Big Game Hunting - 44CON 2012
# Big Game Hunting_
Simple techniques for bug hunting on big iron UNIX

```
$ ln -s /important /tmp/...
$ sudo ./...
$ ls -la /important
-rw-rw-rw- 1 root root 1798 Aug  2 10:39 /important
```
44con, London, 2012, Tim Brown, Portcullis Computer Security Ltd
# whoami_
# Tim Brown
# @timb_machine
# Head Of Research at Portcullis Computer Security Ltd
# http://www.nthdimension.org.uk/
# last_
# >15 years of UNIX experience
# Background in telcos and finance
# 9 years at Portcullis
# More at http://44con.com/speaker/timbrown/
# cat .plan_
# Auditing
# Problems
# Solutions
# Going further
# Why?
# The attack surface
# In the real world
# In the lab
# Auditing_
# Problems
# Solutions
# Problems_
# Limited access
# Varying OS capabilities
# Multiple solutions
# Differences in requirements
# Limited access_
# Client doesn't own the system
# Client doesn't want to give (root) access
# System is physically unavailable
# System is a black box
# Varying OS capabilities_
# Standards leave elements undefined
# OS tool chain not sufficient
# * GNU/Linux moves much faster than commercial OS
# Solaris 10 (much) > Solaris 8
# Multiple solutions_
# How do you lock an account?
# passwd -l?
# Change the shell?
# Etc...
# If you don't run sendmail, should the configuration still be hardened?
# Differences in requirements_
# Which audit methodology do you use?
# Vendors?
# US DoD?
# CIS?
# Etc...
# What if they differ significantly?
# Would you know?
# Solutions_
# Better scripts
# Gap analysis
# C(ommon) C(onfiguration) E(numeration)
# Smarter humans
# Gap analysis_
# We probably need to know what different methodologies check for
# I wish someone else had done it
# C(ommon) C(onfiguration) E(numeration)_
# They have (kinda):
# http://cce.mitre.org/
# Incomplete# Missing various OS
# Not sure I agree with their methodology
# No mention of gap analysis (AIX guy may not know Solaris and vice versa)
# They consider outcome, not technique
# Smarter humans_
# I don't scale well!
# We all need training when it comes to stuff we don't see every day
# Maybe talks like this will help DevOps get their shit together?
# Going further_
# Why?
# The attack surface
# In the real world
# Why?_
# Bug hunting
# More importantly, auditing fails to answer the hard question – did you want segregation of roles with that?
# The attack surface_
| Layer | Exposed via |
|---|---|
| OS | Kernel, Services |
| Enterprise apps | Services, Batch jobs, User roles |
| DevOps | Batch jobs, User roles |
| Users | Misfortune, Malice |
# If “everything is a file”, we need to get better at analysing the files...
# In the real world_
# The OS should protect us from ourselves
# Enterprise applications continue to accumulate features
# DevOps will replace us all with shell scripts
# OS flaws_
# Bad standards
# Forks
# Poor defaults
# Incorrectly implemented separation of privileges
# Poorly implemented administrative functionality
# Incomplete anti-exploitation mitigations
# Examples_
# Shared code such as CDE
# Binaries owned by “bin” user
# Binaries such as telnet and ftp being SetUID
# WPAR isolation
# Patching may be the problem, not the solution
# Anti-exploit mitigations_

| Mitigation | * GNU/Linux | AIX |
|---|---|---|
| Mandatory access control | Y | N (Y in Trusted AIX) |
| Non-executable stack | Y | N (select mode by default) |
| ASLR | Y | N |
| Hardened malloc() | Y | N (Y with Watson malloc()) |
| Stack cookies and other compile time mitigations | Y (glibc) | N |
| mmap() NULL | N | N |
# Non-executable stack?_

```
# sedmgr
Stack Execution Disable (SED) mode: select
SED configured in kernel: select
# find / -perm -u+s -exec sedmgr -d {} \; | grep -v system
/opt/IBMinvscout/sbin/invscout_lsvpd : Not a recognized executable format.
#
```
# ASLR?_
```
# ./aslr
REMOVE
system() = f1ab5d70
bos.rte.libc 6.1.3.11 ROOT REJECT SUCCESS
bos.rte.libc 6.1.3.11 USR REJECT SUCCESS
ADD
system() = f1c05490
bos.rte.libc 6.1.3.11 USR APPLY SUCCESS
bos.rte.libc 6.1.3.11 ROOT APPLY SUCCESS
REMOVE
system() = f1d4bd70
bos.rte.libc 6.1.3.11 ROOT REJECT SUCCESS
bos.rte.libc 6.1.3.11 USR REJECT SUCCESS
ADD
system() = f1e9b490
bos.rte.libc 6.1.3.11 USR APPLY SUCCESS
bos.rte.libc 6.1.3.11 ROOT APPLY SUCCESS
```
# Hardened malloc()_
# Check out David Litchfield's paper “Heap overflows on AIX 5”
# Also, “Enhancements in AIX 5L Version 5.3 for application development” mentions a number of enhancements / possible areas of concern
# Hardened malloc() ++_
```
$ ls -la malloc
-rwsr-xr-x 1 root system 53648 Sep 04 22:41 malloc
$ MALLOCTYPE=watson
$ export MALLOCTYPE
$ ./malloc
blah
$ MALLOCDEBUG=catch_overflow ./malloc
Segmentation fault
```
# Enterprise “features”_
# Data# The real value of your system
# “Interesting” code
# More code is always bad, but OS code at least benefits more from the “many eyes” principle – assuming the “many eyes” are actually looking – your enterprise app may not
# “Interesting” code_
# Backdoors
# Proprietary protocols
# Embedded library copies
# Changes to user environment
# Insecure API usage
# Missing anti-exploitation techniques
# Key material and entropy
# Java :)
# Practising unsafe DevOps_
# Build infrastructure
# Cron, cron, cron
# .rhosts
# Sudo :)
# Init and inetd
# User provisioning and access management
# Key material
# NFS
# Cron, cron, cron_
# Your shell script just ran over my shadow
```
# grep victim /var/spool/cron/crontabs/*
/var/spool/cron/crontabs/root:0 01 * * * /opt/victim/start.sh
# cat /opt/victim/start.sh
...
umask 000
OUTDIR=/tmp
...
service=/opt/victim/service
...
OUTFILE="${OUTDIR}/${DATE}_${TIME}.log"
...
$service -o ${OUTFILE}
```
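A hardened rewrite of the start.sh pattern above, added here as an example and not code from the talk. The function names are assumed, the real service is stood in for by `cat`, and the job writes to an owner-only directory rather than /tmp:

```shell
#!/bin/sh
# Added example, not from the talk: the /opt/victim/start.sh pattern above,
# rewritten so a root cron job cannot be steered into writing through a
# symlink planted in a shared directory. Function names are assumed and the
# real service is stood in for by `cat`, so the script runs anywhere.
set -u
umask 077                            # the original used umask 000

# Create the job's log file safely. Refuses if DIR is a symlink or is not
# owned by the caller, or if something already sits at the predictable name
# (someone planted it). mktemp then creates the file with O_EXCL and mode
# 0600 under a random suffix, so the final name cannot be guessed either.
# Prints the created path; returns 1 without writing anything on refusal.
safe_logfile() {                     # usage: safe_logfile DIR NAME
    dir=$1; name=$2
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    if [ -e "$dir/$name" ] || [ -L "$dir/$name" ]; then
        return 1
    fi
    mktemp "$dir/$name.XXXXXX"
}

# The cron job body: an owner-only directory instead of /tmp, and the
# service only starts once the log file exists and is verifiably ours.
run_job() {                          # usage: run_job DIR -> prints log path
    ts=$(date +%Y%m%d_%H%M%S)
    out=$(safe_logfile "$1" "$ts.log") || return 1
    printf 'service output\n' | cat > "$out"   # stand-in for: $service -o "$out"
    printf '%s\n' "$out"
}

# Demo in a throwaway directory: a planted symlink at the expected name is
# refused; a normal run yields a 0600 regular file.
demo_dir=$(mktemp -d)
chmod 700 "$demo_dir"
ln -s /etc/passwd "$demo_dir/planted.log"
if safe_logfile "$demo_dir" planted.log >/dev/null; then
    echo "unexpected: accepted a planted symlink"
else
    echo "refused planted symlink"
fi
log=$(run_job "$demo_dir") && ls -l "$log"
rm -rf "$demo_dir"
```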
# In the lab_
# Systems
# Books
# Code
# Tools
# Techniques
# Systems_
# Buy or emulate the systems you see in the wild
# Better still, buy or emulate those you don't – they're still there!
# Books_
# If you understand how one OS works, the next OS you look at might just work in a similar way (with similar bugs / different edge cases):
# Vendor web sites
# Man pages
# Solaris Systems Programming and Solaris Internals are great books
# Code_
# Next time code leaks, take a look; your adversaries will
# Identify lists like oss-security: fewer size contests mean more signal and less noise
# .jar files are human readable
# Tools_
# strings and grep
# truss and strace
# DTrace and SystemTap
# objdump, GDB and IDA
# jad, JD-GUI and friends
# Compilers
# checksec.sh (for * GNU/Linux)
# unix-privesc-check
# Techniques_
# Sometimes the same crash on another OS yields greater joy – the Solaris stack for a certain RPC service isn't munged
# SetUID binaries can often be exploited via obscure environment variables – ++ local roots for IBM products :)
# Old techniques can be reapplied – glob() style bugs still afflict AIX
# Techniques ++_
# Auditing (the other type) will catch stuff you might miss
# Decompile .jar files
# Check what libraries $enterpriseapp ships with (don't forget to check for embedded JVMs)
# Techniques ++_
# Check against Microsoft's banned API list
# Check for anti-exploitation mitigations
# DT_RPATH AKA Import File Strings
# DT_RPATH AKA Import File Strings_
```
# dump -Hv kbbacf1

kbbacf1:

                        ***Loader Section***
                      Loader Header Information
VERSION#         #SYMtableENT     #RELOCent        LENidSTR
0x00000001       0x0000000f       0x0000001c       0x000000b5

#IMPfilID        OFFidSTR         LENstrTBL        OFFstrTBL
0x00000007       0x000002d8       0x00000063       0x0000038d

                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      /usr/lib:/lib::/opt/IBM/ITM/tmaitm6/links/aix51/lib:.:./lib:../lib::
```
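A check for the kind of library search path the dump above exposes, added here as an example rather than code from the talk. The function name `check_libpath` is assumed, the sample input is a constructed transcript built from the slide's output, and it goes beyond the slide by also reading the RPATH/RUNPATH lines `readelf -d` prints for ELF binaries:

```shell
#!/bin/sh
# Added example, not from the talk: flag risky library search-path entries in
# the `dump -Hv` Import File Strings section shown above and, going beyond the
# slide, in the equivalent RPATH/RUNPATH lines `readelf -d` prints for an ELF
# binary. SAMPLE is a constructed transcript (the AIX output from the slide
# plus one readelf line); on a live system pipe the real tool output in.
SAMPLE='                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      /usr/lib:/lib::/opt/IBM/ITM/tmaitm6/links/aix51/lib:.:./lib:../lib::
1                                    libc.a              shr.o
 0x000000000000000f (RPATH)          Library rpath: [$ORIGIN/../lib:/tmp/lib]'

# check_libpath (assumed name) reads tool output on stdin, prints one finding
# per line and returns 1 if any. Flagged: empty entries (the current directory
# on Linux-style loaders; assumed unsafe for any loader), "." and other
# relative paths, $ORIGIN (safe only if the binary's own directory is
# root-owned), and anything under /tmp or /var/tmp.
check_libpath() {
    awk '
    function check(path,   n, p, i, c) {
        n = split(path, p, ":")
        for (i = 1; i <= n; i++) {
            c = p[i]
            if (c == "")                         { print "empty entry (cwd)"; bad = 1 }
            else if (c ~ /^[$]ORIGIN/)           { print "origin-relative: " c; bad = 1 }
            else if (c !~ /^\//)                 { print "relative: " c; bad = 1 }
            else if (c ~ /^\/(var\/)?tmp(\/|$)/) { print "world-writable: " c; bad = 1 }
        }
    }
    BEGIN { bad = 0 }
    index($0, "***Import File Strings***") { aix = 1; next }   # AIX dump -Hv
    aix && $1 == "0" { check($2); aix = 0; next }               # index 0 is the libpath
    /\((RPATH|RUNPATH)\)/ {                                      # ELF readelf -d
        s = index($0, "["); e = index($0, "]")
        if (s && e > s) check(substr($0, s + 1, e - s - 1))
    }
    END { exit bad }'
}

# Demo over the constructed sample; non-zero exit means findings were printed.
printf '%s\n' "$SAMPLE" | check_libpath || echo "unsafe search-path entries found"
```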
# unix-privesc-check_
# Originally conceived by @pentestmonkey
# I'm working on 2.x
# Code will be made real soon now!
# Conclusions_
# Ask yourself “who analysed the OS?”; “do I care about segregation of roles?”; “do I know what my applications are doing?”; “do I care what my DevOps teams are bringing to the party?”
# If these questions matter, don't audit, whitebox
# Questions_
< /dev/audience