DaemonForums  

  #1   (View Single Post)  
Old 7th July 2008
audio audio is offline
Port Guard
 
Join Date: May 2008
Posts: 17
Default Bypassing & detecting nonexistent home and nologin

How do attackers gain access to a *nix box by exploiting services running as unprivileged users with no home directory and without a shell?

On the host level, is there a way to detect attackers when they are in the limbo phase created by exploiting a service like that?
  #2   (View Single Post)  
Old 7th July 2008
richardpl richardpl is offline
Spam Deminer
 
Join Date: May 2008
Location: Croatia
Posts: 284
Default

They can never actually gain access to a *nix box in that way ........
  #3   (View Single Post)  
Old 7th July 2008
deemon deemon is offline
Fdisk Soldier
 
Join Date: May 2008
Location: Estonia
Posts: 50
Default

Yes they can.
A shell is not needed to execute commands using the privileges of the user running the service.
Anyway - a weakness in the service running under an unprivileged user is used to gain access to the local system, and then that access is used to run local root exploit(s) (which are more common than remote root exploits).
About detection - there is no universal and foolproof way. It helps to have syslog logging to a remote machine and to run stealth IDS systems between the services and the internet.
__________________
Fhtagn nagh Yog-Sothoth
  #4   (View Single Post)  
Old 7th July 2008
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 445
Default

Quote:
Originally Posted by audio
On the host level, is there a way to detect attackers when they are in the limbo phase created by exploiting a service like that?

At the host level:
  • Application logging.
  • Honeypot, perhaps?

At the network level you could employ a NIDS for early detection.
__________________
Kill your t.v.
  #5   (View Single Post)  
Old 7th July 2008
audio audio is offline
Port Guard
 
Join Date: May 2008
Posts: 17
Default

People exploit Apache all the time, so I know it's possible. For example, in Absolute FreeBSD 2nd edition the author said the attacker can get around not having a home directory by using /tmp, which is world-writable.

I suspect a way to detect an attack on Apache running as user 'www' where perhaps the attacker hasn't yet gotten full access would be to check /tmp for files owned by www.

It just seems like there have to be more sophisticated ways to detect something like that on the host level, such as the kernel realizing and logging commands that the user www is trying to carry out.
  #6   (View Single Post)  
Old 7th July 2008
audio audio is offline
Port Guard
 
Join Date: May 2008
Posts: 17
Default

Quote:
Originally Posted by anomie
At the host level:
  • Application logging.
  • Honeypot, perhaps?

At the network level you could employ a NIDS for early detection.

What kind of application logging is there? Could you specify that all services running as unprivileged users should have the applications they run logged?
  #7   (View Single Post)  
Old 7th July 2008
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 445
Default

Quote:
Originally Posted by audio
It just seems like there have to be more sophisticated ways to detect something like that on the host level, such as the kernel realizing and logging commands that the user www is trying to carry out.

Ah, maybe you need to take a close look at MAC.

In the case of apache, you could also consider running it inside a FreeBSD jail. At least in this case you can keep a "cold spare" backup of the jail on standby and learn enough from an exploit to lock it down and then fire it up again. Additionally, even if apache within a jail is compromised, it'll be a lot more difficult to cause problems on the host system.
__________________
Kill your t.v.
  #8   (View Single Post)  
Old 7th July 2008
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 445
Default

Quote:
Originally Posted by audio
What kind of application logging is there? Could you specify that all services running as unprivileged users should have the applications they run logged?

I was talking about the daemon's logging itself. I don't know much about FBSD's Security Event Auditing, but you should check it out: http://www.freebsd.org/doc/en_US.ISO...ook/audit.html
__________________
Kill your t.v.
  #9   (View Single Post)  
Old 7th July 2008
audio audio is offline
Port Guard
 
Join Date: May 2008
Posts: 17
Default

Quote:
Originally Posted by anomie
I was talking about the daemon's logging itself. I don't know much about FBSD's Security Event Auditing, but you should check it out: http://www.freebsd.org/doc/en_US.ISO...ook/audit.html

I'll check that out. Hopefully it can do user-specified accounting. It would be great to be able to see that a user only used by a service was accessing unusual commands like id; uname -a; w or similar.
Old 7th July 2008
dk_netsvil dk_netsvil is offline
Real Name: Devon
Fdisk Soldier
 
Join Date: May 2008
Location: New York
Posts: 75
Default

If you're interested in preventing attacks through necessary services you can give /tmp its own partition and mount it with the nodev, nosuid, and noexec flags.

It's no guarantee, but it should be part of a larger security policy, and it's one place to start.
Old 7th July 2008
audio audio is offline
Port Guard
 
Join Date: May 2008
Posts: 17
Default

So far I really like the Security Event Auditing. The FreeBSD Handbook showed something similar to what I wanted.

Code:
root:lo,+ex:no
www:fc,+ex:no

The last line logs files created and files executed by the www user. Pretty cool.

I also found BSMtrace, which is basically a context-based HIDS that uses those audit trails. Here are some of the things it can do.
Quote:
- A subject having 50 failed, then one successful login over the course of
a week. Something you might expect to find during an SSH brute force.

- User "nobody" creating files outside of /usr/local/www

- User "nobody" executing administrative utilities, or utilities like id(1)
to determine which level of privilege has been acquired


- Detect the execution of common shellcode where certain sequences don't
normally appear, for example, the typical execution pattern of bind
when it services a DNS request might be:
[1] recvmsg
o buffer overflow is exploited, and now the execution pattern
might look something like this:
[2] socket
[3] bind
[4] listen
[5] accept
[6] dup2
[7] exec

- Users or groups of users executing utilities, looking at (or attempting)
files they shouldn't be.

That's pretty much identical to what I was looking for. Anyone here have experience with BSMtrace?
Reply With Quote
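
The syscall-sequence rule quoted in the post above can be sketched as a small per-process state machine. This is an added example, not part of the original post and not BSMtrace's own code or rule syntax; the `pid user syscall` record format, the function names and the sample events are constructed for illustration.

```shell
#!/bin/sh
# Added example. Records are "pid user syscall", one per line, oldest first:
# a simplified format constructed for this sketch, not praudit(1) output.

# detect_sequence USER: read records on stdin and print "pid user" for each
# process of USER whose calls contain, in order, the pattern quoted above:
# socket, bind, listen, accept, dup2, exec. Unrelated calls are ignored.
detect_sequence() {
    awk -v watch="$1" '
    BEGIN { n = split("socket bind listen accept dup2 exec", want, " ") }
    $2 != watch { next }                  # only the service account
    {
        pid = $1
        if (!(pid in pos)) pos[pid] = 1   # next pattern step for this pid
        if (pos[pid] <= n && $3 == want[pos[pid]]) {
            if (pos[pid]++ == n)          # last step just matched
                print pid, $2
        }
    }'
}

# Constructed sample: pid 412 answers DNS queries normally, then deviates.
# pid 731 (www) opens a listener but never reaches dup2/exec.
sample_events() {
    cat <<'EOF'
412 bind recvmsg
412 bind sendmsg
731 www socket
731 www bind
731 www listen
731 www accept
412 bind recvmsg
412 bind socket
412 bind bind
412 bind listen
412 bind accept
412 bind dup2
412 bind dup2
412 bind exec
EOF
}

sample_events | detect_sequence bind
```

Tracking state per pid keeps one process's listener setup from combining with another process's exec into a false match.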
Old 7th July 2008
audio audio is offline
Port Guard
 
Join Date: May 2008
Posts: 17
Default

Quote:
Originally Posted by dk_netsvil
If you're interested in preventing attacks through necessary services you can give /tmp its own partition and mount it with the nodev, nosuid, and noexec flags.

It's no guarantee, but it should be part of a larger security policy, and it's one place to start.

Thanks, that seems like a good way to fix someone without a home directory trying to use /tmp.
Old 7th July 2008
deemon deemon is offline
Fdisk Soldier
 
Join Date: May 2008
Location: Estonia
Posts: 50
Default

Please do note that noexec doesn't prevent executing scripts in the /tmp directory (e.g. /usr/bin/perl /tmp/httpd), since the executable resides in /usr, not /tmp.
__________________
Fhtagn nagh Yog-Sothoth
Reply With Quote
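
One way to run the /tmp ownership check suggested earlier in the thread while accounting for the noexec caveat above (an added example, not written by any poster): it lists every file a service account owns under a directory and marks `#!` scripts separately, since an interpreter can still run them on a noexec mount. The `scan_owned` name and the default `www` account are assumptions.

```shell
#!/bin/sh
# Added example. scan_owned DIR USER prints "KIND<TAB>PATH" for every regular
# file under DIR owned by USER (name or numeric uid), where KIND is:
#   script  first two bytes are "#!" (an interpreter can run it even when
#           DIR is mounted noexec)
#   exec    the owner execute bit is set
#   data    anything else (still listed: a service account that normally
#           writes nothing here should own no files at all)
scan_owned() {
    find "$1" -xdev -type f -user "$2" 2>/dev/null | sort |
    while IFS= read -r f; do
        kind=data
        # Check the permission bit itself; access(2)-style tests can report
        # "not executable" for everything on a noexec mount.
        [ -n "$(find "$f" -prune -perm -0100 2>/dev/null)" ] && kind=exec
        magic=$(head -c 2 "$f" 2>/dev/null | tr -d '\000')
        [ "$magic" = '#!' ] && kind=script
        printf '%s\t%s\n' "$kind" "$f"
    done
}

# Defaults are assumptions: /tmp and the "www" account named in the thread.
scan_owned "${1:-/tmp}" "${2:-www}"
```

Run from cron and compared against the previous run, any new line in the output is worth a look.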