Lecture: Securing Unix (CSCE 517 Forensic Computing, July 1, 2003)


Topics
  Trusted Unix Releases
  Unix Security Risks
  Set-uid
  Buffer Overflow Problems


– 2 – CSCE 517 Sum 03

Unix Wrapup
  Password file structure
  Group file
  Superuser
  su
  sudo
  setuid
  setgid
  Buffer Overflow: http://secinf.net/uparticle/l/p49-14.txt

Unix History
  1965: Multics operating system project, a multiuser system with multiple concurrent users and data sharing
  1969: Ken Thompson at Bell Labs developed an operating system he called Unix (a pun on Multics)
  1970: Dennis Ritchie developed the language C and a compiler for it. Thompson wrote the second version of Unix largely in C (90% C, 10% assembly language)
  Late 1970s: Bell Labs effectively gave away Unix to universities
  BSD (Berkeley Software Distribution) branch
  1991: Linux; a graduate student, Linus Torvalds, implemented an open source version of Unix
  http://www.levenez.com/unix/

Open Source Systems
  Unix was almost the first open-source system, but Bell Labs really retained some of the rights
  GNU / Free Software Foundation: GNU Emacs (Richard Stallman), gcc (the GNU C compiler)
  Linux: Red Hat, Mandrake, …
  OpenBSD: a “hardened” system

OpenBSD
  Derived from the BSD branch
  Pays special attention to security issues
  Security benefits
    “Out-of-the-box” hardened system configuration; no effort
    Strong cryptography up and ready: OpenSSH (remote secure shell, a secure “telnet”), IPSec, strong PRNG (Pseudo Random Number Generator)
  http://www.openbsd.org
  Standard Linux releases can be configured “hardened”, but OpenBSD comes that way.

OpenSSH
  The problem with telnet –
  SSH – Secure Shell, …
  “What is Secure Shell” FAQ: http://www.employees.org/~satch/ssh/faq
  Is it a protocol or a program?

OpenSSH Servers and Clients
  SSH servers: OpenSSH Project
  SSH clients: PuTTY (https://www.cse.sc.edu/FTP); lists at http://www.ece.nwu.edu/~mack23/ssh-clients.html and http://www.freessh.org
  SCP – secure copy, http://www.I-tree.org
  SSH resources: Implementation – Univ Florida paper, http://www.boran.com/security/sp/ssh-part1.html

SSH Implementation

IPSec

Strong PRNG (Pseudo Random Number Generator)

Multilevel Trusted Systems
  http://www.sei.cmu.edu/str/descriptions/trusted_body.html
  Principles of trusted operating systems (TOS)
    1. The principle of least privilege
    2. Mandatory Access Controls – a means of restricting access to objects based on the sensitivity of the information
    3. Privilege bracketing – enabling and disabling privilege around the smallest section of code that really needs it
  Trusted Solaris
  Trusted BSD
  NSA (National Security Agency): http://www.nsa.gov/selinux/index.html

Unix Security Risks
  1. Poorly chosen passwords (Ref)
  2. Old/misconfigured/buggy network daemons: use of telnet, ftp, rsh, …
  3. Buggy privileged programs (setuid/setgid)
  4. Filesystem nightmares
  5. Insecure applications

Unix Password Structure
  Original scheme
  /etc/passwd format: login:encryptedPassword:
  Commands that access name info: who, ls, finger
  crypt

Shadow Passwords
  A number of useful Unix commands make use of much of the information in the password file.
  But why does the encrypted password need to be there?
  It doesn't: move it to /etc/shadow, which only root can read!
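Added example (not the lecture's code): a small audit of the login:password:uid:... format described above, flagging entries whose password field still holds a hash (or nothing at all) instead of the "x" that says the hash lives in /etc/shadow. The sample lines and the hash in them are constructed.

```c
/* Audit passwd-format text for password fields never moved to /etc/shadow.
 * Format: login:password:uid:gid:gecos:home:shell. On a shadowed system the
 * second field is "x" (or a lock marker such as "*" or "!"). Added example,
 * not the lecture's code; sample data below is constructed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct passwd_entry {
    char login[33];
    char password[129];
    long uid;
};

/* Parse the first three fields of one passwd line. Returns 0 on success,
 * -1 for a malformed line. Copies are bounded: over-long fields are cut. */
int parse_passwd_line(const char *line, struct passwd_entry *e) {
    const char *p1 = strchr(line, ':');
    if (p1 == NULL) return -1;
    const char *p2 = strchr(p1 + 1, ':');
    if (p2 == NULL) return -1;
    size_t n = (size_t)(p1 - line);
    if (n >= sizeof e->login) n = sizeof e->login - 1;
    memcpy(e->login, line, n);
    e->login[n] = '\0';
    n = (size_t)(p2 - (p1 + 1));
    if (n >= sizeof e->password) n = sizeof e->password - 1;
    memcpy(e->password, p1 + 1, n);
    e->password[n] = '\0';
    char *end;
    e->uid = strtol(p2 + 1, &end, 10);
    return (end != p2 + 1 && *end == ':') ? 0 : -1;
}

/* 1 if the field is neither the shadow marker nor a lock marker: a hash in
 * the world-readable file, or (empty field) no password at all. */
int password_exposed(const struct passwd_entry *e) {
    const char *p = e->password;
    return !(strcmp(p, "x") == 0 || strcmp(p, "*") == 0 ||
             strcmp(p, "!") == 0 || strcmp(p, "!!") == 0);
}

/* Walk newline-separated passwd text, print each finding, return the count. */
int count_exposed(const char *text) {
    int exposed = 0;
    char line[512];
    const char *cur = text;
    while (*cur != '\0') {
        const char *nl = strchr(cur, '\n');
        size_t len = nl ? (size_t)(nl - cur) : strlen(cur);
        size_t copy = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, cur, copy);
        line[copy] = '\0';
        struct passwd_entry e;
        if (copy > 0 && parse_passwd_line(line, &e) == 0 && password_exposed(&e)) {
            printf("exposed password field for %s (uid %ld)\n", e.login, e.uid);
            exposed++;
        }
        cur = nl ? nl + 1 : cur + len;
    }
    return exposed;
}

/* Constructed sample: two shadowed users, one legacy hash (made up, not a
 * real credential), one empty field, one locked account. */
static const char sample_passwd[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "legacy:$1$saltsalt$madeupmadeupmadeupmadeu:1001:1001:Old:/home/legacy:/bin/sh\n"
    "guest::1002:1002:No password:/home/guest:/bin/sh\n"
    "svc:*:1003:1003:Locked service:/nonexistent:/sbin/nologin\n";

int demo_count_exposed(void) { return count_exposed(sample_passwd); }

int main(void) {
    printf("%d exposed entries in the sample\n", demo_count_exposed());
    return 0;
}
```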

Password Common Sense
  Use good strong ones!
  http://
  Modified phrase acronyms (keep punctuation, insert a special character): “I left my heart in San Francisco” gives !lmyi$F
  Educate users on common mistakes (Ref). Sheer idiocy: blank, login, login reversed, other simple ones
  Check up on users: dictionary checks
  Use proactive password checkers: check the password as entered for quality

Password Procedures
  Enforce lockdown after 3 to 5 failures
  Help Desk “password reset” procedures
    Help desk call: “This is Dean White, reset my password!”
    Procedures: phone back at a preset number or voicemail
    Don't always reset the password to the same value, or to a value that is a function of the user (Soc-Sec)
    Use a phonetic password generator, so passwords can be pronounced over the phone
  Password Station – electronic reset of passwords, http://www.passwordstation.net
  Avoid hardcoding passwords in scripts!

Set UID / Set GID: The Need
  Consider the problem of a user changing their password. How can they be allowed to write the entry in the file /etc/shadow? This would mean they could change other users' passwords.
  Setuid
    Normally when a program runs it runs as the user that started it
    A setuid program “changes the user id” to the owner of the file that contains the program
    ls -l /bin/passwd
    Thus /bin/passwd runs with the privileges of “root”
  chmod 01755 file ???

Set UID / Set GID
  Set UID programs are necessary: with no passwd command, the system admin would have to be called each time a password is changed!?
  Set UID files
    Extreme care must be used in their implementation
    One failure of a setuid application and the game is over: the attacker has root privilege
    http://www.safermag.com/html/safer25/alerts/33.html
  Set-gid wrinkles
    Works the same way, but can be set on a directory, where it is inherited by each file in the subtree.

Exploiting Set UID Programs
  Skeleton of a setuid program
    Non-privileged section code
    Setuid system call
    Privileged section code
    Restore uid with another setuid syscall
    Non-privileged section code
  Note the problem is not just writing secure privileged sections, because a problem in the non-privileged section can lead to another setuid call!
  A buffer overflow anywhere in a setuid program can result in someone becoming root: setuid, exec shell.
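Added example (not the lecture's code): the skeleton above written out with checked seteuid()/setuid() calls. It also shows the detail the slide's warning turns on: the saved set-user-ID keeps root reachable until the final drop is made permanent, and setuid() only clears all three ids while the effective uid is 0. Runs as any user; without the setuid bit every transition is a no-op that still has to succeed.

```c
/* Privilege bracketing for a setuid program (added example, not the
 * lecture's code). Without the setuid bit, real and effective uid are
 * already equal, so each call below succeeds without changing anything. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Temporarily leave the privileged state: effective uid := real uid.
 * The saved set-user-ID still holds the owner's uid, so the privilege can
 * be re-entered later, by honest code or by hijacked control flow. */
static int drop_privilege_temporarily(uid_t *saved_euid) {
    *saved_euid = geteuid();
    if (seteuid(getuid()) != 0) {   /* unchecked failure here leaves root on */
        perror("seteuid(getuid())");
        return -1;
    }
    return 0;
}

/* Re-enter the privileged section: effective uid := the owner's uid. */
static int raise_privilege(uid_t saved_euid) {
    if (seteuid(saved_euid) != 0) {
        perror("seteuid(saved)");
        return -1;
    }
    return 0;
}

/* Permanent drop. setuid() sets real, effective AND saved uid only while the
 * effective uid is 0 (setuid(2)); called from a temporarily dropped state it
 * would change the effective uid alone and leave root recoverable. So raise
 * first, then setuid() to the real uid. */
static int drop_privilege_permanently(uid_t saved_euid) {
    uid_t real = getuid();
    if (seteuid(saved_euid) != 0) return -1;
    if (setuid(real) != 0) {
        perror("setuid");
        return -1;
    }
    return (getuid() == real && geteuid() == real) ? 0 : -1;
}

/* The slide's skeleton with every transition checked. Returns 0 when all
 * transitions succeeded and the process ends unprivileged. */
int run_setuid_skeleton(void) {
    uid_t saved;
    /* 1. non-privileged section: argument parsing, reading untrusted input */
    if (drop_privilege_temporarily(&saved) != 0) return -1;
    /* 2. setuid system call; 3. privileged section, kept as small as possible */
    if (raise_privilege(saved) != 0) return -1;
    /* ... e.g. rewrite this user's own entry in /etc/shadow ... */
    /* 4. restore uid with another setuid syscall */
    if (seteuid(getuid()) != 0) return -1;
    /* 5. non-privileged section: nothing below should ever need root again */
    if (drop_privilege_permanently(saved) != 0) return -1;
    return 0;
}

/* 1 if the process currently holds no privilege beyond its real uid. */
int privileges_dropped(void) {
    return getuid() == geteuid();
}

int main(void) {
    int rc = run_setuid_skeleton();
    printf("skeleton %s, privileges %s\n", rc == 0 ? "ok" : "failed",
           privileges_dropped() ? "dropped" : "still raised");
    return rc == 0 ? 0 : 1;
}
```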

Set UID Programs
  Unix systems typically ship with 70-100 setuid programs: passwd, ping, …
  SecurityFocus.com BugTraq reports new setuid problems
  So what is a systems administrator to do?
  Setuid lock-down tips
    Solaris: http://ist.uwaterloo.ca/security/howto/2000-08-17
    Linux

Set UID Lockdowns
  1. Avoid installing the full installation
  2. List set uid/set gid programs
       find / -perm -u+s -print
       find / -perm -g+s -print
  3. For those that only root needs to run, remove the setuid bit
  4. Identify setuid programs that leak information: ps, top, netstat
  5. Identify setuid programs that only a trusted group needs; remove access to “others”
  6. Identify those that you think no one will ever need: AUSCERT wrapper
  7. For essential ones modify the AUSCERT wrapper: don't accept long arguments or environment variables

Breaking Set UID Programs for Fun and Profit

Umask
  What are the default permissions set on a file when it is created?
  The umask is a mask that is used to mask out bits in the permissions.
  e.g. if umask is 023 then
    Group: 2 = 010, ‘w’ is masked out
    Others: 3 = 011, ‘w’ and ‘x’ are masked out
  Umask manipulation
    umask command: can be run at the prompt, but usually in setup scripts
    Common default: 022
    Frequently set in /etc/profile

Umask Dangers
  In Unix the way one process creates another is using the system call fork.
  Umask is inherited across forks
  Init is the process that creates the various “login processes”, which create the shells, which create user files
  If init has too loose a umask then too many files will be readable.
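Added example (not the lecture's code) covering the two umask slides: the masking arithmetic for umask 023, the same result checked on a file actually created under /tmp, and a fork() whose child reports the umask it inherited. Assumes a writable /tmp.

```c
/* umask arithmetic and inheritance across fork() (added example, not the
 * lecture's code). Assumes a writable /tmp for created_file_mode(). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Every permission bit set in the umask is cleared from the requested mode:
 * 0666 with umask 023 gives 0644 (group loses w, others lose w and x). */
mode_t effective_mode(mode_t requested, mode_t umask_value) {
    return requested & ~umask_value & 0777;
}

/* Create a file with the requested mode under the given umask and return the
 * permission bits the kernel actually stored, or (mode_t)-1 on error. */
mode_t created_file_mode(mode_t requested, mode_t umask_value) {
    char dir[] = "/tmp/umask-demo-XXXXXX";
    char path[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return (mode_t)-1;
    snprintf(path, sizeof path, "%s/f", dir);
    mode_t old = umask(umask_value);        /* umask() returns the previous mask */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);                             /* always restore the caller's mask */
    int rc = (fd >= 0) ? fstat(fd, &st) : -1;
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return rc == 0 ? (st.st_mode & 0777) : (mode_t)-1;
}

/* Set the parent's umask, fork, and have the child report the umask it was
 * born with through a pipe. Returns that value, or -1 on error. */
int child_umask(mode_t parent_umask) {
    int fds[2];
    mode_t seen = (mode_t)-1;
    if (pipe(fds) != 0) return -1;
    mode_t old = umask(parent_umask);
    pid_t pid = fork();
    if (pid == 0) {                         /* child: copy of the parent's umask */
        mode_t mine = umask(0);
        if (write(fds[1], &mine, sizeof mine) != (ssize_t)sizeof mine) _exit(1);
        _exit(0);
    }
    umask(old);                             /* parent restores its own mask */
    close(fds[1]);
    if (pid > 0) {
        if (read(fds[0], &seen, sizeof seen) != (ssize_t)sizeof seen) seen = (mode_t)-1;
        waitpid(pid, NULL, 0);
    }
    close(fds[0]);
    return (int)seen;
}

int main(void) {
    printf("0666 under umask 023 -> %04o (computed), %04o (on disk)\n",
           (unsigned)effective_mode(0666, 023), (unsigned)created_file_mode(0666, 023));
    printf("child of a process with umask 023 starts with umask %04o\n",
           (unsigned)child_umask(023));
    return 0;
}
```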

Chroot for servers

Caveats of Chroot
  Not a virtual computer; it's a filesystem abstraction
  Escape from chroot jail
    1. If the process has root access the game is over. To break out, first create devices to access memory directly, then modify the process's idea of the root directory
    2. http://www.bpfh.net/simes/computing/chroot-break.html
    3. User Mode Linux (UML) – http://user-mode-linux.sourceforge.net/

Root Privileges
  Managing the password of root
    1. Use a strong password
    2. Never let a naïve or reckless user have the password.
    3. Disable remote root logins
    4. Use su to gain root access
  su – switch user

Sudo
  Use to permit/control access to privileged programs
  e.g., sudo ethereal

Rootkit Countermeasures
  http://www.tripwire.org
  http://www.kernelhacking.org
  http://packetstormsecurity.nl/Unix/penetration/rootkits
  LKM support

R-Services
  TCP ports 513 and 514
  rlogind
  rshd
  r-Services risks
  Just don't use them, or telnet or FTP! Use SSH

Assessing Vulnerabilities of a Unix System
  1. Use a network based scanner tool to identify remotely exploitable security holes (e.g., Nessus, discussed later)
  2. Prioritize by risk analysis
  3. Draw up and execute a plan for fixing the problems
  4. Use a network based scanner tool to identify locally exploitable security holes
  5. Identify the biggest risks and get to work.
  Scanners, Intrusion Detection Systems, etc. later

Unix Host Lockdown
  Host lockdown is the process of making a system compliant with the established security policy
  Approaches
    Manually make the changes
    Develop a script or scripts to automate the changes
    Use a hardening tool
  Host hardening tools
    YASSP (Yet Another Solaris Security Package): http://www.yassp.org
    TITAN: http://www.fish.com/titan
    Bastille Unix: http://www.bastille-linux.org/

Buffer Overflow Problems
  A lot of well known attacks on systems take advantage of buffer overflows
  Activation stack – stores local variables and the return address for each separate function call

IA32/Linux Stack Frame
  Current stack frame (“top” to bottom)
    Parameters for the function about to be called (“argument build”)
    Local variables, if they can't be kept in registers
    Saved register context
    Old frame pointer
  Caller stack frame
    Return address, pushed by the call instruction
    Arguments for this call

  Figure: frame layout from the stack pointer (%esp) downward in address order: Argument Build, Local Variables, Saved Registers + Old %ebp (where the frame pointer %ebp points), Return Addr, Arguments, Caller Frame.

Buffer Overflow Stack

  echo:
      pushl %ebp            # Save %ebp on stack
      movl %esp,%ebp
      subl $20,%esp         # Allocate space on stack
      pushl %ebx            # Save %ebx
      addl $-12,%esp        # Allocate space on stack
      leal -4(%ebp),%ebx    # Compute buf as %ebp-4
      pushl %ebx            # Push buf on stack
      call gets             # Call gets
      . . .

  #include <stdio.h>

  /* Echo Line */
  void echo()
  {
      char buf[4];  /* Way too small! */
      gets(buf);
      puts(buf);
  }

  Figure: stack frames for main and for echo. In echo's frame, buf[3]..buf[0] sits at %ebp-4, directly below the saved %ebp, which is directly below the return address.

Malicious Use of Buffer Overflow
  Input string contains byte representation of executable code
  Overwrite return address with address of buffer
  When bar() executes ret, will jump to exploit code

  #include <stdio.h>

  void bar() {
      char buf[4];
      gets(buf);
      ...
  }

  void foo() {
      bar();
      ...
  }

  Figure: stack after the call to gets(). The foo stack frame holds the return address (originally A); the data written by gets() runs through the bar stack frame (buf, then padding), overwrites that return address with B, and places the exploit code at B.

Buffer Overflow Ex.
  Activation record for bar(): arguments, return address (4 bytes), local variables (buf[4])
  How do you get foo to return somewhere other than 04100000?
  Is this big or little endian?

  Figure: byte-by-byte stack picture, one byte per row, addresses 0995 through 1010. Addresses 1007 to 1010 hold the foo return address as the bytes 00, 00, 01, 04 (from 1007 up to 1010); the rows below are labelled buf[3], buf[2], buf[1], buf[0] and bar RA.

Avoiding Overflow Vulnerability
  Use library routines that limit string lengths
    fgets instead of gets
    strncpy instead of strcpy
    Don't use scanf with the %s conversion specification
  Use fgets to read the string

  #include <stdio.h>

  /* Echo Line */
  void echo()
  {
      char buf[4];  /* Way too small! */
      fgets(buf, 4, stdin);
      puts(buf);
  }
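Added example (not the lecture's code): the fgets() fix above with the caveat it leaves open. fgets(buf, 4, stdin) cannot overflow, but it keeps only three characters and leaves the rest of the line in the stream, where the next read takes it as fresh input. read_line() reports the truncation and discards the remainder; demo_truncation() runs it on constructed input through fmemopen().

```c
/* Bounded line input as a replacement for gets() (added example, not the
 * lecture's code). Makes truncation visible and drains the over-long line. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* Read one line into buf (size bytes including the NUL). Returns LINE_OK,
 * LINE_TRUNCATED (line longer than size-1; the excess was discarded) or
 * LINE_EOF (nothing read). buf is always NUL-terminated. */
int read_line(char *buf, size_t size, FILE *in) {
    if (size == 0) return LINE_EOF;
    buf[0] = '\0';
    if (fgets(buf, (int)size, in) == NULL) return LINE_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {  /* whole line fit: strip the newline */
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    int c = fgetc(in);                      /* buffer full: anything left on the line? */
    if (c == EOF || c == '\n') return LINE_OK;          /* no: it was exactly size-1 long */
    while ((c = fgetc(in)) != EOF && c != '\n') { }     /* yes: drain it, never echo it */
    return LINE_TRUNCATED;
}

/* Hardened echo() from the slide: the buffer is still 4 bytes, but it can no
 * longer overflow and the caller learns when input had to be cut. */
void echo(FILE *in) {
    char buf[4];
    int rc;
    while ((rc = read_line(buf, sizeof buf, in)) != LINE_EOF) {
        puts(buf);
        if (rc == LINE_TRUNCATED) fputs("(input truncated)\n", stderr);
    }
}

/* Self-check on constructed input: "hello world" is longer than the buffer,
 * "ok" fits, then the stream is empty. Returns 0 when all three reads behave. */
static char first_line[4], second_line[4];   /* same size as echo()'s buf */

int demo_truncation(void) {
    static char input[] = "hello world\nok\n";   /* constructed sample input */
    char scratch[4];
    FILE *in = fmemopen(input, sizeof input - 1, "r");
    if (in == NULL) return -1;
    int rc1 = read_line(first_line, sizeof first_line, in);
    int rc2 = read_line(second_line, sizeof second_line, in);
    int rc3 = read_line(scratch, sizeof scratch, in);
    fclose(in);
    return (rc1 == LINE_TRUNCATED && rc2 == LINE_OK && rc3 == LINE_EOF) ? 0 : -1;
}

const char *demo_first_line(void) { return first_line; }
const char *demo_second_line(void) { return second_line; }

int main(void) {
    if (demo_truncation() == 0)
        printf("sample: first=\"%s\" second=\"%s\"\n", first_line, second_line);
    echo(stdin);                            /* then behave like the slide's echo */
    return 0;
}
```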

Avoiding Buffer Overflow Attacks
  Immunix: developed a modified compiler, StackGuard
  Linux kernel patches
  System call wrappers

Buffer Overflow References (How-To)
  “Compromised-Buffer-Overflows, from Intel to SPARC Version 8” by Mudge from @Stake: http://www.astake.com/research/advisories/1996/bufitos.pdf
  “The Tao of Windows Buffer Overflow” by Dildog, again from @Stake: http://www.cultdeadcow.com/cDc_files/cDc-351
  “Smashing the Stack for Fun and Profit” by Aleph1 of SecurityFocus.com, Issue 49 of Phrack: http://www.shmoo.com/phrack/Phrack49/p49-14

Summary