Hacking Exposed 5th Edition
| ||
| ||
|
Thus far, we have covered common remote access techniques. As mentioned previously, most attackers strive to gain local access via some remote vulnerability. At the point where attackers have an interactive command shell, they are considered to be local on the system. Although it is possible to gain direct root access via a remote vulnerability, often attackers will gain user access first. Thus, attackers must escalate user privileges to root access, better known as privilege escalation. The degree of difficulty in privilege escalation varies greatly by operating system and depends on the specific configuration of the target system. Some operating systems do a superlative job of preventing users without root privileges from escalating their access to root, whereas others do it poorly. A default install of OpenBSD is going to be much more difficult for users to escalate their privileges than a default install of Irix. Of course, the individual configuration has a significant impact on the overall security of the system. The next section of this chapter will focus on escalating user access to privileged or root access. We should note that, in most cases, attackers would attempt to gain root privileges; however, oftentimes it might not be necessary. For example, if attackers are solely interested in gaining access to an Oracle database, the attackers may only need to gain access to the Oracle ID, rather than root.
Password Composition Vulnerabilities
Popularity: | 10 |
Simplicity: | 9 |
Impact: | 9 |
Risk Rating: | 9 |
Based on our discussion in the "Brute-force Attacks" section earlier, the risks of poorly selected passwords should be evident at this point. It doesn't matter whether attackers exploit password composition vulnerabilities remotely or locallyweak passwords put systems at risk. Because we covered most of the basic risks earlier, let's jump right into password cracking.
Password cracking is commonly known as an automated dictionary attack. Whereas brute-force guessing is considered an active attack, password cracking can be done offline and is passive in nature. It is a common local attack, as attackers must obtain access to the /etc/passwd file or shadow password file. It is possible to grab a copy of the password file remotely (for example, via TFTP or HTTP). However, we felt password cracking is best covered as a local attack. It differs from brute-force guessing because the attackers are not trying to access a service or to "su" to root in order to guess a password. Instead, the attackers try to guess the password for a given account by encrypting a word or randomly generated text and comparing the results with the encrypted password hash obtained from /etc/passwd or the shadow file.
If the encrypted hash matches the hash generated by the password-cracking program, the password has been successfully cracked. The process is simple algebra. If you know two out of three items, you can deduce the third. We know the dictionary word or random textwe'll call this input. We also know the password-hashing algorithmnormally Data Encryption Standard (DES). Therefore, if we hash the input by applying the applicable algorithm, and the resultant output matches the hash of the target user ID, we know what the original password is. This process is illustrated in Figure 5-4.
Two of the best programs available to crack passwords are Crack 5.0a, from Alec Muffett, and John the Ripper, from Solar Designer. Crack 5.0aor "Crack" for shortis probably the most popular cracker available and has continuously evolved since its inception. Crack comes with a very comprehensive wordlist that runs the gamut from the unabridged dictionary to Star Trek terms. Crack even provides a mechanism that allows a cracking session to be distributed across multiple systems. John the Ripperor "John" for shortis newer than Crack 5.0a and is highly optimized to crack as many passwords as possible in the shortest time. In addition, John handles more types of password hashing algorithms than Crack. Both Crack and John provide a facility to create permutations of each word in their wordlist. By default, each tool has over 2,400 rules that can be applied to a dictionary list to guess passwords that would seem impossible to crack. Each tool has extensive documentation that we encourage you to peruse. Rather than discussing each tool feature by feature, we are going to discuss how to run Crack and review the associated output. It is important to be familiar with how a password file is organized. If you need a refresher on how the /etc/passwd file is organized, consult your UNIX textbook of choice.
