1 / 40

Linux Operating System Vulnerabilities

Linux Operating System Vulnerabilities. SCSC 555. Objectives. Fundamentals of Linux operating system Vulnerabilities of Linux operating system Remote attacks on Linux Protecting Linux operating system. Linux default directories. Linux file system history Minix file system

mliss
Télécharger la présentation

Linux Operating System Vulnerabilities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Linux Operating System Vulnerabilities SCSC 555

  2. Objectives • Fundamentals of Linux operating system • Vulnerabilities of Linux operating system • Remote attacks on Linux • Protecting Linux operating system

  3. Linux default directories • Linux file system history • Minix file system • Extended File System (Ext) • Second Extended File System (Ext2fs) • Third Extended File System (Ext3fs) • (read details on text)

  4. Linux File System • File system • Enables directories or folders organization • Establishes a file-naming convention • Includes utilities to compress or encrypt files • Provides for both file and data integrity • Enables error recovery • Stores information about files and folders • File systems store information about files in information nodes (inodes)

  5. Linux File System (continued) • Information stored in an inode • An inode number • Owner of the file • Group the file belongs to • Size of the file • Date the file was created • Date the file was last modified or read • File systems use a fixed number of inodes • mounts a file system as a subfile system of the root file system

  6. Linux File System (continued) • mount command is used to mount file systems

  7. Linux File System (continued) • df command displays the currently mounted file systems

  8. Linux Network Commands

  9. Linux Network Commands

  10. Objectives • Fundamentals of Linux operating system • Vulnerabilities of Linux operating system • Remote attacks on Linux • Protecting Linux operating system

  11. Linux OS Vulnerabilities • UNIX has been around for quite some time • Attackers have had plenty of time to discover vulnerabilities in *NIX systems • Enumeration tools can also be used against Linux systems • Nessus can be used to enumerate Linux systems • Discover vulnerabilities related to SMB and NetBIOS • Enumerate shared resources • Discover the root password

  12. Common known vulnerabilities (CVE)

  13. Objectives • Fundamentals of Linux operating system • Vulnerabilities of Linux operating system • Remote attacks on Linux • Protecting Linux operating system

  14. Linux OS Vulnerabilities (continued) • Differentiate between local attacks and remote attacks • Remote attacks are harder to perform • Attacking a network remotely requires • Knowing what system a remote user is operating • The attacked system’s password and login accounts

  15. Footprinting a Target System • Footprinting techniques • Used to find out information about a target system • footprinting tools include: Whois databases, DNS zone transfers, Nessus, and port scanning tools • Determining the OS version the attacked computer is running • Check newsgroups for details on posted messages • Knowing a company’s e-mail address makes the search easier

  16. Using Social Engineering to Attack Remote Linux Systems • Goal • To get OS information from company employees • Common techniques • Urgency • Quid pro quo • Status quo • Kindness • Position • Train your employees about social engineering techniques

  17. Installing Trojan Programs • Trojan programs spread as • E-mail attachments • Fake patches or security fixes that can be downloaded from the Internet • Trojan program functions • Allow for remote administration • Create a FTP server on attacked machine • Steal passwords • Log all keys a user enters, and e-mail results to the attacker

  18. Installing Trojan Programs (continued) • Linux Trojan programs disguised as legitimate programs • can use legitimate outbound ports • Firewalls and IDSs cannot identify this traffic as malicious • E.g.: Sheepshank use port 80 FTTP GET (p214) • It is easier to protect systems from already identified Trojan programs • E.g., Trojan.Linux.JBellz, Remote Shell, Dextenea

  19. Rootkits • Rootkits • Contain Trojan binary programs ready to be installed by an intruder with root access to the system • Attacker hide the tools used for later attacks • Replace legitimate commands with Trojan programs • E.g.: LRK5 • Tool to check rootkits • Rootkit Hunter • Chkrootkit

  20. How they gain root? • Scan the system(s) for un-patched code/module • Intruders usually focus on a small number of exploits

  21. Deploy Trojan • Trojan horse is a malicious program that is disguised as legitimate software • Trojan horse programs bundled in the form of “Rootkits”. • Originally written for Sun’s Berkeley flavor of Unix (SunOS 4) "

  22. What is a Rootkit? • A rootkit is a set of tools used by an intruder after cracking a computer system. • help the attacker maintain his or her access to the system and use it for malicious purposes. • Hides data that indicates an intruder has control of your system • Rootkits exist for a variety of operating systems such as Linux, Solaris and Microsoft Windows.

