Backdoor Freebsd

7/29/2019 Backdoor Freebsd

1/26

Back-dooring FreeBSDAn Introduction to FreeBSD Rootkit Hacking

Robert Escriva

RPI Security ClubRensselaer Polytechnic Institute

RPI Security Club, August 30, 2008

Robert Escriva (RPI) Back-dooring FreeBSD RPI-SEC 2008 1 / 26
http://find/http://goback/


2/26

Outline

1 Introduction

Overview

Prerequisites

Questions

2 Examples

Hello, World!

EBG13

Process HidingUDP Hooking



3/26

Introduction Overview

Overview.Goals of this lecture.

Teach the basics of FreeBSD LKMs (sometimes called KLDs).

Demonstrate techniques similar to basic rootkit functionalityDiscuss ways to prevent rootkit installation (perhaps using

rootkits?).

Generate discussion about potential attacks, and their

corresponding defenses.

http://find/


4/26

Introduction Overview

Overview.This lecture does not. . .

Provide a definitive reference to all subject matter discussed.

Provide working, complete rootkit code.

Encourage illegal intrusion/compromise of systems (doubly so for

code I provide to you).



5/26

Introduction Prerequisites

Academic Prerequisites.General knowledge that will aid in your understanding of material presented.

Experience reading/writing C code.

Knowledge of kernel-level functionality (system calls, etc.).

Kernel interface: read, write, stat, etc.Basic file-system functions.Process, threads.


I d i P i i
http://find/


6/26

Introduction Prerequisites

Tools Necessary.Some things that make following along with the examples easier.

root access on a FreeBSD 7.0 box (all code tested on 7.0-p2).

Kernel source tree (very useful as a reference) /usr/src/sys.

perl for testing system calls (easier than writing in C).

netcat for sending/receiving UDP packets.


I t d ti Q ti
http://find/


7/26

Introduction Questions

Questions.Answer mine and ask your own.

What is a rootkit? (-10 points if you just cite Wikipedia)

What is a KLD/LKM (for purposes of this talk, the two are

synonymous)?

If you could load one module into a kernel, what would it do?


Examples Hello World!
http://find/


8/26

Examples Hello, World!

Functionality Included.What the hello KLD demonstrates.

Module event handler functions.Declaring the module to the kernel.

Writing a simple, no-parameter system call.


http://find/


9/26


Shortcomings.Ways in which the hello KLD falls short.


http://find/


10/26


Shortcomings.Ways in which the hello KLD falls short.

A simple kldstat will show the module.

It adds a new entry to the sysent table.


http://find/


11/26


Fixes.Ways in which the hello KLD could be improved.

Cloak the module so that it is hidden from kldstat.Hook the function that looks up system calls.

/usr/src/sys/i386/i386/trap.c


Examples EBG13
http://find/


12/26

Examples EBG13

Functionality Included.What the rot13 KLD demonstrates.

Hooking system calls in a simple manner.

Specifically hooking read.

Only do anything on read calls that ask for only 1 byte of data.Only do anything on read calls reading from fd 0.Only change alphabetical text (all else goes through).

Does not impact ability to log in, nor have any disastrous

consequences.


Examples EBG13
http://find/


13/26

p

Shortcomings.Ways in which the rot13 KLD falls short.


Examples EBG13


14/26

p

Shortcomings.Ways in which the rot13 KLD falls short.


It changes an entry in the sysent table.


Examples EBG13


15/26

Fixes.Ways in which the rot13 KLD could be improved.

If youre paying attention you should notice that this is the same as

hello.Cloak the module so that it is hidden from kldstat.

Hook the function that looks up system calls.

/usr/src/sys/i386/i386/trap.c


Examples Process Hiding
http://find/


16/26

Functionality Included.What the process KLD demonstrates.

How to hide a process from top.How to hide a process from ps.

. . . and do it without altering scheduling of the process.




17/26

Shortcomings.Ways in which the process KLD falls short.


http://find/


18/26

Shortcomings.Ways in which the process KLD falls short.


It modifies internal kernel structures (some code may crash on

exit).

It does not completely hide a process.


http://find/


19/26

Fixes.Ways in which the process KLD could be improved.

Unlink the process from its parent.Dont let the process be found (it wont crash if it doesnt exit).

/usr/src/sys/kern/kern_exit.c


Examples UDP Hooking


20/26

Functionality Included.What the udp KLD demonstrates.

How to hook a communications protocol.Do something when a UDP packet arrives.

Potential to spawn a connect-back shell (not implemented).




21/26

Shortcomings.Ways in which the udp KLD falls short.


http://find/


22/26

Shortcomings.Ways in which the udp KLD falls short.

A simple kldstat will show the module.What if legitimate traffic on port 42 is interrupted?


http://find/


23/26

Fixes.Ways in which the udp KLD could be improved.

Make the code that "spawns" the shell look for something morespecific.

42 bytes on port 42 maybe?


Summary
http://find/


24/26

Summary

KLDs are not too intimidating to write if you are patient.

If the presence of a KLD is suspected, no function provided by the

kernel is trustworthy.Such techniques should not be used maliciously.

Can anyone think of ways to use KLDs beneficially?


Summary
http://find/


25/26

Presentation Materials

All presentation materials will be available online at:

http://robescriva.com/2008/08/back-dooring-freebsd/


Appendix For Further Reading
http://goforward/http://find/http://goback/


26/26

For Further Reading I

J. Kong.

Designing BSD Rootkits: An Introduction to Kernel Hacking.

No Starch Press, 2007.

Kernel Source.

/usr/src

man Pages.

man whatever

http://find/

Documents

Backdoor Freebsd