Linux Operating System Vulnerabilities

SCSC 555

Fundamentals of Linux operating system

Vulnerabilities of Linux operating system

Remote attacks on Linux Protecting Linux operating system

2

3

Linux default directories

Linux file system history•Minix file system•Extended File System (Ext)•Second Extended File System (Ext2fs)•Third Extended File System (Ext3fs)

(read details on text)

4

File system◦ Enables directories or folders organization◦ Establishes a file-naming convention◦ Includes utilities to compress or encrypt files◦ Provides for both file and data integrity◦ Enables error recovery◦ Stores information about files and folders

File systems store information about files in information nodes (inodes)

5

Information stored in an inode◦ An inode number◦ Owner of the file◦ Group the file belongs to◦ Size of the file◦ Date the file was created◦ Date the file was last modified or read

File systems use a fixed number of inodes◦ mounts a file system as a subfile system of the

root file system

6

mount command is used to mount file systems

7

8

df command displays the currently mounted file systems

Linux File System (continued)

9

Linux Network Commands

10

Linux Network Commands

Fundamentals of Linux operating system

Vulnerabilities of Linux operating system

Remote attacks on Linux Protecting Linux operating system

11

UNIX has been around for quite some time◦ Attackers have had plenty of time to discover

vulnerabilities in *NIX systems◦ Enumeration tools can also be used against Linux systems

Nessus can be used to enumerate Linux systems Discover vulnerabilities related to SMB and NetBIOS Enumerate shared resources Discover the root password

12

13

14

15

Common known vulnerabilities (CVE)

Fundamentals of Linux operating system

Vulnerabilities of Linux operating system

Remote attacks on Linux Protecting Linux operating system

16

Differentiate between local attacks and remote attacks◦ Remote attacks are harder to perform

◦ Attacking a network remotely requires Knowing what system a remote user is operating The attacked system’s password and login accounts

17

Footprinting techniques◦ Used to find out information about a target

system◦ footprinting tools include: Whois databases, DNS zone

transfers, Nessus, and port scanning tools

Determining the OS version the attacked computer is running◦ Check newsgroups for details on posted

messages◦ Knowing a company’s e-mail address makes the

search easier

18

Goal◦ To get OS information from company employees

Common techniques◦ Urgency◦ Quid pro quo◦ Status quo◦ Kindness◦ Position

Train your employees about social engineering techniques

19

Trojan programs spread as◦ E-mail attachments◦ Fake patches or security fixes that can be

downloaded from the Internet Trojan program functions

◦ Allow for remote administration◦ Create a FTP server on attacked machine◦ Steal passwords◦ Log all keys a user enters, and e-mail results to

the attacker

20

Linux Trojan programs disguised as legitimate programs◦ can use legitimate outbound ports◦ Firewalls and IDSs cannot identify this traffic as

malicious E.g.: Sheepshank use port 80 FTTP GET (p214)

It is easier to protect systems from already identified Trojan programs◦ E.g., Trojan.Linux.JBellz, Remote Shell, Dextenea

21

Rootkits◦ Contain Trojan binary programs ready to be

installed by an intruder with root access to the system

◦ Attacker hide the tools used for later attacks◦ Replace legitimate commands with Trojan

programs◦ E.g.: LRK5

Tool to check rootkits◦ Rootkit Hunter◦ Chkrootkit

22

23

• Scan the system(s) for un-patched code/module

• Intruders usually focus on a small number of exploits

Trojan horse is a malicious program that is disguised as legitimate software◦ Trojan horse programs bundled in the form of “Rootkits”.

◦ Originally written for Sun’s Berkeley flavor of Unix (SunOS 4)

24

"

A rootkit is a set of tools used by an intruder after cracking a computer system. ◦ help the attacker maintain his or her access to the system

and use it for malicious purposes. ◦ Hides data that indicates an intruder has control of your

system◦ Rootkits exist for a variety of operating systems such as

Linux, Solaris and Microsoft Windows.

25

Rootkits were first developed for Unix◦ Back in 1980’s determining what was happening

on your Unix box wasn’t too hard◦ a set of tools “service tools” report status,

maintain logs and provide user feedback to the current state of the system.

