In an enterprise environment, there are many diverse systems on the typical
heterogeneous network. Often, Unix systems are a large part of the equation. In
the enterprise environment, it is not uncommon to have multiple Unix systems
serving specific, individual purposes. All these systems, while often varying in
platform and operating system type, are confronted with similar problems of
insecure default configurations and newly discovered vulnerabilities, and they
require work to maintain their integrity.
Attacking Unix/Linux
It is impossible to determine a host to be one hundred percent secure. The best
that can be done is to ensure that a host is not vulnerable to any known issues.
This also includes ensuring that any future compromise will have minimal impact.
And the only means of ensuring a host is reasonably secure is to attack the host.
There are two main goals of attacking Unix systems to ensure security: gaining
remote access, and gaining elevated privileges locally, if required. Attacks
launched by an individual are usually preceded by an information gathering
attack, which we will discuss briefly. We next look at common methods of gaining
remote access to a host, and then at methods of gaining local privilege
elevation.
Information Gathering Attacks
Just as an Operations Unit needs intelligence reports on a target before the
launch of an attack, an intelligent attacker needs information on a site before
attempting to compromise a host. An Operator would want maps, manpower,
armament, and objective information before being dropped at a site to
accomplish a mission; an attacker would want information about services,
network configuration, and network defenses before attempting to attack a host.
However, the intelligence used by an Operator would typically have been
gathered, analyzed, and compiled into a report by a third party, whereas an
attacker making a directed attack against a host would likely have to gather
their own intelligence, using any available means to be as inconspicuous as
possible. Information gathering tools are freely and readily available. The most
common is a port scanning utility; in this area there is nmap, and then there
are all the others. Nmap, or network mapper, is a port scanning utility that is
versatile in function and freely available.
Once information has been gathered about the services on a target host, the
attacker may attempt to further identify the specific vendor that authored the
service, as well as the version number. This often requires communicating with
the service directly. This type of information gathering can be carried out by
a utility designed specifically for the particular protocol.
From this, we gain valuable information about potentially vulnerable services
running on a host. Sometimes, you will not have a tool at hand that will do the
work for you. In this case, Telnet will often suffice, although netcat is the
best and most common choice. Using interactive utilities requires knowledge of
the protocol spoken by the host. This information can be gathered from many
places, although the best resource is the Request for Comments (RFC)
repository.
Gaining Remote Access
Gaining remote access is the objective of most attacks against a Unix system.
Remote access to a host allows an attacker to access the resources of the
compromised host, and can result in the system being used as a platform for the
launch of other attacks. Remote access attempts are launched through
exploitation of services executing on a Unix host.
In the case of a service executing with minimal privileges, remote access can
result in unprivileged access. In the case of a service executing with elevated
privileges, gaining remote access through the service results in a catastrophic
compromise of administrative privileges. In the case of unprivileged remote
access, it is merely a matter of time before the attacker finds a way to gain
elevated privileges. Remote access is often gained through one of a few
methods. One such method is the exploitation of a programming error such as a
buffer overrun or format string vulnerability. Another is through the use of an
input validation bug, such as a PHP include vulnerability.
Exploiting Programming Errors
Programming errors are one of the more commonly exploited types of
vulnerabilities in software. Programming errors are a broad category, and they
are often obscure bugs that exist in software. Their occurrence is common, and
their exploitation usually catastrophic. Two of the most commonly exploited
programming errors are buffer overruns and format string vulnerabilities. In
the case of an exploitable instance of either of these types of
vulnerabilities, it is possible for an attacker to execute arbitrary code.
The code executed
by the attacker is run on the vulnerable host in the context of the vulnerable
process; that is, any code executed through the service is executed with the
privileges of the service.The code executed can perform any action the attacker
requests, but typically the code is used to execute a command shell, giving the
attacker an interactive means of accessing the host. By design, services require
elevated privileges to bind ports below 1024. Services on ports above this are
free to run with the privileges of any user.
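The following is an added example, not code from the chapter, showing the two programming errors just named next to the hardened form a defender would ship. The unbounded strcpy() is the buffer overrun; a printf() whose format string is the client's data is the format string bug. Function names and the 16-byte buffer size are my own choices.

```c
/* Added example (not the chapter's code): a buffer overrun and a format
   string defect beside their hardened replacements. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16

/* DEFECT (buffer overrun), kept only to show the pattern: strcpy() copies
   until the source's NUL byte, so a name longer than the 16-byte stack buffer
   overwrites whatever lies beyond it, including the saved return address.
   Never call this with data from the network. */
void greet_vulnerable(const char *name)
{
    char buf[NAME_MAX_LEN];
    strcpy(buf, name);              /* no bound on the copy */
    printf("hello %s\n", buf);
    /* The second classic defect would be printf(buf): the client string
       becomes the format string, and %x / %n directives in it read from and
       write to the stack. */
}

/* Hardened copy: never writes past dst_size bytes and always NUL-terminates.
   Returns 0 if the whole string fit, -1 if it had to be truncated. */
int copy_name(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened greeting: the format string is a literal and the client data is an
   argument, so "%n" in a name is printed, not interpreted. Returns the length
   of the greeting, like snprintf(). */
int greet_safe(char *out, size_t out_size, const char *name)
{
    char safe_name[NAME_MAX_LEN];
    copy_name(safe_name, sizeof safe_name, name); /* truncation is acceptable here */
    return snprintf(out, out_size, "hello %s", safe_name);
}

int main(void)
{
    char line[64];
    greet_safe(line, sizeof line, "alice%x%n");
    puts(line);                     /* the directives come out literally */
    return 0;
}
```

Truncating silently is not always the right policy; what matters is that the caller learns about it (the -1 return) and that the copy can never run past the buffer. Compiling with -Wformat-security makes the compiler flag any printf() family call whose format is not a literal.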
Because of the design of systems, as well as the frequency of severe
vulnerabilities in services that execute with elevated privileges, many
services include functionality that allows them to drop privileges after
startup. In practice, this is good, although it may be possible to reclaim
elevated privileges when the service is exploited. The easiest method of
attacking services vulnerable to programming errors is with an exploit.
Input Validation Errors
Input validation errors occur when a program trusts input from parties it
should not trust. These types of vulnerabilities generally involve assumptions
on the part of the program that the source of input will never send anything
unexpected. As a result, unexpected input sent to the service allows the source
to carry out actions that should not be permitted. A PHP include, a function in
PHP which imports another file into the PHP script, is one such problem. This
function is used to allow the use of multiple pieces of information spread
across different files.
A PHP include can use a variable as the source of the file. However, if an
attacker can define this variable, he can place commands in the include file.
When the PHP script loads it, the attacker could potentially execute commands
through the include file. Exploiting PHP includes requires placing files in a
directory of a Web server that can be reached from the target Web server. A
malicious string that defines the variable used for the include is sent to the
server, and the file is downloaded and executed on the vulnerable host. This
process can be used to execute commands on the vulnerable host. Commands
executed on the host through a PHP include vulnerability are performed with the
privileges of the Web server process.
This vulnerability could be used to download and execute malicious programs.
Systems with PHP should be audited. Any Web applications written in PHP that
run on the host should be audited and checked for include() vulnerabilities.
Pre-written Web applications can be downloaded from their respective vendor,
and a cursory search performed using a utility such as grep. Include
definitions and the variables used with them can be followed through the source
code using a text editor. As with programming errors, information on known
issues can be gathered from vulnerability databases, exploit archives, and
security mailing lists. Input validation errors also occur in CGI programs.
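The cursory search described above can be made a little sharper than a plain grep for "include": what matters is whether the first argument of include, include_once, require or require_once begins with a variable rather than a string literal. The scanner below is an added example, not the chapter's or any project's code; the PHP lines it checks are constructed for the demonstration and do not come from a real application.

```c
/* Added example (not the chapter's code): flag include/require statements
   whose first argument starts with a variable, for manual review. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static const char *const include_keywords[] = {
    "include_once", "require_once", "include", "require"
};

static int is_ident_char(char c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Return 1 if the line contains an include/require whose first argument
   starts with '$'. The identifier-boundary check keeps "includeText(" or
   "my_require(" from matching. String literals are not flagged, so a
   concatenation such as 'pages/' . $x still needs a reader's eye. */
int line_has_variable_include(const char *line)
{
    for (size_t k = 0; k < sizeof include_keywords / sizeof include_keywords[0]; k++) {
        const char *kw = include_keywords[k];
        size_t kwlen = strlen(kw);
        const char *p = line;
        while ((p = strstr(p, kw)) != NULL) {
            const char *q = p + kwlen;
            int whole_word = (p == line || !is_ident_char(p[-1])) && !is_ident_char(*q);
            p = q;                          /* keep searching after this hit */
            if (!whole_word)
                continue;
            while (*q == ' ' || *q == '\t')
                q++;
            if (*q == '(') {                /* include($x) and include $x are both legal PHP */
                q++;
                while (*q == ' ' || *q == '\t')
                    q++;
            }
            if (*q == '$')
                return 1;
        }
    }
    return 0;
}

/* Count flagged lines and record their 1-based numbers (up to max_flagged). */
int count_variable_includes(const char *const lines[], int nlines,
                            int flagged[], int max_flagged)
{
    int count = 0;
    for (int i = 0; i < nlines; i++) {
        if (line_has_variable_include(lines[i])) {
            if (count < max_flagged)
                flagged[count] = i + 1;
            count++;
        }
    }
    return count;
}

/* Constructed sample script, not taken from any real application. */
static const char *const sample_php[] = {
    "<?php",
    "include 'header.php';",
    "require_once('lib/db.php');",
    "$page = $_GET['page'];",
    "include($page . '.php');",
    "include $_REQUEST['tpl'];",
    "echo includeText($page);",
    "require(\"footer.php\");",
};
#define SAMPLE_PHP_LINES (int)(sizeof sample_php / sizeof sample_php[0])

int main(void)
{
    int flagged[8];
    int n = count_variable_includes(sample_php, SAMPLE_PHP_LINES, flagged, 8);
    for (int i = 0; i < n; i++)
        printf("review line %d: %s\n", flagged[i], sample_php[flagged[i] - 1]);
    return 0;
}
```

Two hits in the sample, lines 5 and 6, are exactly the pattern the text describes: the included path is under the client's control. On the configuration side, the remote-file half of the attack (the include fetching a file from another Web server) depends on PHP's allow_url_include setting, which should be Off; that closes the download path but not the local variant, so the code review is still needed.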
An attacker is able to supply the definition of a variable to the script, or is
able to execute commands using escape characters such as the backtick (`) and
vertical bar (|) in an input field. When the string is received, similar to the
PHP include issue, commands are executed with the privileges of the Web server
process. Input validation bugs may also result in the disclosure of information
that can allow an attacker to gain access to a host, or elevated privileges.
Through an input validation error, an attacker could gain information such as
the contents of a password file, a core file, or other sensitive information.
This is particularly true of directory traversal problems that exist in some
Web servers, where an attacker could supply the path to a file to be viewed.
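Both problems in the paragraph above, shell metacharacters in a CGI field and directory traversal in a requested path, are input validation failures, and both are fixed the same way: decide what input is allowed and reject everything else, rather than trying to strip the characters known to be dangerous. The code below is an added example, not from the chapter; the document root and request strings are constructed, and the function names are mine.

```c
/* Added example (not the chapter's code): allowlist validation for a CGI
   argument, and lexical confinement of a requested path to a document root. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_SEGMENTS 64

/* Allowlist check for a value that will be handed to a shell or another
   command interpreter: accept only letters, digits, '.', '_' and '-'.
   Stripping ` and | is the wrong approach; the set of characters a shell
   treats specially is long and depends on the shell and the quoting. */
int is_safe_argument(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Lexically resolve a client-supplied relative path and confine it to
   docroot. On success writes "docroot/normalised/path" to out and returns 0.
   Returns -1 for absolute or empty paths, anything that climbs above docroot
   with "..", dotfile names (for example .htpasswd), or an overflow of out. */
int resolve_under_root(const char *docroot, const char *request,
                       char *out, size_t out_size)
{
    const char *segs[MAX_SEGMENTS];
    size_t lens[MAX_SEGMENTS];
    int depth = 0;
    const char *p = request;

    if (request[0] == '\0' || request[0] == '/')
        return -1;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (*p == '/')
            p++;
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                       /* "//" or "./": no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;                  /* would leave docroot */
            depth--;
            continue;
        }
        if (start[0] == '.' || depth == MAX_SEGMENTS)
            return -1;
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }
    if (depth == 0)
        return -1;                          /* resolved to docroot itself */

    int n = snprintf(out, out_size, "%s", docroot);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    size_t used = (size_t)n;
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= out_size)
            return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    char path[256];
    const char *requests[] = { "docs/index.html", "docs/../../etc/passwd", "/etc/passwd" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s -> %s\n", requests[i],
               resolve_under_root("/var/www", requests[i], path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```

The path check is purely lexical, which is what you want before anything touches the filesystem, but it is not the whole story: a symbolic link inside the document root can still point outside it, and a request string must be checked for an embedded NUL byte before it becomes a C string. On a real server, follow this check with a realpath() comparison, or open files with O_NOFOLLOW, so the two layers back each other up.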
An attacker could also potentially use this problem to disclose the contents of
the master password file on the system, unveiling a list of the user names on
the host that would be useful in a brute force attack, which we will discuss
next.
Brute Force Attacks
A brute force attack involves using time and chance to gain access to a host.
Brute force attacks can be performed manually against a host, or using an
automated program. The easiest method is the latter. A brute force attack can
be used to gain remote access by trying username and password combinations
through an interactive service such as Secure Shell (SSH), Telnet, or the File
Transfer Protocol (FTP). Most Unix systems restrict direct remote login of an
administrator; therefore, unprivileged access is what is gained from this type
of attack. Once a valid username and password combination is discovered, the
attacker gains access to the host with the privileges of the cracked user. The
attacker can use the user's account to launch attacks from the host, or the
attacker can attempt to gain elevated privileges on the host.
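An automated brute force attack against SSH leaves a very visible trace: a run of "Failed password" records from one source address. The tally below is an added example, not code from the chapter, of the check a defender would run over the authentication log to find sources that deserve a block rule. The log lines are constructed for the demonstration (documentation addresses, invented host name and PIDs) and follow the sshd message layout; the function names are mine.

```c
/* Added example (not the chapter's code): count failed SSH logins per source
   address from sshd log records and flag sources over a threshold. */
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 32
#define IP_LEN 46                       /* enough for an IPv6 address */

struct source_count {
    char ip[IP_LEN];
    int failures;
};

/* Pull the source address out of an sshd "Failed password" record. The
   address is taken as the token just before " port ", not the one after
   " from ", because the username is attacker-chosen and could itself contain
   the text " from 1.2.3.4". Returns 1 and fills ip, or 0 if the line is not a
   failed login. */
int parse_failed_login(const char *line, char *ip, size_t ip_size)
{
    if (strstr(line, "Failed password for") == NULL)
        return 0;
    const char *port = strstr(line, " port ");
    if (port == NULL)
        return 0;
    const char *start = port;
    while (start > line && start[-1] != ' ')
        start--;
    size_t n = (size_t)(port - start);
    if (n == 0 || n + 1 > ip_size)
        return 0;
    memcpy(ip, start, n);
    ip[n] = '\0';
    return 1;
}

/* Tally failed logins per source address over a batch of lines. Returns the
   number of distinct sources stored in out (at most max_out). */
int tally_failures(const char *const lines[], int nlines,
                   struct source_count out[], int max_out)
{
    int count = 0;
    char ip[IP_LEN];
    for (int i = 0; i < nlines; i++) {
        if (!parse_failed_login(lines[i], ip, sizeof ip))
            continue;
        int j;
        for (j = 0; j < count; j++)
            if (strcmp(out[j].ip, ip) == 0)
                break;
        if (j == count) {
            if (count == max_out)
                continue;                   /* table full: drop, never overflow */
            memcpy(out[count].ip, ip, sizeof ip);
            out[count].failures = 0;
            count++;
        }
        out[j].failures++;
    }
    return count;
}

/* How many sources reached the threshold: candidates for a firewall rule. */
int sources_over_threshold(const struct source_count src[], int n, int threshold)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (src[i].failures >= threshold)
            hits++;
    return hits;
}

/* Constructed sample records in sshd's format; not from a real host. */
static const char *const sample_log[] = {
    "Jan 10 03:14:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2",
    "Jan 10 03:14:03 host sshd[2211]: Failed password for root from 203.0.113.7 port 4243 ssh2",
    "Jan 10 03:14:05 host sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 4244 ssh2",
    "Jan 10 03:14:06 host sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 4245 ssh2",
    "Jan 10 03:14:08 host sshd[2214]: Accepted publickey for deploy from 198.51.100.20 port 50122 ssh2",
    "Jan 10 03:14:09 host sshd[2215]: Failed password for alice from 198.51.100.20 port 50130 ssh2",
    "Jan 10 03:14:10 host sshd[2216]: Failed password for root from 203.0.113.7 port 4246 ssh2",
};
#define SAMPLE_LOG_LINES (int)(sizeof sample_log / sizeof sample_log[0])

int main(void)
{
    struct source_count src[MAX_SOURCES];
    int n = tally_failures(sample_log, SAMPLE_LOG_LINES, src, MAX_SOURCES);
    for (int i = 0; i < n; i++)
        printf("%-16s %d failed logins\n", src[i].ip, src[i].failures);
    printf("%d source(s) at or over threshold 3\n", sources_over_threshold(src, n, 3));
    return 0;
}
```

The single failure from 198.51.100.20 is a user mistyping a password; the five from 203.0.113.7 against four different account names in nine seconds are the automated tool the text describes. A production version would add a time window and, as the paragraph that follows suggests, watch for the same source probing many user names, since that pattern appears when the attacker has obtained a list of valid accounts.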
Gaining elevated privileges and compromising the administrative account on the
system is the priority, as it allows the attacker to put software in place to
hide his penetration of the system. A brute force attack is a matter of
probability. The odds are stacked in favor of the house, as the probability of
an attacker guessing both a username and password is somewhat slim. However, if
an attacker can use another bug such as an input validation issue to gain
access to a list of valid accounts on the host, the probability of success
increases dramatically, especially with the use of an automated brute force
tool.
Local Privilege Elevation
If the attack did not result in elevated privileges after a system has been
compromised, additional steps are required. To gain elevated privileges locally,
an attacker must find a means of exploiting a privileged program or process.
Accordingly, we would take the same path in gaining elevated privileges. Once
access to the local system has been gained, you must evaluate your situation to
determine your next move. First, you must determine if you have gained full
access to the host, or if you are confined to a particular section of the host,
such as a chroot directory. You must also determine the privileges you have
locally on the compromised system. Once you have gathered that information, you
must determine the method you are going to use to gain elevated privileges.
Restricted Environments
Once you have compromised the service to gain access to
the system, you must determine if the process you have exploited has been
confined to a directory with the chroot() or jail() system calls. Services that
have been compromised and are restricted to a directory using these system calls
will require breaking the restricted environment to launch privilege escalation
attacks on the local host.
The steps required to break a restricted
environment depend entirely on the restricted environment. First, if the process
is run as root, you can use known problems with the implementation of some
chroot environments to escape. If you do not have root access through the
compromised service, but have the ability to exploit something in the chroot
environment to gain root access, you can follow the previously mentioned
procedure with the additional step of first gaining root access. Other
restricted environments, such as restricted shells, may be escaped using other
known problems with implementations.
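Two points in this chapter come down to the same few lines of code in a service: the earlier remark that a service which drops privileges may still have them reclaimed when it is exploited, and the observation just above that a chroot is escapable when the confined process is still root. The code below is an added example, not from the chapter, of how a service should do both so that neither weakness applies. Function names are mine; the drop-verification step (trying to become root again and treating success as failure) is the check a reviewer looks for.

```c
/* Added example (not the chapter's code): drop privileges irrevocably and
   set up a chroot in the order that does not leave an escape route. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Refuses uid or gid 0 as a target. After
   switching, verifies the drop is irrevocable: if setuid(0) still succeeds,
   only the effective id was changed (the seteuid() mistake) and exploit code
   running in the process can take root back, so the function reports failure.
   Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    /* Supplementary groups do not change with setgid(); clear them while we
       still have the privilege to do so. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)           /* group before user: needs root to still be held */
        return -1;
    if (setuid(uid) != 0)           /* setuid(), not seteuid(): sets real, effective and saved ids */
        return -1;
    if (setuid(0) == 0)             /* must fail; if it works, nothing was really dropped */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Confine the process to dir and then drop root, in the only order that
   works: chdir() first so the working directory is inside the jail, chroot()
   while still root (it requires the privilege), chdir("/") so nothing refers
   to the old tree, then drop privileges. A process that stays root inside a
   chroot can get out of it, which is the weakness the text refers to. */
int enter_chroot_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0)
        return -1;
    if (chroot(".") != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    return drop_privileges(uid, gid);
}

int main(void)
{
    /* Demonstration only: run as an ordinary user this drops to the caller's
       own ids and verifies the result; chroot itself needs root and is not
       exercised here. */
    if (drop_privileges(getuid(), getgid()) == 0)
        puts("privileges dropped and verified irrevocable");
    else
        puts("drop failed (if running as root, pass an unprivileged uid/gid)");
    return 0;
}
```

Any file descriptor the service opened before the chroot still works afterwards, so open only what the jail needs before calling enter_chroot_and_drop(), or close the rest. The same ordering applies to jail() on systems that have it.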
One such example is the capability of most Unix editors to spawn a shell, which
is often not restricted. If you have compromised a host and gained access to a
restricted shell, you will have to circumvent the shell before you can launch
further attacks on the host.
Vulnerability Exposure
Previously, I discussed a few different types of attacks used to remotely gain
access to a host. These attacks included exploiting programming errors,
exploiting input validation errors, and brute force attacks. These types of
attacks, however, do not only apply to the system in a remote environment. You
may also use these types of attacks in gaining elevated privileges on the local
host.
This involves knowing what to look for, and where to start these types of
attacks. To exploit programming errors and input validation bugs, you need only
find a program on the system that executes with elevated privileges. This can
be a program that is setuid, or one that is executed by a privileged user, such
as through cron or other means. The best way to go about finding problems that
grant elevated privileges when exploited is to search out a vulnerability
database or exploit archive, and reference system details against the available
information. It is also possible to take advantage of other classes of
vulnerabilities with local system access. Problems such as configuration errors
are more devastating at the local system level.
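The programs that execute with elevated privileges are exactly the inventory an administrator should keep, so that each setuid or setgid binary on the host is known, justified, and checked against the vulnerability databases the text mentions. The walker below is an added example, not code from the chapter; it builds a small throwaway directory tree for its own self-check, and the function names are mine.

```c
/* Added example (not the chapter's code): inventory setuid/setgid files
   under a directory, the privileged programs a local attacker would target. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_HITS 64
#define PATH_BUF 512

/* nftw() passes no user pointer, so results go through file-scope storage. */
static char hits[MAX_HITS][PATH_BUF];
static int nhits;

static int visit(const char *path, const struct stat *sb, int type, struct FTW *ftwbuf)
{
    (void)ftwbuf;
    if (type == FTW_F && (sb->st_mode & (S_ISUID | S_ISGID)) && nhits < MAX_HITS) {
        snprintf(hits[nhits], PATH_BUF, "%s", path);
        nhits++;
    }
    return 0;                           /* keep walking */
}

/* Collect regular files under root carrying the setuid or setgid bit.
   FTW_PHYS: do not follow symlinks; FTW_MOUNT: stay on one filesystem.
   Returns the number of paths written to out, or -1 on a walk error. */
int find_setuid_files(const char *root, char out[][PATH_BUF], int max_out)
{
    nhits = 0;
    if (nftw(root, visit, 16, FTW_PHYS | FTW_MOUNT) != 0)
        return -1;
    int n = nhits < max_out ? nhits : max_out;
    for (int i = 0; i < n; i++)
        strcpy(out[i], hits[i]);
    return n;
}

static int create_file(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return -1;
    close(fd);
    return chmod(path, mode);           /* explicit chmod: the umask would strip bits on create */
}

/* Build a throwaway tree for the self-check: one plain executable and one
   with the setuid bit set. Writes the directory name to dir. */
int make_sample_tree(char *dir, size_t dir_size)
{
    char tmpl[] = "/tmp/suidscanXXXXXX";
    char path[PATH_BUF];
    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(dir, dir_size, "%s", tmpl);
    snprintf(path, sizeof path, "%s/plain", tmpl);
    if (create_file(path, 0755) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/elevated", tmpl);
    return create_file(path, S_ISUID | 0755);
}

/* Remove the sample tree again. Returns 0 on success. */
int remove_sample_tree(const char *dir)
{
    char path[PATH_BUF];
    snprintf(path, sizeof path, "%s/plain", dir);
    unlink(path);
    snprintf(path, sizeof path, "%s/elevated", dir);
    unlink(path);
    return rmdir(dir);
}

int main(void)
{
    char dir[PATH_BUF];
    char found[MAX_HITS][PATH_BUF];
    if (make_sample_tree(dir, sizeof dir) != 0)
        return 1;
    int n = find_setuid_files(dir, found, MAX_HITS);
    for (int i = 0; i < n; i++)
        printf("setuid/setgid: %s\n", found[i]);
    remove_sample_tree(dir);
    return 0;
}
```

Run against "/" as root this produces the list to compare against the vendor's package manifests; anything not accounted for, or any binary with a known local issue, goes on the fix list. The other class the text names, programs run by a privileged user from cron, is not found by mode bits: review the crontab entries themselves and check that no script they run is writable by an unprivileged user.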
Other issues, such as environment errors and race conditions,
also become more feasible to exploit. Once local access has been gained to the
system, it is merely a matter of time, patience, and research before gaining
elevated privileges.