Exploits
Alan Laudicina
Exploits are holes in code. They can be manipulated into allowing crackers (people who gain unauthorized access to remote machines) access to your machine or network. Exploits can also be used maliciously to make a machine lose its Internet connection or reboot (these types of exploits are referred to as "Denial of Service" exploits). Exploits are either run locally (on the machine that the cracker wants to exploit), or remotely (from a machine across a network). Once a cracker has access to your machine, he can do anything from change Web pages to use your bandwidth to attack machines across the Internet.
If a cracker gains access to one machine on your subnet, it puts your whole network in jeopardy, because the cracker can run a sniffer or a password cracker and hope the users are using network-wide passwords (see Common Exploits). This article focuses on Linux and FreeBSD machines. Although most of the exploits discussed here aren't OS dependent, many are. So, if you don't have a certain file that is mentioned, most likely you will have a substitute for it.
How to Protect Yourself Securing your machine is not something you do once or twice a month; it is something you should do every one or two days. New exploits are released every day, and go into the hands of malicious cracker rings. The first step in protecting yourself is to go through the packages on your machine, and make sure none of them are exploitable. I recommend not installing XFree (X Windows), as this is one of the most commonly exploited programs found on a *nix machine, in my opinion.
You should also keep tabs on any SUID files you may have on your machine, however, find / -perm +4000 doesn't list everything you need to know to make sure your machine hasn't been backdoored overnight. To properly do this, you should download the Perl script sysadm.pl from http://www.unixpower.org/security/sysadm.html and add the following to your root user's crontab:
crontab -e root] : 0 0 * * * /path/to/sysadm.pl
where /path/to/ is the path to the sysadm.pl script. This will go through all the files on your machine at 12:00 a.m. and send root@localhost a very informative email, which includes information on any root accounts that may have been added/changed/deleted since the last check, and any setuid or setgid files that have been changed since the last check. This can be especially useful because when crackers gain unauthorized access to your machine (and they want to be able to gain access to your machine again), they can code "backdoors" into setuid programs. A common backdoor I have seen installed on a friend's machine allows someone to type ping -0 as a normal user and obtain a root shell. The source for this is located at http://www.unixpower.org/security/sysadm.
Common Exploits Here is a list of some of the many ways a cracker can gain access into your network:
HTTP daemons - Many http daemons include CGI scripts that allow crackers to list files on your filesystem, or view files they shouldn't have access to. Passwd/shadow files will always be a target of a cracker.
DNS - I will assume you are running the named package, it is the default name server daemon package for just about every UNIX. Running bind under a chroot() environment is a good idea; it helps to prevent such exploits as namedsploit.c from rootshell.com. Also you should not allow domain transfers to anyone besides the machines that are secondary nameservers for you. This makes it harder for people to run such things as mscan on your domain.
Default Accounts - A lot of UNIX flavors pack with default accounts that shouldn't be there. In my opinion, all the system accounts should be disabled by putting a * in the password/shadowed password file for that account. One example of such a default account is IRIX's old lp/guest/etc. login, which was fixed in later releases.
NFS - NFS can be a major problem. If configured incorrectly, it may allow anybody to mount certain partitions of your filesystem. This may lead to a cracker adding himself an account, or adding hosts to a legitimate user's .rlogin.
r-services - The r-services (rlogin, rsh, etc.) can be another major problem. Crackers can regain access to your machine remotely after cracking it, simply by adding themselves to one of your legitimate user's ~/.rlogin, thus allowing them to login via rlogin, or execute things remotely via rsh. If you care about the security of your machine, disable all the r-services, or use wrapper programs, such as TCPwrapper.
SMTP daemons - Many versions of UNIX ship with Sendmail by default. Unfortunately, Sendmail has led to the cracking of many machines. If you are going to run Sendmail, make sure you are running the latest version at least once a week, or take the liberty of installing qmail (http://www.qmail.org), the most secure MTA out there.
Network-wide passwords - Some people like to use the same password on many machines on their subnet. This is a bad idea for the simple reason that if somebody cracks your machine and runs a sniffer, or runs a password cracker on the passwd/shadow file, they could gain access to the other machines on your subnet with the logins sniffed from the other machines.
RPC Services - The RPC services (e.g., statd, walld, mountd) can come in handy, but many are exploitable. statd, for instance, is used for many (and I mean many) intrusions.