Crack 5.0a
Running Crack on a password file is normally as easy as giving it a password file and waiting for the results. Crack is a self-compiling program and, when executed, will begin to make certain components necessary for operation. One of Crack's strong points is the sheer number of rules used to create permutated words. In addition, each time it is executed, it will build a custom wordlist that incorporates the user's name, as well as any information in the GECOS or comments field. Do not overlook the GECOS field when cracking passwords. It is extremely common for users to have their full name listed in the GECOS field and to choose a password that is a combination of their full name . Crack will rapidly ferret out these poorly chosen passwords. Let's take a look at a bogus password file and begin cracking:
root:cwIBREDaWLHmo:0:0:root:/root:/bin/bash bin:*:1:1:bin:/bin: daemon:*:2:2:daemon:/sbin: <other locked accounts omitted> nobody:*:99:99:Nobody:/: eric:GmTFg0AavFA0U:500:0::/home/eric:/bin/csh samantha:XaDeasK8g8g3s:501:503::/home/samantha:/bin/bash temp:kRWegG5iTZP5o:502:506::/home/temp:/bin/bash hackme:nh.StBNcQnyE2:504:1::/home/hackme:/bin/bash bob:9wynbWzXinBQ6:506:1::/home/bob:/bin/csh es:0xUH89TiymLcc:501:501::/home/es:/bin/bash mother:jxZd1tcz3wW2Q:505:505::/home/mother:/bin/bash jfr:kyzKROryhFDE2:506:506::/home/jfr:/bin/bash
To execute Crack against our bogus password file, we run the following command:
[sigma]# Crack passwd Crack 5.0a: The Password Cracker. (c) Alec Muffett, 1991, 1992, 1993, 1994, 1995, 1996 System: Linux 2.0.36 #1 Tue Oct 13 22:17:11 EDT 1998 i686 unknown <omitted for brevity> Crack: The dictionaries seem up to date... Crack: Sorting out and merging feedback, please be patient... Crack: Merging password files... Crack: Creating gecos-derived dictionaries mkgecosd: making non-permuted words dictionary mkgecosd: making permuted words dictionary Crack: launching: cracker -kill run/system.11324 Done
At this point, Crack is running in the background and saving its output to a database. To query this database and determine whether any passwords were cracked, we need to run Reporter :
[sigma]# Reporter -quiet ---passwords cracked as of Sat 13:09:50 EDT ---- Guessed eric [jenny] [passwd /bin/csh] Guessed hackme [hackme] [passwd /bin/bash] Guessed temp [temp] [passwd /bin/bash] Guessed es [eses] [passwd /bin/bash] Guessed jfr [solaris1] [passwd /bin/bash]
We have displayed all the passwords that have cracked thus far by using the -quiet option. If we execute Reporter with no options, it will display errors, warnings, and locked passwords. Several scripts included with Crack are extremely useful. One of the most useful scripts is shadmrg.sv. This script is used to merge the UNIX password file with the shadow file. Thus, all relevant information can be combined into one file for cracking. Another command of interest is make tidy, which is used to remove the residual user accounts and passwords after Crack has been executed.
One final item that should be covered is learning how to identify the associated algorithm used to hash the password. Our test password file uses DES to hash the password files, which is standard for most UNIX flavors. As added security measures, some vendors have implemented the MD5 and blowfish algorithms, which are stronger cryptographic algorithms. A password that has been hashed with MD5 is significantly longer than a DES hash and is identified by "$1" as the first two characters of the hash. Similarly, a blowfish hash is identified by "$2" as the first two characters of the hash. If you plan to crack MD5 or blowfish hashes, we strongly recommend the use of John the Ripper.
John the Ripper
John the Ripper, from Solar Designer, is one of the best password-cracking utilities available and can be found at http://www.openwall.com/john. You will find both UNIX and NT versions of John here, which is a bonus for Windows users. As mentioned before, John is one of the best and fastest password-cracking programs available. It is extremely simple to run:
[shadow]# john passwd Loaded 9 passwords with 9 different salts (Standard DES [24/32 4K]) hackme (hackme) temp (temp) eses (es) jenny (eric) t78 (bob) guesses: 5 time: 0:00:04:26 (3) c/s: 16278 trying: pireth - StUACT
We run john, give it the password file that we want ( passwd ), and off it goes. It will identify the associated encryption algorithmin our case, DESand begin guessing passwords. It first uses a dictionary file (password.lst) and then begins brute-force guessing. As you can see, the stock version of John guessed the user bob, whereas Crack was able to guess the user jfr. So we received different results with each program. This is primarily related to the limited word file that comes with John, so we recommend using a more comprehensive wordlist, which is controlled by john.ini. Extensive wordlists can be found at http://packetstormsecurity.org/Crackers/wordlists/ and ftp:// coast .cs.purdue.edu/pub/dict.
