A Primer on Cracking: Part 2

82-03-08 DATA SECURITY MANAGEMENT
A PRIMER ON CRACKING: PART 2
Edward Skoudis
Auerbach Publications © 2001 CRC Press LLC

INSIDE: Stack-based Buffer Overflows; The Art and Science of Password Cracking; Backdoors; Trojan Horses and RootKits; Overall Defenses — Intrusion Detection and Incident Response Procedures

PAYOFF IDEA
With the rise of powerful, easy-to-use, and widely distributed hacker tools, many in the security industry have observed that today is the golden age of hacking. The purpose of this article is to describe the tools in widespread use today for compromising computer and network security. Additionally, for each tool and technique described, the article presents practical advice on defending against each type of attack.

INTRODUCTION

Part 1 of this article (82-03-07) discussed network mapping and port scanning, vulnerability scanning, wardialing, network exploits, and denial-of-service attacks. Part 2 discusses stack-based buffer overflows, password cracking, backdoors, Trojan horses and rootkits, and defenses — intrusion detection and incident response procedures.

STACK-BASED BUFFER OVERFLOWS

Stack-based buffer overflow attacks are commonly used by an attacker to take over a system remotely across a network. Additionally, buffer overflows can be employed by local malicious users to elevate their privileges and gain superuser access to a system. Stack-based buffer overflow attacks exploit the way many operating systems handle their stack, an internal data structure used by running programs to store data temporarily. When a function call is made, the current state of the executing program and the variables to be passed to the function are pushed on the stack. New local variables used by the function are also allocated space on the stack. Additionally, the stack stores the return address of the code calling the function. This return address will be read from the stack once the function call is complete; the system uses it to resume execution of the calling program at the appropriate place. Exhibit 1 shows how a stack is constructed.

EXHIBIT 1 — A Normal Stack and a Stack with a Buffer Overflow

Most UNIX and all Windows systems have a stack that can hold both data and executable code. Because local variables are stored on the stack when a function is called, poor code can be exploited to overrun the boundaries of these variables on the stack. If the code does not examine the length of user input, a particular variable on the stack may exceed the memory allocated to it, overwriting neighboring variables and even the return address that says where execution should resume after the function completes. This operation, called "smashing" the stack, allows an attacker to overflow the local variables and insert executable code and a new return address on the stack. Exhibit 1 also shows a stack that has been smashed with a buffer overflow.

The attacker overflows the buffer on the stack with machine-specific bytecodes that consist of executable commands (usually a routine that spawns a shell) and a return pointer that begins execution of these inserted commands. Therefore, with very carefully constructed binary code, the attacker can enter, as ordinary user input to a program, data that consists of executable code and a new return address. The buggy program will not check the length of this input, but will place it on the stack and then begin to execute the attacker's code. Such vulnerabilities allow an attacker to break out of the application code and access any system components with the permissions of the broken program. If the broken program is running with superuser privileges (e.g., SUID root on a UNIX system), the attacker has taken over the machine with a buffer overflow.
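As an added illustration, not code from the article, the unchecked copy just described sits beside the length-checked form that the defenses section below calls for; greet_unchecked, greet_checked and the 16-byte NAME_MAX buffer are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed buffer size for the example */

/* Vulnerable form: strcpy copies until the input's NUL terminator with no
 * regard for the 16-byte allocation, so a longer argument overruns 'name'
 * and whatever the compiler placed beyond it on the stack, including the
 * saved return address. Shown for contrast only; it is never called with
 * oversized input here. */
void greet_unchecked(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);            /* no length check: the defect the article describes */
    printf("hello, %s\n", name);
}

/* Hardened form: confirm that the input fits the allocation (with room for
 * the terminating NUL) before copying, and reject it otherwise.
 * Returns 0 when the name was accepted, -1 when it was rejected. */
int greet_checked(const char *input)
{
    char name[NAME_MAX];
    /* Bounded scan: look for the terminator only within the first NAME_MAX
     * bytes, so even the length check cannot read past the allocation. */
    const char *nul = memchr(input, '\0', NAME_MAX);
    if (nul == NULL)
        return -1;                  /* NAME_MAX or more characters: no room for the NUL */
    size_t len = (size_t)(nul - input);
    memcpy(name, input, len + 1);   /* copy exactly len characters plus the NUL */
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    greet_checked("alice");                                   /* accepted */
    if (greet_checked("a name far too long for a 16-byte buffer") != 0)
        puts("rejected: input exceeds the allocated buffer");
    return 0;
}
```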
Stack-based Buffer Overflow Defenses

The most thorough defense against buffer overflow attacks is to code software properly so that it cannot be used to smash the stack. All programs should validate all input from users and other programs, ensuring that it fits into the allocated memory structures. Each variable should be checked (including user input, variables from other functions, input from other programs, and even environment variables) to ensure that the allocated buffers are adequate to hold the data. Unfortunately, this ultimate solution is only available to the individuals who write the programs and to those with source code.

Additionally, security practitioners and system administrators should carefully control and minimize the number of SUID programs on a system, which users can run with the permissions of other users (such as root). Only SUID programs with an explicit business need should be installed on sensitive systems.

Finally, many stack-based buffer overflow attacks can be avoided by configuring the system not to execute code from the stack. Notably, Solaris and Linux offer this option. For example, to secure a Solaris system against stack-based buffer overflows, the following lines should be added to /etc/system:

    set noexec_user_stack=1
    set noexec_user_stack_log=1

The first line prevents execution on the stack, and the second line logs any attempt to do so. Unfortunately, some programs legitimately try to run code off the stack; such programs will crash if this option is implemented. Generally, if the system is single purpose and needs to be secure (e.g., a Web server), this option should be used to prevent stack-based buffer overflows.

THE ART AND SCIENCE OF PASSWORD CRACKING

The vast majority of systems today authenticate users with a static password.
When a user logs in, the password is transmitted to the system, which checks it to decide whether or not to let the user log in. To make this decision, the system must have a mechanism for comparing the user's input with the actual password. Of course, the system could simply store all of the passwords locally and compare against that file. Such a file of cleartext passwords, however, would be a very juicy target for an attacker. To make the target less useful to attackers, most modern operating systems use a one-way hash or encryption mechanism to protect the stored passwords. When a user types in a password, the system hashes the user's entry and compares it to the stored hash. If the two hashes match, the password is correct and the user can log in.

Password cracking tools are used to attack this method of password protection. An attacker will use some exploit (often a buffer overflow) to gather the encrypted or hashed password file from a system (on a UNIX system without password shadowing, any user can read the hashed password file). After downloading the hashed password file, the attacker uses a password cracking tool to determine users' passwords. The cracking tool operates in a loop: it guesses a password, hashes or encrypts the guess, and compares the result to the hashed password from the stolen file. If the hashes match, the attacker has the password. If they do not match, the loop begins again with another guess. Password cracking tools base their guesses on a dictionary or on a complete brute-force attack that tries every possible password. Dozens of dictionaries are available online, in a multitude of languages including English, French, German, Klingon, etc. Numerous password cracking tools are available.
The most popular and full-featured password crackers include:

• John-the-Ripper, by Solar Designer, focuses on cracking UNIX passwords; available at http://www.openwall.com/john/.
• L0phtCrack, used to crack Windows NT passwords, is available at http://www.l0pht.com.

Password Cracking Defenses

The first defense against password cracking is to minimize the exposure of the encrypted/hashed password file. On UNIX systems, shadow password files should be used, which allow only the superuser to read the password file. On Windows NT systems, the SYSKEY feature available in NT 4.0 SP 3 and later should be installed and enabled. Furthermore, all backups and system recovery disks should be stored in physically secured locations and possibly even encrypted.

A strong password policy is a crucial element in ensuring a secure network. A password policy should require password lengths greater than eight characters and the use of alphanumeric and special characters in every password, and should force users to have passwords with mixed-case letters. Users must be made aware of the issue of weak passwords and trained in creating memorable, yet difficult-to-guess, passwords.

To ensure that passwords are secure and to identify weak ones, security practitioners should check system passwords on a periodic basis using password cracking tools. When weak passwords are discovered, the security group should have a defined procedure for interacting with users whose passwords can be easily guessed.

Finally, several software packages are available that prevent users from setting their passwords to easily guessed values. When a user establishes a new password, these filtering programs check the password to make sure that it is sufficiently complex and is not just a variation of the user name or a dictionary word. With this kind of tool, users are simply unable to create passwords that are easily guessed, eliminating a significant security issue.
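One way to implement the filtering check just described, written as an added example rather than taken from any of the packages the article refers to; the verdict codes, the four-word DICTIONARY list and the check_password function are constructed for illustration, and case-insensitive substring matching stands in for a fuller "variation of" test.

```c
#include <ctype.h>
#include <string.h>

/* Verdicts returned by the filter; PW_OK means the password is accepted. */
enum pw_verdict { PW_OK = 0, PW_TOO_SHORT, PW_NO_LOWER, PW_NO_UPPER, PW_NO_DIGIT,
                  PW_NO_SPECIAL, PW_CONTAINS_USERNAME, PW_DICTIONARY_WORD };

/* Constructed stand-in for a cracking dictionary; a real filter loads a word list. */
static const char *const DICTIONARY[] = { "password", "welcome", "letmein", "secret" };

/* Case-insensitive test for whether 'needle' occurs anywhere inside 'hay'.
 * Substring matching is the simplification used here for "a variation of". */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t h = strlen(hay), n = strlen(needle);
    if (n == 0 || n > h)
        return 0;
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j]))
            j++;
        if (j == n)
            return 1;
    }
    return 0;
}

/* Apply the policy from the article: more than eight characters, mixed-case
 * letters, at least one digit and one special character, and not built from
 * the user name or a dictionary word. Checks run in the order listed. */
enum pw_verdict check_password(const char *user, const char *pw)
{
    int lower = 0, upper = 0, digit = 0, special = 0;
    if (strlen(pw) <= 8)
        return PW_TOO_SHORT;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p))      lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else                  special = 1;   /* anything that is not a letter or digit */
    }
    if (!lower)   return PW_NO_LOWER;
    if (!upper)   return PW_NO_UPPER;
    if (!digit)   return PW_NO_DIGIT;
    if (!special) return PW_NO_SPECIAL;
    if (contains_nocase(pw, user))
        return PW_CONTAINS_USERNAME;
    for (size_t i = 0; i < sizeof DICTIONARY / sizeof DICTIONARY[0]; i++)
        if (contains_nocase(pw, DICTIONARY[i]))
            return PW_DICTIONARY_WORD;
    return PW_OK;
}
```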
For filtering software to be effective, it must be installed on all servers where users establish passwords, including UNIX servers, Windows NT primary and backup domain controllers, and Novell servers. (Jonathan Held, "Password Security," Data Security Management, April 2000, 83-01-11.)

BACKDOORS

Backdoors are programs that bypass the traditional security checks on a system, allowing an attacker to gain access to a machine without providing a system password and without being logged.