Here is a list of some (not all) exploitable RPC services.
ttdbserver - Various versions of Solaris/HP-UX/IRIX systems are vulnerable to a ttdbserver remote exploit, which gives the cracker full root access.
mountd - rpc.mountd that packs with various versions of Slackware Linux, Redhat Linux, IRIX, and some other platforms is vulnerable to an exploit that gives the cracker a root shell.
statd - the statd that packs with various versions of AIX, IRIX, DEC UNIX, SunOS, and some other platforms is vulnerable to a remote exploit that allows the cracker to gain privileges locally or remotely (if statd is accessible via the network).
Note that this is only a small portion of RPC security problems.
Logging Tips When editing your syslog.conf file, you must always use tabs instead of the space bar to make spaces. After a cracker gains access to your machine, you will want to catch him. But if he or she cleans or removes the log files, you're stuck. So, to prevent the logs from being erased, you will need to put them where the cracker won't think to look. An example /etc/syslog.conf file:
*.=info;*.=notice;mail.none /var/adm/messages
*.=debug /var/adm/debug
*.err /var/adm/syslog
mail.* /var/log/maillog
Explanation In this example, *.=info;*.=notice;mail.none logs all the system information and notices to /var/adm/messages, and does not log any mail information. The *.=debug logs all debugging information to /var/adm/debug. The *.err logs all system errors to /var/log/syslog. And, the mail.* logs all mail information, notices, etc. to /var/log/maillog. This configuration works, but when the cracker gains root access to your machine, he knows where the default log files are, and can delete them or edit them to make it look like he never connected to your machine.
To prevent the cracker from hiding himself, you can use remote logging, put log files in non-default places, and echo messages to the console.
Additionally, you should add:
*.* /dev/tty1
This will log everything to /dev/tty1 (thus, printing it on the screen). Another good thing to add, if you have access to another machine, would be remote logging. Here is an example of remote logging, where syslogd.host.com is the host of the remote syslogd machine:
*.* @syslogd.host.com
After you edit syslog.conf to allow remote host logging, you need to restart it with the -r (accept/send remote messages) For example:
kill -9 `cat /var/run/syslogd.pid` ; sleep 3 ; syslogd -r
[uw]tmp/lastlog files
The utmp, wtmp, and lastlog files contain vital information about who has logged into your machine. These files display the person's username, IP address, the tty they logged into, and what time they logged in.
utmp The utmp file contains information about who is currently logged into your machine. You can see the utmp information by typing who. Once a cracker breaks into your machine, one of the first files he manipulates is this one. Crackers can use a "log cleaner" (utclean.c for example, found at: http://members.xoom.com/unixwizard/utclean.c) to change the data in the utmp so it looks as if they are not logged into your machine. You don't need to make backups or copy this file over remotely.
Here is an example of using w to view the utmp information:
[root@geeks:~]# w
aim up 25 days, 5:25, 4 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty10 Tue 7pm 9:28m 0.25s 0.04s tail -f
/var/lo
root tty11 Wed10pm 9:28m 0.17s 0.02s tail -f
/var/lo
alan ttyp0 forward Fri 3pm 5:48 26:55 26:54 irc
alan ttyp1 router Tue 7pm 0.00s 0.22s 0.08s w
The wtmp file contains information about who has (or is) logged into your machine. You can see the wtmp information by typing last to list all the users, or last <username> to specify the username to view. Crackers can use the same log cleaner (utclean.c) to change the data in the wtmp so it looks like they haven't logged into your machine, or to just remove their hostname from the file. You should set up a crontab entry to back up this file via ftp/nos/etc.
A example of the wtmp information is shown here, using the last alan command:
[root@geeks:~]# last alan
alan Tap router Mon Jan 4 00:33 still logged in
alan tap forward Sun Jan 3 15:56 - 15:57 (00:00)
alan tap host Sun Jan 3 15:56 - 13:51 (05:00)
wtmp begins Fri Jan 1 07:43
lastlog
The lastlog file contains information about the users login habits, such as, last hostname, tty, time they logged on, and time. This information can be useful when your system has been perpetrated by a cracker.
Here is an example of checking the contents of the lastlog file using the lastlog command:
[root@geeks:~]# lastlog
Username Port From Latest
halt **Never logged in**
operator **Never logged in**
root tty3 Mon Jan 4 00:58:27 1999
shutdown **Never logged in**
sync **Never logged in**
bin **Never logged in**
ftp **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
mail tty6 Mon Dec 28 00:16:28 1998
postmaster tty6 Mon Dec 28 00:14:49 1998
news **Never logged in**
uucp **Never logged in**
man **Never logged in**
guest **Never logged in**
www tty9 Fri Dec 25 22:49:22 1998
wuug ttyp2 beta.unix.windso Thu Dec 31 00:01:52 1998
alan ttyp0 forward Mon Jan 4 00:58:23 1999
Security Tools On the Internet, there are masses of security sites, some good and some useless. But almost every site has a couple links to security tools, such as SAINT, Abacus Sentry, Nessus, etc. The problem is that, when you see these tools, you don't know which one to go with. So, I will discuss five of (in my opinion) the best security analysis tools and rate them on a 1 to 5 star (*) scale (* being the worst and ***** being the best).