Password Composition Countermeasure
See "Brute-force Attack Countermeasure," earlier in this chapter.
Local Buffer Overflow
Popularity: | 10 |
Simplicity: | 9 |
Impact: | 10 |
Risk Rating: | 10 |
Local buffer overflow attacks are extremely popular. As discussed in the "Remote Access" section earlier, buffer overflow vulnerabilities allow attackers to execute arbitrary code or commands on a target system. Most times, buffer overflow conditions are used to exploit SUID root files, enabling the attackers to execute commands with root privileges. We already covered how buffer overflow conditions allow arbitrary command execution. (See "Buffer Overflow Attacks," earlier in the chapter.) In this section, we discuss and give examples of how a local buffer overflow attack works.
In May 1999, Shadow Penguin Security released an advisory related to a buffer overflow condition in libc relating to the environmental variable LC_MESSAGES. Any SUID program that is dynamically linked to libc and that honors the LC_MESSAGES environmental variable is subject to a buffer overflow attack. This buffer overflow condition affects many different programs because it is a buffer overflow in the system libraries (libc) rather than in one specific program, as discussed earlier. This is an important point, and one of the reasons we chose this example. It is possible for a buffer overflow condition to affect many different programs if the overflow condition exists in libc. Let's discuss how this vulnerability is exploited.
First, we need to compile the actual exploit. Your mileage will vary greatly because exploit code is very persnickety. Often, you will have to tinker with the code to get it to compile because it is platform dependent. This particular exploit is written for Solaris 2.6 and 7. To compile the code, we used gcc, or the GNU compiler. Solaris doesn't come with a compiler, unless purchased separately, but gcc may be downloaded for free at http://www.sunfreeware.com. The source code is designated by *.c. The executable will be saved as ex_lobc by using the -o option:
[itchy]$ gcc ex_lobc.c -o ex_lobc
Next, we execute ex_lobc, which will exploit the overflow condition in libc via an SUID program such as /bin/passwd:
[itchy]$ ./ex_lobc jumping address : efffe7a8 #
The exploit then jumps to a specific address in memory, and /bin/sh is run with root privileges. This results in the unmistakable # sign, indicating that we have gained root access. This exercise was quite simple and can make anyone look like a security expert. In reality, the Shadow Penguin Security group performed the hard work by discovering and exploiting this vulnerability. As you can imagine, the ease of obtaining root access is a major attraction to most attackers when using local buffer overflow exploits.
Local Buffer Overflow Countermeasure
The best buffer overflow countermeasure is secure coding practices combined with a nonexecutable stack. If the stack had been nonexecutable, we would have had a much harder time trying to exploit this vulnerability. See the "Buffer Overflow Attacks" section, earlier in the chapter, for a complete listing of countermeasures. Evaluate and remove the SUID bit on any file that does not absolutely require SUID permissions.
Symlink
Popularity: | 7 |
Simplicity: | 9 |
Impact: | 10 |
Risk Rating: | 9 |
Junk files, scratch space, temporary filesmost systems are littered with electronic refuse . Fortunately, in UNIX, most temporary files are created in one directory, /tmp. Although this is a convenient place to write temporary files, it is also fraught with peril. Many SUID root programs are coded to create working files in /tmp or other directories without the slightest bit of sanity checking. The main security problem stems from programs blindly following symbolic links to other files. A symbolic link is a mechanism where a file is created via the ln command. A symbolic link is nothing more than a file that points to a different file. Let's create a symbolic link from /tmp/foo and point it to /etc/passwd:
[itchy]$ ln -s /tmp/foo /etc/passwd
Now if we cat out /tmp/foo, we get a listing of the password file. This seemingly benign feature is a root compromise waiting to happen. Although it is most common to abuse scratch files that are created in /tmp, some applications create scratch files elsewhere on the file system. Let's examine a real-life symbolic link vulnerability to see what happens.
