11.1 SetUID and its Exploits
UID (User ID) and GID (Group ID) real user ID and real group ID effective user ID and effective group ID an active process has an effective user ID and an effective group ID that are used to determine file access permissions (see below). The effective user ID and effective group ID are equal to the process's real user ID and real group ID respectively, unless the process or one of its ancestors evolved from a file that had the set-user-ID bit or set-group-ID bit setsetting UID (chmod 4000 path) and GID (chmod 2000 path) Example
$ cp /bin/rm . $ cp rm srm $ cp /bin/sh . $ su Password: # id uid=0(root) gid=0(root) ... # chown root * # chgrp root * # chmod 4755 # ls -l total 318 -wxr-xr-x 1 root root 10116 Oct 30 14:44 rm -wxr-xr-x 1 root root 301272 Oct 30 14:45 sh -wxr-xr-x 1 root root 10116 Oct 30 14:44 srm # ls -l /bin/sh lrwxrwxrwx 1 root root 4 Oct 16 22:52 /bin/sh -> bash # chmod 4755 s* # ls -l total 318 -rwxr-xr-x 1 root root 10116 Oct 30 14:44 rm -rwsr-xr-x 1 root root 301272 Oct 30 14:45 sh -rwsr-xr-x 1 root root 10116 Oct 30 14:44 srm # exit $ id ud=103(rhee) gid=100(users) groups=100(users) $ ls -l /test* -rwxr-xr-x 1 root root 301272 Oct 30 14:50 /test-file -rwxr-xr-x 1 root root 301272 Oct 30 14:50 /test-file2 $ ./rm /test-file ./rm: `/test-file'¸¦ Áö¿ó´Ï´Ù: ¸ðµå 0755À» µ¤¾î¾µ±î¿ä? y ./rm: /test-file: Çã°¡ °ÅºÎµÊ $ ls /test* /test-file /test-file2 $ ./srm /test-file $ ls /test* /test-file2 $ ./sh # doesn't work in Solaris # id uid=103(rhee) gid=100(users) euid=0(root) groups=100(users) # ./rm /test-file2 # ls /test* ls: /test*: ±×·± ÆÄÀÏÀ̳ª µð·ºÅ丮°¡ ¾øÀ½
11.2 .rhosts and r-commandsshell variable: IFS (Input Field Separator)
- IFS = " \t\n" by default
- can be changed to split text lines into fields, in which fields were separated by a character other than space characters (filelds in /etc/passwd are separated by ':')
- Example of exploit (SetUID, IFS, rdist command)
- "rdist" is owned by root, and has set-user-id bit set
- "rdist" executes "/usr/lib/sendmail"
- cp /bin/sh .
- "usr.c" to be compiled into "usr"
main() { setuid (0); chown ("sh", 0, 0); chmod ("sh", 04755); }run "setenv IFS /" run "rdist" run "./sh" lpd bug
- "lpr" is owned by root, and has set-user-id bit set
- "lpr" creates a spool file in "/usr/spool/lpd"
- "lpr -s path" creates a symbolic link in "/usr/spool/lpd" to "path"
- "rm path; ln -s /etc/passwd" path
- buggy lpd repeats the names in "/usr/spool/lpd" quite often
run "lpr false-passwd" many times until "false-passwd" overwrites "/etc/passwd"
The /etc/hosts.equiv and .rhosts files provide the remote authentication database for rlogin, rsh, rcp, and rcmd. The files specify remote hosts and users that are considered trusted. Trusted users are allowed to access the local system without supplying a password. The /etc/hosts.equiv file applies to the entire system, while individual users can maintain their own .rhosts files in their home directories.The remote authentication procedure first checks the /etc/hosts.equiv file and then checks the .rhosts file in the home directory of the local user who is requesting access. Entries in these files can be of two forms. Positive entries allow access, while negative entries deny access. The authentication succeeds when a matching positive entry is found. The procedure fails when the first matching negative entry is found, or if no matching entries are found in either file. Thus, the order of entries is important; If the files contain positive and negative entries, the entry that appears first will prevail. The rsh and rcp programs fail if the remote authentication procedure fails. The rlogin program falls back to the standard password-based login procedure if the remote authentication fails.
Both files are formatted as a list of one-line entries. Each entry has the form:
hostname [username]Negative entries are differentiated from positive entries by a `-' character preceding either the hostname or username field.Positive Entries
If the form:hostnameis used, then users from the named host are trusted. This form may be used in both the /etc/hosts.equiv and .rhosts files.
11.3 sticky bitsIf the line is in the form:
hostname usernamethen the named user from the named host can access the system. This form may be used in individual .rhosts files to allow remote users to access the system as a different local user. If this form is used in the /etc/hosts.equiv file, the named remote user will be allowed to access the system as any local user.The special character `+' can be used in place of either hostname or username to match any host or user. For example, the entry
+will allow a user from any remote host to access the system with the same username. The entry+ usernamewill allow the named user from any remote host to access the system.
