getting rooted and never knowing it
DESCRIPTION
Getting rooted and never knowing it. The importance of kernel integrity Job de Haas . Overview. The issue Detection How to avoid it? Introducing kmod. What can be done about it?. The issue. root is almighty lots of opportunities to hack root root can change the kernel - PowerPoint PPT PresentationTRANSCRIPT
October 25th, 2000 Black Hat BriefingsAmsterdam
Getting rooted and never knowing it
The importance of kernel integrity
Job de Haas <[email protected]>
October 24th, 2000 Black Hat BriefingsAmsterdam
Overview• The issue• Detection• How to avoid it?• Introducing kmod.• What can be done about it?
October 24th, 2000 Black Hat BriefingsAmsterdam
The issue• root is almighty• lots of opportunities to hack root• root can change the kernel• the kernel is critical to detect abuse
A kernel attack can be very effective.
October 24th, 2000 Black Hat BriefingsAmsterdam
Some arguments• When you get rooted you have lost anyway
but why do we make it so easy?• It is so sophisticated that the risk is very low
kernel hacking falls in the scriptable class• My OS is closed source so it won't be feasible
who are you kidding?• All solutions result in unworkable situations
So lets do better!
October 24th, 2000 Black Hat BriefingsAmsterdam
Detection• Host-based Intrusion detection• Network-based Intrusion detection
• Misuse detection• Anomaly detection• System health monitoring
October 24th, 2000 Black Hat BriefingsAmsterdam
Detection• Audit trails• System monitoring• Integrity checking• Network protocol sniffing and
reconstruction
October 24th, 2000 Black Hat BriefingsAmsterdam
What to hide from?• Black Hat: repeatedly use a system
without detection• White Hat: hide or protect detection
measures.
• Tripwire (and other host based IDS)• Process accounting• Auditing trail software• ‘netstat’, ‘lsof’, ‘ps’ etc.
October 24th, 2000 Black Hat BriefingsAmsterdam
What to hide?• Use your imagination: anything the
kernel does or shows can be changed:– Processes– Backdoors: changed programs– Files– System logging– Network connections or interface state– File modification times– Loadable modules– …
October 24th, 2000 Black Hat BriefingsAmsterdam
How to fool tripwire• Tripwire calculates signatures of
– File content– File properties (timestamps, owner)– Directory properties (number of files in it)
• The (modified) kernel should preserve these properties.– execve() opens different file than open() does– stat() returns original values
October 24th, 2000 Black Hat BriefingsAmsterdam
What is a Kernel?• The Operating System ‘program’
– Offers services to ‘userland’• Creates and maintains processes• Separation of privileges and memory• Access to devices• …
– Extensible: network protocols, filesystems– No internal privilege levels– …
October 24th, 2000 Black Hat BriefingsAmsterdam
What is a Kernel? - 2• ‘Userland’ can
– inquire about kernel state– change kernel state– For example: state of network devices
• Through:– System calls – /dev devices (e.g. /dev/kmem)– /proc filesystem
October 24th, 2000 Black Hat BriefingsAmsterdam
How to modify a kernel?• Loadable kernel modules• Write-able kernel memory
– Write directly in /dev/(k)mem• The kernel executable
– Build a new kernel
October 24th, 2000 Black Hat BriefingsAmsterdam
Loadable modules• Modularization of the kernel
– Only use resources when needed– Generally works well for any design
• Mechanism:– Compiled code is resolved against kernel
symbols– Memory is allocated– Code is copied in and an initialization function
is called
October 24th, 2000 Black Hat BriefingsAmsterdam
Introducing kmod• Goal:
– Demonstrate effect of kernel modifications
– Targeted at Solaris– ‘Easy’ to use.– Use several ways to manipulate
kernel– Open Source
October 24th, 2000 Black Hat BriefingsAmsterdam
Details: How to proceed?• Think about how to fool programs.
• Use the Kernel internal stuctures:– Switch tables– Linked lists– Global variables
October 24th, 2000 Black Hat BriefingsAmsterdam
Kernel switch tables.• Changing function pointers• Kernel uses ‘switch tables’ for
extensibility.• Overwrite function pointer:
– old_execve = sys_call_table[SYS_execve]
– sys_call_table[SYS_execve]=new_execve
October 24th, 2000 Black Hat BriefingsAmsterdam
Kernel linked lists.• Used for dynamically adding
entries
• Hide:
October 24th, 2000 Black Hat BriefingsAmsterdam
Where to start?• Decide where to intercept
– Hide processes:• Memory device (/dev/(k)mem• Filesystem switch table (/proc)
– Hide backdoors:• Execve -> syscall table
– Hide files:• Filesystem switch table (ufs_getattr())
October 24th, 2000 Black Hat BriefingsAmsterdam
Example: execve()• Has an entry in the syscall table:/usr/include/sys/syscall.h:#define SYS_execve 59
• Looks like:/usr/include/sys/exec.h:struct execa { char *fname; char **argp; char **envp;};extern int exece(struct execa *, rval_t *);
October 24th, 2000 Black Hat BriefingsAmsterdam
Example: execve() 2• Modify behavior:
– Safe pointer to original exece()– Replace it with pointer to our new_exece()– Do our work and call old_exece()