In our example, we are going to study the dtappgather exploit for Solaris. dtappgather is a utility shipped with the common desktop environment. Each time dtappgather is executed, it creates a temporary file named /var/dt/appconfig/appmanager/generic-display-0 and sets the file permissions to 0666. It also changes the ownership of the file to the UID of the user who executed the program. Unfortunately, dtappgather does not perform any sanity checking to determine if the file exists or if it is a symbolic link. Therefore, if attackers were to create a symbolic link from /var/dt/appconfig/appmanager/generic-display-0 to another file on the file system (for example, /etc/passwd), the permissions of this file would be changed to 0666, and the ownership of the file would change to that of the attackers. We can see before we run the exploit that the owner and group permissions of the file /etc/passwd are root:sys.
[itchy]$ ls -l /etc/passwd -r-xr-xr-x 1 root sys 560 May 5 22:36 /etc/passwd
Next, we will create a symbolic link from named /var/dt/appconfig/appmanager/ generic-display-0 to /etc/passwd.
[itchy]$ ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
Finally, we will execute dtappgather and check the permissions of the /etc/passwd file:
[itchy]$ /usr/dt/bin/dtappgather MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists [itchy]$ ls -l /etc/passwd -r-xr-xr-x 1 gk staff 560 May 5 22:36 /etc/passwd
Dtappgather blindly followed our symbolic link to /etc/passwd and changed the ownership of the file to our user ID. It is also necessary to repeat the process on /etc/ shadow. Once the ownership of /etc/passwd and /etc/shadow are changed to our user ID, we can modify both files and add a 0 UID (root equivalent) account to the password file. Game over in less than a minute's work.
Symlink Countermeasure
Secure coding practices are the best countermeasure available. Unfortunately, many programs are coded without performing sanity checks on existing files. Programmers should check to see if a file exists before trying to create one, by using the O_EXCL O_CREAT flags. When creating temporary files, set the UMASK and then use the tmpfile () or mktemp() function. If you are really curious to see a small complement of programs that create temporary files, execute the following in /bin or /usr/sbin/:
[itchy]$ strings * grep tmp
If the program is SUID, a potential exists for attackers to execute a symlink attack. As always, remove the SUID bit from as many files as possible to mitigate the risks of symlink vulnerabilities.
Race Conditions
Popularity: | 8 |
Simplicity: | 5 |
Impact: | 9 |
Risk Rating: | 7 |
In most physical assaults, attackers will take advantage of victims when they are most vulnerable. This axiom holds true in the cyberworld as well. Attackers will take advantage of a program or process while it is performing a privileged operation. Typically, this includes timing the attack to abuse the program or process after it enters a privileged mode but before it gives up its privileges. Most times, a limited window exists for attackers to abscond with their booty. A vulnerability that allows attackers to abuse this window of opportunity is called a race condition. If the attackers successfully manage to compromise the file or process during its privileged state, it is called "winning the race." There are many different types of race conditions. We are going to focus on those that deal with signal handling, because they are very common.
Signal-Handling Issues Signals are a mechanism in UNIX used to notify a process that some particular condition has occurred and provide a mechanism to handle asynchronous events. For instance, when users want to suspend a running program, they press CTRL-Z . This actually sends a SIGTSTP to all processes in the foreground process group. In this regard, signals are used to alter the flow of a program. Once again, the red flag should be popping up when we discuss anything that can alter the flow of a running program. The ability to alter the flow of a running program is one of the main security issues related to signal handling. Keep in mind SIGTSTP is only one type of signal; over 30 signals can be used.
