Linux Operating System Vulnerabilities
SCSC 555 (transcript of a PowerPoint presentation)

Objectives
• Fundamentals of Linux operating system
• Vulnerabilities of Linux operating system
• Remote attacks on Linux
• Protecting Linux operating system
Fundamentals of Linux operating system

Linux default directories

Linux file system history
• Minix file system
• Extended File System (Ext)
• Second Extended File System (Ext2fs)
• Third Extended File System (Ext3fs)
(read details in the text)
File system
◦ Enables organization into directories or folders
◦ Establishes a file-naming convention
◦ Includes utilities to compress or encrypt files
◦ Provides for both file and data integrity
◦ Enables error recovery
◦ Stores information about files and folders
File systems store information about files in information nodes (inodes)
Information stored in an inode
◦ An inode number
◦ Owner of the file
◦ Group the file belongs to
◦ Size of the file
◦ Date the file was created
◦ Date the file was last modified or read
File systems use a fixed number of inodes
◦ The mount command mounts a file system as a subfile system of the root file system
The mount command is used to mount file systems
The df command displays the currently mounted file systems
Linux File System (continued)

Linux Network Commands

Vulnerabilities of Linux operating system
UNIX has been around for quite some time
◦ Attackers have had plenty of time to discover vulnerabilities in *NIX systems
◦ Enumeration tools can also be used against Linux systems
Nessus can be used to enumerate Linux systems
◦ Discover vulnerabilities related to SMB and NetBIOS
◦ Enumerate shared resources
◦ Discover the root password
Common Vulnerabilities and Exposures (CVE)
Remote attacks on Linux

Differentiate between local attacks and remote attacks
◦ Remote attacks are harder to perform
◦ Attacking a network remotely requires knowing what system a remote user is operating, and the attacked system's password and login accounts
Footprinting techniques
◦ Used to find out information about a target system
◦ Footprinting tools include Whois databases, DNS zone transfers, Nessus, and port scanning tools
Determining the OS version the attacked computer is running
◦ Check newsgroups for details on posted messages
◦ Knowing a company's e-mail address makes the search easier
Goal
◦ To get OS information from company employees
Common techniques
◦ Urgency
◦ Quid pro quo
◦ Status quo
◦ Kindness
◦ Position
Train your employees about social engineering techniques
Trojan programs spread as
◦ E-mail attachments
◦ Fake patches or security fixes that can be downloaded from the Internet
Trojan program functions
◦ Allow for remote administration
◦ Create an FTP server on the attacked machine
◦ Steal passwords
◦ Log all keys a user enters, and e-mail the results to the attacker
Linux Trojan programs disguised as legitimate programs
◦ Can use legitimate outbound ports
◦ Firewalls and IDSs cannot identify this traffic as malicious
◦ E.g.: Sheepshank uses port 80 HTTP GET (p. 214)
It is easier to protect systems from already identified Trojan programs
◦ E.g.: Trojan.Linux.JBellz, Remote Shell, Dextenea
Rootkits
◦ Contain Trojan binary programs ready to be installed by an intruder with root access to the system
◦ Attackers hide the tools used for later attacks
◦ Replace legitimate commands with Trojan programs
◦ E.g.: LRK5
Tools to check for rootkits
◦ Rootkit Hunter
◦ Chkrootkit
• Scan the system(s) for unpatched code/modules
• Intruders usually focus on a small number of exploits
A Trojan horse is a malicious program that is disguised as legitimate software
◦ Trojan horse programs are bundled in the form of "rootkits"
◦ Rootkits were originally written for Sun's Berkeley flavor of Unix (SunOS 4)
A rootkit is a set of tools used by an intruder after cracking a computer system
◦ Helps the attacker maintain his or her access to the system and use it for malicious purposes
◦ Hides data that indicates an intruder has control of your system
◦ Rootkits exist for a variety of operating systems such as Linux, Solaris and Microsoft Windows
Rootkits were first developed for Unix
◦ Back in the 1980's, determining what was happening on your Unix box wasn't too hard
◦ A set of "service tools" report status, maintain logs and provide user feedback on the current state of the system
User account information, e.g.: who, last, login, passwd
Process/file information, e.g.: ls, find, du, top, pidof
Network information, e.g.: netstat, ifconfig, rshd, telnet
System/user logs, e.g.: /var/log/messages
Scheduler information, e.g.: crontab
[Figure labels: Future, Present, Past]
Early rootkits were bundles of programs that replaced these service binaries with Trojans
For example, the "last" binary replaced by the following wrapper script, which drops the attacker's own logins from the login history before it is displayed:
    last | awk '$1 !~ /malliciousUserName/ {print $0}'
Linux RootKit 5 (lrk5)
◦ Written by Lord Somer
◦ One of the most full-featured rootkits
◦ Includes Trojan versions of the following: chfn, chsh, crontab, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, and su
Get a program to scan /bin/login and see if it has been corrupted
◦ Tools like Tripwire can check the integrity of the file if a hash has been generated at install time
Identify and replace the files that have been modified
◦ Use an md5 checksum to check the authenticity of the program
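A minimal Tripwire-style check of the kind the two slides above describe, written here as an added example (not code from the slides): it records a baseline of file hashes at install time, later reports files whose hash changed, that appeared or vanished, and flags a system binary that has turned into a "#!" script like the trojaned `last` wrapper shown earlier. It assumes POSIX sh with find, sort, awk, mktemp, sha256sum and head -c; sha256sum is used in place of the md5 checksum the slide names (md5sum works the same way), and all paths in the demonstration are constructed.

```sh
#!/bin/sh
# Minimal Tripwire-style integrity check (added example; not from the slides).
# Assumes POSIX sh with find, sort, awk, mktemp, sha256sum and head -c.
# sha256sum stands in for the md5 checksum mentioned above; md5sum works too.

# baseline DIR BASEFILE: record "hash  path" for every regular file in DIR,
# ideally right after install, before an intruder can swap binaries.
baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$2"
}

# has_path LISTING PATH: succeed if PATH (field 2) occurs in a hash listing.
has_path() {
    awk -v p="$2" '$2 == p { f = 1 } END { exit f ? 0 : 1 }' "$1"
}

# verify DIR BASEFILE: print one line per finding and return 1 if any.
#   MODIFIED  hash differs from the baseline (e.g. a trojaned /bin/last)
#   MISSING   file in the baseline no longer exists
#   ADDED     file not in the baseline (a dropped tool, a bindshell, ...)
#   WRAPPER   file now starts with "#!": a script has replaced a binary,
#             like the 'last | awk' wrapper shown above
verify() {
    dir=$1; base=$2; rc=0; tmp=$(mktemp)
    baseline "$dir" "$tmp"
    while read -r hash path; do
        cur=$(awk -v p="$path" '$2 == p { print $1 }' "$tmp")
        if [ -z "$cur" ]; then echo "MISSING  $path"; rc=1
        elif [ "$cur" != "$hash" ]; then echo "MODIFIED $path"; rc=1
        fi
    done < "$base"
    while read -r hash path; do
        has_path "$base" "$path" || { echo "ADDED    $path"; rc=1; }
        [ "$(head -c 2 "$path")" = "#!" ] && { echo "WRAPPER  $path"; rc=1; }
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}
```

Run `baseline /bin /root/bin.sha256` once from known-good media, keep the listing offline, and schedule `verify /bin /root/bin.sha256`; a baseline stored on the same host can be edited by the same intruder who replaced the binaries.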
Tools
◦ Chkrootkit
◦ Tripwire
◦ Rkscan
◦ Carbonite
◦ Rkdet
◦ Checkps
◦ LSM (Loadable Security Module)
◦ LCAP (Linux Kernel Capability Bounding Set Editor)
Checks performed by chkrootkit (tests and binaries it examines):
aliens, sniffer, basename, dirname, grep, identd, asp, wted, biff, echo, inetdconf, mail, bindshell, scalper, chfn, egrep, hdparm, killall, lkm, slapper, chsh, env, ifconfig, ldsopreload, rexedcs, amd, cron, find, su, login, du, z2, date, fingerd, inetd, ls, mingetty, pop3, sendmail, telnetd, w, write, pidof, slogin, syslogd, tcpdump, traceroute, timed, passwd, rshd, tcpd, sshd, tar, top, rpcinfo, gpm, pstree, ps, named, netstat, pop2, rlogind, lsof, init

Rootkits, worms and LKMs detected by chkrootkit:
01. lrk3, lrk4, lrk5, lrk6 (and variants); 02. Solaris rootkit; 03. FreeBSD rootkit; 04. t0rn (and variants); 05. Ambient's Rootkit (ARK); 06. Ramen Worm; 07. rh[67]-shaper; 08. RSHA;
09. Romanian rootkit; 10. RK17; 11. Lion Worm; 12. Adore Worm; 13. LPD Worm; 14. kenny-rk; 15. Adore LKM; 16. ShitC Worm;
17. Omega Worm; 18. Wormkit Worm; 19. Maniac-RK; 20. dsc-rootkit; 21. Ducoci rootkit; 22. x.c Worm; 23. RST.b trojan; 24. duarawkz;
25. knark LKM; 26. Monkit; 27. Hidrootkit; 28. Bobkit; 29. Pizdakit; 30. t0rn v8.0; 31. Showtee; 32. Optickit; 33. T.R.K;
34. MithRa's Rootkit; 35. George; 36. SucKIT; 37. Scalper; 38. Slapper A, B, C and D; 39. OpenBSD rk v1; 40. Illogic rootkit; 41. SK rootkit;
42. sebek LKM; 43. Romanian rootkit; 44. LOC rootkit; 45. shv4 rootkit; 46. Aquatica rootkit; 47. ZK rootkit.
Buffer overflows write code to the OS's memory
◦ Then run some type of program
◦ Can elevate the attacker's permissions to the level of the owner
A buffer overflow program looks like (listing shown on the slide, not reproduced in this transcript)
The program compiles, but returns the following error (output shown on the slide, not reproduced in this transcript)
Guidelines to help reduce this type of attack
◦ Avoid functions known to have buffer overflow vulnerabilities: strcpy(), strcat(), sprintf(), gets()
◦ Configure the OS to not allow code in the stack to run any other executable code in the stack
◦ Use compilers that warn programmers when the functions listed in the first bullet are used
Sniffers work by setting a network card adapter in promiscuous mode
◦ The NIC accepts all packets that traverse the network cable
Attackers can analyze packets and learn user names and passwords
◦ Avoid using protocols such as Telnet, HTTP, and FTP that send data in clear text
Sniffers
◦ Tcpdump, Ethereal (Wireshark)

Protecting Linux operating system
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using
◦ Verify the caller's identity
◦ Call-back technique
Keep current on new kernel releases and security updates
◦ Installing these fixes is essential to protecting your system
◦ Use automated tools for updating your systems