed (denial of service) vs. exploited (remote code execution) 8

Data-Driven Attacks Return-to-libc Attacks • Return into standard C library (libc) vs. return to code placed on stack • Overflow the return address to a new location in existing executable code in the libc • Bypass stack execution prevention • Return oriented programming (ROP) – Short code sequences (gadgets) chained together • Countermeasures – Remove gadgets during compilation, detection of memory violation, etc. 9

Data-Driven Attacks Format String Attacks • Formatted output by printf() and sprintf() • Pass carefully crafted text strings containing formatting directives to cause the target host to execute arbitrary commands • When more formatting directives than supplied arguments – Subsequent data on the stack will be used as the supplied arguments • When a formatting directive is a user-supplied string – Display successive words on the stack • Countermeasures – Same as buffer overflow attacks – Gcc warning at printf() 10

Data-Driven Attacks Input Validation Attacks • The server does not properly parse input before passing it to further processing • Telnet daemon passes syntactically incorrect input to the login program – Attacker could bypass authentication without being prompted for a password – Detailed in Chapter 10 • Countermeasures – Black list validation (not recommended, cannot protect against new data attacks) vs. white list validation (recommended) 11

Data-Driven Attacks Integer Overflow and Integer Sign Attacks • Wrapping – Assigning the signed data type a value of 60, 000: 5536 • Overflow when assigning the length of a large user-supplied integer to a data type that is too small • Countermeasures – Same as buffer overflow attacks – Check signed and unsigned comparison or arithmetic routines, loop control for(), variables to hold lengths of user-input data 12

Data-Driven Attacks Dangling Pointer Attacks • A dangling pointer, stray pointer – A pointer points to an invalid memory address – Errors occur long after it was created: difficult to debug – Exploited if the memory contains malicious code supplied by a user • When – An object is freed but the reference to it is not reassigned and later used – A local object is popped from the stack when the function returns but a reference to it is still maintained • Countermeasures – Garbage collection and bounds checking 13

I Want My Shell • Interactive shell access – telnet, rlogin, SSH • Execute commands without interactive login – RSH, SSH, Rexec • Exploit server vulnerability execute commands on the target server interactive shell access • Figure 5. 1: UNIX-based Web server, with an input validation attack vulnerability, behind a firewall allowing only HTTP (port 80) and HTTPS (port 443) 14

I Want My Shell Reverse Telnet and Back Channels • Exploit awstats (input validation attack) vulnerability to perform command execution such as cat /etc/passwd – Embed the command in the URL – Interactive shell access by a back channel from the target server to the attacker system – Back channel: reverse telnet or nc • telnet or nc from the server, nc listener on the attacker system 15

Common Types of Remote Attacks • FTP – Anonymous access + world-writable directory – Many reported vulnerabilities – Setup nc listener on the client exploit the server nc calls back • Sendmail – Even more vulnerabilities • • Remote Procedure Call NFS X Insecurities DNS SSH Open. SSL Apache 16

Local Access Password Composition Vulnerabilities • Gain local access via remote vulnerability – Root access or user access • Gain user access first, then escalate to root • Password composition vulnerability – Password cracking ~ automated dictionary attack – Compare /etc/passwd (or /etc/shadow, /etc/master. passwd) with encrypted/hashed (and salted) words from dictionary • Salted to (1) ensure two users having the same passwords will not generate the same password hash, (2) mitigate pre-computed rainbow tables • Encryption/hashing algorithms: DES, Extended DES, MD 5, etc. – John the Ripper (JTR) • 2400 rules to permutated words, most encryption/hash algorithms • Default wordlist and extensive wordlists – /etc/passwd: $1$Upe/sm. FP$x. Njp. Yz. Ovs. ZCg. OFKLWmbg. R/ (Modular Crypt Format: $algorithm$salt$encrypted hash/) 17