An example of signal-handling abuse is the wu- ftpd v2.4 signal-handling vulnerability discovered in late 1996. This vulnerability allowed both regular and anonymous users to access files as root. It was caused by a bug in the FTP server related to how signals were handled. The FTP server installed two signal handlers as part of its startup procedure. One signal handler was used to catch SIGPIPE signals when the control/data port connection closed. The other signal handler was used to catch SIGURG signals when out-of- band signaling was received via the ABOR (abort file transfer) command. Normally, when a user logs into an FTP server, the server runs with the effective UID of the user and not with root privileges. However, if a data connection is unexpectedly closed, the SIGPIPE signal is sent to the FTP server. The FTP server jumps to the dologout() function and raises its privileges to root (UID 0). The server adds a logout record to the system log file, closes the xferlog log file, removes the user's instance of the server from the process table, and exits. At the point when the server changes its effective UID to 0, it is vulnerable to attack. Attackers would have to send a SIGURG to the FTP server while its effective UID is 0, interrupt the server while it is trying to log out the user, and have it jump back to the server's main command loop. This creates a race condition where the attackers must issue the SIGURG signal after the server changes its effective UID to 0 but before the user is successfully logged out. If the attackers are successful (which may take a few tries ), they will still be logged into the FTP server with root privileges. At this point, attackers can put or get any file they like and potentially execute commands with root privileges.
Signal-Handling Countermeasure
Proper signal handling is imperative when dealing with SUID files. End users can do little to ensure that the programs they run trap signals in a secure mannerit's up to the programmers. As mentioned time and time again, you should reduce the number of SUID files on each system and apply all relevant vendor-related security patches.
Core File Manipulation
Popularity: | 7 |
Simplicity: | 9 |
Impact: | 4 |
Risk Rating: | 7 |
Having a program dump core when executed is more than a minor annoyance, it could be a major security hole. A lot of sensitive information is stored in memory when a UNIX system is running, including password hashes read from the shadow password file. One example of a core-file manipulation vulnerability was found in older versions of FTPD, which allowed attackers to cause the FTP server to write a world-readable core file to the root directory of the file system if the PASV command was issued before logging into the server. The core file contained portions of the shadow password file and, in many cases, users' password hashes. If password hashes were recoverable from the core file, attackers could potentially crack a privileged account and gain root access to the vulnerable system.
Core File Countermeasure
Core files are necessary evils. Although they may provide attackers with sensitive information, they can also provide a system administrator with valuable information in the event that a program crashes. Based on your security requirements, it is possible to restrict the system from generating a core file by using the ulimit command. By setting ulimit to 0 in your system profile, you turn off core file generation (consult ulimit ˜s man page on your system for more information):
[sigma]$ ulimit -a core file size (blocks) unlimited [sigma]$ ulimit -c 0 [sigma]$ ulimit -a core file size (blocks) 0
Shared Libraries
Popularity: | 4 |
Simplicity: | 4 |
Impact: | 9 |
Risk Rating: | 6 |
Shared libraries allow executable files to call discrete pieces of code from a common library when executed. This code is linked to a host-shared library during compilation. When the program is executed, a target-shared library is referenced, and the necessary code is available to the running program. The main advantages of using shared libraries are to save system disk and memory and to make it easier to maintain the code. Updating a shared library effectively updates any program that uses the shared library. Of course, you pay a security price for this convenience. If attackers are able to modify a shared library or provide an alternate shared library via an environment variable, they could gain root access.
An example of this type of vulnerability occurred in the in.telnetd environment vulnerability (CERT advisory CA-95.14). This is an ancient vulnerability, but makes a nice example. Essentially, some versions of in.telnetd allow environmental variables to be passed to the remote system when a user attempts to establish a connection (RFC 1408 and 1572). Therefore, attackers could modify their LD_PRELOAD environmental variable when logging into a system via telnet and gain root access.