• Advantages:– No detailed knowledge needed about
original exece()– Not very dependent on kernel patches that
might change the original exece()
October 24th, 2000 Black Hat BriefingsAmsterdam
Example: execve() 3• We want to change:
– Test if we call a backdoor executable– If not do nothing and call old_exece– If so redirect the call to our backdoor-
ed version by supplying a new fname– Make sure it is not visible from
userland that a different executable has been called
October 24th, 2000 Black Hat BriefingsAmsterdam
Example: execve() 4• We need to test the pathname only:int new_exece(struct execa *eap, rval_t *rp){ if (backd_head && !ishid(p)) { if (error = lookupname(eap->fname,
UIO_USERSPACE, FOLLOW, NULLVPP, &vp)) return (error); backdp = backd_head; while (!VN_CMP(backdp->vp, vp) && ((backdp = backdp->bd_nxt) != NULL)); if (backdp) { kmod_log(KMOD_CE_DEBUG3, "exec matched,
redir to %s\n", backdp->bdfname);
October 24th, 2000 Black Hat BriefingsAmsterdam
Example execve() 5lookupname(backdp->bdfname, UIO_SYSSPACE, FOLLOW,
NULLVPP,&vnp);size = strlen(backdp->bdfname) + 1;cp = regsp->r_sp - size;error = copyout(backdp->bdfname, (caddr_t) cp, size);eap->fname = (char *) cp;return(old_exece(eap, rp));}
October 24th, 2000 Black Hat BriefingsAmsterdam
Example: execve() 6• Result if we have an entry with backdp->bdfname = “/bin/login”:– execve(“/bin/login”, a,e) will really do
execve(“/bin/mylogin”,a,e)but– open(“/bin/login”) will still do
open(“/bin/login”)
October 24th, 2000 Black Hat BriefingsAmsterdam
System calls• Some system calls that were
changed:
• fork fork1• kill sigqueue• exec exece
October 24th, 2000 Black Hat BriefingsAmsterdam
Filesystem routines• ufs_readdir ufs_lookup• ufs_create ufs_remove• ufs_rename ufs_setattr• ufs_getattr• pr_readdir pr_lookup• spec_ioctl
October 24th, 2000 Black Hat BriefingsAmsterdam
Miscellaneous• For /dev/kmem:
– mmread
• For netstat:– tcp_wput– strrput
October 24th, 2000 Black Hat BriefingsAmsterdam
Other features• /proc or /dev/kmem hides a
process which has a ‘hidden flag’.• fork() will hide a child of a hidden
process.• Signals to hidden processes fail.• Information on network objects
hidden from ‘netstat’
October 24th, 2000 Black Hat BriefingsAmsterdam
Other features• Files and directories with a special
prefix are hidden.• stat() will show ‘correct’ number of
files in directory (nlink)• Reboot proof
October 24th, 2000 Black Hat BriefingsAmsterdam
Reboot proof mechanism• Rename an existing kernel module:
/kernel/strmod/connld /kernel/misc/<prefix>• Place rogue module at that spot.• Redirect all UFS routines for /kernel/strmod/connld to /kernel/strmod/<prefix>
• Have the rogue module load /kernel/strmod/<prefix> and hide itself
October 24th, 2000 Black Hat BriefingsAmsterdam
Demonstration• Following steps:
– Hack root remote– Install kmod kit– Install backdoor– Run tripwire– Inspect system with other tools: ps, lsof– Reboot– Check again
October 24th, 2000 Black Hat BriefingsAmsterdam
Advanced• No loadable module support?
– Copy directly into kernel memory• In-kernel network daemons -> hide
network connections• Modify executable code directly if
possible• Change network stack protocol behavior
– Phrack 55: September 9, 1999– http://ww.phrack.com
October 24th, 2000 Black Hat BriefingsAmsterdam
Advanced 2• Snoop ttys through loadable
modules• Install and hide ipfilter and redirect
traffic based on some token to a local backdoor.
October 24th, 2000 Black Hat BriefingsAmsterdam
What can be done about it?
• Securelevel protection.• Reduce root: Fine grained privileges.• Userland kernel integrity checker
– Easily fooled• In-kernel kernel integrity checker
– Chicken and egg problem– IPD http://www.pedestalsoftware.com
October 24th, 2000 Black Hat BriefingsAmsterdam
Securelevels• Protection mechanism• Prevents all users including root
from modifying kernel memory directly
• Found in *BSD and Linux• Not found on most commercial Unices• Depends on the value of 2 bits in the
kernel
October 24th, 2000 Black Hat BriefingsAmsterdam
Fine grained privileges• Examples:
– Capabilities:ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/
index.html– Mandatory Access Control (MAC)
• ftp://ftp.tislabs.com/pub/lomac/• http://www.trustedbsd.org/downloads/
– Trusted Solaris– PitBull from Argus Systems
October 24th, 2000 Black Hat BriefingsAmsterdam
FreeBSD: Jail• Developed by Poul-Henning Kamp
for FreeBSD 4.0• Beefed up chroot()• Acts a bit like a MAC system with
one label: jail simplification• More info:http://www.nluug.nl/events/sane2000/papers/
kamp.pdf
October 24th, 2000 Black Hat BriefingsAmsterdam
Windows?• Same problems• Internals less understood (yet)• Open Source project:
– http://www.rootkit.com
October 24th, 2000 Black Hat BriefingsAmsterdam
Acknowledgement
• Gene Kim, Tripwire
for supplying the demonstration copy.
October 24th, 2000 Black Hat BriefingsAmsterdam
References• Phrack 50-55, http://www.phrack.com• THC http://thc.pimmel.org• UNIX Internals by Valhalia• Design and Implementation of the
4.4BSD Operating System• http://docs.sun.com• http://www.itsx.com/kmod.html