Understanding Linux Operations for Worms and Trojan type Attacks.
11. Exploits
The diversity of today's networks exposes your system to a wide variety of possible security-related incidents. To protect your systems, you must be aware of these exploits. While previous sections explained the types of people to protect against, and the reasons they attack, this section attempts to explain the types of exploits that are typically performed to break into a computer system.
There are several exploits that won't be mentioned here, such as macro code attacks and virus infections, to which Linux and Unix in general are not susceptible. However, any Windows-based systems that connect to a Linux host will be susceptible, via shared filesystems, electronic mail, etc.
There are now several programs available to check your system for the most common exploits. The rootshell site, http://www.rootshell.com, has several of these programs, and another is available at ftp://ftp.fu-berlin.de/unix/security/chkexploit/
11.1 Worm Attacks
Worms are programs which replicate themselves, but unlike viruses they do not modify other programs and are not triggered by user actions. Worms are self-contained programs that attack systems or other programs without changing them in any way, and that typically use networks to accomplish this. The Internet Worm, which reportedly gained access to more than 6,000 Unix systems, flooded the Internet with so many access requests that it became unusable. These are nowhere near as common as they once were.
11.2 Trojan Horse Programs
A trojan horse is an unauthorized, self-contained program that is not self-replicating. It is often hidden or given a misleading name to avoid suspicion.
A Trojan Horse is named after the fabled ploy in Homer's great literary work. The idea is that you put up a program or binary that sounds great, and get other people to download it and run it as root. Then, you can compromise their system while they are not paying attention. While they think the binary they just pulled down does one thing (and it might very well), it also compromises their security.
You should take care about which programs you install on your machine. Red Hat provides MD5 checksums and PGP-signs RPM files so you can verify you are installing the real thing. Other distributions have similar methods. You should never run as root any binary you don't have the source for, unless it is a well-known binary! Few attackers are willing to release source code to public scrutiny.
Although it can be complex, make sure you are getting the source for a program from its real distribution site. If the program is going to run as root, make sure either you or someone you trust has looked over the source and verified it.
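As an added example (not part of the original guide), a small shell routine that checks a downloaded package against a vendor's published MD5 sums file and refuses anything that does not match or is not listed. The sums-file format is assumed to be plain md5sum output, and the demo packages and sums are constructed inline; the rpm --checksig step for the PGP signature is mentioned in a comment.

```shell
#!/bin/sh
# Verify a downloaded package against the MD5 sums a vendor publishes before
# installing it.  Assumed sums-file format is the usual md5sum output:
# "<md5>  <filename>".  The demo data below is constructed on the fly.

# md5_of <file>: print the hex MD5 of a file (GNU md5sum, or openssl elsewhere)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        openssl md5 -r "$1" | awk '{ print $1 }'
    fi
}

# verify_md5 <file> <sums-file>
# 0 = matches the published sum, 1 = mismatch (tampered or corrupt),
# 2 = the vendor never listed this file.  Install only on 0.
verify_md5() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$2")
    if [ -z "$expected" ]; then
        echo "$name: no published checksum, refusing to trust it" >&2
        return 2
    fi
    actual=$(md5_of "$1")
    if [ "$actual" != "$expected" ]; then
        echo "$name: CHECKSUM MISMATCH (got $actual, expected $expected)" >&2
        return 1
    fi
    echo "$name: checksum OK"
}

# For the PGP signature on an RPM, additionally run: rpm --checksig <file>
# (needs the vendor's public key on your keyring).

# --- constructed demo: one genuine package, one tampered, one unlisted ---
demo_dir=$(mktemp -d)
printf 'pretend this is the genuine RPM\n' > "$demo_dir/good-1.0.rpm"
printf 'tampered build\n'                  > "$demo_dir/evil-1.0.rpm"
printf 'never published\n'                 > "$demo_dir/unknown-1.0.rpm"
{
    echo "$(md5_of "$demo_dir/good-1.0.rpm")  good-1.0.rpm"
    echo "00000000000000000000000000000000  evil-1.0.rpm"
} > "$demo_dir/MD5SUMS"

verify_md5 "$demo_dir/good-1.0.rpm" "$demo_dir/MD5SUMS"
```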
11.3 Cracking Attacks
Cracking attacks are attacks perpetrated by network intruders, or crackers (formally known as hackers). These attacks take the form of network intrusions, which are break-ins into remote systems, or the use of the services they provide, without authorization. The number of cracker attacks is proliferating more rapidly than any other type of incident, in large part because the Internet provides broad connectivity without intrinsic security mechanisms.
Information security professionals have long accepted the premise that more incidents are caused by insiders (e.g., company employees and contractors) than by outsiders. Many feel this trend is now reversing, and news of organizations' incurring major financial losses as the result of network intrusions is becoming commonplace.
Obviously, neither type of exploit should be taken lightly.
11.4 Direct Physical Access
Users often log on to workstations and then leave them unattended for long periods of time. This allows unauthorized individuals physical access to the workstations and to the organization's systems. An attacker can enter the office and use the workstation to attack numerous systems at a commercial site.
Attacks involving direct physical access can be extremely costly, because the attacker is often an insider who knows exactly where valuable data and applications reside on the system.
See the section on physical security for more information on how to protect your system.
11.5 Spoofing
Spoofing is a complex technical attack that is made up of several components. It is a security exploit that works by tricking computers in a trust relationship into believing that you are someone you really aren't. Spoofing of network connections involves forging an IP source address to trick the destination into thinking you are someone you really aren't. Spoofing of network services involves using poorly configured (or misconfigured) applications, typically SMTP, to trick the client, server, or recipient into thinking you are someone you are not.
Using the most recent implementations of the available service can help to protect against this ``masquerading''. A rule that prevents packets with internal IP addresses from seemingly entering your firewall from the outside should be a mandatory addition to your rulebase. There is some information on preventing DNS spoofing available at http://www.sunworld.com/swol-11-1997/swol-11-bind.html
A general guide to securing DNS is available at http://www.psionic.com/papers/dns-linux.html
A great reference of spoofing information is available at http://www.unitedcouncil.org/text.html including the excellent article published in Volume Seven, Issue Forty-Eight of Phrack, available at http://www.unitedcouncil.org/spoof/IPSpoofing.txt. This paper will help you understand the low-level TCP details.
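An added example (not from the original guide) of the anti-spoofing check described above, run over a constructed packet capture: it assumes eth0 is the outside interface and that each capture line has been reduced to interface, source and destination address. The equivalent packet-filter rules are shown in a comment.

```shell
#!/bin/sh
# Detect spoofed packets in a capture: a packet that arrives on the
# Internet-facing interface with a source address from the internal
# (RFC 1918) or loopback ranges can only be forged, because those addresses
# are never routed in from outside.  Assumes eth0 is the outside interface
# and input lines of the constructed form "<iface> <src-ip> <dst-ip>".

EXTERNAL_IF="eth0"

# is_internal_addr <ip>: 0 if ip is in 10/8, 172.16/12, 192.168/16 or 127/8
is_internal_addr() {
    case "$1" in
        10.*|192.168.*|127.*)                   return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# flag_spoofed: reads packet lines on stdin, prints one SPOOFED line per
# forged packet; returns 0 if the capture was clean, 1 otherwise.
flag_spoofed() {
    rc=0
    while read -r iface src dst; do
        [ "$iface" = "$EXTERNAL_IF" ] || continue   # inside interfaces: skip
        if is_internal_addr "$src"; then
            echo "SPOOFED src=$src dst=$dst arrived on $iface"
            rc=1
        fi
    done
    return $rc
}

# The same policy enforced at the packet filter (the rule the text calls for):
#   iptables -A INPUT -i eth0 -s 10.0.0.0/8     -j DROP
#   iptables -A INPUT -i eth0 -s 172.16.0.0/12  -j DROP
#   iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
#   iptables -A INPUT -i eth0 -s 127.0.0.0/8    -j DROP

# Constructed sample capture: two forged packets among legitimate ones.
SAMPLE_CAPTURE='eth0 203.0.113.7 192.168.1.10
eth0 10.0.0.5 192.168.1.10
eth1 192.168.1.20 192.168.1.10
eth0 172.20.3.4 192.168.1.10
eth0 198.51.100.9 192.168.1.10'

# count_spoofed_in_sample: number of forged packets found in SAMPLE_CAPTURE
count_spoofed_in_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | flag_spoofed | grep -c '^SPOOFED'
}
```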
11.6 Denial of Service Attacks
A Denial of Service (DoS) attack is one where the attacker prevents legitimate users from accessing a service. Denial of service attacks either try to make some resource too busy to answer legitimate service requests, or to deny legitimate users access to a machine.
Also of significant concern is a denial of service attack that is really intended to keep the victim host busy, preventing it from replying, while the intruder impersonates that host. These are typically referred to as ``man in the middle'' attacks.
Denial of service attacks have increased greatly in recent years. Some of the more popular and recent ones are listed below. Note that new ones show up all the time, so this is just a few examples.
- SYN Flooding - SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are created. The newer Linux kernels (2.0.30 and up) have several configurable options to prevent SYN flood attacks from denying people access to your machine or services. See the section on kernel security for proper kernel protection options.
- Pentium "F00F" Bug - It was discovered in the summer of 1997 that a particular sequence of instructions sent to a genuine Intel Pentium processor would reboot the machine. This affects every machine with a Pentium processor (not clones, not Pentium Pro or PII), no matter what operating system it's running. Linux kernel 2.0.32 and up contain a workaround for this bug, preventing it from locking your machine. Kernel 2.0.33 has an improved version of the kernel fix, and is suggested over 2.0.32. If you are running on a Pentium, you should upgrade now!
- Ping Flooding - Ping flooding is a simple brute force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network. A variation on this attack, called "smurfing", sends ICMP packets to a broadcast address with your machine's IP as the return address, allowing them to flood you less detectably. You can find more information about the "smurf" attack at http://www.quadrunner.com/~chuegen/smurf.txt
If you are ever under a ping flood attack, use a tool like tcpdump (available at ftp://ftp.ee.lbl.gov/tcpdump.tar.Z, although it should be part of your Linux vendor's distribution) to determine where the packets are coming from (or appear to be coming from), then contact your provider with this information. Ping floods can most easily be stopped at the router level or by using a firewall.
- Email Bombing and Spamming - Sending out large quantities of unsolicited email can clog networks, causing depletion of resources and degradation of network bandwidth. The newer versions of sendmail have greatly improved support for eliminating this problem.
- Ping 'o Death - The Ping 'o Death attack is a result of incoming ICMP ECHO REQUEST packets being larger than the kernel data structures that store this information can hold. Because sending a single, large (65,510 bytes) "ping" packet to many systems will cause them to hang or even crash, this problem was quickly dubbed the "Ping o' Death." This one has long been fixed, and is no longer anything to worry about.
Someone has put together a further discussion of the Ping 'o Death attack, which is available at http://www.sophist.demon.co.uk/ping/
- Teardrop / New Tear - One of the most recent exploits involves a bug present in the IP fragmentation code on Linux and Windows platforms. It is fixed in kernel version 2.0.33, and does not require selecting any kernel compile-time options to utilize the fix. Linux is apparently not vulnerable to the 'newtear' exploit.
11.7 Program Code Exploits
Much work is being done in this area by some very capable people to proactively catch these problems before further exploits are discovered. The Linux Security Audit Group is working on auditing many of the stock packages that vendors ship with their distributions. You can follow their efforts, or even help evaluate programs, by joining the security audit list: send mail to security-audit-subscribe@ferret.lmh.ox.ac.uk with ``subscribe'' in the body of the message. You can find the mailing list archives at http://www.nas.nasa.gov/Pubs/Mail/archive/linux-security-audit/. This is strictly an auditing list. It does not discuss issues regarding configuring your system to be more secure, reporting an exploit, etc. Do not expect to find information here about steps to perform an exploit.
Be sure to keep your subscription information, as it is very distracting to see unsubscribe requests being sent to the list. You can unsubscribe from the list by sending ``unsubscribe security-audit'' in the body of the message to security-audit-unsubscribe@ferret.lmh.ox.ac.uk
Chris Evans is doing a fine job of maintaining the mailing list, as well as a list of outstanding security issues, specifically, those in Red Hat 5.1. You can find this list at http://www-jcr.lmh.ox.ac.uk/~chris/rhbugs.txt
Some of the types of exploits performed on flaws in programming consist of at least the following:
- Exploits in Vendor Packages - Vendors frequently update the packages in their distribution to include fixes for security exploits. It is important that you remain aware of these changes, and apply their fixes as they are distributed. Most vendors have mailing lists to notify users of changes as they happen, and you should subscribe to those lists.
See the Web Links section for URLs to the most common Linux vendor security updates, and the Mail Links section for addresses for notification from most security vendors. Additionally, there are several user-contributed programs that will monitor particular ftp sites for changes, and either notify you when they change, or update automatically.
- Buffer Overflow - A common coding mistake is to allocate buffers that are assumed to be ``large enough'' and never to check for overflows. When such a buffer is overflowed, the executing program (a daemon or set-uid program) can be tricked into doing something else. Generally this works by overwriting a function's return address on the stack to point to another location.
- World Writable Directories - Directories such as /tmp are typically used for temporary files, such as those created by the line printer daemon, X11, accounting programs, etc. There is a potential for guessing the names of the files written to this directory. As a result, poorly coded programs may be exploited by writing into a pre-existing file. For a more complete explanation, see the Writing Secure Code section.
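To make the /tmp problem concrete, an added example (not from the original guide) contrasting a predictable temporary file name with one created by mktemp; the file names, prefix and report data are constructed for illustration.

```shell
#!/bin/sh
# Temporary files in a world-writable directory such as /tmp.
#
# The fragile pattern uses a predictable name.  Anyone who can guess it can
# create the file first (or plant a symlink to some other file), and the
# program then writes into something it did not create:
#
#     out=/tmp/report.$$       # the pid is easy to guess
#     echo "$data" > "$out"    # follows a planted symlink, clobbers the target
#
# The hardened form lets mktemp create a fresh, unpredictable file with mode
# 0600 and refuses to continue if that fails, rather than falling back to a
# guessable name.  Assumes a mktemp that accepts a template argument (GNU
# and BSD both do); TMPDIR overrides /tmp.

# make_tmp <prefix>: prints the path of a newly created private temp file
make_tmp() {
    dir="${TMPDIR:-/tmp}"
    f=$(mktemp "$dir/$1.XXXXXX") || return 1   # fails closed, no fallback
    printf '%s\n' "$f"
}

# write_report <data>: writes data through a safely created temp file and
# prints that file's path; returns 1 if no safe file could be obtained.
write_report() {
    tmp=$(make_tmp report) || return 1
    # belt and braces: mktemp created it, but still refuse anything that
    # is not a plain file (e.g. a symlink) before writing through it
    if [ -L "$tmp" ] || [ ! -f "$tmp" ]; then
        echo "refusing to write: $tmp is not a regular file" >&2
        return 1
    fi
    printf '%s\n' "$1" > "$tmp"
    printf '%s\n' "$tmp"
}

# tmp_is_private <path>: 0 if the file exists and only its owner can access it
tmp_is_private() {
    [ -f "$1" ] || return 1
    ls -ld -- "$1" | awk '{ exit substr($1, 5, 6) == "------" ? 0 : 1 }'
}
```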
11.8 Misconfigured Services
Misconfigured or unnecessary services pose a significant threat to both host and network security. Exportable filesystems, inherently insecure services, and too lenient a configuration of a service can all lead to a compromise.
Be sure to turn off any service that is not being used, and remove any executables that are not used. See the Network Security and Host Security sections for further information.
11.9 Known Vulnerabilities
There is certainly nothing easier than gathering the latest exploits from http://www.rootshell.com and trying them out on a list of machines.
Typically, by the time the exploits are available on the Internet, the vendor has distributed a patched version of the susceptible program. Be sure to install these updated versions, or at the least disable the service until you can do so. See the Contacts section of this document for the locations of vendors' updates.
11.10 WWW and CGI-BIN attacks
Please see the WWW Security FAQ http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html for more information.
You can also find information on further securing Apache at http://www.apache.org/docs/misc/security_tips.html