To successfully exploit this vulnerability, attackers had to place a modified shared library on the target system by any means possible. Next, attackers would modify their LD_PRELOAD environment variable to point to the modified shared library upon login. When in.telnetd executed /bin/login to authenticate the user, the system's dynamic linker would load the modified library and override the normal library call. This allowed the attackers to execute code with root privileges.
Shared Libraries Countermeasure
Dynamic linkers should ignore the LD_PRELOAD environment variable for SUID root binaries. Purists may argue that shared libraries should be well written and safe for them to be specified in LD_PRELOAD . In reality, programming flaws in these libraries would expose the system to attack when an SUID binary is executed. Moreover, shared libraries (for example, /usr/lib and /lib) should be protected with the same level of security as the most sensitive files. If attackers can gain access to /usr/lib or /lib, the system is toast .
Kernel Flaws
It is no secret that UNIX is a complex and highly robust operating system. With this complexity, UNIX and other advanced operating systems will inevitably have some sort of programming flaws. For UNIX systems, the most devastating security flaws are associated with the kernel itself. The UNIX kernel is the core component of the operating system that enforces the overall security model of the system. This model includes honoring file and directory permissions, the escalation and relinquishment of privileges from SUID files, how the system reacts to signals, and so on. If a security flaw occurs in the kernel itself, the security of the entire system is in grave danger.
The year 2004 was full of kernel vulnerabilities for the Linux operating systemover 20! Some of these vulnerabilities were simply denial of service attacks, but otherssuch as buffer overflows, race conditions that led to privilege escalation, and integer overflowswere exposed as well. An example of a kernel flaw that affects millions of systems was discovered in January 2005 by Paul Starzetz and is related to almost all Linux 2.2. x, 2.4. x , and 2.6. x kernels developed as of that date. The vulnerability is related to the loader layer the kernel uses to execute different binary formats such as ELF and a.out. The kernel function sys_uselib() is called to load a library. Analysis of the sys_uselib() function reveals an incorrect handling of the library's brk segment:
[itchy]$ ./elflbl [+] SLAB cleanup child 1 VMAs 454 [+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000 [+] vmalloc area 0xd8000000 - 0xeffe1000 Wait... \ [+] race won maps=56128 expanded VMA (0xbfffc000-0xe0b0e000) [!] try to exploit 0xd8898000 [+] gate modified ( 0xffec94df 0x0804ec00 ) [+] exploited, uid=0 sh-2.05a# id uid=0(root) gid=0(root) groups=10(wheel)
The incorrect handling can be used to disrupt memory management within the kernel, and, as you can see in the preceding example, attackers who have shell access to a vulnerable system can escalate their privilege to root. Furthermore, because this vulnerability allows an attacker to execute code at ring 0, attackers have the ability to break out of virtual machines such as user-mode Linux.
Kernel Flaws Countermeasure
This vulnerability affects many Linux systems and is something that any Linux administrator should patch immediately. Luckily, the fix is fairly straightforward. For 2.2. x and 2.4. x kernel users, simply upgrade the kernel to version 2.4.29rc1 or higher. As of this writing, there was no official patch for the 2.6. x kernel branch.
System Misconfiguration
We have tried to discuss common vulnerabilities and methods that attackers can use to exploit these vulnerabilities and gain privileged access. This list is fairly comprehensive, but attackers could compromise the security of a vulnerable system in a multitude of ways. A system can be compromised because of poor configuration and administration practices. A system can be extremely secure out of the box, but if the system administrator changes the permission of the /etc/passwd file to be world writable, all security just goes out the window. It is the human factor that will be the undoing of most systems.