Local Access Local Buffer Overflow • An unsuspecting user runs unrar 3. 9. 3 to open a specially crafted rar file local stack-based buffer overflow • Jump to a specific memory address and run /bin/sh • Local buffer overflow countermeasures – Secure coding practices – Non-executable stack – Disable the SUID bit on a file that does not require SUID permissions 18

Local Access Symbolic Link • Symbolic link: a file, created by ln, that points to a different file • Open. Solaris installs Xscreensaver 5. 01 with setuid bit set: symbolic vulnerability used to view other files not owned by the user – Xscreensaver reads user configurations from. xscreensaver – If. xscreensaver is a symlink to another file • Allow us to read any files on the file system • Symlink countermeasures – Perform sanity checks on existing files, remove SUID bit from as many files as possible 19

Local Access Race Conditions • Abuse a program/process performing a privileged operation • pkexec suffers from a race condition where the effective uid of the process can be set to 0 by invoking a setuid-root (SUID) program in the parent process • Common race conditions by signal handling – wu-ftp v 2. 4 signal-handling vulnerability • SIGPIPE at connection close, SIGURG at out-of-band signaling • Data connection close SIGPIPE to server raises to root (uid = 0) for housekeeping attackers creates SIGURG to server interrupt the server to jump back to server’s main loop with root privileges 20

Local Access Core File Manipulation & Shared Libraries • Core dump with sensitive info stored in memory – Password hashes – Countermeasures: ulimit to turn off core dump • Shared libraries – Attackers modify a shared library or provide an alternate shared library via an environment variable could gain root access – When in. telnetd executes /bin/login (SUID root binary) to authenticate the user • the system’s dynamic linker loads the modified library (pointed to by the modified LD_PRELOAD) and overwrites the normal library call with root privileges – Countermeasures: Dynamic linker should ignore LD_PRELOAD for SUID root binaries 21

Local Access Kernel Flaws • UNIX kernel: file/directory permissions, escalation and relinguishment of privileges from SUID binaries, signal handling, etc. • Linux 2. 6. 39 – Does not adequately verify permissions when writing to /proc/<pid>/mem • Countermeasures: Kernel patch 22

Local Access System Misconfiguration: File/Directory Permissions (1/2) • Sources of misconfiguration in permissions: SUID root files, world-writable files, device I/O • SUID files – Most attacks abuse a process running SUID binaries – Many programs are unnecessarily run with SUID – find: to find all SUID and SGID files • DOS: users advised to run a non-SUID copy, restrict by configuring /etc/dosemu. users – Countermeasures • Remove SUID/SGID bit from binaries • Consult man page, user documentation, HOWTOs, and try on a test system • Security-enhanced Linux (SELinux): prevent an exploit from doing anything its parent process cannot do 23

Local Access System Misconfiguration: File/Directory Permissions (2/2) • World-writable files – System initialization files, system configuration files, user startup files – World-writable startup scripts executed with root privileges attackers overwrites startup scripts so as to create an SUID shell in /tmp the next time the system is restarted – find: to find world-writable files – Countermeasures • Check initialization, configuration, startup files • /dev might need to be world-writable • Use extended file attributes to protect files 24

After Hacking Root • Hoovering all files for info, loading up sniffers to capture telnet, ftp, POP, SNMP passwords, attacking yet another victim • Uploading a customized rootkit • Rootkits (specific platform type and version) – Trojans: altered versions of login, netstat, ps, passwd, su, telnet, ftp, ifconfig, ls, ssh, find, du, sync, reboot, halt, shutdown, etc. – Backdoors – Interface sniffers – System log cleaners 25

Trojans • “Trojanize” any commands – Log username and password to a file • Special trojan: create a backdoor into your system by running a TCP listener that waits for clients to connect – Rathole: backdoor client – rat, backdoor server – hole • Countermeasures – Detect binary modifications – not just file size and date • Cryptographic checksum: Tripwire, AIDE • Built-in MD 5 checksum: RPM (Red Hat Package Manager) – Identify known rootkits • chkrootkit, rkhunter – Compromise detected rebuild, not restore, your system 26