The tools I picked are:
Abacus Sentry - Detects and responds to port scans to a target host in real time, by either adding the user to the hosts.deny or firewalling the user's IP address.
mscan - This wasn't developed to be a security tool, but it is useful to systems administrators to know what can be exploited on their machines.
SAINT - Security administrator's integrated network tool. This is coded in Perl and is to be used with your favorite browser.
sysmon.pl - A simple Perl script run from cron that checks whether any s[gu]id files on your system have been added, removed, edited, etc. It also checks to see whether any root accounts (both UID 0 or 131072) have been added/deleted/changed since the last check.
Nessus - A security auditing tool for UNIX.
Abacus Sentry Distribution site: http://www.psionic.com
Abacus Sentry is one of the most advanced port detector protectors out there. It can stop port scans by putting the user who is scanning you in the hosts.deny, or firewalling them out using ipfwadm/ipchains. Sentry will also open up ports (at your request) to fool people and make sure nothing gets bound to the specified port. The makers of Abacus Sentry didn't just stop with port scanning though, they added a feature that allows administrators to set how many connections per minute a single IP address can have to a port on a machine. If the IP connects more than the allocated number of times, it is automatically firewalled.
I give Sentry a **** rating, because it is being very highly configurable. I use it on one of the machines on my LAN, and it watches connections to all four machines.
mscan Distribution site: unknown; use http://www.rootshell.com
mscan scans multiple hosts for various vulnerabilities such as NFS, statd, CGI, X11, named, pop3, and other things. Although it was written to be a crackers tool to break into machines of a subnet, it can be used by any systems administrator to make sure the machines on his network are secure. If the nameserver for the domain you are using approves domain AXFRs to anybody mscan can use this, dump it to a file (named .ipdb), then scan these IP addresses one by one and report to you the vulnerabilities it finds along the way.
I give mscan a *** rating, because it doesn't look for such remote vulnerabilities as mountd. If you own an IP subnet and every machine on the subnet has a unique IP address, you should use mscan to check for vulnerabilities.
SAINT Distribution site: http://www.wwdsi.com/saint/
SAINT is a tool to assess network security. It was written in Perl and is run through a browser (lynx, Netscape, etc.). It is capable of scanning or DoS (Denial of Service) attacking a target host, allowing the administrator to pick from Light, Normal, Heavy, and Heavy+ modes. Newer versions also check for such trojans as NetBus (12345/tcp) and BackOrifice (31337/tcp). SAINT also allows you to scan machines behind a firewall, but states that the results may not be accurate.
I give SAINT a **** rating, because it allows you to scan all hosts in the target's subnet, and lets you decide whether it will check ports that may cause some operating systems to crash.
sysmon.pl Distribution site: http://www.unixpower.org/security/ \ sysmon-pl.html <modified by Alan> or http://www.rootshell.com <original version>
The original sysmon.pl checked for modified, new, or deleted s[gu]id files and new/modified/deleted root accounts. It is meant to be run daily (from the crontab). I have modified sysmon.pl to back up the wtmp as well as mail it to an account (defined at the top of the file).
I give sysmon.pl **, although I have personally done work on it. sysmon.pl has some very ugly usage of system() (that I added) to back up and mail the wtmp files. Uuencoding the files could have been done with pack(), but I wanted to save time.
Nessus Nessus is made up of a server and client. Nessus is regularly used to perform many DoS attacks and exploits against target class a/b/c networks, and the client reports the information it finds to the user. Currently, it supports more than 119 DoS attacks and exploits, as well as port scanning. After it does the multiple scans, it puts each host in its own pull-down folder.
Nessus is off the charts; I give it a ***** rating. It is by far the best security tool I've seen for both UNIX and Windows.
About the Author
Alan Laudicina is a student at Assumption College School in Windsor, Ontario, Canada. Currently he is the webmaster of www.unixpower.org. He started using Unices at the age of 9 and is the founder/president of the Windsor Unix Users Group. He can be contacted via email at alanp@unixpower.org.
|