File and Directory Permissions
Popularity: | 8 |
Simplicity: | 9 |
Impact: | 7 |
Risk Rating: | 8 |
UNIX's simplicity and power stem from its use of filesbe they binary executables, text-based configuration files, or devices. Everything is a file with associated permissions. If the permissions are weak out of the box, or the system administrator changes them, the security of the system can be severely affected. The two biggest avenues of abuse related to SUID root files and world-writable files are discussed next. Device security (/dev) is not addressed in detail in this text because of space constraints; however, it is equally important to ensure that device permissions are set correctly. Attackers who can create devices or who can read or write to sensitive system resources, such as /dev/kmem or to the raw disk, will surely attain root access. Some interesting proof-of-concept code was developed by Mixter and can be found at http://mixter.warrior2k.com/rawpowr.c. This code is not for the faint of heart because it has the potential to damage your file system. It should only be run on a test system where damaging the file system is not a concern.
SUID Files Set user ID (SUID) and set group ID (SGID) root files kill. Period! No other file on a UNIX system is subject to more abuse than an SUID root file. Almost every attack previously mentioned abused a process that was running with root privilegesmost were SUID binaries. Buffer overflow, race conditions, and symlink attacks would be virtually useless unless the program were SUID root. It is unfortunate that most UNIX vendors slap on the SUID bit like it was going out of style. Users who don't care about security perpetuate this mentality . Many users are too lazy to take a few extra steps to accomplish a given task and would rather have every program run with root privileges.
To take advantage of this sorry state of security, attackers who gain user access to a system will try to identify SUID and SGID files. The attackers will usually begin to find all SUID files and to create a list of files that may be useful in gaining root access. Let's take a look at the results of a find on a relatively stock Linux system (the output results have been truncated for brevity):
[sigma]# find / -type f -perm -04000 -ls -rwsr-xr-x 1 root root 30520 May 5 1998 /usr/bin/at -rwsr-xr-x 1 root root 29928 Aug 21 1998 /usr/bin/chage -rwsr-xr-x 1 root root 29240 Aug 21 1998 /usr/bin/gpasswd -rwsr-xr-x 1 root root 770132 Oct 11 1998 /usr/bin/dos -r-sr-sr-x 1 root root 13876 Oct 2 1998 /usr/bin/lpq -r-sr-sr-x 1 root root 15068 Oct 2 1998 /usr/bin/lpr -r-sr-sr-x 1 root root 14732 Oct 2 1998 /usr/bin/lprm -rwsr-xr-x 1 root root 42156 Oct 2 1998 /usr/bin/nwsfind -r-sr-xr-x 1 root bin 15613 Apr 27 1998 /usr/bin/passwd -rws--x--x 2 root root 464140 Sep 10 1998 /usr/bin/suidperl <output truncated for brevity>
Most of the programs listed (for example, chage and passwd) require SUID privileges to run correctly. Attackers will focus on those SUID binaries that have been problematic in the past or that have a high propensity for vulnerabilities based on their complexity. The dos program would be a great place to start. dos is a program that creates a virtual machine and requires direct access to the system hardware for certain operations. Attackers are always looking for SUID programs that look out of the ordinary or that may not have undergone the scrutiny of other SUID programs. Let's perform a bit of research on the dos program by consulting the dos HOWTO documentation. We are interested in seeing if there are any security vulnerabilities in running dos SUID. If so, this may be a potential avenue of attack.
The dos HOWTO states the following: "Although dosemu drops root privilege wherever possible, it is still safer to not run dosemu as root, especially if you run DPMI programs under dosemu. Most normal DOS applications don't need dosemu to run as root, especially if you run dosemu under X. Thus, you should not allow users to run a suid root copy of dosemu, wherever possible, but only a non-suid copy . You can configure this on a per-user basis using the /etc/dosemu.users file."
The documentation clearly states that it is advisable for users to run a non-SUID copy. On our test system, no such restriction exists in the /etc/dosemu.users file. This type of misconfiguration is just what attackers look for. A file exists on the system where the propensity for root compromise is high. Attackers would determine if there are any avenues of attack by directly executing dos as SUID, or if there are other ancillary vulnerabilities that could be exploited, such as buffer overflows, symlink problems, and so on. This is a classic case of having a program unnecessarily SUID root, and it poses a significant security risk to the system.