Sniffers • Network eavesdropping on compromised hosts – Strike at every system that sends traffic to me • Promiscuous mode for adaptor cards • Popular sniffers: Dsniff, Wireshark, tcpdump, Snoop • Countermeasures – Migrate to switched networks: common now • arpredirect, part of dsniff, to redirect – Detect sniffers • Host-based: Check Promiscuous Mode (cpm); Check processes and files by ps, lsof, grep • Network-based: Anti-Sniff, sniffdet – Encryption • SSH, Open. SSH, and Free. SWAN (IPsec and IKE) 27

Log Cleaning • Logclean-ng – Login log: /etc/syslog. conf, – /var/log: cron, mailog, messages, spooler, auth, wtmp, xferlog, etc. – Commands: . bash_history – History of shell: disable by unset – Modification time: touch – Intercept log to remote server: ptrace() in badattach. K log cleaner to control syslogd • Countermeasures – Log to a medium difficult to modify • A file system with append-only flag – Log to a secure log host 28

Kernel Rootkits • Modify kernel to fool all system programs without modifying them • Might not compile on latest kernel versions • Kernel rootkits as a kernel module: loadable kernel module (LKM) – Abused to intercept and modify system calls • Modify system call table: knark • Modify system call handler with its own system call table: enyelkm – Intercept and modify interrupts • Modify Interrupt Descriptor Table (IDT) or interrupt handler: kad – Intercept and modify Virtual File System (VFS): adore-ng • Raw memory access to inject (if LKM disabled) – /dev/kmem: Suc. KIT (~enyelkm), Mood-NT – /dev/mem: phalanx • Countermeasures – Carbonite: uncovers process status in task_struct – LIDS (Linux Intrusion Detection System): a kernel patch to seal kernel from modification – Disable LKM – St. Michael: an LKM to detect LKM backdoor – Rootkit recovery: Helix to perform forensic work 29

Summary • Additional resources – Solaris 10 Security – Practical Solaris Security – Solaris Security Toolkit – AIX Security Redbook – Open. BSD Security – Security-Enhanced Linux – CERT UNIX Configuration Guidelines – SANS Top 25 Vulnerabilities – Secure Programming for Linux and Unix HOWTO 30

Homework #3 Ch 4 & Ch 5 (Total: 210) Due: 5/19 (Mon) in printed hardcopy (format: problem, solution with explanation, screen dumps) 1. 2. 3. 4. 5. 6. 7. (60 points) Use Cain to crack passwords on “your” Windows system with the following three different methods supported by Cain. 1) 2) 3) Brute-force cracking Dictionary cracking Rainbow cracking (30 points) Use John the Ripper (JTR) to crack passwords on “your” Linux system. (40 points) Use Metaexploit to exploit a known vulnerability on a server of your choice and on a browser of your choice, respectively. (20%) After you gain the access of a target host, show you could install a backdoor program and make it accessible with netcat. You can listen on your host to wait for the backdoor to connect over. (20%) Compare the vulnerability information that you can collect from three sources: Bugtraq, Open Source Vulnerability Database, Common Vulnerability and Exposures Database. Draw a table to compare them in several features. (20%) Use find to search the SUID, SGID, and world-writable files on your Linux system. (20%) Use Logclean-ng to clean the logs created during one login session on 31 your Linux system.

Quiz #3 1. Strategically, what are the two types of ways to gain access to a target host? 2. Consider a buffer overflow attack. (a) What has been overflowed? By what from the client? (a) Why is the thing overflowing the buffer OS and CPU dependent? 3. In password cracking, consider dictionary and rainbow table. (a) What is the criteria that a password has been found in a dictionary? (b) What is the content of a rainbow table? 4. After gaining access to a target host, you would setup a backdoor. You can either listen on your host to wait for the backdoor to connect over, or have the backdoor listens on the target to wait for you to connect over. Which is better and why? 32