Hiding for Persistence - Backdooring Linux Systems
Key messages
• They’re out to get you
• Kernel backdoors are hard to find
• However, most attackers are not so motivated or well equipped
• There is a lot you can do
Hi
Christiaan Ottow
• Developer, Sysop, Hacker
• Security Coach @ Computest / Pine Digital Security
• @cottow
Performance, Security, Test Automation
Reasons you get pwned
• Spam
• DDoS
• Ransomware
• To pwn others
• To do you damage
• Lulz
• Espionage
Your adversary
• Crime groups
• State-sponsored attackers
• People you’ve pissed off
• Bored teenagers
Diagram: discover → hack → monetise (shown twice), with persistence added to the loop.
The bad news
The good news
How?
How to do persistence as uid > 0
• “hidden” directories
• ".. " (note the space)
• innocuous filenames
• libglsconv.so
• process renaming
• write to argv[0]
How to do persistence as uid == 0
• hide inside existing executables
• patch /bin/su
• patch processes in memory
• attach to sshd, patch, detach
• kernel module
• loadable backdoors!
• firmware backdoor
• hardware has own microcontroller and “OS”
<prayer to the demo gods>
#include <stdio.h>
int main() { printf("Hello, world!\n"); return 0; }
Diagram: the program's main() calls printf() in the standard C library, which calls write(), which enters the kernel at sys_write() through a syscall. Memory layout: 0x00000000 to 0xc0000000 is user space memory, 0xc0000000 to 0xffffffff is kernel memory. The printf() call resolves to "call 0x804031d" in libc, and libc issues the syscall with "mov eax, 0x4; int 0x80". Applications talk to the kernel through libc and syscalls; the kernel talks to disk and input devices through interrupts.
Let’s look at the code
Figures (syscall table demo): the syscall table at 0xc00a3400, 0xc00a3404, 0xc00a3408, 0xc00a340c, ... holds pointers to kernel handlers (0xc0990d00, 0xc09912a4, 0xc0993600, 0xc099fe0a, ...), with the disassembly of the selected handler shown alongside (push r15; mov r15d, edi; push r14; mov r14, rsi; push r13; mov r13, rdx; push r12; lea r12, [rip+0x207f78]; push rbp; lea rbp, [rip+0x207f78]). In the backdoored version the entry 0xc099fe0a is replaced by 0xcfe89a40, whose code ends with "call 0xc099fe0a" followed by <filter results>: the original handler still runs, but its results are filtered before they are returned.
Let’s look at the code
Detection
• syscall table should be predictable and boring
• the server's external behaviour doesn't lie: the hacker has a business case
• cat and mouse game between detection and hiding
• volatility framework for memory inspection
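Added example (not from the talk) for the "syscall table should be predictable and boring" point: a Python check that compares a syscall-table dump against the kernel's System.map and flags any handler that is not a known symbol inside the kernel's own text, which is the comparison a memory-forensics tool such as volatility performs. The System.map excerpt, the dump format and every address in it are constructed sample data.

```python
import bisect

# Constructed System.map excerpt (hex address, type, symbol); not a real kernel.
SYSTEM_MAP = """\
c0400000 T _stext
c0990d00 T sys_read
c09912a4 T sys_write
c099fe0a T sys_getdents64
c0a00000 T _etext
"""
# Constructed syscall-table dump (index, handler address), the shape a memory
# forensics tool such as volatility prints. Entry 2 was redirected to a hook.
SYSCALL_DUMP = """\
0 c0990d00
1 c09912a4
2 cfe89a40
"""

def parse_system_map(text):
    """Return (entries sorted by address as [(addr, name)], {name: addr})."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    entries = sorted((int(addr, 16), name) for addr, _type, name in rows)
    return entries, {name: addr for addr, name in entries}

def nearest_symbol(entries, addr):
    """Resolve addr to 'symbol+0xoffset' via the closest preceding symbol."""
    i = bisect.bisect_right([a for a, _ in entries], addr) - 1
    if i < 0:
        return None
    base, name = entries[i]
    return f"{name}+0x{addr - base:x}"

def check_syscall_table(dump_text, system_map_text):
    """Return [(index, addr, verdict)]; 'ok' only for an exact kernel-text symbol."""
    entries, by_name = parse_system_map(system_map_text)
    stext, etext = by_name["_stext"], by_name["_etext"]
    exact = dict(entries)  # addr -> symbol name
    findings = []
    for line in dump_text.splitlines():
        idx, addr_hex = line.split()
        addr = int(addr_hex, 16)
        if addr in exact and stext <= addr < etext:
            verdict = f"ok {exact[addr]}"
        elif stext <= addr < etext:  # in kernel text, but not at a symbol start
            verdict = f"SUSPECT mid-function {nearest_symbol(entries, addr)}"
        else:  # module space or anything else outside the kernel's own text
            verdict = "HOOKED outside kernel text"
        findings.append((int(idx), addr, verdict))
    return findings
```

On a real system the same check needs the table contents from memory (a memory image, or a trusted kernel module), because a hooked kernel will happily lie to userspace about its own state.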
Prevention - kernel level
• grsecurity / selinux
• disallow anomalous behaviour
• limit what root can do
• disable module loading
Prevention - hardening
• remove unnecessary tools like compilers
• isolate services (chroot / containers / cgroups / apparmor)
• see CIS and Certified Secure guidelines
Prevention - HIDS
• tripwire / OSSEC
• trigger on anomalous events
Conclusions
• They’re out to get you
• Most of them aren’t that well resourced
• A good backdoor is next to impossible to find
• There are excellent mitigations to take
• Spend your time and money wisely
If it can't break, then it's no fun either. www.werkenbijcomputest.nl
Image credits
• Why girl: http://www.cellmaxxindo.com
• Lulz: Image courtesy of http://knowyourmeme.com
• Trump: http://www.northcountrypublicradio.org/
• The good news: http://theverybesttop10.com
• The bad news: http://stuffpoint.com
• Questions: http://www.slideshare.net/linaroorg/sfo15tr6-server-ecosystem-day-part-6a