The feature of trusted hosts is useful for many purposes: but an extreme caution should be given; otherwise it can be a serious security hole. It is advised not to use '+' at all.convenient access to remote systems X Window access to remote devices like backup tape drives
Example of exploit (SetUID, sendmail bug, .rhosts) /usr/lib/sendmail is owned by root, and has set-user-id bit set some old buggy /usr/lib/sendmail creates /var/tmp/dead.letter when it fails to deliver a message. create a file (fake) to be faked as .rhosts localhost guestcreate a symbolic link to /.rhosts by "ln -s /.rhosts /var/tmp/dead.letter" run "/usr/lib/sendmail unknown-user < fake", which will create /.rhosts containing the line localhost guestSome useful find commands find all the files owned by root and set-user-id bit set find / -user root -perm -4000 -exec ls -l {} \; | mail rootfind all the world-writable files find / -perm -0002 -exec ls -l {} \; | mail rootfind all the files named .rhosts find /user -name .rhosts -exec ls -l {} \; | mail root
The sticky bit (file mode bit 01000) is used to indicate special treatment of certain files and directories.A file in a sticky directory may only be removed or renamed by a user who has write permission on the directory. This is useful for directories such as /tmp, which must be publicly writable, but should deny users permission to arbitrarily delete or rename the files of others.
If the sticky bit is set on a regular file and no execute bits are set, the system's page cache will not be used to hold the file's data. This bit is normally set on swap files of diskless clients so that accesses to these files do not flush more valuable data from the system's cache.
Example of related exploits /tmp is supposed be set with the sticky bit. When it isn't, it can be exploited.
The command ps creates ps.xxxxx (xxxxx is the process-id of ps) and changes its ownership to root, and then renames the file as ps_data.
Attack is as follows: prepare a personal sh file with set-user-id bit set run ps after ps.xxxxx is created but before its ownership is changed, do the following very quickly: delete /tmp/ps.xxxxx ln -s personal-sh-file /tmp/ps.xxxxx caveat: this attack cannot be done manually; we need to write a program to the above job.
11.4 Buffer overflow
Consider:
char s[10], t[100];... gets (s); strcpy (s, t); ...
A program like above may crash or show an unexpected behavior if the input to "gets(s)" or the string in "t[]" is larger than 10 bytes. If the program were running with root permission, its user may obtain a rootshell after the crash. A safe practice would have been to use "fgets()" and "strncpy()".11.5 TCP/IP Protocol Vulnerabilities
some buggy rlogin, rdist, lpr give away rootshell on buffer overflow
3-way handshake protocol for establishing a TCP connection: host A --> host B: SYN (a: 32-bit seq no. called ISN)
host B --> host A: SYN (b: 32-bit seq no.), ACK (a+1)
host A --> host B: ACK (b+1)
- SYN flooding attack
Every time a client SYN arrives on a valid port, a large memory structure must be allocated in a queue called backlog queue until the connection is established. There is an upper limit to amount of concurrent connection requests a given TCP can have. This limit is on the length of the backlog queue, or the limit itself is often the backlog, which is not a large value (less than 10 in many systems: Sunos 4.x, Windows NT 4.0, ...)When the attacking host sends a SYN request using IP address spoofed to be that of an unreachable host, the targetted TCP cannot complete the 3-way handshake and will keep trying until it times out. That is the basis for the attack. The attacking host sends a few (we saw that as little as 6 is enough) SYN requests to the target TCP port.
- Avarice attack (from Phrack Vol. 49)
Avarice works by listening for the 3-way handshake procedure to begin, and then immediately resetting it. The result is that no TCP based connections can be negotiated, and therefore no TCP traffic can flow.
ICMP attacks
- faked ICMP unreachable message: certain hosts are unreachable
- faked ICMP redirect message: sending a false routing information using a spoofed gateway address
IP Spoofing
- very tricky, and famous for being used by Kevin Mitnick
- host C is going to spoof as host B to host A
- Assume that host B is a trusted host to host A
- host C first attacks host B so that it is unreachable from host A, using DoS attack like SYN flooding.
- host C repeatedly requests TCP connections to host A, and analyzes host A's ISN pattern
- host C sends a SYN request to host A, spoofing as host B
- host C cannot see SYN+ACK from host A, but it can make a good guess; if this guess is right, then host A accepts the connection.
- host C still cannot receive packets from host A to host B, but it can send ones to host A; host C may run commands like
rsh host-A echo "+ +" > /.rhosts
11.6 Problematic programs
- debug mode enabled: allows copying of /etc/passwd and running shell scripts with root permission
- $HOME/.forward may contain a line like
| uudecode
NFS allows the sharing of file systems and directories. NFS uses
remote procedure calls (RPC) to communicate between machines. It's a service
that is designed to be machine-independent and transparent to the user.
When setup properly, local and remote file systems will appear as one big
local file system to the user. The major functions of NFS are mount/export
directories from/to other computers so that they can be accessed as if
they are local.
Example of stringent config: /user2 -ro,access=cs2:cs3,root=cs2
NIS allows networked machines to have a common interface regardless
of the workstation that you log into. This service was formerly known as
the Yellow Pages, or YP. With NIS you have the same passwd and group files
(same uid and gid) and can be placed into the same home directory on each
of your machines.
- NIS server spoofing
- NIS client spoofing: the server may reveal all the NIS maps including /etc/passwd or even password shadow file
11.7 Security Tools
When logging into the specified hostname, the user must prove his
identity to the remote machine using public key authentication based on
the use of digital signatures. If other authentication methods fail,
ssh prompts for a password. Since all communications
are encrypted, the password will not be available for eavesdroppers. All
communication with the remote command or shell will be automatically encrypted.
The session terminates when the command or shell in on the remote machine
exits and all X11 and TCP/IP connections have been closed.
Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on command line or in a configuration file. TCP/IP forwarding can be used for secure connections to electronic purses or going through firewalls.
ssh automatically maintains and checks a database containing public keys of hosts.