26

27

User account informationEg: who, last, login, passwd

Process/File informationEg: ls, find, du, top, pidof, du

Network informationEg:netstat, ifconfig, rshd, telnet

System/User LogsEg: /var/log/messages

Scheduler informationEg: crontab

Future

Present

Past

Early Rootkits were bundle of program that replaced these service binary with trojans

For example: a binary of “last” with following wrapper script

last | awk '$1 !~ /malliciousUserName/ {print $0}'

28

Linux RootKit 5 (lrk5)◦ written by Lord Somer◦ one of the most full-featured RootKits◦ includes Trojan versions of the following:

chfn, chsh, crontab, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, and su

29

Get a program to scan /bin/login and see if it has been corrupted◦ Tools like Tripwrie can check the Integrity of the

file if an hash has been generated at install time.

Identify and replace the files that have been modified. ◦ Use md5 checksum to check for the authenticity

of the program.

30

Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set

Editor)

31

aliens sniffer basename dirname grep identd

asp wted biff echo inetdconf mail

bindshell scalper chfn egrep hdparm killall

lkm slapper chsh env ifconfig ldsopreload

rexedcs amd cron find su login

du z2 date fingerd inetd ls

mingetty pop3 sendmail telnetd w write

pidof slogin syslogd tcpdump traceroute timed

passwd rshd tcpd sshd tar top

rpcinfo gpm pstree ps named netstat

pop2 rlogind lsof init

32

33

01. lrk3, lrk4, lrk5, lrk6 (and variants);

02. Solaris rootkit; 03. FreeBSD rootkit; 04. t0rn (and variants); 05. Ambient's Rootkit (ARK); 06. Ramen Worm; 07. rh[67]-shaper; 08. RSHA; 09. Romanian rootkit; 10. RK17; 11. Lion Worm; 12. Adore Worm; 13. LPD Worm; 14. kenny-rk; 15. Adore LKM; 16. ShitC Worm;

17. Omega Worm;18. Wormkit Worm;19. Maniac-RK;20. dsc-rootkit;21. Ducoci rootkit;22. x.c Worm;23. RST.b trojan;24. duarawkz;25. knark LKM;26. Monkit;27. Hidrootkit;28. Bobkit;29. Pizdakit;30. t0rn v8.0;31. Showtee;32. Optickit;33. T.R.K;

34. MithRa's Rootkit;35. George;36. SucKIT;37. Scalper;38. Slapper A, B, C and D;

39. OpenBSD rk v1;40. Illogic rootkit;41. SK rootkit.42. sebek LKM;43. Romanian rootkit;44. LOC rootkit;45. shv4 rootkit;46. Aquatica rootkit;47. ZK rootkit;

Buffer overflows write code to the OS’s memory◦ Then run some type of program◦ Can elevate the attacker’s permissions to the

level of the owner A buffer overflow program looks like

34

The program compiles, but returns the following error

35

Guidelines to help reduce this type of attack◦ Avoids functions known to have buffer overflow

vulnerabilities strcpy() strcat() sprintf() gets()

◦ Configure OS to not allow code in the stack to run any other executable code in the stack

◦ Use compilers that warn programmers when functions listed in the first bullet are used

36

Sniffers work by setting a network card adapter in promiscuous mode◦ NIC accepts all packets that traverse the network

cable Attacker can analyze packets and learn user

names and passwords◦ Avoid using protocols such as Telnet, HTTP, and

FTP that send data in clear text Sniffers

◦ Tcpdump, Ethereal (wireshark)

37

Fundamentals of Linux operating system

Vulnerabilities of Linux operating system

Remote attacks on Linux Protecting Linux operating system

38

Users must be told not to reveal information to outsiders

Make customers aware that many exploits can be downloaded from Web sites

Teach users to be suspicious of people asking questions about the system they are using◦Verify caller’s identity◦Call back technique

39

Keeping current on new kernel releases and security updates◦ Installing these fixes is essential to protecting

your system◦ automated tools for updating your systems

40