View
219
Download
5
Category
Preview:
Citation preview
October 25th, 2000 Black Hat BriefingsAmsterdam
Getting rooted and never knowing it
The importance of kernel integrity
Job de Haas <job@itsx.com>
October 24th, 2000 Black Hat BriefingsAmsterdam
Overview
• The issue• Detection• How to avoid it?• Introducing kmod.• What can be done about it?
October 24th, 2000 Black Hat BriefingsAmsterdam
The issue
• root is almighty• lots of opportunities to hack root• root can change the kernel• the kernel is critical to detect abuse
A kernel attack can be very effective.
October 24th, 2000 Black Hat BriefingsAmsterdam
Some arguments
• When you get rooted you have lost anyway but why do we make it so easy?
• It is so sophisticated that the risk is very low kernel hacking falls in the scriptable class
• My OS is closed source so it won't be feasible who are you kidding?
• All solutions result in unworkable situations So lets do better!
October 24th, 2000 Black Hat BriefingsAmsterdam
Detection
• Host-based Intrusion detection• Network-based Intrusion detection
• Misuse detection• Anomaly detection• System health monitoring
October 24th, 2000 Black Hat BriefingsAmsterdam
Detection
• Audit trails• System monitoring• Integrity checking• Network protocol sniffing and
reconstruction
October 24th, 2000 Black Hat BriefingsAmsterdam
What to hide from?
• Black Hat: repeatedly use a system without detection
• White Hat: hide or protect detection measures.
• Tripwire (and other host based IDS)• Process accounting• Auditing trail software• ‘netstat’, ‘lsof’, ‘ps’ etc.
October 24th, 2000 Black Hat BriefingsAmsterdam
What to hide?
• Use your imagination: anything the kernel does or shows can be changed:– Processes– Backdoors: changed programs– Files– System logging– Network connections or interface state– File modification times– Loadable modules– …
October 24th, 2000 Black Hat BriefingsAmsterdam
How to fool tripwire
• Tripwire calculates signatures of– File content– File properties (timestamps, owner)– Directory properties (number of files in it)
• The (modified) kernel should preserve these properties.– execve() opens different file than open() does– stat() returns original values
October 24th, 2000 Black Hat BriefingsAmsterdam
What is a Kernel?
• The Operating System ‘program’– Offers services to ‘userland’
• Creates and maintains processes• Separation of privileges and memory• Access to devices• …
– Extensible: network protocols, filesystems
– No internal privilege levels– …
October 24th, 2000 Black Hat BriefingsAmsterdam
What is a Kernel? - 2
• ‘Userland’ can– inquire about kernel state– change kernel state– For example: state of network devices
• Through:– System calls – /dev devices (e.g. /dev/kmem)– /proc filesystem
October 24th, 2000 Black Hat BriefingsAmsterdam
How to modify a kernel?
• Loadable kernel modules• Write-able kernel memory
– Write directly in /dev/(k)mem
• The kernel executable– Build a new kernel
October 24th, 2000 Black Hat BriefingsAmsterdam
Loadable modules
• Modularization of the kernel– Only use resources when needed– Generally works well for any design
• Mechanism:– Compiled code is resolved against kernel
symbols– Memory is allocated– Code is copied in and an initialization function
is called
October 24th, 2000 Black Hat BriefingsAmsterdam
Introducing kmod
• Goal:– Demonstrate effect of kernel
modifications– Targeted at Solaris– ‘Easy’ to use.– Use several ways to manipulate
kernel– Open Source
October 24th, 2000 Black Hat BriefingsAmsterdam
Details: How to proceed?
• Think about how to fool programs.
• Use the Kernel internal stuctures:– Switch tables– Linked lists– Global variables
October 24th, 2000 Black Hat BriefingsAmsterdam
Kernel switch tables.
• Changing function pointers• Kernel uses ‘switch tables’ for
extensibility.• Overwrite function pointer:
– old_execve = sys_call_table[SYS_execve]
– sys_call_table[SYS_execve]=new_execve
October 24th, 2000 Black Hat BriefingsAmsterdam
Kernel linked lists.
• Used for dynamically adding entries
• Hide:
October 24th, 2000 Black Hat BriefingsAmsterdam
Where to start?
