Privileged Programs


James Walden, Northern Kentucky University. Privileged Programs. Topics: Privilege Escalation, SetUID, Race Conditions. PowerPoint PPT presentation.

Transcript of Privileged Programs

  • Privileged Programs
    James Walden, Northern Kentucky University

  • Topics
    - Privilege Escalation
    - SetUID
    - Race Conditions

  • Privilege Escalation
    Privileged programs: programs that have privileges to perform operations that the user running them would not otherwise have the right to do.
    Privilege escalation: using a privileged program to obtain additional privileges beyond those the user ordinarily has.
    - Vertical: user gains uncontrolled access to the privileged program and is able to perform any action the privileged user could perform.
    - Horizontal: user uses the program to gain access to other users' data that he would not otherwise be able to see.

  • UNIX User IDs
    - Real User ID (UID or RUID): the owner of the process.
    - Effective User ID (EUID): the UID used by the operating system to make access control decisions.
    - Saved User ID (SUID): stores the previous UID so that it can be restored later. Usually set to EUID when a SETUID program starts.

  • Propagation of User IDs
    - fork(): all new processes are created via fork(). The child process inherits the 3 UIDs from its parent.
    - exec(): loads a program image from a file. Does not change UIDs unless the program is SETUID, in which case EUID and SUID are set to the UID of the file owner.

  • SetUID Programs
    - login: Uses SetUID privilege to change user IDs to those of the user who successfully authenticates to the login program. See also ssh, vmware-authd.
    - passwd: Uses SetUID privilege to modify /etc/shadow to change the user's password.
    - crontab: Requires SetUID privilege to install and modify cron configuration files for [rest of entry missing from transcript].
    - [program name missing from transcript]: Uses SetUID privilege to access raw network sockets and send broadcasts.

  • Privilege Profiles

  • Privilege Management Functions

  • Chen, Wagner, Dean API

  • Linux Capabilities
    Divide monolithic root into capabilities. Examples: [list not in transcript]

  • Linux Capabilities
    Files and processes have 3 capability sets:
    - Inheritable: capabilities that will be inherited by child processes.
    - Permitted: capabilities that the current process can obtain if it requests them.
    - Effective: capabilities that will be applied to access control decisions for the current process.
    Capabilities set when executing a program:
        pI = pI    (inheritable set is unchanged)
        pP = (X & fP) | (pI & fI)
        pE = fE ? pP : [else-branch missing from transcript]
    where X is the per-process capability bounding set.

  • Limit Filesystem Privilege
    Use chroot(path) to change the system root.
    - Program sees path as /.
    - All files needed must be under path:
      - /etc/passwd: only contains necessary accounts
      - /lib/ and any other shared libraries.
    How to chroot() safely:
    1. Close all open file descriptors.
    2. Call chroot(), check errors, then chdir().
    3. Drop privileges.
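The three chroot steps above, as an added C example that is not from the slides: a constructed enter_jail() that closes inherited descriptors, chroot()s, chdir()s into the new root and then drops privileges, verifying that root cannot be regained. The jail path and uid/gid are assumed arguments; the demo function exercises only the descriptor-closing step, since the others need root.

```c
#define _GNU_SOURCE          /* for chroot(), setgroups() declarations on glibc */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1: close every inherited descriptor from lowfd upward, so no open
 * handle to a directory above the new root survives into the jail. */
void close_fds_from(int lowfd)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0) maxfd = 1024;               /* conservative fallback */
    for (long fd = lowfd; fd < maxfd; fd++)
        close((int)fd);
}

/* Step 3: give up root for good and confirm it cannot be regained.
 * Supplementary groups first, then gid, then uid (uid last, or the others fail). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* could get root back: refuse to continue */
    return 0;
}

/* Enter the jail in the order the slide gives: close fds, chroot(), check the
 * error, chdir() into the new root, then drop privileges. Returns 0 or -1. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(jail, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;                              /* refuse before closing anything */
    close_fds_from(3);
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0) return -1;             /* cwd must not stay outside the jail */
    return drop_privileges(uid, gid);
}

/* Demo of the descriptor-closing step (the rest needs root): park a copy of
 * stderr at descriptor 100, close from 100 upward, confirm it is gone. */
int demo_close_fds(void)
{
    if (dup2(2, 100) != 100) return 0;
    close_fds_from(100);
    return fcntl(100, F_GETFD) == -1 && errno == EBADF;
}
```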

  • Breaking out of a chroot() jail
    Re-chroot() with an open filehandle above the new root:
    - Create temporary directory in CWD.
    - Open CWD, keeping an open fh above tmpdir.
    - chroot(tmpdir)
    - Use fchdir() with the CWD fh to move CWD outside the chrooted area.
    - Perform chdir(..) to move CWD to /.
    - chroot(.), making root the real /.
    Direct disk access:
    - Use mknod() to create a raw disk device.
    - Edit files directly using the raw disk.
    Direct memory access:
    - Use mknod() to create /dev/kmem.
    - Modify /dev/kmem to alter the running OS kernel.

  • What is a Race Condition?
    Incorrect behavior arising from an unexpected dependency on the relative timing of events.
    - Timing of events on a multitasking system depends on system load.
    - Events generally happen in the expected order.
    - On a multitasking system, processes can be interrupted between any two instructions.
    - Private resources (memory) are protected.
    - Shared resources (filesystem, network) can be modified by the interrupting process.

  • Java Servlet Hit Counter
    // Example from BSS, pp. 210-211
    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.http.*;

    public class Counter extends HttpServlet {
        int count = 0;   // shared by every request thread: the race is here

        public void doGet(HttpServletRequest in, HttpServletResponse out)
                throws ServletException, IOException {
            out.setContentType("text/plain");
            PrintWriter p = out.getWriter();
            count++;                               // step 1: unsynchronized increment
            p.println(count + " hits so far!");    // step 2: may read another thread's increment
        }
    }

  • Analysis of Hit Counter
    Assumes variable count does not change between incrementing and printing.
    What if users A + B hit the page at approximately the same time?
    - A is first, count = 1
    - B is second, before println occurs, count = 2
    - A sees "2 hits so far"
    - B sees "2 hits so far"

  • Window of Vulnerability
    Period of time when violating an assumption about the order of events will produce incorrect behavior.
    Generally [rest of slide missing from transcript]

  • Critical Sections
    Segment of code which may only be executed by one thread at a time.
    Critical section executes atomically from the viewpoint of other threads.
    Performance impact:
    - Other threads must wait for the thread in the critical section to finish executing.
    - Limit critical section size.

  • Synchronized Hit Counter
    // Example from BSS, p. 213
    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.http.*;

    public class Counter extends HttpServlet {
        int count = 0;

        public void doGet(HttpServletRequest in, HttpServletResponse out)
                throws ServletException, IOException {
            int mycount;
            out.setContentType("text/plain");
            PrintWriter p = out.getWriter();
            synchronized (this) {                  // critical section: increment and read as one step
                mycount = ++count;
            }
            p.println(mycount + " hits so far!");  // prints this thread's own value
        }
    }

  • Time of Check, Time of Use
    TOCTOU security flaw:
    1. Perform access control check of resource.
    2. Access resource.
    Problem:
    - Has the resource ACL changed between steps?
    - Has the resource changed between steps, perhaps pointing to a different file or URL?

  • UNIX Example
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    void writeFile(int fd);     /* writes the program's output to fd; body not shown on the slide */

    int main(int argc, char *argv[])
    {
        int fd;
        /* check (access) and use (open) are two separate steps on a pathname */
        if (access(argv[1], W_OK) == 0) {
            fd = open(argv[1], O_WRONLY);
            writeFile(fd);
        } else {
            perror("Permission denied.\n");
            exit(1);
        }
        return 0;
    }

  • Analysis
    Window of Vulnerability: time between access() and open().
    Exploit: rebind the filename.
    - Give filename as argument: /tmp/x
    - After access(), delete /tmp/x
    - Create link named /tmp/x pointing at a root-owned file like /etc/passwd or /.rhosts
    Example: xterm log file race condition
    - Historically xterm was setuid to access utmp.
    - Could write log file to save xterm session.

  • ex: passwd [Bishop, 1996]
    passwd: allows user-specified passwd file
    Normal functioning:
    1. opens passwd file + reads user entry; closes
    2. creates + opens temp file ptmp in same directory
    3. opens passwd file again, then copies contents to ptmp with user changes
    4. closes both passwd and ptmp files; renames ptmp to passwd

  • ex: passwd (cont.)
    Attacker Goal: rewrite /user/.rhosts
    - contents: localhost attacker :::::
    - exploit: rlogin -l user localhost
    Plan of Attack
    - Create exploit .rhosts file in attack directory
    - Specify passwd file to be in attack directory
    - steps 1 + 3: directory containing passwd file is attack directory
    - steps 2 + 4: directory containing passwd: /user

  • passwd attack setup
    mkdir attackdir
    echo localhost attacker ::::: > attackdir/.rhosts

    # want link to point to attackdir for step 1
    ln -s attackdir link
    # specify password file using symlink dir
    passwd link/.rhosts

  • passwd: step by step
    1. passwd program opens + reads link/.rhosts
       actual file: attackdir/.rhosts
       Attacker changes link to point to /user
    2. passwd program creates + opens link/ptmp
       actual file: /user/ptmp
       Attacker changes link to point to attackdir

  • passwd: step by step
    3. passwd program opens link/.rhosts
       actual file: attackdir/.rhosts
       passwd program copies contents to ptmp
       actual file: /user/ptmp
       Attacker changes link to point to /user

  • passwd: step by step
    4. passwd program closes link/.rhosts + ptmp
       passwd program renames ptmp to link/.rhosts
       actual file: /user/.rhosts

    Password file is now the target user's .rhosts. We can now rlogin to their account without needing a password.

  • UNIX File Binding
    UNIX provides two forms of naming:
    - pathname
      - universal mapping of names to objects
      - indirect: requires parent directories to identify file
      - mapping can be changed by another process
    - file descriptor
      - per-process mapping of identifiers to objects
      - direct: file descriptor points directly to object
      - mapping cannot be changed by another process

  • TOCTOU Binding Flaws
    Occur with two sequential system calls:
    - insecure: both calls refer to the same object by pathname.
    - insecure: one call uses a file descriptor, the other a pathname.
    - secure: first call binds a file descriptor to the pathname, second uses that file descriptor.
    Solution: use calls that use file descriptors.
    Problem: some calls require pathnames.

  • TOCTOU Binding Flaws
    Solution: use calls that use file descriptors.
    - fchmod() instead of chmod()
    - fchown() instead of chown()
    - fstat() instead of stat()
    Problem: calls that only use pathnames:
    - unlink(), symlink()
    - mkdir(), rmdir()

  • Safe File Open
    1. lstat() file before opening, saving stat structure.
    2. open() file, obtaining file descriptor:
       - use O_CREAT | O_EXCL flags.
       - specify permissions in open() call or use safe umask.
    3. fstat() on file descriptor, saving stat structure.
    4. Compare permissions (st_mode), inode (st_ino), and device (st_dev) of the two stat structures. If identical, we know lstat() happened on the same file we opened and that we did not follow a link.
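An added C example, not from the slides, that implements the recipe above and is also the fix for the access()/open() race in the UNIX Example earlier: lstat(), open(), fstat() and a st_dev/st_ino/st_mode comparison for existing files, and O_CREAT | O_EXCL with an explicit mode for new ones. The function names and the constructed /tmp directory used by the demo are assumptions.

```c
#define _GNU_SOURCE          /* for lstat(), mkdtemp(), symlink() declarations on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing file only if the object lstat() saw is a regular file and
 * is the very same object (device, inode, mode) that open() gave us. */
int safe_open_existing(const char *path, int flags)
{
    struct stat before, after;
    if (lstat(path, &before) != 0 || !S_ISREG(before.st_mode))
        return -1;                           /* symlink, dir, device, ...: reject */
    int fd = open(path, flags & ~O_CREAT);   /* this function never creates */
    if (fd < 0)
        return -1;
    if (fstat(fd, &after) != 0 || before.st_dev != after.st_dev ||
        before.st_ino != after.st_ino || before.st_mode != after.st_mode) {
        close(fd);                           /* path was rebound between check and use */
        return -1;
    }
    return fd;
}

/* Create a file that must not exist yet. O_EXCL makes open() fail rather than
 * follow a pre-planted symlink, and the mode is explicit instead of umask-based. */
int safe_create(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
}

/* Demo: a regular file opens; a symlink to that same file is refused even
 * though the target is fine. Uses a constructed directory under /tmp. */
int demo_safe_open(void)
{
    char dir[] = "/tmp/safeopen.XXXXXX", file[64], alias[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    int fd = safe_create(file, 0600);
    int created = fd >= 0 && write(fd, "x", 1) == 1 && close(fd) == 0;
    int direct = created ? safe_open_existing(file, O_RDONLY) : -1;
    int via_link = symlink(file, alias) == 0 ? safe_open_existing(alias, O_RDONLY) : -2;
    if (direct >= 0) close(direct);
    unlink(alias); unlink(file); rmdir(dir);
    return direct >= 0 && via_link == -1;
}
```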

  • Safe setuid File Operations
    Using access() is always a race condition.
    1. Change process EUID/EGID to the real UID/GID we want to use for the check:
       setreuid( EUID, UID )
    2. Perform file operations (access checks will apply to EUID/EGID).
    3. Change back to privileged EUID/EGID when privileges are needed again:
       setreuid( UID, EUID )

  • When pathnames are necessary
    - Keep files in their own, safe directory.
    - Set perms so only UID of program can access.
    - Ensure parent directories are secure too:
      mkdir safe directory
      chdir safe directory
      chdir .. + check permissions until reach root

  • Temporary Files
    C library filename generation functions: always a race.
    - tmpfile(): insecure, varies between UNIXes.
    - mkstemp() is best choice, but
      - creates files with mode 0666 on older systems.
      - can lead to a denial of service if attacker precreates files.
    Solution: use private dir for temporary files.
    - Create directory securely.
    - Set permissions so only program can execute.
    - Use unlink() on file [slide truncated in transcript]
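The private-directory approach above, as an added C example that is not from the slides: mkdtemp() for the directory, mkstemp() inside it, an explicit fchmod() to cover the older 0666 behaviour, then unlink() so the file is reachable only through the descriptor. The /tmp prefix and function names are constructed here.

```c
#define _GNU_SOURCE          /* for mkdtemp(), fchmod() declarations on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Temp file per the slide: a private directory from mkdtemp() (mode 0700, name
 * chosen atomically so nothing can be precreated inside it), mkstemp() in that
 * directory, an explicit fchmod() to 0600 in case the C library made it 0666,
 * then unlink() so the file is reachable only through our descriptor.
 * Returns the fd or -1; on success dir_out receives the directory to rmdir(). */
int private_tempfile(char *dir_out, size_t dir_len)
{
    char dir[] = "/tmp/privtmp.XXXXXX", path[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/work.XXXXXX", dir);
    int fd = mkstemp(path);                      /* O_CREAT | O_EXCL underneath */
    if (fd < 0 || fchmod(fd, 0600) != 0 || unlink(path) != 0) {
        if (fd >= 0) close(fd);
        rmdir(dir);
        return -1;
    }
    snprintf(dir_out, dir_len, "%s", dir);
    return fd;
}

/* The properties the recipe is meant to guarantee for an open descriptor:
 * a regular file, owner-only permissions, and no directory entry left behind. */
int tempfile_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600 && st.st_nlink == 0;
}

/* Demo: create, verify, write scratch data, clean up. Returns 1 on success. */
int demo_tempfile(void)
{
    char dir[64];
    int fd = private_tempfile(dir, sizeof dir);
    if (fd < 0) return 0;
    int ok = tempfile_is_private(fd) && write(fd, "scratch", 7) == 7;
    close(fd);
    return ok && rmdir(dir) == 0;                /* empty: the file was unlinked */
}
```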