Title: Hacking Unix and Unix Security
1. Hacking Unix and Unix Security
2. Let's talk about Unix and Security
- Passwords
  - Originally passwords were kept in /etc/passwd. It is world readable because numerous programs need access to the information contained in it (more than just passwords: UID, GID, preferred shell, etc.).
  - Passwords are stored in the file as a one-way hash, so you can't decrypt them.
  - Cracking is accomplished by hashing candidate words until one produces a hash that matches your password hash; that word is your password.
  - Since having /etc/passwd world readable makes it easier for folks to grab the password file to crack, systems generally now use a shadow file in a location such as /etc/shadow.
  - Change your password with the passwd command
    - Unless NIS is being used, then use yppasswd
3. Users, Groups, and the Superuser
- Some common users you may find in the /etc/passwd file
  - root: the superuser
  - daemon or sys: associated with some utility systems on some versions of Unix
  - guest: used for site visitors
  - ftp: used for anonymous ftp access
  - uucp: manages the UUCP system (unix to unix copy program)
  - lp: used for the printer system
  - nobody: a user that owns no files and is sometimes used as a default user for unprivileged operations
4. Users, groups, superuser
- User Identifiers (UIDs)
  - A mapping between the username and the UID is kept in the /etc/passwd file.
  - The OS actually uses the UID for identifying a user and his/her processes. The username is just a convenience for the human user.
  - If two users are assigned the same UID, as far as Unix is concerned they are the same user.
    - Generally considered a bad idea
5. Users, groups, superuser
- Every Unix user belongs to one or more groups.
- Groups have both a group name and a group identification number (GID).
- Each user belongs to a primary group. Its GID is stored in the user's entry in the /etc/passwd file.
- Groups provide a handy mechanism to handle several users in a specified way.
- Groups can be used to restrict access to sensitive information or specific programs.
- The /etc/group file contains the list of groups with their names, GIDs, and the list of users in each group.
  - The wheel group on some systems is group 0, the sysadmins.
  - Users listed in groups in this file are in addition to their primary group found in the /etc/passwd file.
6. Users, groups, superuser
- The superuser has a UID of 0 and is usually called root.
- The superuser can exercise almost complete control over the system.
- It is generally a good idea NOT to have the sysadmin log in as root. Create another account so that if a mistake is made you don't trash the system.
- Security checks are turned off for the superuser.
  - Thus, remote login as root is considered a bad thing and should not be allowed.
  - Sysadmins should log in using their own account and su to root. This makes tracking who is using the root account easier.
    - su: substitute user
  - You can restrict login of root to specific terminals on some versions of UNIX. Thus, you will need two passwords to be able to gain root access.
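As an added example (not part of the slides), the script below audits /etc/passwd- and /etc/group-style records for the account problems described above: duplicate UIDs, extra UID 0 accounts, hashes left in the world-readable passwd file instead of /etc/shadow, and membership of the GID 0 wheel group. The records and the HASH_PLACEHOLDER value are constructed sample data.

```python
# Added example, not from the slides: audit passwd- and group-style records for the issues
# the slides describe (duplicate UIDs, extra UID 0 accounts, hashes left in the world-readable
# passwd file instead of /etc/shadow) and list the members of the wheel group (GID 0).
# The records below are constructed sample data, not taken from any real system.

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fred:x:1000:100:Fred:/home/fred:/bin/sh
guest:HASH_PLACEHOLDER:1001:100:Guest:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
"""

GROUP_SAMPLE = """\
wheel:x:0:root,fred
users:x:100:
"""

def parse_passwd(text):
    """Split passwd lines into dicts with the name, password field and numeric UID/GID."""
    users = []
    for line in text.splitlines():
        name, pw, uid, gid, _gecos, _home, _shell = line.split(":")
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid)})
    return users

def audit_passwd(text):
    """Return a sorted list of findings for the passwd records in text."""
    findings, by_uid = [], {}
    for u in parse_passwd(text):
        by_uid.setdefault(u["uid"], []).append(u["name"])
        # Anything but the shadow marker 'x' or a lock marker is a hash sitting in the
        # world-readable file, where anyone can copy it and run a cracker against it.
        if u["pw"] not in ("x", "*", "!", "!!"):
            findings.append(f"hash stored in passwd for {u['name']}")
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(f"extra UID 0 account: {u['name']}")
    for uid, names in by_uid.items():
        if len(names) > 1:  # the kernel identifies users by UID, so these are one user
            findings.append(f"duplicate UID {uid}: {', '.join(sorted(names))}")
    return sorted(findings)

def wheel_members(group_text):
    """Return the supplementary members of GID 0 (the wheel group on some systems)."""
    for line in group_text.splitlines():
        _name, _pw, gid, members = line.split(":")
        if int(gid) == 0:
            return [m for m in members.split(",") if m]
    return []
```

Pointing the same functions at the contents of a real /etc/passwd and /etc/group gives a quick first pass before any password cracker is even considered.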
7. Log files
- Different versions of Unix store messages in different files.
  - The /etc/syslog.conf file on Linux identifies where log messages will go.
  - /var/adm/messages: a possible place messages may be found
    - May also be in /var/log/messages
  - /var/adm/sulog: another possibility, used to log su attempts
  - /var/log/secure
8. inodes
- Unix uses a system called inodes (index nodes) to implement the file system. Each inode contains
  - Location of the item's contents on the disk
    - Pointers to the locations where the file is stored; indirect blocks are used for larger files
  - The item's type
  - The item's size
  - The time the inode was last modified
  - The time the file's contents were last modified
  - The time the file was last accessed
  - A reference count (the number of names the file has)
  - The file's owner (UID)
  - The file's group (GID)
  - The file's mode bits (file permissions or permission bits)
9. The ls command
    ls -lF
    total 161
    -rw-r--r--  1 fred  user         505 Feb  9 12:10 file1
    -rw-rw-r--  1 fred  marketing   1234 Feb 10 13:20 client_lst
    -rwx--x---  1 fred  user      223433 Jan 29 09:17 stats*
- -: The file's type. For regular files this field is always a dash
- rw-r--r--: The file's permissions
- 1: The number of hard links to the file (the number of names for the file)
- fred: The name of the file's owner
- user: The name of the file's group
- 505: The file's size in bytes
- Feb 9 12:10: The file's modification time
- file1: The file's name
10. The ls command with the -F option
- The -F option for the ls command prints a special character after the filename to indicate what type of file it is.
  - If blank then regular file or named pipe (FIFO)
  - If * then executable program or command file
  - If / then a directory
  - If = then a socket
    - Sockets are used for interprocess communication by generalizing file I/O
  - If @ then a symbolic link
11. Understanding File permissions
    ls -lF
    total 161
    -rw-r--r--  1 fred  user         505 Feb  9 12:10 file1
    -rw-rw-r--  1 fred  marketing   1234 Feb 10 13:20 client_lst
    -rwx--x---  1 fred  user      223433 Jan 29 09:17 stats*
    drwxr-xr-x  1 fred  user         512 Feb  1 10:11 saved/
- The first character of the file's mode field indicates the type of file.
  - If - then just a plain old ordinary file
  - If d then it's a directory
  - If c then it's a character device (tty or printer)
  - If b then it's a block device (usually disk or CD-ROM)
  - If l then it's a symbolic link (BSD or V.4)
  - If s then it's a socket (BSD or V.4)
  - If | or p then FIFO pipe (System V, Linux)
12. Understanding File permissions
- The next nine characters, taken in groups of three, indicate who on your computer can do what with the file. There are 3 permissions:
  - r: permission to read
  - w: permission to write
  - x: permission to execute
- The three groups represent the different classes of individuals, taken from the left in groups of three:
  - Owner
  - Group: users who are in the file's group
  - World (other): everybody else on the system
13. Changing permissions
- The chmod command is used to change a file's permissions
  - chmod [-Rfh] [agou][+-=][rwxXstugol] filelist
  - Changes the permissions of filelist, which can be either a single file or a group of files
  - agou specify whose privileges are being modified; can have none, one, or more
    - a: modify privileges for all users
    - g: modify group privileges
    - o: modify others' privileges
    - u: modify owner's privileges
  - +-= specify what is supposed to be done with the privileges
    - + adds to the current privilege, - removes from the current privilege, = replaces the current privilege
  - rwxXstugol specify which privilege is to be adjusted (some are Unix variant specific)
    - r is for read access
    - w is for write access
    - x is for execute access
    - s is for SUID or SGID
    - t is for the sticky bit
  - -Rfh depend on the variant
    - -R for recursive if filelist is a directory, -f to suppress error messages, -h to not perform the operation on links
14. Changing permissions
- Some examples
  - chmod o-r client_lst   /* removes ability for others to read client_lst */
  - chmod g+w file1        /* adds ability for group to write to file1 */
  - Can also use octal representation
    - chmod 711 stats      /* gives everybody execute, owner also rw */
      - 7 = 111, thus rwx
      - 1 = 001, thus just x
15. The umask
- Short for user file-creation mode mask
- A four-digit octal number that UNIX uses to determine the file permission for newly created files.
- Every process has its own umask, inherited from its parent process.
- Specifies the permissions you do NOT want given by default to newly created files and directories.
- Normally set in your .login, .cshrc, or .profile files.
- e.g. umask 033   /* would turn off wx for folks in group and others */
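An added worked example (not part of the slides) of the chmod symbolic syntax and umask arithmetic from the last three slides: it applies a spec such as o-r or g+w to a numeric mode and computes the mode a umask leaves for new files. The subset of letters it handles and the simplifications it makes are stated in the comments.

```python
# Added example, not from the slides: apply the chmod symbolic syntax the slides describe,
# [agou][+-=][rwxst], to a numeric mode, and compute what a umask leaves for new files.
# Simplifications (assumed here, not from the slides): the variant-specific letters X, u, g,
# o and l are not handled, 's' sets SUID with u and SGID with g, and 't' always means sticky.

PERM_BITS = {"r": 0o4, "w": 0o2, "x": 0o1}
SHIFT = {"u": 6, "g": 3, "o": 0}
SPECIAL = {("u", "s"): 0o4000, ("g", "s"): 0o2000}

def apply_symbolic(mode, spec):
    """Return mode after applying a comma-separated chmod spec such as 'o-r' or 'u+s,go=rx'."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"            # no class letters means all classes
        who = "ugo" if "a" in who else who
        op, perms = clause[i:i + 1], clause[i + 1:]
        if op not in ("+", "-", "=") or any(p not in "rwxst" for p in perms):
            raise ValueError(f"unsupported clause {clause!r}")
        bits = clear = 0
        for w in who:
            clear |= (0o7 << SHIFT[w]) | SPECIAL.get((w, "s"), 0)
            for p in perms:
                if p in PERM_BITS:
                    bits |= PERM_BITS[p] << SHIFT[w]
                elif p == "s":
                    bits |= SPECIAL.get((w, "s"), 0)   # 'o+s' has no meaning; ignored
                else:
                    bits |= 0o1000                     # 't': sticky bit
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:  # '=' replaces the named classes' rwx/s bits; sticky is left alone
            mode = (mode & ~clear) | bits
    return mode

def default_mode(umask, directory=False):
    """Mode a new file (created with 0666) or directory (0777) receives under this umask."""
    return (0o777 if directory else 0o666) & ~umask

def octal(mode):
    """Render a mode the way chmod takes it, e.g. 0o4755 -> '4755'."""
    return f"{mode:04o}"
```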
16. Directories and permissions
- What do the values for rwx mean for directories?
  - r: you can use ls to find out what is in the directory
  - w: you can add, rename, or remove entries in the directory
  - x: you can determine the owners and the lengths of the files in the directory. You also need execute to make the directory your current working directory or to open files inside the directory.
17. SUID, SGID, and Sticky Bits
- Sometimes unprivileged users must be able to accomplish tasks that require privileges
  - e.g. the passwd program needs to write to the password file, which users normally don't have write permission for.
- Users can assume another UID or GID when running a program. A program that changes its UID is called a SUID program (set UID).
- When a SUID program is run, its effective UID becomes that of the owner of the file, rather than the user who is running it.
- If a program is SUID or SGID, the output of the ls -l command will have the x in the display changed to an s. If the program is sticky, the last x changes to a t.
- The sticky bit was originally used to speed up swapping for frequently used files; now, when set on a directory, it limits who can remove or rename files.
- Obvious security implications with SUID
  - If a person were to execute
    - cp /bin/sh /tmp/specfile      /* create copy of sh */
    - chmod 4755 /tmp/specfile      /* SUID so it runs as if your UID */
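As an added example (not part of the slides), the code below decodes the 10-character mode field that ls -l prints, as explained over the last few slides, into an octal mode and flags the entries an auditor looks for: SUID, SGID, sticky and world-writable. The listing is constructed sample data; its specfile line is what the cp and chmod 4755 sequence above would leave behind, which is exactly what a periodic SUID scan should catch.

```python
# Added example, not from the slides: decode the 10-character mode field ls -l prints, as the
# slides explain it, into an octal mode and flag what an auditor cares about: SUID, SGID,
# sticky and world-writable entries. The listing is constructed sample data; its SUID 'specfile'
# line is what the slides' cp + chmod 4755 sequence would leave behind.

TYPE_CHARS = {"-": "regular file", "d": "directory", "c": "character device",
              "b": "block device", "l": "symbolic link", "s": "socket", "p": "FIFO"}

LISTING = """\
total 161
-rw-r--r--  1 fred user      505 Feb  9 12:10 file1
-rw-rw-r--  1 fred marketing 1234 Feb 10 13:20 client_lst
-rwx--x---  1 fred user   223433 Jan 29 09:17 stats*
drwxr-xr-x  1 fred user      512 Feb  1 10:11 saved/
-rwsr-xr-x  1 root root    12345 Jan  1 00:00 specfile*
drwxrwxrwt  2 root root     4096 Jan  1 00:00 tmp/
"""

def mode_to_octal(mode_str):
    """'-rwsr-xr-x' -> ('regular file', 0o4755); s/S/t/T in an x position set a special bit."""
    if len(mode_str) != 10 or mode_str[0] not in TYPE_CHARS:
        raise ValueError(f"not an ls -l mode field: {mode_str!r}")
    mode = 0
    for i, ch in enumerate(mode_str[1:]):
        bit = 0o400 >> i  # owner r,w,x then group r,w,x then other r,w,x
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT" and i in (2, 5, 8):
            if ch.islower():  # lower case means execute is set as well
                mode |= bit
            mode |= {2: 0o4000, 5: 0o2000, 8: 0o1000}[i]
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {mode_str!r}")
    return TYPE_CHARS[mode_str[0]], mode

def audit_listing(listing):
    """Return {name: flags} for every entry with a special bit or world-writable permission."""
    report = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9:  # skips the 'total' line
            continue
        kind, mode = mode_to_octal(fields[0])
        name = fields[-1].rstrip("*/@=|")  # drop the ls -F indicator character
        flags = [n for b, n in ((0o4000, "SUID"), (0o2000, "SGID"), (0o1000, "sticky")) if mode & b]
        if mode & 0o002 and kind != "symbolic link":
            flags.append("world-writable")
        if flags:
            report[name] = flags
    return report
```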
18. SSH
- Secure SHell
- Most commonly used as a secure replacement for telnet, rsh, rcp, and rlogin.
- Offers secure TCP communications between any two systems regardless of what untrusted systems might be between them
- Uses public key encryption techniques to encrypt each message.
- Check www.ssh.org or www.openssh.com
19. Remote versus Local Access
- Remote Access: gaining access via the network or other communication channel.
- Local Access: having an actual command shell or login to the system.
  - Also known as privilege escalation attacks.
- Attackers may (often) start with a remote access attempt. If successful in obtaining shell access, they are considered local for further attempts.
20. Remote Access
- Four primary methods are used to remotely circumvent the security of a UNIX system.
  - Exploit a listening service
    - If it isn't listening, it can't be broken into.
  - Route through a UNIX system
    - Kernel had IP forwarding turned on (more on this in a later chapter)
  - User-initiated remote execution attacks
    - A hostile web site or Trojan horse email
  - Promiscuous mode attacks
    - There are ways to exploit a NIC that has been placed in promiscuous mode.
21. Brute Force Attacks
- Nothing more than guessing a user ID/password combination on a running service that includes authentication. (Implies we need usernames!)
- Common services to brute force
  - Telnet
  - FTP
  - The R commands (rlogin, rsh, ...)
  - SSH
  - SNMP community names
  - Post Office Protocol (POP) and Internet Message Access Protocol (IMAP)
  - HTTP
- Several tools to help with brute-forcing
  - Brutus, brute_web.c, pwscan.pl, ...
22. Data Driven Attacks
- Executed by sending data to an active service that causes unintended or undesirable results.
- Buffer Overflow Attacks
  - Nov 1996 Phrack Magazine article "Smashing the Stack for Fun and Profit"
    - "On many C implementations it is possible to corrupt the execution stack by writing past the end of an array declared auto in a routine. Code that does this is said to smash the stack, and can cause return from the routine to jump to a random address."
  - A buffer overflow is the result of stuffing more data into a buffer than it can handle.
  - How can we place arbitrary instructions into its address space? The answer is to place the code we are trying to execute in the buffer we are overflowing, and overwrite the return address so it points back into the buffer.
  - Associated with certain functions such as strcpy(), strcat(), and sprintf().
  - If we find a program that has one of these in it, and we overflow the buffer, we may be able to execute a shell. If the original program was running as root, so will this shell!
23. Buffer overflow attacks
- To exploit a buffer overflow (beyond simply crashing the program) takes quite a bit of sophistication.
- Fortunately, there are others who have already written exploit code for us so we don't have to.
- Exploit code for buffer overflows is very system specific.
- Buffer overflows are problems at the coding level, and the real solution is secure programming practices.
- For administrators the best thing you can do is to ensure all appropriate patches have been installed.
24. Input Validation Attack
- An input validation attack occurs when
  - A program fails to recognize syntactically incorrect input.
  - A module accepts extraneous input.
  - A module fails to handle missing input fields.
  - A field-value correlation error occurs.
- An early example of this was the PHF vulnerability that came standard with early versions of the Apache web server.
  - The program did not properly parse and validate the input it received.
  - A newline character could be sent which would cause subsequent commands to be executed with the privilege that the web server was running at.
  - A common early exploit was to cause it to execute the cat command to print the password file, which gave user names and encrypted passwords that could then be cracked.
25. Gaining Shell access and other remote attacks
- What we want to be able to do is have shell access.
- A number of different techniques are described in the text.
  - FTP: useful, but frequently anonymous use is allowed.
    - Is the file system restricted? World-writable directory? (if so, watch out for .rhosts files)
  - Sendmail
    - Numerous exploits over the years, as far back as 1988 when the Morris worm exploited a vulnerability in sendmail as part of its capability to gain access to systems.
  - Numerous other possible attacks; check the textbook for more details
26. Local Access
- Password cracking is possible if you can obtain the password file in /etc/passwd or the shadow file.
  - A number of Unix password crackers can be run on both Unix and Windows platforms.
- Buffer overflows are a problem here as well.
- Check file and directory permissions, as they may not have been set to be secure.
- A number of other possibilities; again, check the text.
27. Rootkits
- After gaining root, one of the first things an attacker will want to do is install a rootkit.
- A rootkit generally consists of
  - Trojan programs such as altered versions of login and ps.
  - Backdoors
  - Sniffers
  - System log clearers
- Some of the latest rootkits are kernel rootkits, which modify the OS kernel.
  - A Loadable Kernel Module (LKM) allows a running kernel to be modified without having to compile it into the kernel.
28. The 7 most deadly sins from Real World Linux Security, 2nd ed.
- The list was created to help folks secure systems; for us it provides ideas to test.
  - Weak and Default Passwords
  - Open Network Ports
  - Old Software Versions
  - Insecure and Badly Configured Programs
  - Insufficient Resources and Misplaced Priorities
  - Stale and Unnecessary Accounts
  - Procrastination
29. Summary
- What is the importance and significance of this material?
  - Unix has been around for a long time, and versions of Linux have been cutting into MS dominance.
- How does this topic fit into the subject of Security Risk Analysis?
  - Need to know how to attack these systems. Also need to know how these systems work, as many tools are designed for the Unix environment.