20771: Computer Security Lecture 6: Server Security, Unix - PowerPoint PPT Presentation

1
20-771 Computer Security, Lecture 6: Server
Security, Unix
  • Robert Thibadeau
  • School of Computer Science
  • Carnegie Mellon University
  • Institute for eCommerce, Fall 2000

2
Today's lecture
  • Server Security
  • Crashing machines and Stacheldraht!
  • Break (10 min)
  • Unix Server
  • Unix Access Control
  • Code to check SUID bits

3
This Week
  • Chapters 6,7 WS

4
Server Side Security
  • Webjacking: editing a page without your
    permission.
  • Stealing information.
  • Disabling your web site.
  • Authenticating Users, Authorizing Users

5
Why are Web Sites Vulnerable
  • Bugs in System Software
  • System Software is Incorrectly Configured
  • The Server Hardware isn't Secure
  • Networks are Not Secure
  • Remote Authoring and Administration Tools Open
    Holes
  • Insider Threats are Overlooked

6
Bugs in System Software
KOOPMAN DEMO
  • System self destructs and hardware lost
  • System self destructs and software/data lost
  • System crashes and needs reboot
  • Software crashes and needs restarting
  • Software runs slowly/non-responsively
  • Software does something not intended
  • Software feature a nuisance

7
The Buffer Overrun
  • Really a whole range of attacks
  • A program is handed long arguments. This causes
    the program to fail but leaves the user with
    write privileges.
  • A program is handed arguments that are
    interpreted and therefore can possibly be run.
  • Never use exec or system in cgi-bin
  • How common is it for a program/module to fail if
    given the wrong arguments?
  • Koopman.pdf

8
Koopman 2000 Data: BUFFER OVERRUNS LIVE ON!
9
Denial of Service: Large numbers of computers are
recruited to create an attack
  • Stacheldraht (Barbed Wire) first reported by
    David Dittrich University of Washington December
    29, 1999 (basis for giant DoS in Jan 2000)
  • The Client
  • The client connects to the master server on port
    16660 or port 60001. Packet contents are Blowfish
    encrypted using the default password "sicken".
    Attacker uses client to manage Stacheldraht
    agents, IP addresses of attack victims, lists of
    master servers, and to perform DoS attacks
    against specified machines.
  • The Master Server
  • The master server handles all communication
    between client and agent programs.
  • The Agent
  • The agent listens for commands from master
    servers on port 65000. In addition to this port,
    master server/agent communications are also
    managed using ICMP echo reply packets. These
    packets are transmitted and replied to
    periodically. They contain specific values in the
    ID field (such as 666, 667, 668, and 669) and
    corresponding plaintext strings in the data
    fields (including "skillz", "ficken", and
    "spoofworks"). The ICMP packets act as a
    "heartbeat" between agent and master server, and
    to determine source IP spoofing capabilities of
    the master server. The agent identifies master
    servers using an internal address list, and an
    external encrypted file containing master server
    IP addresses. Agents can be directed to "upgrade"
    themselves by downloading a fresh copy of the
    agent program and deleting the old image as well
    as accepting commands to execute flood attacks
    against target machines.
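As an added defensive example (not part of the lecture), the check a packet monitor could apply to an ICMP echo reply using the heartbeat indicators quoted above: the ID values and plaintext strings come from the slide, the packet bytes are constructed, and placing the ID field in wire (big-endian) order is an assumption.

```c
/* Added example (not from the lecture): score an ICMP echo-reply packet
 * as a possible Stacheldraht master/agent heartbeat using the indicators
 * on slide 9 (ID 666-669 and the known plaintext strings). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ECHO_REPLY 0

/* Assumption: the ICMP header is in wire (big-endian) order, so the ID
 * the slide quotes as 666 appears as the bytes 0x02 0x9a. */
static unsigned id_field(const uint8_t *icmp)
{
    return ((unsigned)icmp[4] << 8) | icmp[5];
}

/* Returns 0 for a benign reply, 1 if only the ID matches, 2 if the ID
 * matches and the payload also carries one of the known strings. */
int stacheldraht_heartbeat_score(const uint8_t *icmp, size_t len)
{
    static const char *markers[] = { "skillz", "ficken", "spoofworks" };
    unsigned id;
    if (len < 8 || icmp[0] != ICMP_ECHO_REPLY) return 0;
    id = id_field(icmp);
    if (id < 666 || id > 669) return 0;
    for (size_t i = 0; i < 3; i++) {
        size_t mlen = strlen(markers[i]);
        for (size_t off = 8; off + mlen <= len; off++)
            if (memcmp(icmp + off, markers[i], mlen) == 0) return 2;
    }
    return 1;
}

/* Constructed packets: type, code, checksum (not verified here), id,
 * sequence, then payload. */
static const uint8_t suspicious[] = { 0, 0, 0, 0, 0x02, 0x9a, 0, 1,
                                      's','k','i','l','l','z', 0 };
static const uint8_t benign[]     = { 0, 0, 0, 0, 0x12, 0x34, 0, 1,
                                      'a','b','c','d','e','f','g','h' };

int main(void)
{
    printf("suspicious=%d benign=%d\n",
           stacheldraht_heartbeat_score(suspicious, sizeof suspicious),
           stacheldraht_heartbeat_score(benign, sizeof benign));
    return 0;
}
```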

10
Denial of Service II: Large numbers of computers
are recruited to create an attack
  • Stacheldraht (Barbed Wire)
  • The Client
  • Attacker uses client to manage Stacheldraht
    agents.
  • The Master Server
  • The master server handles all communication
    between client and agent programs.
  • The Agent
  • Agents can be directed to "upgrade" themselves by
    downloading a fresh copy of the agent program and
    deleting the old image as well as accepting
    commands to execute flood attacks against target
    machines.
  • The Attack
  • Stacheldraht can be used to perform ICMP, SYN,
    and UDP flood attacks. The attacks can run for a
    specified duration, and SYN floods can be
    directed to a set of specified ports. These flood
    attacks cause the target machine to slow down
    because of the processing required to handle the
    incoming packets, leaving little or no network
    bandwidth. Possible methods for detection of
    these flooding attacks are discussed in the
    TFN/trin00 ISS Security Alert published December
    7, 1999. Stacheldraht runs on Linux and Solaris
    machines.
  • Where and How
  • Stacheldraht agents were originally found in
    binary form on a number of Solaris 2.x systems,
    which were identified as having been compromised
    by exploitation of buffer overrun bugs in the RPC
    services "statd", "cmsd" and "ttdbserverd". They
    are often witnessed "in the wild".

11
Stacheldraht Model (diagram): Client A and Client B
talk to Master Server A and Master Server B, which
drive AGENT A, AGENT B ... AGENT N against the
targets YOU 1, YOU 2 ... YOU N.
First set up a bunch of master servers. Set up
thousands of agents. Now say "march!" through any
one or more of your master servers.
12
Stacheldraht Commands!
  • .distro user server: Instructs the agent to
    install and run a new copy of itself using the
    Berkeley "rcp" command, on the system "server",
    using the account "user" (e.g., "rcp
    user@server:linux.bin ttymon")
  • .help: Prints a list of supported commands.
  • .killall: Kills all active agents.
  • .madd ip1[:ip2[:ipN]]: Add IP addresses to list
    of attack victims.
  • .mdie: Sends die request to all agents.
  • .mdos: Begins DoS attack.
  • .micmp ip1[:ip2[:ipN]]: Begin ICMP flood attack
    against specified hosts.
  • .mlist: List IP addresses of hosts being DoS
    attacked at the moment.
  • .mping: Pings all agents (bcasts) to see if they
    are alive.
  • .msadd: Adds a new master server (handler) to the
    list of available servers.
  • .msort: Sort out dead/alive agents (bcasts).
    (Sends pings and shows counts/percentage of
    dead/alive agents).

13
Stacheldraht Commands! 2
  • .mstop ip1[:ip2[:ipN]]
  • .mstop all: Stop attacking specific IP addresses,
    or all.
  • .msrem: Removes a master server (handler) from
    the list of available servers.
  • .msyn ip1[:ip2[:ipN]]: Begin SYN flood attack
    against specified hosts.
  • .mtimer seconds: Set timer for attack duration.
    (No checks on this value.)
  • .mudp ip1[:ip2[:ipN]]: Begin UDP flood attack
    against specified hosts. (Trinoo DoS emulation
    mode.)
  • .setisize: Sets size of ICMP packets for
    flooding (max: 1024, default: 1024).
  • .setusize: Sets size of UDP packets for flooding
    (max: 1024, default: 1024).
  • .showalive: Shows all "alive" agents (bcasts).
  • .showdead: Shows all "dead" agents (bcasts).
  • .sprange lowport-highport: Sets the range of
    ports for SYN flooding (defaults to lowport: 0,
    highport: 140).

14
SYN Floods
  • TCP Synchronization Handshake Attack
  • C: SYN, S: SYN-ACK, C: ACK (a triple, but you
    stop at 2)
  • The server has built in its system memory a data
    structure describing all pending connections.
    This data structure is of finite size, and it can
    be made to overflow by intentionally creating too
    many partially-open connections.
  • netstat -a -f inet
  • Too many connections in the state "SYN_RECEIVED"
    indicates that the system is being attacked.
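An added example, not from the lecture, that turns the netstat check on this slide into a counter: it parses constructed "netstat -a -f inet" lines, counts SYN_RECEIVED entries for a local port, and compares against a threshold; the sample lines, the function names and the threshold are assumptions.

```c
/* Added example (not from the lecture): count half-open connections in
 * "netstat -a -f inet" output per local port and flag a likely SYN flood. */
#include <stdio.h>
#include <string.h>

/* Constructed sample output (BSD/Solaris style columns):
 * Proto Recv-Q Send-Q Local Address  Foreign Address  (state) */
static const char *sample[] = {
    "tcp   0  0  www.80      203.0.113.7.1032   SYN_RECEIVED",
    "tcp   0  0  www.80      203.0.113.9.1033   SYN_RECEIVED",
    "tcp   0  0  www.80      198.51.100.4.2044  ESTABLISHED",
    "tcp   0  0  www.80      203.0.113.11.1034  SYN_RECEIVED",
    "tcp   0  0  *.25        *.*                LISTEN",
    NULL
};

/* Local port from "host.port" (text after the last dot); -1 if none. */
static int local_port(const char *addr)
{
    const char *dot = strrchr(addr, '.');
    int port;
    if (!dot || sscanf(dot + 1, "%d", &port) != 1) return -1;
    return port;
}

/* Count lines in SYN_RECEIVED for the given local port (BSD netstat
 * prints SYN_RECEIVED; Linux prints SYN_RECV, which also matches). */
int count_syn_received(const char **lines, int port)
{
    char proto[8], local[64], foreign[64], state[32];
    int rq, sq, n = 0;
    for (; *lines; lines++) {
        if (sscanf(*lines, "%7s %d %d %63s %63s %31s",
                   proto, &rq, &sq, local, foreign, state) != 6) continue;
        if (strncmp(state, "SYN_REC", 7) == 0 && local_port(local) == port) n++;
    }
    return n;
}

/* Slide 14's rule: too many half-open connections means an attack. The
 * threshold is an assumption; tune it to the host's normal backlog. */
int syn_flood_suspected(const char **lines, int port, int threshold)
{
    return count_syn_received(lines, port) >= threshold;
}

int main(void)
{
    int n = count_syn_received(sample, 80);
    printf("port 80: %d half-open, flood=%d\n", n, syn_flood_suspected(sample, 80, 3));
    return 0;
}
```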

15
If Stacheldraht did that then
  • What is going on silently and without destruction?
  • Armies of agents?
  • Probably

16
Break!
17
Security Policy Components
  • Personnel
  • Access Levels
  • Authorization Procedures
  • Revocation of Authorization
  • Access Privileges
  • Local Login
  • Network Login (never root!)
  • Authoring Access
  • Remote Server Administration
  • Browsing Access
  • CGI-Script Installation
  • Access to the /private directory

18
Security Policy Components
  • Personnel
  • Access Privileges
  • Network Services
  • Web
  • FTP
  • Other (no other)
  • Maintenance
  • 24X7
  • Backups

19
Setting up Unix
  • Apply vendor OS patches
  • Turn off unessential services
  • Add minimum number of user accounts
  • Make a back door for yourself to do admin for
    a while
  • Get the file and directory permissions right
  • NOW YOU CAN PUT UNIX ON THE INTERNET!
  • Lots of automated programs probe to get trojan
    horses on your machine and this can happen FAST!

20
Unix Access
  • User and Group Access Rights is the Basis for
    Unix Security
  • Read, Write, Execute on a file/directory/device
  • The biggest TCO (total cost of ownership) in a
    computer system is administering and working with
    access control.
  • Because things just don't work until you get the
    access rights working properly
  • People think it is something wrong with the
    program when it is really just the security
    environment that is set wrong.
  • A GREAT REASON to REALLY LEARN YOUR ACCESS
    CONTROL SYSTEM!

21
Unix Access Protections
  • What has access protections u-rwx g-rwx o-rwx?
  • Files
  • Directories
  • Devices (/dev/)
  • Programs (must have execute bit set).
  • All these have ONE user and ONE group that owns
    them.
  • Each User is ONE user and ONE DEFAULT group but
    many group memberships.
  • Types of protections applied when
    creating/modifying
  • User rwx (u-rwx, -rwx------, or 0700)
  • Group rwx (g-rwx, ----rwx---, or 0070) other
    members of users group
  • Other rwx (o-rwx, -------rwx, or 0007)
  • A directory d (d--------- -> set automatically
    by file system)
  • SGID (-----s--- or 2000) inherit group
    protections
  • umask 002 automatically let everybody in group
    rwx
  • Need a private user group (user mary, group mary)
    if umask is 002, not 022.
  • A user can be a member of many groups but only
    the primary defaults to write unless directory
    permission is set to overcome user permission
    (sgid bit set on directory).
  • When access is provided to a group, every member
    gets it.

22
Unix Access Permission Model (diagram)
  • Object: FILE / DIRECTORY / DEVICE / INODE, owned
    by User A, Group A
  • User bits: Read 4, Write 2, Execute 1
  • Group bits: Read 4, Write 2, Execute 1
  • Other bits: Read 4, Write 2, Execute 1
  • Special bits: Set UserID 4, Set GUID 2, Set
    Sticky 1
  • Accessors shown: USER A (Group A), USER B (Group
    B), USER C (Group A), GROUP A, GROUP B, GROUP C,
    OTHER
23
Special Bits do ONE thing each: drwsrwsrwt
  • 4 Set User ID causes an executable file (a
    program) to go into the access permissions of the
    owner of the file (note, group or OTHER could
    execute it!) not the person executing it.
  • 2 Set Group ID causes a new file that is being
    created in a directory to have the group ID of
    the directory, not the person (User) that is
    creating the file.
  • 1 Sticky Bit Causes a new file that is being
    created in a directory to not be deletable by
    just anybody in that directory but by the user
    who created the file.

24
Seeing Who you Pretend to Be.
  • The idinfo script:

```sh
#!/bin/sh
# idinfo: print user information
echo "effective user-ID: `id -un`"
echo "real user-ID: `id -unr`"
echo "group ID: `id -gn`"
```

25
Set User ID Test
```c
/* suidtest.c */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* secure SUID programs MUST not trust any user input or environment variable!! */
    char *env[] = { "PATH=/bin:/usr/bin", NULL };   /* fixed, minimal environment */
    char *prog = "/home/alice/idinfo";              /* hard-coded absolute path */
    if (access(prog, X_OK)) {
        fprintf(stderr, "ERROR: %s not executable\n", prog);
        exit(1);
    }
    printf("running now %s ...\n", prog);
    /* execle: argv[0] is prog, the argument list ends with NULL, then the environment */
    execle(prog, prog, (const char *)NULL, env);
    perror("suidtest");   /* only reached if exec failed */
    return 1;
}
```

26
More on SUID
  • gcc -o suidtest -Wall suidtest.c
  • chmod 4755 suidtest OR
  • chmod u+s suidtest
  • ls -l suidtest
  • suidtest idtest
  • Set-UID programs are often used by "root" to give
    ordinary users access to things that normally
    only "root" can do. As root you can e.g modify
    the suidtest.c to allow any user to run the
    ppp-on/ppp-off scripts on your machine.
  • Note: It is possible to switch off SUID when
    mounting a file system. If the above does not
    work then check your /etc/fstab. It should look
    like this: /dev/hda5 / ext2 defaults 1 1. If you
    find the option "nosuid" there then this SUID
    feature is switched off. For details have a look
    at the man page of mount.

27
SUID User Bit
  • If root owns the file with the s-bit set, any
    user can then do things that normally only root
    can do.
  • A few words on security.
  • When you write a SUID program then you must make
    sure that it can only be used for the purpose
    that you intended it to be used.
  • Always set the path to a hard-coded value.
  • Never rely on environment variables or functions
    that use environment variables.
  • Never trust user input (config files, command
    line arguments....). Careful on BUFFER
    OVERFLOW! AAA!
  • Check user input byte for byte and compare it
    with values that you consider valid.

28
umask
  • Applies only when you are creating a file
    (directory, device)
  • 022 is the general default: only you can write a
    file, but everybody else can read and execute it.
    It is a mask on the file settings given by the
    environment.
  • 002 lets everybody in your group write the file.
  • 000 lets everybody write the file.
  • 277 lets only you read and execute (safety)
  • Just type umask 277 in a shell window and now
    when you make a file, it will have these
    attributes.

29
Unix Access Model
30
P3P
  • Client makes any first http request
  • Server includes in its http response header a
    pointer to its p3p policyref (policy reference
    page).
  • Client MAY now check the p3p policyref before
    proceeding to any next interaction with the
    server.
  • Method is to apply APPEL rules.
  • Each APPEL rule looks at a part of the policyref
    and decides to ACCEPT, REJECT, INFORM or WARN the
    person.

31
P3P XML Tree
32
P3P Summary (the slide's vocabulary tree; its leaves
are grouped here under their P3P element)
  • ACCESS: nonident, all, contact_and_other,
    ident_contact, other_ident, none
  • CATEGORIES: physical, online, uniqueid, purchase,
    financial, computer, navigation, interactive,
    demographic, content, state, political, health,
    preference, location, other
  • DISPUTES: resolution-type (service, independent,
    court, law), IMG, REMEDIES (correct, money, law)
  • PURPOSE: current, admin, develop, customization,
    contact, targeting, profiling, other-purpose
  • RECIPIENT: ours, same, other-recipient, delivery,
    public, unrelated
  • RETENTION: no-retention, stated-purpose,
    legal-requirement, business-practices,
    indefinitely
33
APPEL Rules
  • If you are taking my name and the recipient is
    "other recipient", maybe I want to reject.
  • If you are taking my name and the recipient is
    "other recipient" but there is extended text (the
    machine can't read this, it only knows it is
    there), then maybe I WARN and put this text in
    the warning window.