Getting Rooted and Never Knowing It
The importance of kernel integrity
Job de Haas
July 25th, 2000
<[email protected]>
Black Hat Briefings
Las Vegas
Overview
• The issue
• Detection
• How to avoid it?
• Introducing kmod
• What can be done about it?
The issue
• root is almighty
• lots of opportunities to hack root
• root can change the kernel
• the kernel is critical to detect abuse
– A kernel attack can be very effective.
Some arguments
• When you get rooted you have lost anyway
– but why do we make it so easy?
• It is so sophisticated that the risk is very low
– kernel hacking falls in the scriptable class
• My OS is closed source so it won't be feasible
– who are you kidding?
• All solutions result in unworkable situations
– So let's do better!
Detection
• Host-based Intrusion detection
• Network-based Intrusion detection
• Misuse detection
• Anomaly detection
• System health monitoring
Detection
• Audit trails
• System monitoring
• Integrity checking
• Network protocol sniffing and reconstruction
What to hide from?
• Black Hat: repeatedly use a system without detection
• White Hat: hide or protect detection measures.
• Tripwire (and other host based IDS)
• Process accounting
• Auditing trail software
• ‘netstat’, ‘lsof’, ‘ps’ etc.
What to hide?
• Use your imagination: anything the kernel does or shows can be changed:
– Processes
– Backdoors: changed programs
– Files
– System logging
– Network connections or interface state
– File modification times
– Loadable modules
– …
How to fool tripwire
• Tripwire calculates signatures of
– File content
– File properties (timestamps, owner)
– Directory properties (number of files in it)
• The (modified) kernel should preserve these properties.
– execve() opens different file than open() does
– stat() returns original values
What is a Kernel?
• The Operating System ‘program’
– Offers services to ‘userland’
• Creates and maintains processes
• Separation of privileges and memory
• Access to devices
• …
– Extensible: network protocols, filesystems
– No internal privilege levels
– …
What is a Kernel? - 2
• ‘Userland’ can
– inquire about kernel state
– change kernel state
– For example: state of network devices
• Through:
– System calls
– /dev devices (e.g. /dev/kmem)
– /proc filesystem
How to modify a kernel?
• Loadable kernel modules
• Write-able kernel memory
– Write directly in /dev/(k)mem
• The kernel executable
– Build a new kernel
Loadable modules
• Modularization of the kernel
– Only use resources when needed
– Generally works well for any design
• Mechanism:
– Compiled code is resolved against kernel symbols
– Memory is allocated
– Code is copied in and an initialization function is called
Introducing kmod
• Goal:
– Demonstrate effect of kernel modifications
– Targeted at Solaris
– ‘Easy’ to use.
– Use several ways to manipulate kernel
– Open Source
Details: How to proceed?
• Think about how to fool programs.
• Use the kernel internal structures:
– Switch tables
– Linked lists
– Global variables
Kernel switch tables
• Changing function pointers
• Kernel uses ‘switch tables’ for extensibility.
• Overwrite function pointer:
– old_execve = sys_call_table[SYS_execve]
– sys_call_table[SYS_execve] = new_execve
Kernel linked lists.
• Used for dynamically adding entries
• Hide:
Where to start?
• Decide where to intercept
– Hide processes:
• Memory device (/dev/(k)mem)
• Filesystem switch table (/proc)
– Hide backdoors:
• Execve -> syscall table
– Hide files:
• Filesystem switch table (ufs_getattr())
Example: execve()
• Has an entry in the syscall table:
/usr/include/sys/syscall.h:
#define SYS_execve 59
• Looks like:
/usr/include/sys/exec.h:
struct execa {
    char *fname;
    char **argp;
    char **envp;
};
extern int exece(struct execa *, rval_t *);
Example: execve() 2
• Modify behavior:
– Save pointer to original exece()
– Replace it with pointer to our new_exece()
– Do our work and call old_exece()
• Advantages:
– No detailed knowledge needed about original exece()
– Not very dependent on kernel patches that might change the original exece()
Example: execve() 3
• We want to change:
– Test if we call a backdoor executable
– If not, do nothing and call old_exece
– If so, redirect the call to our backdoored version by supplying a new fname
– Make sure it is not visible from userland that a different executable has been called
Example: execve() 4 and 5
• We need to test the pathname only (the declarations of backdp, vp, vnp, cp, size, error, regsp and p are not on the slides; they live elsewhere in kmod):
int
new_exece(struct execa *eap, rval_t *rp)
{
    /* Only act when backdoors are registered and the caller is not a hidden process. */
    if (backd_head && !ishid(p)) {
        /* Resolve the user-supplied pathname to its vnode. */
        if (error = lookupname(eap->fname, UIO_USERSPACE, FOLLOW, NULLVPP, &vp))
            return (error);
        /* Walk the backdoor list for an entry whose vnode matches. */
        backdp = backd_head;
        while (!VN_CMP(backdp->vp, vp) && ((backdp = backdp->bd_nxt) != NULL))
            ;
        if (backdp) {
            kmod_log(KMOD_CE_DEBUG3, "exec matched, redir to %s\n", backdp->bdfname);
            lookupname(backdp->bdfname, UIO_SYSSPACE, FOLLOW, NULLVPP, &vnp);
            /* Copy the replacement name onto the user stack and point fname at it. */
            size = strlen(backdp->bdfname) + 1;
            cp = regsp->r_sp - size;
            error = copyout(backdp->bdfname, (caddr_t) cp, size);
            eap->fname = (char *) cp;
        }
    }
    /* Either way, hand over to the original exece(). */
    return (old_exece(eap, rp));
}
Example: execve() 6
• Result if we have an entry with backdp->bdfname = “/bin/login”:
– execve(“/bin/login”, a, e) will really do execve(“/bin/mylogin”, a, e)
but
– open(“/bin/login”) will still do open(“/bin/login”)
System calls
• Some system calls that were changed:
• fork
• fork1
• kill
• sigqueue
• exec
• exece
Filesystem routines
• ufs_readdir
• ufs_lookup
• ufs_create
• ufs_remove
• ufs_rename
• ufs_setattr
• ufs_getattr
• pr_readdir
• pr_lookup
• spec_ioctl
Miscellaneous
• For /dev/kmem:
– mmread
• For netstat:
– tcp_wput
– strrput
Other features
• /proc or /dev/kmem hides a process which has a ‘hidden flag’.
• fork() will hide a child of a hidden process.
• Signals to hidden processes fail.
• Information on network objects hidden from ‘netstat’
Other features
• Files and directories with a special prefix are hidden.
• stat() will show ‘correct’ number of files in directory (nlink)
• Reboot proof
Reboot proof mechanism
• Rename an existing kernel module: /kernel/strmod/connld -> /kernel/misc/<prefix>
• Place rogue module at that spot.
• Redirect all UFS routines for /kernel/strmod/connld to /kernel/strmod/<prefix>
• Have the rogue module load /kernel/strmod/<prefix> and hide itself
Demonstration
• Following steps:
– Hack root remote
– Install kmod kit
– Install backdoor
– Run tripwire
– Inspect system with other tools: ps, lsof
– Reboot
– Check again
Advanced
• No loadable module support?
– Copy directly into kernel memory
• In-kernel network daemons -> hide network connections
• Modify executable code directly if possible
• Change network stack protocol behavior
– Phrack 55, September 9, 1999: http://www.phrack.com
Advanced 2
• Snoop ttys through loadable modules
• Install and hide ipfilter and redirect traffic based on some token to a local backdoor.
What can be done about it?
• Securelevel protection.
• Reduce root: Fine grained privileges.
• Userland kernel integrity checker
– Easily fooled
• In-kernel kernel integrity checker
– Chicken and egg problem
– IPD http://www.pedestalsoftware.com
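The switch-table hook from the earlier slide (old_execve = sys_call_table[SYS_execve]; sys_call_table[SYS_execve] = new_execve) and the integrity checker listed here can be modelled together in userland. The C program below is an added example, not kmod code and not the IPD product: it keeps a small table of function pointers, installs a chain-calling hook the way the slides describe, and then compares the table against a baseline snapshot; the table, the fake syscalls and the /bin/login -> /bin/mylogin pair are constructed for the demonstration. The snapshot only catches the hook if it was taken while the table was still trusted and the comparison itself runs from code the hook cannot reach, which is the chicken-and-egg problem the slide names.

```c
#include <stdio.h>
#include <string.h>

/* A tiny "kernel" with a two-entry syscall switch table (constructed model). */
typedef int (*syscall_fn)(const char *path);
enum { SYS_EXECVE = 0, SYS_OPEN = 1, NSYSCALL = 2 };

static const char *last_exec;           /* path the model kernel really executed */
static int sys_execve(const char *path) { last_exec = path; return 0; }
static int sys_open(const char *path)   { (void)path; return 3; }   /* fake fd */

static syscall_fn sys_call_table[NSYSCALL] = { sys_execve, sys_open };

/* The hook pattern from the slides: save the old entry, chain to it. The
 * replacement only redirects execs of /bin/login to /bin/mylogin and leaves
 * open() alone, which is why a file-hash check of /bin/login still passes. */
static syscall_fn old_execve;
static int new_execve(const char *path) {
    if (strcmp(path, "/bin/login") == 0)
        path = "/bin/mylogin";
    return old_execve(path);
}
void install_hook(void) {
    old_execve = sys_call_table[SYS_EXECVE];
    sys_call_table[SYS_EXECVE] = new_execve;
}

/* Integrity checker: a snapshot of the table taken while it is still trusted. */
static syscall_fn baseline[NSYSCALL];
void snapshot_table(void) { memcpy(baseline, sys_call_table, sizeof baseline); }

/* Returns how many entries no longer point where the snapshot says they should. */
int check_table(void) {
    int changed = 0;
    for (int i = 0; i < NSYSCALL; i++)
        if (sys_call_table[i] != baseline[i]) { printf("syscall %d: entry modified\n", i); changed++; }
    return changed;
}

/* Dispatch through the table like a trap handler would and report what really ran. */
const char *exec_via_table(const char *path) { sys_call_table[SYS_EXECVE](path); return last_exec; }
int open_via_table(const char *path) { return sys_call_table[SYS_OPEN](path); }

int main(void) {
    snapshot_table(); install_hook();
    printf("execve(\"/bin/login\") really ran %s\n", exec_via_table("/bin/login"));
    return check_table() == 1 ? 0 : 1;   /* exit 0 when the hook is detected */
}
```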
Securelevels
• Protection mechanism
• Prevents all users including root from modifying kernel memory directly
• Found in *BSD and Linux
• Not found on most commercial Unices
• Depends on the value of 2 bits in the kernel
Fine grained privileges
• Examples:
– Capabilities:
ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/index.html
– Mandatory Access Control (MAC)
• ftp://ftp.tislabs.com/pub/lomac/
• http://www.trustedbsd.org/downloads/
– Trusted Solaris
– PitBull from Argus Systems
FreeBSD: Jail
• Developed by Poul-Henning Kamp for FreeBSD 4.0
• Beefed up chroot()
• Acts a bit like a MAC system with one label: jail -> simplification
• More info: http://www.nluug.nl/events/sane2000/papers/kamp.pdf
Windows?
• Same problems
• Internals less understood (yet)
• Open Source project:
– http://www.rootkit.com
Acknowledgement
• Gene Kim, Tripwire, for supplying the demonstration copy.
References
• Phrack 50-55, http://www.phrack.com
• THC, http://thc.pimmel.org
• UNIX Internals by Vahalia
• Design and Implementation of the 4.4BSD Operating System
• http://docs.sun.com
• http://www.itsx.com/kmod.html