SUID Files Countermeasure
The best prevention against SUID/SGID attacks is to remove the SUID/SGID bit on as many files as possible. It is difficult to give a definitive list of files that should not be SUID because a large variation exists among UNIX vendors. Consequently, any list that we could provide would be incomplete. Our best advice is to inventory every SUID/SGID file on your system and to be sure that it is absolutely necessary for that file to have root-level privileges. You should use the same methods attackers would use to determine whether a file should be SUID. Find all the SUID/SGID files and start your research.
The following command will find all SUID files:
find / -type f -perm -04000 -ls
The following command will find all SGID files:
find / -type f -perm -02000 -ls
Consult the man page, user documentation, and HOWTOs to determine whether the author and others recommend removing the SUID bit on the program in question. You may be surprised at the end of your SUID/SGID evaluation to find how many files don't require SUID/SGID privileges. As always, you should try your changes in a test environment before just writing a script that removes the SUID/SGID bit from every file on your system. Keep in mind, there will be a small number of files on every system that must be SUID for the system to function normally.
Linux and HP-UX users can use Bastille (http://www.bastille-linux.org), a fantastic hardening tool from Jay Beale. Bastille will harden their system against many of the aforementioned local attacks, especially to help remove the SUID from various files. Bastille is a fantastic utility that draws from every major reputable source on Linux security and incorporates their recommendations into an automated hardening tool. Bastille was originally designed to harden Red Hat systems (which need a lot of hardening); however, version 1.20 and above make it much easier to adapt to other Linux distributions.
World-Writable Files Another common system misconfiguration is setting sensitive files to world writable, allowing any user to modify them. Similar to SUID files, world writables are normally set as a matter of convenience. However, grave security consequences arise in setting a critical system file as world writable. Attackers will not overlook the obvious, even if the system administrator has. Common files that may be set world writable include system initialization files, critical system configuration files, and user startup files. Let's discuss how attackers find and exploit world-writable files:
find / -perm -2 -type f -print
The find command is used to locate world-writable files.
/etc/rc.d/rc3.d/S99local /var/tmp /var/tmp/.X11-unix /var/tmp/.X11-unix/X0 /var/tmp/.font-unix /var/lib/games/xgalscores /var/lib/news/innd/ctlinnda28392 /var/lib/news/innd/ctlinnda18685 /var/spool/fax/outgoing /var/spool/fax/outgoing/locks /home/public
Based on the results, we can see several problems. First, /etc/rc.d/rc3.d/S99local is a world-writable startup script. This situation is extremely dangerous because attackers can easily gain root access to this system. When the system is started, S99local is executed with root privileges. Therefore, attackers could create an SUID shell the next time the system is restarted by performing the following:
[sigma]$ echo "/bin/cp /bin/sh /tmp/.sh ; /bin/chmod 4755 /tmp/.sh" \ /etc/rc.d/rc3.d/S99local
The next time the system is rebooted, an SUID shell will be created in /tmp. In addition, the /home/public directory is world writable. Therefore, attackers can overwrite any file in the directory via the mv command. This is possible because the directory permissions supersede the file permissions. Typically, attackers would modify the public users shell startup files (for example, .login or .bashrc) to create an SUID user file. After public logs into the system, an SUID public shell will be waiting for the attackers.
World-Writable Files Countermeasure
It is good practice to find all world-writable files and directories on every system you are responsible for. Change any file or directory that does not have a valid reason for being world writable. It can be hard to decide what should and shouldn't be world writable, so the best advice we can give is common sense. If the file is a system initialization file, critical system configuration file, or user startup file, it should not be world writable. Keep in mind that it is necessary for some devices in /dev to be world writable. Evaluate each change carefully and make sure you test your changes thoroughly.
Extended file attributes are beyond the scope of this text, but worth mentioning. Many systems can be made more secure by enabling read-only, append, and immutable flags on certain key files. Linux (via chattr ) and many of the BSD variants provide additional flags that are seldom used but should be. Combine these extended file attributes with kernel security levels (where supported), and your file security will be greatly enhanced.