• Decide where to intercept– Hide processes:
• Memory device (/dev/(k)mem• Filesystem switch table (/proc)
– Hide backdoors:• Execve -> syscall table
– Hide files:• Filesystem switch table (ufs_getattr())
October 24th, 2000 Black Hat BriefingsAmsterdam
Example: execve()
• Has an entry in the syscall table:/usr/include/sys/syscall.h:#define SYS_execve 59
• Looks like:/usr/include/sys/exec.h:struct execa { char *fname; char **argp; char **envp;};extern int exece(struct execa *, rval_t *);
October 24th, 2000 Black Hat BriefingsAmsterdam
Example: execve() 2
• Modify behavior:– Safe pointer to original exece()– Replace it with pointer to our new_exece()– Do our work and call old_exece()
• Advantages:– No detailed knowledge needed about
original exece()– Not very dependent on kernel patches that
might change the original exece()
October 24th, 2000 Black Hat BriefingsAmsterdam
Example: execve() 3
• We want to change:– Test if we call a backdoor executable– If not do nothing and call old_exece– If so redirect the call to our backdoor-
ed version by supplying a new fname– Make sure it is not visible from
userland that a different executable has been called
October 24th, 2000 Black Hat BriefingsAmsterdam
Example: execve() 4
• We need to test the pathname only:int new_exece(struct execa *eap, rval_t *rp)
{
if (backd_head && !ishid(p)) {
if (error = lookupname(eap->fname, UIO_USERSPACE, FOLLOW, NULLVPP, &vp)) return (error);
backdp = backd_head;
while (!VN_CMP(backdp->vp, vp)
&& ((backdp = backdp->bd_nxt) != NULL));
if (backdp) {
kmod_log(KMOD_CE_DEBUG3, "exec matched, redir to %s\n", backdp->bdfname);
October 24th, 2000 Black Hat BriefingsAmsterdam
Example execve() 5
lookupname(backdp->bdfname, UIO_SYSSPACE, FOLLOW, NULLVPP,&vnp);
size = strlen(backdp->bdfname) + 1;
cp = regsp->r_sp - size;
error = copyout(backdp->bdfname, (caddr_t) cp, size);
eap->fname = (char *) cp;
return(old_exece(eap, rp));
}
October 24th, 2000 Black Hat BriefingsAmsterdam
Example: execve() 6
• Result if we have an entry with backdp->bdfname = “/bin/login”:– execve(“/bin/login”, a,e) will really do
execve(“/bin/mylogin”,a,e)but– open(“/bin/login”) will still do
open(“/bin/login”)
October 24th, 2000 Black Hat BriefingsAmsterdam
System calls
• Some system calls that were changed:
• fork fork1• kill sigqueue• exec exece
October 24th, 2000 Black Hat BriefingsAmsterdam
Filesystem routines
• ufs_readdir ufs_lookup• ufs_create ufs_remove• ufs_rename ufs_setattr• ufs_getattr• pr_readdir pr_lookup• spec_ioctl
October 24th, 2000 Black Hat BriefingsAmsterdam
Miscellaneous
• For /dev/kmem:– mmread
• For netstat:– tcp_wput– strrput
October 24th, 2000 Black Hat BriefingsAmsterdam
Other features
• /proc or /dev/kmem hides a process which has a ‘hidden flag’.
• fork() will hide a child of a hidden process.
• Signals to hidden processes fail.• Information on network objects
hidden from ‘netstat’
October 24th, 2000 Black Hat BriefingsAmsterdam
Other features
• Files and directories with a special prefix are hidden.
• stat() will show ‘correct’ number of files in directory (nlink)
• Reboot proof
October 24th, 2000 Black Hat BriefingsAmsterdam
Reboot proof mechanism
• Rename an existing kernel module:/kernel/strmod/connld /kernel/misc/<prefix>
• Place rogue module at that spot.• Redirect all UFS routines for /kernel/strmod/connld to /kernel/strmod/<prefix>
• Have the rogue module load /kernel/strmod/<prefix> and hide itself
October 24th, 2000 Black Hat BriefingsAmsterdam
Demonstration
• Following steps:– Hack root remote– Install kmod kit– Install backdoor– Run tripwire– Inspect system with other tools: ps,
lsof– Reboot– Check again
October 24th, 2000 Black Hat BriefingsAmsterdam
Advanced
• No loadable module support?– Copy directly into kernel memory
• In-kernel network daemons -> hide network connections
• Modify executable code directly if possible
• Change network stack protocol behavior– Phrack 55: September 9, 1999– http://ww.phrack.com
October 24th, 2000 Black Hat BriefingsAmsterdam
Advanced 2
• Snoop ttys through loadable modules
• Install and hide ipfilter and redirect traffic based on some token to a local backdoor.
October 24th, 2000 Black Hat BriefingsAmsterdam
What can be done about it?
• Securelevel protection.• Reduce root: Fine grained
privileges.• Userland kernel integrity checker
– Easily fooled
• In-kernel kernel integrity checker– Chicken and egg problem– IPD http://www.pedestalsoftware.com
October 24th, 2000 Black Hat BriefingsAmsterdam
Securelevels
• Protection mechanism• Prevents all users including root
from modifying kernel memory directly
• Found in *BSD and Linux• Not found on most commercial Unices• Depends on the value of 2 bits in the
kernel
October 24th, 2000 Black Hat BriefingsAmsterdam
Fine grained privileges
• Examples:– Capabilities:ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/
index.html
– Mandatory Access Control (MAC)• ftp://ftp.tislabs.com/pub/lomac/• http://www.trustedbsd.org/downloads/
– Trusted Solaris– PitBull from Argus Systems
October 24th, 2000 Black Hat BriefingsAmsterdam
FreeBSD: Jail
• Developed by Poul-Henning Kamp for FreeBSD 4.0
• Beefed up chroot()• Acts a bit like a MAC system with
one label: jail simplification• More info:http://www.nluug.nl/events/sane2000/papers/
kamp.pdf
October 24th, 2000 Black Hat BriefingsAmsterdam
Windows?
• Same problems• Internals less understood (yet)• Open Source project:
– http://www.rootkit.com
October 24th, 2000 Black Hat BriefingsAmsterdam
Acknowledgement
• Gene Kim, Tripwire
for supplying the demonstration copy.
October 24th, 2000 Black Hat BriefingsAmsterdam
References
• Phrack 50-55, http://www.phrack.com
• THC http://thc.pimmel.org• UNIX Internals by Valhalia• Design and Implementation of the
4.4BSD Operating System• http://docs.sun.com• http://www.itsx.com/kmod.html
Recommended