  23. History • Rootkits were first developed for Unix • Back in 1980’s determining what was happening on your Unix box wasn’t too hard • a set of tools “service tools” report status, maintain logs and provide user feedback to the current state of the system.

  24. Service tools Scheduler information Eg: crontab Future User account information Eg: who, last, login, passwd Process/File information Eg: ls, find, du, top, pidof, du Network information Eg:netstat, ifconfig, rshd, telnet Present System/User Logs Eg: /var/log/messages Past

  25. Early Rootkits • Early Rootkits were bundle of program that replaced these service binary with trojans • For example: a binary of “last” with following wrapper script last | awk '$1 !~ /malliciousUserName/ {print $0}'

  26. Traditional Rootkits • Linux RootKit 5 (lrk5) • written by Lord Somer • one of the most full-featured RootKits • includes Trojan versions of the following: • chfn, chsh, crontab, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, and su

  27. Protection / Prevention mechanism • Get a program to scan /bin/login and see if it has been corrupted • Tools like Tripwrie can check the Integrity of the file if an hash has been generated at install time. • Identify and replace the files that have been modified. • Use md5 checksum to check for the authenticity of the program.

  28. Unix Rootkit Analysis/Detection/Deterrent Tools • Chkrootkit • Tripwire • Rkscan • Carbonite • Rkdet • Checkps • LSM (Loadable Security Module) • LCAP (Linux Kernel Capability Bounding Set Editor)

  29. Chkrootkit Tests

  30. 01. lrk3, lrk4, lrk5, lrk6 (and variants); 02. Solaris rootkit; 03. FreeBSD rootkit; 04. t0rn (and variants); 05. Ambient's Rootkit (ARK); 06. Ramen Worm; 07. rh[67]-shaper; 08. RSHA; 09. Romanian rootkit; 10. RK17; 11. Lion Worm; 12. Adore Worm; 13. LPD Worm; 14. kenny-rk; 15. Adore LKM; 16. ShitC Worm; Chkrootkit Detects These Rootkits, Worms and LKMs • 17. Omega Worm; • 18. Wormkit Worm; • 19. Maniac-RK; • 20. dsc-rootkit; • 21. Ducoci rootkit; • 22. x.c Worm; • 23. RST.b trojan; • 24. duarawkz; • 25. knark LKM; • 26. Monkit; • 27. Hidrootkit; • 28. Bobkit; • 29. Pizdakit; • 30. t0rn v8.0; • 31. Showtee; • 32. Optickit; • 33. T.R.K; • 34. MithRa's Rootkit; • 35. George; • 36. SucKIT; • 37. Scalper; • 38. Slapper A, B, C and D; • 39. OpenBSD rk v1; • 40. Illogic rootkit; • 41. SK rootkit. • 42. sebek LKM; • 43. Romanian rootkit; • 44. LOC rootkit; • 45. shv4 rootkit; • 46. Aquatica rootkit; • 47. ZK rootkit;

  31. Creating Buffer Overflow Programs • Buffer overflows write code to the OS’s memory • Then run some type of program • Can elevate the attacker’s permissions to the level of the owner • A buffer overflow program looks like

  32. Creating Buffer Overflow Programs (continued) • The program compiles, but returns the following error

  33. Creating Buffer Overflow Programs (continued) • Guidelines to help reduce this type of attack • Avoids functions known to have buffer overflow vulnerabilities • strcpy() • strcat() • sprintf() • gets() • Configure OS to not allow code in the stack to run any other executable code in the stack • Use compilers that warn programmers when functions listed in the first bullet are used

  34. Using Sniffers to Gain Access to Remote Linux Systems • Sniffers work by setting a network card adapter in promiscuous mode • NIC accepts all packets that traverse the network cable • Attacker can analyze packets and learn user names and passwords • Avoid using protocols such as Telnet, HTTP, and FTP that send data in clear text • Sniffers • Tcpdump, Ethereal (wireshark)

  35. Objectives • Fundamentals of Linux operating system • Vulnerabilities of Linux operating system • Remote attacks on Linux • Protecting Linux operating system

  36. User awareness training • Users must be told not to reveal information to outsiders • Make customers aware that many exploits can be downloaded from Web sites • Teach users to be suspicious of people asking questions about the system they are using • Verify caller’s identity • Call back technique

  37. Keeping current • Keeping current on new kernel releases and security updates • Installing these fixes is essential to protecting your system • automated tools for updating your systems

More Related